Security of apps such as 1Password?

MWhiskerton said:

I noted that 1Password seems to have really good reviews (Mac App Store and CNET) and it seems like a convenient program. I am curious--do many of you use it (or similar apps), and do you not feel nervous about actually putting all your logins/credit card information into one program?

I think one thing that makes me hesitant is that it's integrated into the browser--it just seems weird entering a Master Password prompted by Safari or Chrome. On the flip side, I see you can also set it to not prompt you for your Master Password, but to store it in the Apple Keychain. Is that safe?

As someone who is relatively new to Macs (and relatively paranoid), I'm not sure I really understand how some of the applications work, including the Keychain.

Any advice or feedback would be appreciated.

Click to expand...

The app is amazing, I have been using it for over a year now. I have it integrated into my browser, it's very secure, I have it sync to my phone via wifi. It's safe to keep in your keychain as LONG AS you are on the only one who has access to the desktop. If not I would leave the master password on.

1Password is a decent app. The one thing that I don't like about it (and which many people may not even be aware of) is that not all of the data that it stores is actually encrypted.

It encrypts username, password, notes, and credit card number fields but leaves the entry title, associated url and perhaps some other fields readable.

So, if someone gets hold of your datafile they won't get your passwords or credit card numbers, but they would be able to see everywhere that you have logins and accounts.

But, it is a nice app for keeping track of stuff and makes it very easy to manage all of your website logins.

petisjioweelsha said:

1Password is a decent app. The one thing that I don't like about it (and which many people may not even be aware of) is that not all of the data that it stores is actually encrypted.

It encrypts username, password, notes, and credit card number fields but leaves the entry title, associated url and perhaps some other fields readable.

So, if someone gets hold of your datafile they won't get your passwords or credit card numbers, but they would be able to see everywhere that you have logins and accounts.

But, it is a nice app for keeping track of stuff and makes it very easy to manage all of your website logins.

Click to expand...

The data file for 1password is encrypted unless you have the master password you cannot view any of the data in the file. I specifically emailed them and asked them about this before purchasing.

jmcgeejr said:

The data file for 1password is encrypted unless you have the master password you cannot view any of the data in the file. I specifically emailed them and asked them about this before purchasing.

Click to expand...

The file uses encryption for many but not all fields.
This is explained in their knowledgebase article:
http://help.agile.ws/1Password3/agile_keychain_design.html
(Scroll down the section titled, "Individual Entry Contents."

Also you can also see this for yourself by examining your 1Password.agilekeychain file.

-Control-click on the 1Password.agilekeychain file and select 'Show package contents'
-Open the 'data' folder
-Open the 'default' folder
-view one of the items in a viewer such as TextEdit
you will be able to see some plain text for entry titles and urls.

Regardless, your passwords are safe.
I would just prefer that the entire data file was encrypted, but it is not a major security issue.

I've been using it around three years now and can't recommend it enough.

I am like you and very protective of my personal information, when I first got it I would only use it for passwords. But now I have all my bank details, credit cards, identity etc on it, I have complete confidence in 1password.
If there is any security issues with it i'm sure they would have come to light by now and be all over the net.

Its very secure, just make sure you use a complicated master password.

I have been using it and I don't worry about it. I have a secure password and they tell you if you forget it you can't get it back.

Of course this doesn't mean that some sneaky government spook couldn't break it, but I'm not storing secret lists of things the spooks would be interested in.

I am a long time user of Roboform on the Windows PCs and on the Mac I used 1Password until Roboform Everywhere for Mac OS X and iOS arrived. Now I completely switched to Roboform because it syncs across Windows, iOS, And OS X platforms through the cloud. I love it!

I use LastPass. There is a very detailed podcast on it's inner working here: http://www.grc.com/securitynow.htm

Scroll down to episode 256. After listening to this, I decided LastPass was good for me and very secure.

I use LastPass and I really like it. I don't store credit card info on it, but all my usernames and passwords.

I have the Premium edition ($1.00/month) which gets you very quick response to any problems. The only downside is they no longer have telephone support (or didn't the last time I communicated with them - about 4 months ago) They used to have it, but discontinued telephone support. So your only communication is email.

My impression is that it is quite secure, and integrates with Safari (the free version is a Safari Extension).

waynep said:

I use LastPass. There is a very detailed podcast on it's inner working here: http://www.grc.com/securitynow.htm

Scroll down to episode 256. After listening to this, I decided LastPass was good for me and very secure.

Click to expand...

Shrink said:

I use LastPass and I really like it. I don't store credit card info on it, but all my usernames and passwords.

I have the Premium edition ($1.00/month) which gets you very quick response to any problems. The only downside is they no longer have telephone support (or didn't the last time I communicated with them - about 4 months ago) They used to have it, but discontinued telephone support. So your only communication is email.

My impression is that it is quite secure, and integrates with Safari (the free version is a Safari Extension).

Click to expand...

I used LastPass for a long time but gave up when they announced that their servers may have been accessed by an intruder. For now, I use Keychain on my Mac (only I use this computer) and I use 1Password on my iPhone (since I picked it up for free when it came on sale).

keepassX Mac
Keepass Win
kypass Edit: iPad/iPhone
There are also clients for BlackBerries and others

One db file on all in sync via Dropbox

Free ! (well almost, $2 for the iPad/iPhone app)

All my sensitive information are in there: bank accounts, credit cards, PIN, email/sites accounts, etc.

saberahul said:

I used LastPass for a long time but gave up when they announced that their servers may have been accessed by an intruder. For now, I use Keychain on my Mac (only I use this computer) and I use 1Password on my iPhone (since I picked it up for free when it came on sale).

Click to expand...

That event you mentioned did, of course, occur. I was impressed with the way they handled it, keeping in constant contact with subscribers through website updates. I felt confident that the situation was handled with great concern for subscribers. And I have not experienced any problems as a result.

That being said, I certainly can understand your concerns, and your decision to drop the service and go elsewhere.

It is my impression that anyone can be hacked, and feel confident enough in the service to be comfortable recommending it.

Shrink said:

That event you mentioned did, of course, occur. I was impressed with the way they handled it, keeping in constant contact with subscribers through website updates. I felt confident that the situation was handled with great concern for subscribers. And I have not experienced any problems as a result.

That being said, I certainly can understand your concerns, and your decision to drop the service and go elsewhere.

It is my impression that anyone can be hacked, and feel confident enough in the service to be comfortable recommending it.

Click to expand...

You're right and I agree with you 100%. That being said, I thought to myself, why should I store my confidential data online? I then decided to store everything in Keychain on my Mac where nothing is uploaded to any server on the internet. Of course, my Mac can be stolen and hacked but I doubt the chances of that happening are even close to 1%.

MWhiskerton said:

Does 1Password upload anything to a server, or is it a local program only? It seems like such a convenient program.

I keep wanting to try it, but every time it prompts me for my Master Password, I can't do it. I know I'm paranoid.

Click to expand...

No I do not think so. I only use the iOS version with all sync's disabled so nothing of mine actually leaves the iPhone. Of course, the app could be doing this in secretive mode but I highly doubt that.

MWhiskerton said:

Does 1Password upload anything to a server, or is it a local program only?

Click to expand...

By default it only stores your datafile on your local machine.
You can, if you wish, configure it to to use Dropbox.com
http://help.agilebits.com/1Password3/configure_dropbox_on_mac.html

but every time it prompts me for my Master Password, I can't do it. I know I'm paranoid.

Click to expand...

Not sure what you mean by that.
The 1Password master password is specific to 1Password. You create it in 1Password and it is only used to open your 1Password file. It does not pertain to any other aspect of your Mac system.

MWhiskerton said:

Does 1Password upload anything to a server, or is it a local program only? It seems like such a convenient program.

Click to expand...

By default, 1Password stores everything locally and does not "phone home" except to check for software updates.

If you want to use the Dropbox syncing feature to sync between multiple computers and your iDevices, the password database is stored (encrypted) on Dropbox's servers.

If storing your database on Dropbox makes you nervous, but you still want to sync between devices, 1Password offers a WiFi sync option that syncs ONLY on a local network, and it uses an encrypted connection to do the sync.

I can't say enough good things about 1Password. It's seriously one of the best pieces of software I've ever used, their support is fantastic, and my online life is MUCH more secure now that I have a separate password (automatically randomly generated by 1Password, in fact) for each online login.

Plus1 on the previous poster's comments. 1Password is slick, stable and secure. For anyone thinking keychain is "good enough" consider this, unless you have a separate long /strong password for your keychain from your os login your keychain is not secure. Also 1Passwords integration and autofill into browser sites means no more keeping easily hacked browser stored Ids and passwords.

The iOS version withs it's dual layer password protection also means you have your stored passwords with you all the time. Just a great app and I personally feel my passwords, which are along/strong passwords are secure. No more reusing the sane short passwords across multiple accounts and no more notes or documents with passwords like many people keep.

NorCalLights said:

1Password offers a WiFi sync option that syncs ONLY on a local network, and it uses an encrypted connection to do the sync.

Click to expand...

Can wifi sync be used between two Macs or only between a Mac and an iPhone/Ipad? If yes then any help would be appreciated.

I use LastPass, primarily because it available for OSX, Windows, Linux, and iOS. It's the best of the bunch that is also available for Linux.

LastPass encrypts everything and stores both locally and on their server. The encryption is done locally, and there server never sees unencrypted data.

I am not too concerned about their possible security breech. All that anybody could have gotten are encrypted files that they could try to decrypt. Good luck! It would take the resources of a government agency, and they would find some way to get the data if they wanted it anyway.

I won't use any "cloud service" that stores unencrypted data on their server or that uses SSL to transfer unencrypted data and then re-encrypts on their server. The encryption has to be done on your device, and it needs to encrypt everything, including file or item names, etc.

It's important to have a local copy, in case the service or Internet is unavailable or the company goes out of business. LastPass satisfies all my criteria.

saberahul said:

I used LastPass for a long time but gave up when they announced that their servers may have been accessed by an intruder. For now, I use Keychain on my Mac (only I use this computer) and I use 1Password on my iPhone (since I picked it up for free when it came on sale).

Click to expand...

LastPass does not store you actual login info on their servers. They store and encrypted blob that's created on your machine then shipped up to the mothership. Your master password is part of the key that helps unlock the blob locally. The podcast I posted the link to explains it all in great detail, a lot better than I ever could. I still use it.