Risks of using 1Password?

[keaide]

I' not taking about the risk of storing all your passwords somewhere in the cloud here. I'm just trying to understand some side effects of using it. Is it correct that

1. if I forget the master password then I'm doomed and can't access anything any more
2. if the password storage file is corrupt or some reason (this happened to me once with an iCloud-synced file) then all my passwords are gone, too
3. I won't be able to log in to anything any more using another computer (e.g. at a friend's home) because it's 1Password that knows all my password (not me any more)

Or did I miss anything and these concerns are not valid?

[mon999]

i thought of these possibilities once i started using 1password on my mac..
so:
1. i chose the same password as my primary email that i have been using for ages. i will less likely forget that one.

2. i feel safer now that i got the iphone app as well and they sync nicely.
if i lose data on one device, i always can access the other.

3. you can sync with dropbox but i'm not sure if you can actually see your password somehow.

[2012Tony2012]

You are better off using an App that stores personal information and passwords encrypted locally, I would never trust anything in the cloud. You may wake up one morning and have $0 in all your bank acccounts.

[keaide]

Quote:

Originally Posted by mon999

i thought of these possibilities once i started using 1password on my mac..
so:
2. i feel safer now that i got the iphone app as well and they sync nicely.
if i lose data on one device, i always can access the other.

Will version 4 not sync automatically via iCloud? So if the data file is corrupt, it will sync a broken one to all devices...

@2012Tony2012: That's definitely the other issue. There is actually not much compelling reason why you should trust any cloud service with your entire digital life and real-world bank accounts other than convenience.

[HazyCloud]

Quote:

Originally Posted by 2012Tony2012

You are better off using an App that stores personal information and passwords encrypted locally, I would never trust anything in the cloud. You may wake up one morning and have $0 in all your bank acccounts.

1Password stores your info in an encrypted file in Dropbox that even 1Password can't open without your master password.

Also 1Password stores all of your info locally unless you choose to store it on Dropbox.

Quote:

Originally Posted by keaide

Will version 4 not sync automatically via iCloud? So if the data file is corrupt, it will sync a broken one to all devices...

@2012Tony2012: That's definitely the other issue. There is actually not much compelling reason why you should trust any cloud service with your entire digital life and real-world bank accounts other than convenience.

I think that even if your iCloud data was borked, 1Password would still open. It may just not grab any recently added info.

[mon999]

Quote:

Originally Posted by keaide

Will version 4 not sync automatically via iCloud? So if the data file is corrupt, it will sync a broken one to all devices...

i don't think it does.. by default, it does not sync anything nor does it save anything online. it only saves data locally unless you tell it to do otherwise.

[flynz4]

Quote:

Originally Posted by 2012Tony2012

You are better off using an App that stores personal information and passwords encrypted locally, I would never trust anything in the cloud. You may wake up one morning and have $0 in all your bank acccounts.

You do not have to. Sharing via dropbox is your choice. 1Password creates a local encrypted vault that you do not have to share.

/Jim

[HazyCloud]

Quote:

Originally Posted by mon999

Image

i don't think it does.. by default, it does not sync anything nor does it save anything online. it only saves data locally unless you tell it to do otherwise.

They're referring to the Mac version which will sync via iCloud (if it's from the MAS), but you're right, you can always turn it off and sync locally over Wi-Fi.

[flynz4]

Quote:

Originally Posted by keaide

I' not taking about the risk of storing all your passwords somewhere in the cloud here. I'm just trying to understand some side effects of using it. Is it correct that

1. if I forget the master password then I'm doomed and can't access anything any more
2. if the password storage file is corrupt or some reason (this happened to me once with an iCloud-synced file) then all my passwords are gone, too
3. I won't be able to log in to anything any more using another computer (e.g. at a friend's home) because it's 1Password that knows all my password (not me any more)

Or did I miss anything and these concerns are not valid?

1. Duh... but you use it every day. Plus... my wife and I share the same master password... so if Alzheimer's kicks in... the other takes control
2. 1Password saves daily backups... I think to a maximum of 30 by default. Plus... you do have backup right?
3. Personally... I never use other people's computers at all. I do not want to type into their keylogger. Still... you can always get your passwords off of you iPhone, iPad, Android or whatever you have with you. 1Password optionally lets you have encrypted access via 1Password via a web browser... but I do not put my data out there. I do not need to since I never use 3rd party computers... ever.

/Jim

----------

Quote:

Originally Posted by HazyCloud

They're referring to the Mac version which will sync via iCloud (if it's from the MAS), but you're right, you can always turn it off and sync locally over Wi-Fi.

I think just the new iOS version has the capability to sync via iCloud. The MAS version can sync via WiFi (manually) or via Drobpox (Automatically).

I would assume that 1Password 4 will add iCloud sync... but it will also need to sync via Dropbox since 1Password is a cross-platform application.

/Jim

[HazyCloud]

Quote:

Originally Posted by flynz4

I would assume that 1Password 4 will add iCloud sync... but it will also need to sync via Dropbox since 1Password is a cross-platform application.

/Jim

It won't have to have sync via Dropbox ever. That's totally optional. A user can just sync via Wi-Fi or via iCloud if they choose. Now if you wanted to sync it with the Windows version, sure you'd need to sync via Dropbox.

[colshine]

Quote:

Originally Posted by keaide

if I forget the master password then I'm doomed and can't access anything any more

If you forget you master password then you lose access to the datafile:

http://help.agilebits.com/1Password3..._password.html

I like this approach, which is why I selected 1Password.

Quote:

Originally Posted by keaide

if the password storage file is corrupt or some reason (this happened to me once with an iCloud-synced file) then all my passwords are gone, too

Make sure you're creating backups:

http://help.agilebits.com/1Password3/data_backup.html

Quote:

Originally Posted by keaide

I won't be able to log in to anything any more using another computer (e.g. at a friend's home) because it's 1Password that knows all my password (not me any more)

They have thought of this:

http://help.agilebits.com/1Password3...danywhere.html

EDIT: If you're using the MAS version it is a little different:

http://forum.agilebits.com/index.php...mac-app-store/

Quote:

What happened to my backups?

1Password creates a daily backup of your information in the ~/Library/Containers/com.agilebits.onepassword-osx-helper/ directory. Up to 30 backups are kept at a time. This is not currently a user-configurable option.

[scarred]

For me, getting 1Password was step one to organizing my information. Buy 1Password, store everything in there. From passwords to passport numbers to software licenses.

Step 2. Buy a fire safe for my house. Write down my master password, and put it in there. In fact, I wrote instructions for someone to sort it all out if I'm no longer around.

Step 3. Get a backup plan in place. Time Machine to an external hard drive, and a subscription to backblaze.

[colshine]

Quote:

Originally Posted by scarred

Step 3. Get a backup plan in place. Time Machine to an external hard drive, and a subscription to backblaze.

That's a good point, have a look at Arq for what I consider a straight forward backup plan to Amazon S3.

[AGKyle]

Quote:

Originally Posted by keaide

I' not taking about the risk of storing all your passwords somewhere in the cloud here. I'm just trying to understand some side effects of using it. Is it correct that

1. if I forget the master password then I'm doomed and can't access anything any more
2. if the password storage file is corrupt or some reason (this happened to me once with an iCloud-synced file) then all my passwords are gone, too
3. I won't be able to log in to anything any more using another computer (e.g. at a friend's home) because it's 1Password that knows all my password (not me any more)

Or did I miss anything and these concerns are not valid?

Hi there. Friendly neighborhood 1Password Tech Support guy here. Figure I can chime in on this. You're of course free to ignore my suggestions

1) Your data is lost if you lose your master password.

I combat this by having my master password written down on a piece of paper (along with instructional information in case I die) and put it in my safe deposit box. This serves two purposes: It's there if I forget it and it's there in case I die and someone needs access to my accounts (banking, credit cards, etc) to cancel or handle those things that happen when you die.

2) We store your data only on the device unless you specify to us to store it in the cloud. This means we keep two copies of the data. One locally on the device and one on the cloud. If the data is corrupt, it may or may not corrupt the data locally. This is why you keep backups, right? I mean, you are backing up your important data. I hope.

Part of the above master password procedure is that I put a thumbdrive in the safe deposit box along with my keychain file. I have two thumb drives and I rotate them in and out on a bi weekly basis. So roughly every two weeks I go in, drop off an up to date backup of the thumb drive and take the out of date one with me. Repeat the cycle. The thumbdrive actually has several backups:

thumbdrive/2013/01-January/Date/1Password.agilekeychain
thumbdrive/2013/01-January/Date2/1Password.agilekeychain
thumbdrive/2013/02-February/Date/1Password.agilekeychain

So if one of the most recent backups is corrupt, I have the past 30 or so (i think, it's not a hard rule). The keychain is pretty small so having dozens of copies doesn't take up much space.

Obviously the thumbdrive contains other data, contact information exported from Contacts, SSH keys (which are actually in 1Password), and other important files that I must have access to.

Of course, I also have a local backup that I make with Time Machine (or in my real case Carbon Copy Cloner, but TM works fine). And I use Crashplan for online backup.

Cover your bases. Backup your important data. Don't wait for that time when something does go crash and boom and your data is gone. It only takes this happening once before many people jump on the backup bandwagon.

3) Use the iOS app or 1PasswordAnywhere. Both facilitate accessing your passwords remotely. That same keychain file i put on a flashdrive? Yup, it's on Dropbox as well. I can then log into my Dropbox and goto the keychain folder then 1Password.html to view my data.

Hope that helps!

----------

Quote:

Originally Posted by flynz4

You do not have to. Sharing via dropbox is your choice. 1Password creates a local encrypted vault that you do not have to share.

/Jim

In the US at least, your money is protected by various laws and you can get it back if it was removed by someone other than yourself.

But, if you choose a strong master password and protect yourself properly by not installing random pieces of software that are untrusted. You should be just fine.

We all use Dropbox at AgileBits. If we didn't trust it, we wouldn't put it in the application. Use a strong master password to protect your data and you'll be fine. We never transmit that data over the internet so it is only ever at risk if someone has a keylogger installed on your device (and we have mechanisms in place to prevent that from gaining access to your typed in password as well).

If you have real specific questions regarding Cloud storage and 1Password please let me know. Again, we wouldn't put it in there if it wasn't secure.

[Tilpots]

Quote:

Originally Posted by 2012Tony2012

You are better off using an App that stores personal information and passwords encrypted locally, I would never trust anything in the cloud. You may wake up one morning and have $0 in all your bank acccounts.

If you have a bank account, your money is in the cloud. So...

Quote:

Originally Posted by AGKyle

2) We store your data only on the device unless you specify to us to store it in the cloud. This means we keep two copies of the data. One locally on the device and one on the cloud. If the data is corrupt, it may or may not corrupt the data locally. This is why you keep backups, right? I mean, you are backing up your important data. I hope.

If syncing over Dropbox, an iCloud backup would restore the local file if the Dropbox file corrupted, correct?

[AGKyle]

Quote:

Originally Posted by Tilpots

If syncing over Dropbox, an iCloud backup would restore the local file if the Dropbox file corrupted, correct?

This is actually beyond my knowledge of the application. So, I do apologize I'm not going to be able to provide an accurate response. I'll try to pull someone into this thread from the company that can answer it more thoroughly though.

If this won't work and you want to know more about this please email us on our support page (see my signature). Put Attention: Kyle in the subject and they'll assign it to me and I'll dig into it more and talk to the developers and our security guy who would know a lot more about this type of scenario and what will happen.

[colshine]

Quote:

Originally Posted by AGKyle

Part of the above master password procedure is that I put a thumbdrive in the safe deposit box along with my keychain file. I have two thumb drives and I rotate them in and out on a bi weekly basis. So roughly every two weeks I go in, drop off an up to date backup of the thumb drive and take the out of date one with me. Repeat the cycle. The thumbdrive actually has several backups:

thumbdrive/2013/01-January/Date/1Password.agilekeychain
thumbdrive/2013/01-January/Date2/1Password.agilekeychain
thumbdrive/2013/02-February/Date/1Password.agilekeychain

So if one of the most recent backups is corrupt, I have the past 30 or so (i think, it's not a hard rule). The keychain is pretty small so having dozens of copies doesn't take up much space.

Due to a combination of being lazy, not enough time and the difficulty in getting hold of a safe deposit box I choose instead to create a backup to the cloud. The 1Password backup files are encrypted again locally and then uploaded to the cloud.

If something went wrong with the local file, my local backup strategy or the dropbox sync files then I would still have copies of the last 30 backups available in the cloud.

[2012Tony2012]

Quote:

Originally Posted by Tilpots

If you have a bank account, your money is in the cloud. So... ..

But it's in the banks cloud, not some third party company I have no idea about.

[maflynn]

Quote:

Originally Posted by 2012Tony2012

But it's in the banks cloud, not some third party company I have no idea about.

You sure about that. Banks outsource all the time, we have no idea where our financial data is stored.

[flynz4]

Quote:

Originally Posted by 2012Tony2012

But it's in the banks cloud, not some third party company I have no idea about.

Your unencrypted data is in the bank's cloud. It needs to be unencrypted... because they need to manage the data on your behalf. Hence... any security breach exposes your data.

By contrast... when you choose to sync 1Password... your encrypted data is stored on the cloud... using a key that you control and only you know. Hence... despite any security breach... you data remains safe.

/Jim

[carlgo]

All this is far, far too scary and nerdy. While it is surely a fine program, I stopped using it and went back to hidden notes.

[maflynn]

Quote:

Originally Posted by flynz4

because they need to manage the data on your behalf.

That's not entirely true. Many current enterprise databases contain the ability to encrypt data and only the application (or user) that is authorized will decrypt the data - all very seamless and automatic (Oracle for instance can do this).

Whether the banks do this is another question, but given the laws that are on the books, I'd be surprised if banks and other financial institutions don't do this.

----------

Quote:

Originally Posted by carlgo

All this is far, far too scary and nerdy. While it is surely a fine program, I stopped using it and went back to hidden notes.

Why is it scary? I find 1Password to be safe and stable to project my data.

I use FileVault, and so the data only drive is encrypted and so is my 1Password datafile. If people do not want to risk having their 1Password data file exposed in dropbox then they don't need too.

[pitaya]

Quote:

Originally Posted by AGKyle

3) Use the iOS app or 1PasswordAnywhere. Both facilitate accessing your passwords remotely. That same keychain file i put on a flashdrive? Yup, it's on Dropbox as well. I can then log into my Dropbox and goto the keychain folder then 1Password.html to view my data.

would you mind commenting on the security implications when using 1PasswordAnywhere? Most of the 1password contents are encrypted, but 1Password.html and other stuff isn't. Is there anything in place to mitigate the chance of those being modified? Maybe published gpg signatures, or a list of checksums?

Thanks!

[2012Tony2012]

Quote:

Originally Posted by maflynn

You sure about that. Banks outsource all the time, we have no idea where our financial data is stored.

Fair and valid point.

----------

Quote:

Originally Posted by flynz4

Your unencrypted data is in the bank's cloud. It needs to be unencrypted... because they need to manage the data on your behalf. Hence... any security breach exposes your data.

By contrast... when you choose to sync 1Password... your encrypted data is stored on the cloud... using a key that you control and only you know. Hence... despite any security breach... you data remains safe.

/Jim

I do feel more safe and peace of mind using MoxierWallet as my data is encrypted locally on my hard drive only and not in the cloud.

[colshine]

Quote:

Originally Posted by 2012Tony2012

I do feel more safe and peace of mind using MoxierWallet as my data is encrypted locally on my hard drive only and not in the cloud.

1Password encrypts the contents locally before syncing to the cloud. I would never have used 1Password unless I thought they took security seriously.