Risks of using 1Password?

i thought of these possibilities once i started using 1password on my mac..
so:
1. i chose the same password as my primary email that i have been using for ages. i will less likely forget that one.

2. i feel safer now that i got the iphone app as well and they sync nicely.
if i lose data on one device, i always can access the other.

3. you can sync with dropbox but i'm not sure if you can actually see your password somehow.

You are better off using an App that stores personal information and passwords encrypted locally, I would never trust anything in the cloud. You may wake up one morning and have $0 in all your bank acccounts.

2012Tony2012 said:

You are better off using an App that stores personal information and passwords encrypted locally, I would never trust anything in the cloud. You may wake up one morning and have $0 in all your bank acccounts.

Click to expand...

1Password stores your info in an encrypted file in Dropbox that even 1Password can't open without your master password.

Also 1Password stores all of your info locally unless you choose to store it on Dropbox.

keaide said:

Will version 4 not sync automatically via iCloud? So if the data file is corrupt, it will sync a broken one to all devices...

@2012Tony2012: That's definitely the other issue. There is actually not much compelling reason why you should trust any cloud service with your entire digital life and real-world bank accounts other than convenience.

Click to expand...

I think that even if your iCloud data was borked, 1Password would still open. It may just not grab any recently added info.

keaide said:

Will version 4 not sync automatically via iCloud? So if the data file is corrupt, it will sync a broken one to all devices...

Click to expand...

i don't think it does.. by default, it does not sync anything nor does it save anything online. it only saves data locally unless you tell it to do otherwise.

2012Tony2012 said:

You are better off using an App that stores personal information and passwords encrypted locally, I would never trust anything in the cloud. You may wake up one morning and have $0 in all your bank acccounts.

Click to expand...

You do not have to. Sharing via dropbox is your choice. 1Password creates a local encrypted vault that you do not have to share.

/Jim

mon999 said:

Image

i don't think it does.. by default, it does not sync anything nor does it save anything online. it only saves data locally unless you tell it to do otherwise.

Click to expand...

They're referring to the Mac version which will sync via iCloud (if it's from the MAS), but you're right, you can always turn it off and sync locally over Wi-Fi.

keaide said:

I' not taking about the risk of storing all your passwords somewhere in the cloud here. I'm just trying to understand some side effects of using it. Is it correct that

1. if I forget the master password then I'm doomed and can't access anything any more
2. if the password storage file is corrupt or some reason (this happened to me once with an iCloud-synced file) then all my passwords are gone, too
3. I won't be able to log in to anything any more using another computer (e.g. at a friend's home) because it's 1Password that knows all my password (not me any more)

Or did I miss anything and these concerns are not valid?

Click to expand...

1. Duh... but you use it every day. Plus... my wife and I share the same master password... so if Alzheimer's kicks in... the other takes control
2. 1Password saves daily backups... I think to a maximum of 30 by default. Plus... you do have backup right?
3. Personally... I never use other people's computers at all. I do not want to type into their keylogger. Still... you can always get your passwords off of you iPhone, iPad, Android or whatever you have with you. 1Password optionally lets you have encrypted access via 1Password via a web browser... but I do not put my data out there. I do not need to since I never use 3rd party computers... ever.

/Jim

----------

HazyCloud said:

They're referring to the Mac version which will sync via iCloud (if it's from the MAS), but you're right, you can always turn it off and sync locally over Wi-Fi.

Click to expand...

I think just the new iOS version has the capability to sync via iCloud. The MAS version can sync via WiFi (manually) or via Drobpox (Automatically).

I would assume that 1Password 4 will add iCloud sync... but it will also need to sync via Dropbox since 1Password is a cross-platform application.

/Jim

flynz4 said:

I would assume that 1Password 4 will add iCloud sync... but it will also need to sync via Dropbox since 1Password is a cross-platform application.

/Jim

Click to expand...

It won't have to have sync via Dropbox ever. That's totally optional. A user can just sync via Wi-Fi or via iCloud if they choose. Now if you wanted to sync it with the Windows version, sure you'd need to sync via Dropbox.

keaide said:

if I forget the master password then I'm doomed and can't access anything any more

Click to expand...

If you forget you master password then you lose access to the datafile:

http://help.agilebits.com/1Password3/forgot_password.html

I like this approach, which is why I selected 1Password.

keaide said:

if the password storage file is corrupt or some reason (this happened to me once with an iCloud-synced file) then all my passwords are gone, too

Click to expand...

Make sure you're creating backups:

http://help.agilebits.com/1Password3/data_backup.html

keaide said:

I won't be able to log in to anything any more using another computer (e.g. at a friend's home) because it's 1Password that knows all my password (not me any more)

Click to expand...

They have thought of this:

http://help.agilebits.com/1Password3/1passwordanywhere.html

EDIT: If you're using the MAS version it is a little different:

http://forum.agilebits.com/index.php?/topic/8068-official-answers-1password-and-the-mac-app-store/

What happened to my backups?

1Password creates a daily backup of your information in the ~/Library/Containers/com.agilebits.onepassword-osx-helper/ directory. Up to 30 backups are kept at a time. This is not currently a user-configurable option.

Click to expand...

For me, getting 1Password was step one to organizing my information. Buy 1Password, store everything in there. From passwords to passport numbers to software licenses.

Step 2. Buy a fire safe for my house. Write down my master password, and put it in there. In fact, I wrote instructions for someone to sort it all out if I'm no longer around.

Step 3. Get a backup plan in place. Time Machine to an external hard drive, and a subscription to backblaze.

scarred said:

Step 3. Get a backup plan in place. Time Machine to an external hard drive, and a subscription to backblaze.

Click to expand...

That's a good point, have a look at Arq for what I consider a straight forward backup plan to Amazon S3.

keaide said:

I' not taking about the risk of storing all your passwords somewhere in the cloud here. I'm just trying to understand some side effects of using it. Is it correct that

1. if I forget the master password then I'm doomed and can't access anything any more
2. if the password storage file is corrupt or some reason (this happened to me once with an iCloud-synced file) then all my passwords are gone, too
3. I won't be able to log in to anything any more using another computer (e.g. at a friend's home) because it's 1Password that knows all my password (not me any more)

Or did I miss anything and these concerns are not valid?

Click to expand...

Hi there. Friendly neighborhood 1Password Tech Support guy here. Figure I can chime in on this. You're of course free to ignore my suggestions

1) Your data is lost if you lose your master password.

I combat this by having my master password written down on a piece of paper (along with instructional information in case I die) and put it in my safe deposit box. This serves two purposes: It's there if I forget it and it's there in case I die and someone needs access to my accounts (banking, credit cards, etc) to cancel or handle those things that happen when you die.

2) We store your data only on the device unless you specify to us to store it in the cloud. This means we keep two copies of the data. One locally on the device and one on the cloud. If the data is corrupt, it may or may not corrupt the data locally. This is why you keep backups, right? I mean, you are backing up your important data. I hope.

Part of the above master password procedure is that I put a thumbdrive in the safe deposit box along with my keychain file. I have two thumb drives and I rotate them in and out on a bi weekly basis. So roughly every two weeks I go in, drop off an up to date backup of the thumb drive and take the out of date one with me. Repeat the cycle. The thumbdrive actually has several backups:

thumbdrive/2013/01-January/Date/1Password.agilekeychain
thumbdrive/2013/01-January/Date2/1Password.agilekeychain
thumbdrive/2013/02-February/Date/1Password.agilekeychain

So if one of the most recent backups is corrupt, I have the past 30 or so (i think, it's not a hard rule). The keychain is pretty small so having dozens of copies doesn't take up much space.

Obviously the thumbdrive contains other data, contact information exported from Contacts, SSH keys (which are actually in 1Password), and other important files that I must have access to.

Of course, I also have a local backup that I make with Time Machine (or in my real case Carbon Copy Cloner, but TM works fine). And I use Crashplan for online backup.

Cover your bases. Backup your important data. Don't wait for that time when something does go crash and boom and your data is gone. It only takes this happening once before many people jump on the backup bandwagon.

3) Use the iOS app or 1PasswordAnywhere. Both facilitate accessing your passwords remotely. That same keychain file i put on a flashdrive? Yup, it's on Dropbox as well. I can then log into my Dropbox and goto the keychain folder then 1Password.html to view my data.

Hope that helps!

----------

flynz4 said:

You do not have to. Sharing via dropbox is your choice. 1Password creates a local encrypted vault that you do not have to share.

/Jim

Click to expand...

In the US at least, your money is protected by various laws and you can get it back if it was removed by someone other than yourself.

But, if you choose a strong master password and protect yourself properly by not installing random pieces of software that are untrusted. You should be just fine.

We all use Dropbox at AgileBits. If we didn't trust it, we wouldn't put it in the application. Use a strong master password to protect your data and you'll be fine. We never transmit that data over the internet so it is only ever at risk if someone has a keylogger installed on your device (and we have mechanisms in place to prevent that from gaining access to your typed in password as well).

If you have real specific questions regarding Cloud storage and 1Password please let me know. Again, we wouldn't put it in there if it wasn't secure.

2012Tony2012 said:

You are better off using an App that stores personal information and passwords encrypted locally, I would never trust anything in the cloud. You may wake up one morning and have $0 in all your bank acccounts.

Click to expand...

If you have a bank account, your money is in the cloud. So...

AGKyle said:

2) We store your data only on the device unless you specify to us to store it in the cloud. This means we keep two copies of the data. One locally on the device and one on the cloud. If the data is corrupt, it may or may not corrupt the data locally. This is why you keep backups, right? I mean, you are backing up your important data. I hope.

Click to expand...

If syncing over Dropbox, an iCloud backup would restore the local file if the Dropbox file corrupted, correct?

Tilpots said:

If syncing over Dropbox, an iCloud backup would restore the local file if the Dropbox file corrupted, correct?

Click to expand...

This is actually beyond my knowledge of the application. So, I do apologize I'm not going to be able to provide an accurate response. I'll try to pull someone into this thread from the company that can answer it more thoroughly though.

If this won't work and you want to know more about this please email us on our support page (see my signature). Put Attention: Kyle in the subject and they'll assign it to me and I'll dig into it more and talk to the developers and our security guy who would know a lot more about this type of scenario and what will happen.

AGKyle said:

Part of the above master password procedure is that I put a thumbdrive in the safe deposit box along with my keychain file. I have two thumb drives and I rotate them in and out on a bi weekly basis. So roughly every two weeks I go in, drop off an up to date backup of the thumb drive and take the out of date one with me. Repeat the cycle. The thumbdrive actually has several backups:

thumbdrive/2013/01-January/Date/1Password.agilekeychain
thumbdrive/2013/01-January/Date2/1Password.agilekeychain
thumbdrive/2013/02-February/Date/1Password.agilekeychain

So if one of the most recent backups is corrupt, I have the past 30 or so (i think, it's not a hard rule). The keychain is pretty small so having dozens of copies doesn't take up much space.

Click to expand...

Due to a combination of being lazy, not enough time and the difficulty in getting hold of a safe deposit box I choose instead to create a backup to the cloud. The 1Password backup files are encrypted again locally and then uploaded to the cloud.

If something went wrong with the local file, my local backup strategy or the dropbox sync files then I would still have copies of the last 30 backups available in the cloud.

Tilpots said:

If you have a bank account, your money is in the cloud. So... ..

Click to expand...

But it's in the banks cloud, not some third party company I have no idea about.

2012Tony2012 said:

But it's in the banks cloud, not some third party company I have no idea about.

Click to expand...

You sure about that. Banks outsource all the time, we have no idea where our financial data is stored.

2012Tony2012 said:

But it's in the banks cloud, not some third party company I have no idea about.

Click to expand...

Your unencrypted data is in the bank's cloud. It needs to be unencrypted... because they need to manage the data on your behalf. Hence... any security breach exposes your data.

By contrast... when you choose to sync 1Password... your encrypted data is stored on the cloud... using a key that you control and only you know. Hence... despite any security breach... you data remains safe.

/Jim

All this is far, far too scary and nerdy. While it is surely a fine program, I stopped using it and went back to hidden notes.

flynz4 said:

because they need to manage the data on your behalf.

Click to expand...

That's not entirely true. Many current enterprise databases contain the ability to encrypt data and only the application (or user) that is authorized will decrypt the data - all very seamless and automatic (Oracle for instance can do this).

Whether the banks do this is another question, but given the laws that are on the books, I'd be surprised if banks and other financial institutions don't do this.

----------

carlgo said:

All this is far, far too scary and nerdy. While it is surely a fine program, I stopped using it and went back to hidden notes.

Click to expand...

Why is it scary? I find 1Password to be safe and stable to project my data.

I use FileVault, and so the data only drive is encrypted and so is my 1Password datafile. If people do not want to risk having their 1Password data file exposed in dropbox then they don't need too.

AGKyle said:

3) Use the iOS app or 1PasswordAnywhere. Both facilitate accessing your passwords remotely. That same keychain file i put on a flashdrive? Yup, it's on Dropbox as well. I can then log into my Dropbox and goto the keychain folder then 1Password.html to view my data.

Click to expand...

would you mind commenting on the security implications when using 1PasswordAnywhere? Most of the 1password contents are encrypted, but 1Password.html and other stuff isn't. Is there anything in place to mitigate the chance of those being modified? Maybe published gpg signatures, or a list of checksums?

Thanks!

maflynn said:

You sure about that. Banks outsource all the time, we have no idea where our financial data is stored.

Click to expand...

Fair and valid point.

----------

flynz4 said:

Your unencrypted data is in the bank's cloud. It needs to be unencrypted... because they need to manage the data on your behalf. Hence... any security breach exposes your data.

By contrast... when you choose to sync 1Password... your encrypted data is stored on the cloud... using a key that you control and only you know. Hence... despite any security breach... you data remains safe.

/Jim

Click to expand...

I do feel more safe and peace of mind using MoxierWallet as my data is encrypted locally on my hard drive only and not in the cloud.

2012Tony2012 said:

I do feel more safe and peace of mind using MoxierWallet as my data is encrypted locally on my hard drive only and not in the cloud.

Click to expand...

1Password encrypts the contents locally before syncing to the cloud. I would never have used 1Password unless I thought they took security seriously.