
Alpha Centauri

macrumors 65816
Oct 13, 2020
1,252
987
Yeah, I think it makes sense to store things separate. You wouldn’t put your keys in your filing cabinet.
Analogies can be skewed to any point really. Do you keep every single house, garage, letter box key separate or on a key bundle? End of the day it's whatever system works best consistently, easily updatable and without making things complicated for each user. We'll have to agree to disagree on this one as it's a case of whatever works best for each person.
 

svenmany

macrumors demi-god
Jun 19, 2011
2,053
1,331
Imo it logically makes more sense to store that sorta stuff in Notes rather than a password manager.

I would not trust sensitive credentials to applications which are not dedicated to securing them. If I had casual information that I just wanted to keep away from prying eyes, then encrypted notes would be good enough.

Sometimes I need to copy a password when sitting in a coffee shop, where someone might be looking over my shoulder. I would never expose a note in such an environment. With 1Password, anything sensitive is not displayed, but I can still copy it. That feature is super important to me.
 

MallardDuck

macrumors 68000
Jul 21, 2014
1,585
2,918
I work in cybersecurity, and have no concerns about using 1P8, and honestly it's by far the best option overall. Their encryption solution is such that it is impossible for them to decrypt the keychain. Just never use the in-browser option (plug in is ok), and your creds never leave your machine. With the secret key (aka cryptographic salt), even if an attacker gets your master passphrase, they still won't be able to decrypt it.

Now, you do have to use a browser to do the initial setup - so I did that with a fresh, clean installed browser on a known good machine (actually a brand new VM). But then again I also wear tinfoil hats for a living, so it was probably a bit overkill.

It goes without saying, to never, ever, login from a device you don't control (not just 1P - but any site).
 

svenmany

macrumors demi-god
Jun 19, 2011
2,053
1,331
Just never use the in-browser option (plug in is ok)

Not sure what you mean by that. What is the "in-browser option"? What is the "plug in"?

Are you saying it's ok to use the browser extension but to make sure some particular setting is turned off?
 

ThrowerGB

macrumors regular
Jun 11, 2014
237
81
With mSecure, you can store the vault locally, or online in either iCloud, Dropbox, or the mSecure cloud. Synchronization across devices works in each case.
 

MallardDuck

macrumors 68000
Jul 21, 2014
1,585
2,918
Not sure what you mean by that. What is the "in-browser option"? What is the "plug in"?

Are you saying it's ok to use the browser extension but to make sure some particular setting is turned off?
Using the plugin is fine, as that's all local to your machine, but don't go to 1password.com, login there, and use the web-interface itself to access your vault. In that case, then your creds are transmitted to the 1password servers.
 

xpxp2002

macrumors 65816
May 3, 2016
1,155
2,727
Using the plugin is fine, as that's all local to your machine, but don't go to 1password.com, login there, and use the web-interface itself to access your vault. In that case, then your creds are transmitted to the 1password servers.
That's interesting. Does simply logging into my.1password.com cause that?

I feel like it would since you have to use your secret key + password to log in there. Which sucks, because billing and some vault permissions can only be managed through the web.
 

svenmany

macrumors demi-god
Jun 19, 2011
2,053
1,331
Using the plugin is fine, as that's all local to your machine, but don't go to 1password.com, login there, and use the web-interface itself to access your vault. In that case, then your creds are transmitted to the 1password servers.

They claim that your credentials are not transmitted to the servers. The JavaScript that is running in your browser is a full application that does all the encryption work locally.

Do you know that to be false?
 

seek3r

macrumors 68020
Aug 16, 2010
2,297
3,280
1Password is deprecating its browser extension in July. I can't upgrade to version 8 because I am using an older OS. Nor do I like their subscription model. This means I must migrate my passwords to a different program.

I guess I don't need a browser extension. I could cut and paste the password into a site when I need to. Tedious, of course.
It isn't that I don't mind paying for a product. It's that I want to keep my password vault local and secure on my computer, not broadcast over the internet to the cloud or some company's server. I realize I have some work ahead of me, but to me the privacy is more important than the convenience of a browser extension.

Would anyone care to make a list of possible password managers that keep my vault local?
There's KeepassX and KeepassXC, but I don't know anything about them or any alternatives.
I'm in the same boat, though in my case it's because I wanted to keep my local vaults, not OS version issues, so I'm stuck on 7; planning to switch to Bitwarden.
 

seek3r

macrumors 68020
Aug 16, 2010
2,297
3,280
I work in cybersecurity, and have no concerns about using 1P8, and honestly it's by far the best option overall. Their encryption solution is such that it is impossible for them to decrypt the keychain. Just never use the in-browser option (plug in is ok), and your creds never leave your machine. With the secret key (aka cryptographic salt), even if an attacker gets your master passphrase, they still won't be able to decrypt it.

Now, you do have to use a browser to do the initial setup - so I did that with a fresh, clean installed browser on a known good machine (actually a brand new VM). But then again I also wear tinfoil hats for a living, so it was probably a bit overkill.

It goes without saying, to never, ever, login from a device you don't control (not just 1P - but any site).
I use completely separate storage for vaults for work, personal, and shared and scope what devices have access to what based on what they need. I can't do that with 8. That by itself represents a major downgrade in security posture for me to switch off 7 to 8
 

MallardDuck

macrumors 68000
Jul 21, 2014
1,585
2,918
That's interesting. Does simply logging into my.1password.com cause that?

I feel like it would since you have to use your secret key + password to log in there. Which sucks, because billing and some vault permissions can only be managed through the web.
Yup, and that's a design point I don't like.

It does have some protection, and times out the access after a period of time. But if your browser is compromised, it's a bad day.

So when I do have to do those things, I go back to a clean browser (I keep edge on my machine just for this kind of thing), with no plugins, locked down in private browsing, do the task I need to do, then wipe the cache and cookies.
 

VineRider

macrumors 65816
May 24, 2018
1,344
1,155
This article would seem to indicate that the user's password is never sent to 1Password servers as they use the Secure Remote Password protocol. This article states that the password is never sent to 1Password.

 
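To make concrete what the Secure Remote Password protocol mentioned in the post above actually buys you, here is a minimal SRP-6a exchange in Python using only the standard library. This is an added example written for this page, not 1Password's implementation: 1Password's real parameters, hash choices and the way the secret key is folded into the exchange live in its security white paper and are not reproduced here. The 1024-bit RFC 2409 group, SHA-256, the constructed "alice" credentials and the M1 proof format are choices made for this illustration. The point it shows: the server stores only a salt and a verifier v = g^x, the client never transmits the password or x, and both sides still end up with the same session key. The final function also shows the caveat the thread circles around: a stolen verifier does permit offline password guessing, which is exactly the gap a second, high-entropy secret is meant to close.

```python
"""SRP-6a password-authenticated login: the server stores a verifier, never
the password, and the password never crosses the wire (added example)."""
import hashlib
import hmac
import os

# 1024-bit MODP safe prime from RFC 2409 (group 2), generator 2. Chosen only
# to keep the example short; production SRP should use a larger group.
N = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
g = 2
NLEN = (N.bit_length() + 7) // 8


def pad(n):
    """Fixed-width big-endian encoding so hash inputs are unambiguous."""
    return n.to_bytes(NLEN, "big")


def hash_int(*parts):
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = hash_int(pad(N), pad(g))  # SRP-6a multiplier


def private_x(salt, username, password):
    """x = H(salt | H(username ":" password)); computed only on the client."""
    inner = hashlib.sha256(username + b":" + password).digest()
    return int.from_bytes(hashlib.sha256(salt + inner).digest(), "big")


def enroll(username, password):
    """Client-side enrollment. Only salt and verifier v = g^x go to the server."""
    salt = os.urandom(16)
    v = pow(g, private_x(salt, username, password), N)
    return {"username": username, "salt": salt, "verifier": v}


class Client:
    def __init__(self, username, password):
        self.username, self.password = username, password
        self.a = int.from_bytes(os.urandom(32), "big")
        self.A = pow(g, self.a, N)  # sent to the server

    def session_key(self, salt, B):
        if B % N == 0:
            raise ValueError("rejecting degenerate server value B")
        u = hash_int(pad(self.A), pad(B))
        x = private_x(salt, self.username, self.password)
        base = (B - k * pow(g, x, N)) % N  # equals g^b: strips the k*v term
        S = pow(base, self.a + u * x, N)
        return hashlib.sha256(pad(S)).digest()


class Server:
    def __init__(self, record):
        self.v = record["verifier"]
        self.b = int.from_bytes(os.urandom(32), "big")
        self.B = (k * self.v + pow(g, self.b, N)) % N  # sent with the salt

    def session_key(self, A):
        if A % N == 0:
            raise ValueError("rejecting degenerate client value A")
        u = hash_int(pad(A), pad(self.B))
        S = pow((A * pow(self.v, u, N)) % N, self.b, N)
        return hashlib.sha256(pad(S)).digest()


def login(record, username, password):
    """One exchange; True only if both sides derive the same key. The client
    proves it with M1 = H(A | B | K); the password itself never leaves it."""
    client, server = Client(username, password), Server(record)
    K_client = client.session_key(record["salt"], server.B)  # client received (salt, B)
    K_server = server.session_key(client.A)                  # server received A
    M1 = hashlib.sha256(pad(client.A) + pad(server.B) + K_client).digest()
    expected = hashlib.sha256(pad(client.A) + pad(server.B) + K_server).digest()
    return hmac.compare_digest(M1, expected)


def offline_guess(record, username, guess):
    """What a breach of the server DOES allow: testing password guesses
    against the stolen verifier. A second high-entropy secret closes this."""
    return pow(g, private_x(record["salt"], username, guess), N) == record["verifier"]


if __name__ == "__main__":
    rec = enroll(b"alice", b"correct horse battery staple")  # constructed sample
    print("right password:", login(rec, b"alice", b"correct horse battery staple"))
    print("wrong password:", login(rec, b"alice", b"hunter2"))
    print("offline guess vs stolen verifier:", offline_guess(rec, b"alice", b"hunter2"))
```

Note the two checks for A or B being zero mod N: without them a man-in-the-middle can force the shared secret to a known value, which is the classic SRP implementation mistake.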

MallardDuck

macrumors 68000
Jul 21, 2014
1,585
2,918
They claim that your credentials are not transmitted to the servers. The JavaScript that is running in your browser is a full application that does all the encryption work locally.

Do you know that to be false?

Yeah, I was too loose with my language there. Assuming that 1) it's the real site and not typosquatting, and 2) that your browser - and all the plugins - are secure, then that's true. But that's still something I'd prefer to be able to do in the application itself versus a browser, as the latter is a much broader threat vector. Besides, other than actually administrating your account, there are very few reasons to ever do it.

From a security standpoint, how is 1P8 superior to those of us who store our vaults locally?

It's not superior, it's on par. My point was that 1P8 is superior to competitive products, as many of those lack key features for usability or have sub-par encryption schemes (e.g. many simply encrypt with the password and no secret key/salt). BTW, I presume here we're talking about true local vaults (wifi sync) and not dropbox - because the latter is the worst of all worlds (dropbox has access to the files) - and that icloud sync is disabled, there's no cloud backup or any other cloud copies of the local vault itself, etc.

Is there a theoretical risk if someone compromises the 1P servers and extracts copies of all the vaults? Yes, absolutely. It's greatly mitigated by the secret key, and as long as you use a strong passphrase (not password!) then brute force attacks are highly unlikely to result in cracking the vault given the current state of the art. If nothing else, you'd have time to take action.

So, if, someday, all the vaults are stolen, what would I do? First, I'd immediately change my master passphrase for all the accounts. Second, I'd go change my email password, since that's the most critical one as it's used for all other password resets. Then I probably would change all my bank passwords, but mostly from a belt, suspenders, boxers, briefs, raincoat, trenchcoat from a better safe than sorry perspective. Last, I'd take a deep breath and stop - and think - about the real risk, and decide what, if any, other ones I needed to change, and when. I probably would change them all at some point, just to be safe against some future advance in cryptanalysis (e.g. quantum computing).

So my decision (and that of many large, sophisticated, and highly regulated companies that have approved 1P cloud for internal use) is that the ease of use and convenience of cloud syncing and the other modern features is worth the tradeoff against manual syncing with a local vault and -possibly- someday having to change all my passwords (over time, and not in a panic like some of the competing cloud products that do have access to the contents).

Now talk to me about 1P8 using Electron, I'm not happy at all :).
 
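The post above hinges on the claim that a product which derives the vault key from the password alone is weaker than one that combines the password with a secret key, and that a stolen copy of the vaults is survivable because of that second secret. The poster calls the secret key a salt; the property that actually matters is that it is roughly 128 bits of randomness generated on the user's device and never held by the server, so a guessed or phished master password on its own cannot open a server-side copy. The following Python is an added example written for this page that demonstrates that pattern (two-secret key derivation) end to end; it is not 1Password's published algorithm, whose exact construction is in its security white paper. The 100,000-iteration PBKDF2 cost, the 36-symbol 26-character secret-key alphabet, the HKDF labels, the constructed account details and the stdlib-only encrypt-then-MAC key wrapper are all assumptions made so the example runs offline; real code would wrap the vault key with an AEAD.

```python
"""Two-secret key derivation (2SKD) in the pattern the post describes: the
vault key is wrapped under a key that needs BOTH the account password and a
high-entropy secret key, so a stolen server copy plus a guessed password is
still useless (added example, not 1Password's published algorithm)."""
import hashlib
import hmac
import math
import os
import secrets
import string
import unicodedata

ITERATIONS = 100_000                               # assumed PBKDF2 cost
ALPHABET = string.ascii_uppercase + string.digits  # assumed 36-symbol alphabet


def hkdf_sha256(ikm, salt, info, length=32):
    """RFC 5869 HKDF (extract-then-expand) built on hashlib/hmac only."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def new_secret_key(length=26):
    """Generated on the client, shown to the user once, never sent to the server."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def secret_key_bits(length=26):
    return length * math.log2(len(ALPHABET))


def derive_unlock_key(password, secret_key, email, salt, account_id):
    # Half 1: slow, from the human-chosen password; salt bound to the account email.
    pw = unicodedata.normalize("NFKD", password).encode()
    pw_salt = hkdf_sha256(salt, email.lower().encode(), b"pbkdf2-salt")
    from_password = hashlib.pbkdf2_hmac("sha256", pw, pw_salt, ITERATIONS, 32)
    # Half 2: fast, from the high-entropy secret key; bound to the account id.
    from_secret = hkdf_sha256(secret_key.replace("-", "").encode(),
                              account_id.encode(), b"secret-key")
    # XOR the halves: an attacker missing either half learns nothing about the result.
    return bytes(a ^ b for a, b in zip(from_password, from_secret))


def wrap_vault_key(unlock_key, vault_key):
    """Toy encrypt-then-MAC wrapping of the vault key (stdlib only; use an AEAD for real)."""
    nonce = os.urandom(16)
    stream = hkdf_sha256(unlock_key, nonce, b"wrap-stream", len(vault_key))
    ct = bytes(a ^ b for a, b in zip(vault_key, stream))
    mac_key = hkdf_sha256(unlock_key, nonce, b"wrap-mac")
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct, tag


def unwrap_vault_key(unlock_key, blob, tag):
    nonce, ct = blob[:16], blob[16:]
    mac_key = hkdf_sha256(unlock_key, nonce, b"wrap-mac")
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong password, wrong secret key, or tampered blob
    stream = hkdf_sha256(unlock_key, nonce, b"wrap-stream", len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))


def enroll(password, secret_key, email, account_id):
    """Returns what the server stores (no password, no secret key) plus the vault key."""
    salt, vault_key = os.urandom(16), os.urandom(32)
    unlock_key = derive_unlock_key(password, secret_key, email, salt, account_id)
    blob, tag = wrap_vault_key(unlock_key, vault_key)
    record = {"email": email, "account_id": account_id, "salt": salt, "blob": blob, "tag": tag}
    return record, vault_key


def try_unlock(record, password, secret_key):
    unlock_key = derive_unlock_key(password, secret_key, record["email"],
                                   record["salt"], record["account_id"])
    return unwrap_vault_key(unlock_key, record["blob"], record["tag"])


def offline_attack(record, password_guesses, secret_key_guesses):
    """Attacker holding the server's copy must guess password AND secret key together."""
    for pw in password_guesses:
        for sk in secret_key_guesses:
            if try_unlock(record, pw, sk) is not None:
                return pw
    return None


if __name__ == "__main__":
    sk = new_secret_key()
    rec, vk = enroll("correct horse battery staple", sk, "alice@example.com", "ACCT-0001")
    print("secret key entropy (bits):", round(secret_key_bits(), 1))
    print("right password, right key:", try_unlock(rec, "correct horse battery staple", sk) == vk)
    print("right password, no key:", offline_attack(rec, ["correct horse battery staple"], [new_secret_key()]))
```

The `offline_attack` function is the part worth running: with the correct password in the guess list but no secret key it returns nothing, because the 134-bit secret key is not something a dictionary covers. That is the difference between "they stole the vaults, change everything tonight" and the calmer staged rotation the post describes.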

svenmany

macrumors demi-god
Jun 19, 2011
2,053
1,331
I would like to find a reference where 1Password talks about their web interface. I recall seeing their discussion of this in the past. Short of that, I don't see any significant concerns using their website.

The only real concern is that a browser can be compromised. They do talk about their checks that the browser is a trusted one and signed by the developer, but I can't tell if they are talking about when their extension is running in the browser or when you're using a browser to access their website.

But, no matter what, they do not send credentials to their servers. That would border on insanity.
 

turbineseaplane

macrumors G5
Mar 19, 2008
14,982
32,092
I wish Apple would get more serious about Passwords.

Break it into its own App .. make a Windows App version also

…and put the service into the Apple One bundle

That would get me off 1password
 

svenmany

macrumors demi-god
Jun 19, 2011
2,053
1,331
I seem to recall them discussing the relative strengths of the encryption libraries used in their web application versus their desktop application. Jeepers, I wish I could find that.
 

MallardDuck

macrumors 68000
Jul 21, 2014
1,585
2,918

VineRider

macrumors 65816
May 24, 2018
1,344
1,155
I seem to recall them discussing the relative strengths of the encryption libraries used in their web application versus their desktop application. Jeepers, I wish I could find that.
Does this not cover the issue? Between the article below and their security whitepaper, it states that the password and secret key are never transmitted to their servers. Admittedly, I am not a security expert so maybe you all are referencing something I am not familiar with.

 

MallardDuck

macrumors 68000
Jul 21, 2014
1,585
2,918
I wish Apple would get more serious about Passwords.

Break it into its own App .. make a Windows App version also

…and put the service into the Apple One bundle

That would get me off 1password

The big problem with relying on Apple's keychain is that the weakest link is the PIN code on your phone. I use 1P to generate a robust Apple ID password, and it's completely undermined by that really poor design decision.
 

MallardDuck

macrumors 68000
Jul 21, 2014
1,585
2,918
Does this not cover the issue? Between the article below and their security whitepaper, it states that the password and secret key are never transmitted to their servers. Admittedly, I am not a security expert so maybe you all are referencing something I am not familiar with.


Right, it's not transmitted to the servers, but it is entered into a web page.

That web page could be fake (like all the O365 cred phishing pages out there), or a malicious browser plugin could harvest all the information transmitted to it, or the browser itself could have a vulnerability, and so on. It vastly increases the threat surface versus an application connecting to a known good authenticated API. I tolerate it because I have to, but would never use the actual web client (not the browser plugin - the website itself) for regular use. Use the app - it's actually easier, and it's more secure.

And never, ever, sign into 1password.com from a machine that you don't own or control for any reason other than disaster recovery (e.g. house burns down with all your devices inside and you have to use your brother's machine and emergency kit stored in your safe deposit box to recover access to your account).
 

VineRider

macrumors 65816
May 24, 2018
1,344
1,155
Right, it's not transmitted to the servers, but it is entered into a web page.

That web page could be fake (like all the O365 cred phishing pages out there), or a malicious browser plugin could harvest all the information transmitted to it, or the browser itself could have a vulnerability, and so on. It vastly increases the threat surface versus an application connecting to a known good authenticated API. I tolerate it because I have to, but would never use the actual web client (not the browser plugin - the website itself) for regular use. Use the app - it's actually easier, and it's more secure.

And never, ever, sign into 1password.com from a machine that you don't own or control for any reason other than disaster recovery (e.g. house burns down with all your devices inside and you have to use your brother's machine and emergency kit stored in your safe deposit box to recover access to your account).
I see what you are getting at now. I was not considering a fake web page....that is a good point.
 

ifxf

macrumors 6502
Jun 7, 2011
401
661
A major issue, for me, with Apple keychain you can’t export your passwords for backup unless you have access to a Mac. With just ios devices you are entirely dependent upon icloud which has not been reliable in the past.
 