Risks of using 1Password?

Discussion in 'Mac Apps and Mac App Store' started by keaide, Feb 13, 2013.

  1. macrumors regular

    Joined:
    Nov 13, 2010
    #1
    I'm not talking about the risk of storing all your passwords somewhere in the cloud here. I'm just trying to understand some side effects of using it. Is it correct that

    1. if I forget the master password then I'm doomed and can't access anything any more
    2. if the password storage file is corrupt for some reason (this happened to me once with an iCloud-synced file) then all my passwords are gone, too
    3. I won't be able to log in to anything any more using another computer (e.g. at a friend's home) because it's 1Password that knows all my passwords (not me any more)

    Or did I miss anything and these concerns are not valid?
     
  2. macrumors newbie

    Joined:
    Dec 16, 2012
    #2
    i thought of these possibilities once i started using 1password on my mac..
    so:
    1. i chose the same password as my primary email that i have been using for ages. i will less likely forget that one.

    2. i feel safer now that i got the iphone app as well and they sync nicely.
    if i lose data on one device, i always can access the other.

    3. you can sync with dropbox but i'm not sure if you can actually see your password somehow.
     
  3. macrumors 6502a

    2012Tony2012

    Joined:
    Dec 2, 2012
    #3
    You are better off using an App that stores personal information and passwords encrypted locally, I would never trust anything in the cloud. You may wake up one morning and have $0 in all your bank accounts.
     
  4. thread starter macrumors regular

    Joined:
    Nov 13, 2010
    #4
    Will version 4 not sync automatically via iCloud? So if the data file is corrupt, it will sync a broken one to all devices...

    @2012Tony2012: That's definitely the other issue. There is actually not much compelling reason why you should trust any cloud service with your entire digital life and real-world bank accounts other than convenience.
     
  5. macrumors 68030

    HazyCloud

    Joined:
    Jun 30, 2010
    #5
    1Password stores your info in an encrypted file in Dropbox that even 1Password can't open without your master password.

    Also 1Password stores all of your info locally unless you choose to store it on Dropbox.

    I think that even if your iCloud data was borked, 1Password would still open. It may just not grab any recently added info.
     
  6. macrumors newbie

    Joined:
    Dec 16, 2012
    #6

    i don't think it does.. by default, it does not sync anything nor does it save anything online. it only saves data locally unless you tell it to do otherwise.
     
  7. macrumors 68040

    Joined:
    Aug 9, 2009
    Location:
    Portland, OR
    #7
    You do not have to. Sharing via dropbox is your choice. 1Password creates a local encrypted vault that you do not have to share.

    /Jim
     
  8. macrumors 68030

    HazyCloud

    Joined:
    Jun 30, 2010
    #8
    They're referring to the Mac version which will sync via iCloud (if it's from the MAS), but you're right, you can always turn it off and sync locally over Wi-Fi.
     
  9. macrumors 68040

    Joined:
    Aug 9, 2009
    Location:
    Portland, OR
    #9
    1. Duh... but you use it every day. Plus... my wife and I share the same master password... so if Alzheimer's kicks in... the other takes control
    2. 1Password saves daily backups... I think to a maximum of 30 by default. Plus... you do have backup right?
    3. Personally... I never use other people's computers at all. I do not want to type into their keylogger. Still... you can always get your passwords off of your iPhone, iPad, Android or whatever you have with you. 1Password optionally lets you have encrypted access via 1Password via a web browser... but I do not put my data out there. I do not need to since I never use 3rd party computers... ever.

    /Jim

    ----------

    I think just the new iOS version has the capability to sync via iCloud. The MAS version can sync via WiFi (manually) or via Dropbox (Automatically).

    I would assume that 1Password 4 will add iCloud sync... but it will also need to sync via Dropbox since 1Password is a cross-platform application.

    /Jim
     
  10. macrumors 68030

    HazyCloud

    Joined:
    Jun 30, 2010
    #10
    It won't have to have sync via Dropbox ever. That's totally optional. A user can just sync via Wi-Fi or via iCloud if they choose. Now if you wanted to sync it with the Windows version, sure you'd need to sync via Dropbox.
     
  11. macrumors regular

    colshine

    Joined:
    Mar 2, 2011
    Location:
    UK
    #11
    If you forget your master password then you lose access to the datafile:

    http://help.agilebits.com/1Password3/forgot_password.html

    I like this approach, which is why I selected 1Password.

    Make sure you're creating backups:

    http://help.agilebits.com/1Password3/data_backup.html

    They have thought of this:

    http://help.agilebits.com/1Password3/1passwordanywhere.html

    EDIT: If you're using the MAS version it is a little different:

    http://forum.agilebits.com/index.php?/topic/8068-official-answers-1password-and-the-mac-app-store/

     
  12. macrumors 6502a

    Joined:
    Jul 24, 2011
    #12
    For me, getting 1Password was step one to organizing my information. Buy 1Password, store everything in there. From passwords to passport numbers to software licenses.

    Step 2. Buy a fire safe for my house. Write down my master password, and put it in there. In fact, I wrote instructions for someone to sort it all out if I'm no longer around.

    Step 3. Get a backup plan in place. Time Machine to an external hard drive, and a subscription to backblaze.
     
  13. macrumors regular

    colshine

    Joined:
    Mar 2, 2011
    Location:
    UK
    #13
    That's a good point, have a look at Arq for what I consider a straightforward backup plan to Amazon S3.
     
  14. macrumors 6502

    Joined:
    Jun 10, 2012
    #14
    Hi there. Friendly neighborhood 1Password Tech Support guy here. Figure I can chime in on this. You're of course free to ignore my suggestions :)

    1) Your data is lost if you lose your master password.

    I combat this by having my master password written down on a piece of paper (along with instructional information in case I die) and put it in my safe deposit box. This serves two purposes: It's there if I forget it and it's there in case I die and someone needs access to my accounts (banking, credit cards, etc) to cancel or handle those things that happen when you die.

    2) We store your data only on the device unless you specify to us to store it in the cloud. This means we keep two copies of the data. One locally on the device and one on the cloud. If the data is corrupt, it may or may not corrupt the data locally. This is why you keep backups, right? :) I mean, you are backing up your important data. I hope.

    Part of the above master password procedure is that I put a thumbdrive in the safe deposit box along with my keychain file. I have two thumb drives and I rotate them in and out on a biweekly basis. So roughly every two weeks I go in, drop off an up to date backup of the thumb drive and take the out of date one with me. Repeat the cycle. The thumbdrive actually has several backups:

    thumbdrive/2013/01-January/Date/1Password.agilekeychain
    thumbdrive/2013/01-January/Date2/1Password.agilekeychain
    thumbdrive/2013/02-February/Date/1Password.agilekeychain

    So if one of the most recent backups is corrupt, I have the past 30 or so (I think, it's not a hard rule). The keychain is pretty small so having dozens of copies doesn't take up much space.

    Obviously the thumbdrive contains other data, contact information exported from Contacts, SSH keys (which are actually in 1Password), and other important files that I must have access to.

    Of course, I also have a local backup that I make with Time Machine (or in my real case Carbon Copy Cloner, but TM works fine). And I use Crashplan for online backup.

    Cover your bases. Backup your important data. Don't wait for that time when something does go crash and boom and your data is gone. It only takes this happening once before many people jump on the backup bandwagon.

    3) Use the iOS app or 1PasswordAnywhere. Both facilitate accessing your passwords remotely. That same keychain file I put on a flashdrive? Yup, it's on Dropbox as well. I can then log into my Dropbox and go to the keychain folder then 1Password.html to view my data.

    Hope that helps!

    ----------

    In the US at least, your money is protected by various laws and you can get it back if it was removed by someone other than yourself.

    But, if you choose a strong master password and protect yourself properly by not installing random pieces of software that are untrusted, you should be just fine.

    We all use Dropbox at AgileBits. If we didn't trust it, we wouldn't put it in the application. Use a strong master password to protect your data and you'll be fine. We never transmit that data over the internet so it is only ever at risk if someone has a keylogger installed on your device (and we have mechanisms in place to prevent that from gaining access to your typed in password as well).

    If you have real specific questions regarding Cloud storage and 1Password please let me know. Again, we wouldn't put it in there if it wasn't secure.
     
  15. macrumors 601

    Tilpots

    Joined:
    Apr 19, 2006
    Location:
    Carolina Beach, NC
    #15
    If you have a bank account, your money is in the cloud. So... ;)



    If syncing over Dropbox, an iCloud backup would restore the local file if the Dropbox file corrupted, correct?
     
  16. AGKyle, Feb 14, 2013
    Last edited: Feb 18, 2013

    macrumors 6502

    Joined:
    Jun 10, 2012
    #16
    This is actually beyond my knowledge of the application. So, I do apologize I'm not going to be able to provide an accurate response. I'll try to pull someone into this thread from the company that can answer it more thoroughly though.

    If this won't work and you want to know more about this please email us on our support page (see my signature). Put Attention: Kyle in the subject and they'll assign it to me and I'll dig into it more and talk to the developers and our security guy who would know a lot more about this type of scenario and what will happen.
     
  17. macrumors regular

    colshine

    Joined:
    Mar 2, 2011
    Location:
    UK
    #17
    Due to a combination of being lazy, not enough time and the difficulty in getting hold of a safe deposit box I choose instead to create a backup to the cloud. The 1Password backup files are encrypted again locally and then uploaded to the cloud.

    If something went wrong with the local file, my local backup strategy or the dropbox sync files then I would still have copies of the last 30 backups available in the cloud.
     
  18. macrumors 6502a

    2012Tony2012

    Joined:
    Dec 2, 2012
    #18
    But it's in the bank's cloud, not some third party company I have no idea about.:cool:
     
  19. Moderator

    maflynn

    Staff Member

    Joined:
    May 3, 2009
    Location:
    Boston
    #19
    You sure about that? Banks outsource all the time, we have no idea where our financial data is stored.
     
  20. macrumors 68040

    Joined:
    Aug 9, 2009
    Location:
    Portland, OR
    #20
    Your unencrypted data is in the bank's cloud. It needs to be unencrypted... because they need to manage the data on your behalf. Hence... any security breach exposes your data.

    By contrast... when you choose to sync 1Password... your encrypted data is stored on the cloud... using a key that you control and only you know. Hence... despite any security breach... your data remains safe.

    /Jim
     
  21. macrumors 68000

    Joined:
    Dec 29, 2006
    #21
    All this is far, far too scary and nerdy. While it is surely a fine program, I stopped using it and went back to hidden notes.
     
  22. Moderator

    maflynn

    Staff Member

    Joined:
    May 3, 2009
    Location:
    Boston
    #22
    That's not entirely true. Many current enterprise databases contain the ability to encrypt data and only the application (or user) that is authorized will decrypt the data - all very seamless and automatic (Oracle for instance can do this).

    Whether the banks do this is another question, but given the laws that are on the books, I'd be surprised if banks and other financial institutions don't do this.

    ----------

    Why is it scary? I find 1Password to be safe and stable to protect my data.

    I use FileVault, and so the data only drive is encrypted and so is my 1Password datafile. If people do not want to risk having their 1Password data file exposed in dropbox then they don't need to.
     
  23. macrumors member

    Joined:
    Jun 17, 2012
    #23
    would you mind commenting on the security implications when using 1PasswordAnywhere? Most of the 1password contents are encrypted, but 1Password.html and other stuff isn't. Is there anything in place to mitigate the chance of those being modified? Maybe published gpg signatures, or a list of checksums?

    Thanks!
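
An added example, not part of the thread and not AgileBits code: one way to combine the dated backup layout described in post #14 with the checksum idea raised in post #23, so that a synced or backed-up copy of the keychain folder can be checked against a manifest kept offline. The manifest name, the function names and the sample folder contents are assumptions constructed for illustration; only the names 1Password.agilekeychain and 1Password.html and the directory layout come from the posts.

```python
import hashlib, json, shutil, tempfile
from datetime import date
from pathlib import Path

MANIFEST = "SHA256SUMS.json"  # assumed file name, written beside each backup copy

def hash_tree(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(Path(root).rglob("*")) if p.is_file()}

def snapshot(keychain, backup_root, day=None):
    """Copy the keychain folder to backup_root/YYYY/MM-Month/YYYY-MM-DD/ with a manifest."""
    keychain, day = Path(keychain), day or date.today()
    dest_dir = Path(backup_root) / f"{day:%Y}" / f"{day:%m-%B}" / day.isoformat()
    dest = dest_dir / keychain.name
    shutil.copytree(keychain, dest)  # refuses to overwrite an existing dated copy
    (dest_dir / MANIFEST).write_text(json.dumps(hash_tree(dest), indent=2))
    return dest

def verify(copy, manifest):
    """Compare any copy of the folder (backup or synced) against a stored manifest."""
    recorded, current = json.loads(Path(manifest).read_text()), hash_tree(copy)
    return {
        "changed": sorted(k for k in recorded.keys() & current.keys()
                          if recorded[k] != current[k]),
        "missing": sorted(recorded.keys() - current.keys()),
        "added": sorted(current.keys() - recorded.keys()),
    }

def demo():
    """Constructed sample: a fake keychain folder, one backup, then a modified synced copy."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        synced = tmp / "Dropbox" / "1Password.agilekeychain"
        (synced / "data").mkdir(parents=True)
        (synced / "1Password.html").write_text("<html>viewer</html>")
        (synced / "data" / "item1").write_text("ciphertext-placeholder")
        copy = snapshot(synced, tmp / "thumbdrive", date(2013, 2, 14))
        clean = verify(copy, copy.parent / MANIFEST)
        # Simulate the unencrypted viewer page changing in the synced folder.
        (synced / "1Password.html").write_text("<html>viewer (modified)</html>")
        (synced / "extra.js").write_text("x")
        return clean, verify(synced, copy.parent / MANIFEST), copy.relative_to(tmp).as_posix()

if __name__ == "__main__":
    print(demo())
```

Keep the manifest with the offline copy so it cannot be altered together with the synced folder. Item files change legitimately whenever entries are edited, so compare against the most recent snapshot.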
     
  24. macrumors 6502a

    2012Tony2012

    Joined:
    Dec 2, 2012
    #24
    Fair and valid point.

    ----------

    I do feel more safe and peace of mind using MoxierWallet as my data is encrypted locally on my hard drive only and not in the cloud.
     
  25. macrumors regular

    colshine

    Joined:
    Mar 2, 2011
    Location:
    UK
    #25
    1Password encrypts the contents locally before syncing to the cloud. I would never have used 1Password unless I thought they took security seriously.
     
