To be clear, iCloud was never hacked. People used poor passwords and Apple allowed multiple password attempts without some form of timeout between them.

Nobody "hacked" iCloud. Those people used easy to guess passwords or the same password for every place they visit. Nor did they use two-factor authentication.

Sure....hacked/cracked/socially engineered or whatever we call it...the end result is the same i.e., contents in the cloud were made available for malicious intent. I was trying to determine if the cloud solutions used by LastPass, 1Password are impervious to direct access of the keychain file by hackers. If they both are, then a price comparison between LastPass and 1Password makes sense (provided we are talking about cloud hosted keychains only - not referring to the local sync provided by 1Password)
But it's not "whatever we call it" because there is an important difference: LastPass was truly hacked (if memory serves) by people who broke security that was the responsibility of the company; iCloud was "hacked" by people who broke security that was the responsibility of the individual users (to put it another way, you've never heard of an iCloud "hack" involving people with good, difficult-to-guess passwords). Any LastPass vaults that are stolen can then be brute forced at the hacker's leisure. Thus, the difference between iCloud's "hack" and that of LastPass becomes important.

I don't trust, and don't recommend anyone else does, either, a security company that can't even keep their own network locked down.

To be honest, the iCloud hack could have been easily prevented by Apple if they had implemented 2FA. Hacking does not just mean finding dubious ways to open/find a port and SSHing to it in the background in a dark basement somewhere. Today, hacking can also include social engineering to gain access. Thus, it was Apple's responsibility to make social engineering difficult to execute. There are many ways to do this...one of which is 2FA, and Apple dropped the ball on this one then. I don't deny that the users had a role to play in it too; the least they could have done is use strong passwords.

But I digress. The question is not whether iCloud was hacked. The question is: even if ANY cloud service was hacked, can the hackers decrypt our keychains? I am no security expert, but Kerckhoffs's principle states exactly that: even if the design of the system is public, the system should still be secure as long as the key is private. So even if hackers got to our keychains, can they, in a feasible manner, decrypt our keychains? Are the security models of LastPass and 1Password sufficiently robust to handle this? If they both are, then they can be price compared.

I think, without reading LastPass's documentation, LastPass uses industry standard encryption algorithms. This is because they were able to survive two hacks; if either of those hacks would have given the hackers what they wanted, I don't think LastPass could have survived the eventual litigation. Using industry standard encryption algorithms, by itself, is great because it is extremely difficult to break today's encryption standards. Look at how Congress is wailing about how Apple's/Google's encryption is making things difficult for them. This shows that even a well-funded government organization cannot break into one's iPhone because it is encrypted, even if they had all the time in the world.

Anyway, I will have to read up on LastPass. Even if I do not subscribe, it is probably good education.

And as an offshoot, it is easy to target LastPass because the hacker is sure that a successful hack will give him a treasure trove of passwords. I *think* Dropbox is not a target like that. The ROI on hacking Dropbox is not that great because not every Dropbox user will have a keychain stored in his account, but every LastPass user will surely have a keychain stored. That is why LastPass is targeted so often, and I think it is a good thing; this will cause them to bump up their security models :). If 1Password had their own sync service, I bet it would have been a target for the hackers and you and I would have had a very different conversation.
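An added example (not code from the thread's authors, LastPass or 1Password) of the design the post above is reasoning about: a vault whose format is fully public and whose only secret is the master password, plus the arithmetic for how long an offline guess through a stolen copy takes. Assumed: PBKDF2-HMAC-SHA256 as the stretching function, a toy HMAC keystream standing in for a real cipher, and the attacker's PBKDF2 throughput passed in as a parameter.

```python
import hashlib
import hmac
import math
import os

# Constructed vault design (Kerckhoffs): salt, iteration count, verifier tag
# and ciphertext are all readable by whoever steals the file; only the
# master password is secret. Not the real LastPass/1Password format.


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 32-byte key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy counter-mode keystream from HMAC; illustrative only, use AES-GCM for real data."""
    out = bytearray()
    for block in range(math.ceil(len(data) / 32)):
        ks = hmac.new(key, block.to_bytes(4, "big"), "sha256").digest()
        chunk = data[block * 32:(block + 1) * 32]
        out += bytes(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


def seal_vault(master_password: str, secrets: bytes, iterations: int = 100_000) -> dict:
    """Encrypt the secrets under a key derived from the master password."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    return {
        "salt": salt,
        "iterations": iterations,
        "verifier": hmac.new(key, b"vault-verifier", "sha256").digest(),
        "ciphertext": keystream_xor(key, secrets),
    }


def open_vault(vault: dict, master_password: str):
    """Return the decrypted secrets, or None if the password does not match."""
    key = derive_key(master_password, vault["salt"], vault["iterations"])
    tag = hmac.new(key, b"vault-verifier", "sha256").digest()
    if not hmac.compare_digest(tag, vault["verifier"]):
        return None
    return keystream_xor(key, vault["ciphertext"])


def offline_attack_years(iterations: int, password_space: int, pbkdf2_rounds_per_second: float) -> float:
    """Years to exhaust a password space against a stolen vault at a given PBKDF2 throughput."""
    guesses_per_second = pbkdf2_rounds_per_second / iterations
    return password_space / guesses_per_second / (365 * 24 * 3600)
```

The verifier lets the attacker check each guess offline, so the only levers the vault owner controls are the iteration count and the size of the password space; the function shows how each scales the attacker's cost.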
 
I've been using 1Password for years, and absolutely swear by it. I sync on Dropbox, so it works on all my devices including Windows and Android.

I used to use SplashID, but syncing between machines frequently hosed my database, and I got tired of restoring it. 1Password just works.