Exactly, doesn't sound too secure to me: you guess the single password, and that gets you into every single site/account you have.

How is that different over what I'm doing now? Serious question...

You create a master password that can't be guessed. That's how.
 
Exactly, doesn't sound too secure to me: you guess the single password, and that gets you into every single site/account you have.

How is that different over what I'm doing now? Serious question...

The point is to have a strong master password. My master password is 25 characters long. Someone isn't going to guess it. And the chances of them being able to break it, should they ever get their hands on one of my devices or a backup file, are so remote (less than 1%) that I don't worry about it. There isn't enough time and computing power to break it.

In my opinion, you need a unique, strong password for every site you use. Should one site become compromised, you are still safe. You are asking for big time trouble using the same password for everything.
 
Exactly, doesn't sound too secure to me: you guess the single password, and that gets you into every single site/account you have.

How is that different over what I'm doing now? Serious question...

If you only have one password to remember, you can choose something more complex and harder to guess.

----------

So I don't get it. I have one password I use now for all my sites, and 1Password also uses one secure password? What am I missing here? Anyone who knows my main password is in?

Oh good grief, where do I begin.

You hold the database on your local machine or on iCloud/Dropbox.

You then need to either get on those sites or have physical access to the machine.

Having one password for all websites means that once someone guesses that one password (site databases have been downloaded and password hashes reverse engineered), they have access to all sites.
 
If you only have one password to remember, you can choose something more complex and harder to guess.

----------



Oh good grief, where do I begin.

You hold the database on your local machine or on iCloud/Dropbox.

You then need to either get on those sites or have physical access to the machine.

Having one password for all websites means that once someone guesses that one password (site databases have been downloaded and password hashes reverse engineered), they have access to all sites.

And that's different from having one master 1Password password how?
 
And that's different from having one master 1Password password how?

Unless we all misunderstood you, you said you use one password for all of your logins. With 1Password, you will use different passwords for all of your logins, and they will be protected by a single master password. You memorize the master password, but you don't have to memorize the others.
 
Unless we all misunderstood you, you said you use one password for all of your logins. With 1Password, you will use different passwords for all of your logins, and they will be protected by a single master password. You memorize the master password, but you don't have to memorize the others.

Thank you, I guess I wasn't good at getting my point across.

I have different passwords for all my sites, but I only need to remember one password. That password is a random collection of letters and numbers and took me a few days to memorise, but now that I know it, I don't have to worry about what happens if one website gets hacked. I just change the password on that site.
 
Unless we all misunderstood you, you said you use one password for all of your logins. With 1Password, you will use different passwords for all of your logins, and they will be protected by a single master password. You memorize the master password, but you don't have to memorize the others.

Yes, but in reality that's the same thing, no? Whether it's my one password I use for all my sites, or the 1Password master password, it gets access basically the same way? I mean, you find out your master password, you're in. I can't explain it any simpler.

I've held off getting 1Password because of this very issue.
 
Yes, but in reality that's the same thing, no? Whether it's my one password I use for all my sites, or the 1Password master password, it gets access basically the same way?

No. It's not the same at all. With 1Password you can (and should) have a different password for each site.
 
Luckily, I am glad I downloaded it when it became freemium, because I only wanted it to store passwords (of course) but also to use the Safari extension, which is a free feature.
 
Yes, but in reality that's the same thing, no? Whether it's my one password I use for all my sites, or the 1Password master password, it gets access basically the same way? I mean, you find out your master password, you're in. I can't explain it any simpler.

I've held off getting 1Password because of this very issue.

So, there's a lot of replies to this already but I'm going to try to start from the beginning.

Most people use the same password (or a couple of passwords) for all of their sites. Let's say:

PasswordA
PasswordB

Sites also require an email address and/or a username. Most people again use the same email or username for all sites.

Let's say that SiteA is broken into and a malicious user gains access to the usernames and passwords for that site. You as a user used PasswordA for that site.

The malicious user could then take the username and try it at any number of other popular sites (banks, social media sites, email sites, etc.), trying that username and password combination to see if they could gain access.

In other words, using the same username and password combination is a risk, one that we don't feel you should take.

You can read more detail on this topic here: http://blog.agilebits.com/2014/09/30/shellshock-is-bad-unique-passwords-are-good/

While the topic of that post is about Shellshock, the description of the issue is right in line with the questions you're asking.

Now, the solution to this issue is to use a password manager like 1Password, or any of the other similar tools. Our stance is always that you should use a password manager, even if it isn't ours, because it's better than not using one at all. If you don't trust us, then there are others out there that do the same thing, including Apple.

When using a tool like 1Password you can generate random, unique passwords for each site. Now if a malicious user breaks into a site and gets the usernames and passwords, they have a unique password for your login that is not used anywhere else on any other site. If anyone gains access to the passwords, you only have to change the password for that site, not all of the others.

Good so far?

Now, with 1Password you use a strong and unique master password. Mine is not random characters, letters and symbols. At least, not entirely. I used something called Diceware to generate my master password, then inserted some random symbols and numbers into it to make it a bit more unique (this is all done randomly by the tool I used to generate the master password). It's something like 30 characters long. The benefit of Diceware is that it uses normal words from a dictionary, so remembering it is far, far easier and typing it is also quite a bit easier. They're also very secure.

Here's a bad password:

B@dP@$$w0rd

Here's a great password:

|||92.pass.England.soldier.Colombia.goodbye.enter.7|||

That's a bit longer, but as you can see, even though it is longer than my ~30 characters, it's still very easy to type.

I used this tool to generate it: https://www.xkpasswd.net/c/index.cgi

Now, your second part is: why trust a password manager instead? This is a complicated thing, but here's some food for thought.

1) We document our data format and make it available publicly so that other people can review the process by which we encrypt your data. It has been confirmed by a lot of big names because it is open to scrutiny. No one has indicated that our new format (CloudKeychain) is doing anything inherently wrong. This backs up our usage of encryption, since it's verifiable that we're using the right tools.

2) Password cracking tools have open access to our format so they can attempt to crack into it. This further proves the strength of our tools.

You can read more about 1 and 2 here: http://blog.agilebits.com/2013/03/06/you-have-secrets-we-dont-why-our-data-format-is-public/

3) Your data is your data. We do not store your data on our servers. We optionally store it in Dropbox or iCloud. If you don't want to use a cloud server then you can sync via Wi-Fi (to an iOS device) or a local folder on the computer (to other Macs/PCs). So, if you're cloud averse you have options.

4) If you use a strong master password, like the one above, it would take thousands (likely several orders of magnitude more) of years for someone to crack that password by brute force. So even if someone gains access to your data file they still need your master password, which is unique and not used anywhere else.

There's a lot here, so if you have questions I'm happy to answer anything I can. You are right that if someone were to gain access to your master password and your data file then you did give them everything, but this is far less likely than someone obtaining a single password for a site. Keep in mind it's far harder to gain access to something that isn't available anywhere but on a physical device than it is to gain access to something that is on dozens of servers, perhaps not even encrypted (as we've found from many websites).

That means that your 1Password data is far, far less likely to be in the hands of a malicious user than the username/password list from a website. You control 1Password; you don't control the website.

I'm happy to answer any questions you might have :)
 
No. It's not the same at all. With 1Password you can (and should) have a different password for each site.

Yes, but if you know the master password, it will generate the different password required to enter each site. What don't you understand about that?
 
Yes, but if you know the master password, it will generate the different password required to enter each site. What don't you understand about that?

I'm not sure I understand what you're trying to say here. Can you clarify what your concern is? Once I understand what you're concerned about I can help look at it from several different angles so you can make the best choice for you.
 
I'm not sure I understand what you're trying to say here. Can you clarify what your concern is? Once I understand what you're concerned about I can help look at it from several different angles so you can make the best choice for you.

This guy is so confused and clearly does not fully understand the functionality of a password manager and what the master password actually does or how much safer it is.
 
This guy is so confused and clearly does not fully understand the functionality of a password manager and what the master password actually does or how much safer it is.

Maybe I'm confused; thanks for pointing that out.

I do understand what a password manager is. What everyone is skirting around is this: if you know, guess, obtain, whatever, the main 1Password master password, if someone somehow gets it, that allows them full access to all your sites.

And that's secure how?
 
Maybe I'm confused; thanks for pointing that out.

I do understand what a password manager is. What everyone is skirting around is this: if you know, guess, obtain, whatever, the main 1Password master password, if someone somehow gets it, that allows them full access to all your sites.

And that's secure how?

And as has been said before, make sure you use a strong master password. Any reasonable password manager is going to suggest that.

If you don't sync to iCloud or Dropbox, a person would have to gain direct access to the devices running the program, find out the passcodes or passwords to open up the devices to use, and then be able to guess the master password to 1Password.

It is not as hard as you keep trying to make it. Create a strong master password, and secure any device using the program. Exercise common sense and safe computing practices and you should be just fine.

Nothing in this life (program or not) is 100% guaranteed against lack of personal responsibility.

If you want to test the program out, you can do so for 30 days. If not, what is the point of continuing to argue a point that has been addressed numerous times already?
 
Maybe I'm confused; thanks for pointing that out.

I do understand what a password manager is. What everyone is skirting around is this: if you know, guess, obtain, whatever, the main 1Password master password, if someone somehow gets it, that allows them full access to all your sites.

And that's secure how?

Can you please read my post above? It talks about exactly that.

In 1Password we do a variety of things to help protect your master password as well.

On Mac:

* The Master Password field is set as a Secure Input field, which means that no other application can read keyboard input when the cursor focus is in that field. This prevents software key loggers from gaining access to your password.
* When you fill using the extension, it also prevents key loggers from gaining access to your usernames and passwords.

(Key loggers often monitor keyboard input and the copy/paste input/output; we do not use the clipboard, and we block keyboard monitoring using Secure Input on master password entry.)

On iOS:

Every application is sandboxed, so when 1Password is running no other application can read its input (unless the device is jailbroken, but that's not generally recommended).

On Windows:

We support Secure Desktop entry, which is like Secure Input on Mac. It prevents other applications from seeing what is being typed into the master password entry area.

More detail on this here:

http://blog.agilebits.com/2014/08/2...passwords-defenses-against-keystroke-loggers/

If you use a strong master password, it would take thousands of years or more to "guess." That's effectively how it works. A password cracking tool generally runs through all combinations:

a, A, b, B, c, C... etc
ab, aB, Ab, AB, etc

Some will skip those and run through words.

The focus there is how you strengthen your master password. As mentioned in my previous post, which you should read if you haven't yet, if you make a strong master password it will take a very long time for someone to guess it.

Combine a strong, unique master password with the tools we provide for securing the entry of the master password and you severely limit the possibility of someone just randomly gaining access to it. To the point where it is FAR more likely that someone would gain access to a single password from a website, and if you use that same password on that site as you do on all others, you're at far greater risk than if you used a password manager.

Let me know if that helps! The TL;DR of it is: you're at greater risk when using the same password on all sites than you are using a password manager.

The caveat is that the above applies to 1Password, it may also apply to other password managers but I cannot vouch for them nor do I know how they work internally. You'll need to ask any alternatives to 1Password for guidance on how they do things, I can only speak to what we at AgileBits do with 1Password.

Edit: Let's say one more thing. Given the above, the goal is to make it take so long to crack the master password that someone would simply give up unless you were a high-value target. Face it, most of us are not worth the possibly thousands upon thousands of dollars it would cost to target us and crack our master passwords. If you are such a person then the risk goes up, but the strength of 1Password's encryption and the precautions we take would still mean it takes thousands of years or more to crack the master password. That number can go down, but you'd have to throw more hardware and more money at it.

The best target is the cheapest target. The one that requires the least amount of work. A password manager with a strong master password makes you a very expensive target.
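As an added example (not AgileBits code and not part of the posts above), here is the arithmetic behind "thousands of years": it prices the two passwords quoted in the earlier post under the character-by-character enumeration described just above and under a dictionary-plus-mangling attack. The 7776-word Diceware list, the 13-symbol separator set and the 10^9 guesses-per-second attacker are assumptions, labelled in the code.

```python
"""Brute-force cost estimates for the two passwords quoted in this thread.

Added example, not AgileBits code. Attacker figures are assumptions: a
7776-word Diceware list, an xkpasswd-style structure the attacker knows,
and a fixed guess rate (a vault behind a slow KDF would be far slower).
"""
import math
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600
GUESSES_PER_SECOND = 1e9      # assumption: fast offline attacker, no slow KDF
DICEWARE_WORDS = 7776         # 6**5 entries in a standard Diceware list
SYMBOL_CHOICES = 13           # assumption: separator/padding symbol set size


def charset_size(password: str) -> int:
    """Alphabet an attacker must cover to enumerate a, A, b, B, ..., ab, aB, ...
    as described in the thread: the sum of the character classes present."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(cls) for cls in classes if any(c in cls for c in password))


def exhaustive_bits(password: str) -> float:
    """Bits of search to try every string of this length over that alphabet."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(words: int, digits: int, symbols: int,
                    random_case: bool = True) -> float:
    """Bits of search when the attacker knows the generator's structure:
    `words` dictionary words (each capitalised or not), `digits` random
    decimal digits, and `symbols` independently chosen separator/padding
    symbols. Knowing the structure is the worst case for the defender."""
    bits = words * math.log2(DICEWARE_WORDS)
    if random_case:
        bits += words                      # one coin flip per word
    bits += digits * math.log2(10)
    bits += symbols * math.log2(SYMBOL_CHOICES)
    return bits


def wordlist_attack_bits(dictionary_words: int, mangling_rules: int) -> float:
    """Bits of search for a dictionary attack that tries every word under
    every mangling rule (a->@, s->$, o->0, ...), the realistic model for
    a password like B@dP@$$w0rd."""
    return math.log2(dictionary_words * mangling_rules)


def years_to_exhaust(bits: float,
                     guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Wall-clock years to try the whole keyspace at the given rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def compare() -> dict:
    """Cost of the thread's 'bad' and 'great' passwords under each model."""
    bad = "B@dP@$$w0rd"
    # 6 words, 3 digits (92 and 7), separator '.' and padding '|'
    good_bits = passphrase_bits(words=6, digits=3, symbols=2)
    # assumption: 100k-word dictionary x 10k mangling rules
    mangled_bits = wordlist_attack_bits(100_000, 10_000)
    return {
        "bad_exhaustive_bits": exhaustive_bits(bad),
        "bad_exhaustive_years": years_to_exhaust(exhaustive_bits(bad)),
        "bad_wordlist_bits": mangled_bits,
        "bad_wordlist_years": years_to_exhaust(mangled_bits),
        "good_structured_bits": good_bits,
        "good_structured_years": years_to_exhaust(good_bits),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>22}: {value:,.3g}")
```

The point the numbers make is that the alphabet-size figure flatters B@dP@$$w0rd (a mangled dictionary word falls in about a second to a wordlist attack), while the passphrase keeps roughly 100 bits even when the attacker knows exactly how it was built.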
 
Maybe I'm confused; thanks for pointing that out.

I do understand what a password manager is. What everyone is skirting around is this: if you know, guess, obtain, whatever, the main 1Password master password, if someone somehow gets it, that allows them full access to all your sites.

And that's secure how?

Yeah, I did not mean to insult you. I have over 60 online accounts and I'm sure some people have well into the 100s. Without a password manager I would never be able to remember all those websites, and having the same password on each is even worse. That's the point of these suites:
1) create unique passwords for each website
2) a password generator to create random, long and unique passwords
3) protected with industry-standard encryption, 256-bit AES
4) a quick and easy way to change passwords (I can change all my 60+ passwords in 10 min)
5) much safer than your way, since hacking 1Password is much less likely than, say, Facebook with a crap password
6) features such as autofill, saving credit card info or making secure notes, e.g. for social security numbers, PINs etc.

On most good password suites you can also activate 2-step verification and other security measures, which would make your concern irrelevant. I am using iCloud Keychain and I love it. The only way for someone to see my passwords would be stealing my iOS device or Mac and knowing my long, complicated passcode. Hacking or knowing my Apple ID password, for example, would NOT give them access to my password list, since there are protective measures in place, like approving from trusted devices with Keychain turned ON or specific recovery keys.

Watch this video and you will get a much better idea of password managers (they talk about LastPass, which is similar to 1Password). Steve Gibson is a very respected security expert.
http://youtu.be/r9Q_anb7pwg

Also give this a read; it's very good. Although it doesn't directly relate to password managers, you can see the damage: if one account gets compromised they will take down all the other main accounts before you realise, especially if you don't have strong, unique passwords for each website.
http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/
 
So I don't get it. I have one password I use now for all my sites, and 1Password also uses one secure password? What am I missing here? Anyone who knows my main password is in?

Yes, anyone who knows your main 1Password password is in. But they need physical access to your computer, or a copy of your vault file, or they have to hack into your system. And if you are smart and use at least 24 characters, numbers, symbols, etc., they will spend the next several quintillion years trying to crack it.

Or, use the same password on all your websites, get one hacked, through no fault of your own but bad security on the part of that website, and now someone has access to ALL the sites you visit.

Bottom line, websites get hacked and some sites store passwords in the clear. Crazy, but it's true. Or they end up in the clear for some reason, like an exploit. Let 1Password manage all your passwords with one complex password and you are safe. A hacker wants to hack a website for passwords, etc. Some random hacker isn't going to find you and take your 1Password vault; they are going to hack eBay and try to get it that way.
 
Yes, anyone who knows your main 1Password password is in. But they need physical access to your computer, or a copy of your vault file, or they have to hack into your system. And if you are smart and use at least 24 characters, numbers, symbols, etc., they will spend the next several quintillion years trying to crack it.

Or, use the same password on all your websites, get one hacked, through no fault of your own but bad security on the part of that website, and now someone has access to ALL the sites you visit.

Bottom line, websites get hacked and some sites store passwords in the clear. Crazy, but it's true. Or they end up in the clear for some reason, like an exploit. Let 1Password manage all your passwords with one complex password and you are safe. A hacker wants to hack a website for passwords, etc. Some random hacker isn't going to find you and take your 1Password vault; they are going to hack eBay and try to get it that way.

Good explanation, I get it now!
 
Good explanation, I get it now!

I think of it like this. If I use only a single password on all my websites, I'm essentially letting each website manage my password, because if it becomes compromised on one site, effectively every site I use that password with becomes compromised. I'd much rather use 1Password, which stores this information locally, encrypted, or, if you sync it with Dropbox/iCloud, stores that vault file in the cloud using the same encryption. Plus, with the 1Password plugin, I literally just hit my hotkey and I'm in. Now there is risk in this too. If someone grabbed your computer while you were logged in and ran away with it, and 1Password is active, they can get into all your sites. But I use FileVault, require a password on sleep, and log out when I'm away from my computer. If someone tries to grab it, hopefully I can hold the power button for a few seconds and turn it off...
 
On Mac:

* The Master Password field is set as a Secure Input field, which means that no other application can read keyboard input when the cursor focus is in that field. This prevents software key loggers from gaining access to your password.
* When you fill using the extension, it also prevents key loggers from gaining access to your usernames and passwords.

(Key loggers often monitor keyboard input and the copy/paste input/output; we do not use the clipboard, and we block keyboard monitoring using Secure Input on master password entry.)

This is interesting information. If I am understanding it correctly, it means that using the browser extension is more than simply a matter of convenience; it is actually more secure compared to copy/paste.

What does this mean for use of 1Password in applications that do not have extensions? In my case, specifically, I end up copying/pasting certain passwords into Terminal.app (for ssh logins) as well as the Cisco AnyConnect VPN client. Are those passwords potentially more vulnerable by being used this way? I know that I can specify a time for clearing the clipboard. Are there any potential vulnerabilities with this, short of being the victim of a key logger?
 
This is interesting information. If I am understanding it correctly, it means that using the browser extension is more than simply a matter of convenience; it is actually more secure compared to copy/paste.

What does this mean for use of 1Password in applications that do not have extensions? In my case, specifically, I end up copying/pasting certain passwords into Terminal.app (for ssh logins) as well as the Cisco AnyConnect VPN client. Are those passwords potentially more vulnerable by being used this way? I know that I can specify a time for clearing the clipboard. Are there any potential vulnerabilities with this, short of being the victim of a key logger?

That'd be correct: the browser extension can actually be more secure than copy and paste. It is primarily a matter of convenience, but it has the side effect of being more secure.

One thing to keep in mind here. Keyloggers are fundamentally part of a compromised system; we cannot suggest users continue to use a compromised system, and in the event that it does happen we strongly encourage you to not use anything that is valuable to you (websites, software that requires passwords, password managers, banking software, etc.). Immediately remove the offending malicious software, do your best to verify the severity of the issue, and do what makes sense, such as resetting all important passwords, contacting banks, etc.

Most keyboard logging tools simply monitor the clipboard. It's pretty standard practice, I think, since it's easy to do and can gain access to a lot of valuable data if the user uses it. This all applies to key loggers, which are not super common but are one area where using the browser extensions can in fact be more secure than not :)

Hope that helps clear things up a little. It's probably not a scenario you have to worry too much about but it is something that I don't think a lot of people understand about 1Password and the little things that add up to form a more secure tool.
 
Does anyone know why 1Password logs me out of MacRumors when I tab away to another page, then come back and have to log in? Some other forums I use don't do this.
 
Does anyone know why 1Password logs me out of MacRumors when I tab away to another page, then come back and have to log in? Some other forums I use don't do this.

Is this happening in the 1Password browser? If so, you may need to make sure the "Keep me logged in" (or similar) checkbox is checked when you log into MacRumors. At some point memory is going to be needed, so we have to remove webpages from memory, and in doing so it will mean that you have to log back in when you reload the page again.

If it's happening in Safari, it's the same drill. It's not really 1Password; it's just simply how the browser works and what setting you have that option set to when you log in. That checkbox determines how long the browser hangs onto a cookie that keeps you logged in. If the cookie expires then you're logged out. That checkbox probably sets it to something like 2 weeks. Without the cookie it's likely much less, like 30 minutes.
 