
guklein

macrumors 6502a
Original poster
Oct 8, 2008
Hello,

1Password is a nice app. But I have a doubt. Is it safe to keep data like credit card and bank account information there?

Thanks!
 
Any application that stores potentially sensitive material is at risk. The question is whether 1Password takes steps to minimize that risk, like using encryption and such.

Personally, I don't use 1password or anything like that to store my credit card/bank info for that very reason.
 
I did a search for 1password encryption strength and came up with this article that addresses your question. I don't know how old the write-up is though. They use 128-bit encryption keys, which is decent, but hopefully they'll be upgrading to 256-bit soon.

I personally use KeePassX because it's free and cross-platform so I can use it on Windows while at work. I store the database that it keeps in a TrueCrypt volume that has stronger encryption than KeePassX or 1Password, so it gives me another layer of security.
 
I use 1Password with no worries, but I'm not a worrier about such stuff.

My question would be, how do you store that type of info now? Do you keep your credit cards on you? Do you carry a check book? Then you are at risk. Do you use the postal service? Even more dangerous. Encryption on your computer is safer than having hard copies, IMO. Do you carry your computer around with you on the job or on campus? That may change things a bit, but not much. Do you conduct business on the Internet? We are all at risk somehow or another.

I have over 100 passwords stored in 1Password, including my checking account info and passwords to online banking. 1Password creates excellent passwords for me and stores them (also password protected). I think it offers a level of protection that would be hard for me to duplicate on my own. :)
 
My question would be, how do you store that type of info now? Do you keep your credit cards on you? Do you carry a check book? Then you are at risk. Do you use the postal service?
I don't store my credit card/banking information electronically. I do carry my credit cards with me (but not my check book) and yes, there are risks, and I attempt to minimize that risk. I don't carry all the credit cards I own; I only keep one or two, and they're generally close to me, so the likelihood of getting them stolen is small (at least I hope) ;)
 
OK, it uses strong encryption. But is the company trustworthy?

"Using" a good encryption scheme is different from successfully implementing it. Since Agile's code is closed, nobody can or will tell you whether or not it's really secure. KeePassX, on the other hand, has been open source from the start. No known back doors or potentially data-compromising bugs after years of development. The company itself is reputable and established; they're not scammers... I just think their entire approach (like most other companies') to "security" is flawed.

maflynn said:
I don't store my credit card/banking information electronically. I do carry my credit cards with me (but not my check book) and yes, there are risks, and I attempt to minimize that risk. I don't carry all the credit cards I own; I only keep one or two, and they're generally close to me, so the likelihood of getting them stolen is small (at least I hope)

While there's something to be said about being careful with your credit cards, in reality there's very little financial risk involved even if your card gets stolen. The credit system (at least in the US) is based on vendor liability for fraud; can you imagine the uproar that would ensue if a card company told its customers that it was up to them to prove any fraudulent charges? I think the UK had this system for a while (I can't remember the exact details; I think it was a bank) in which the bank told the customers that it was up to them to prove that their money was stolen. The system collapsed pretty quickly.

redwarrior said:
Encryption on your computer is safer than having hard copies, IMO.

Depends on the situation. The NSA keeps no electronic records of its employees. A company like Google probably keeps very few paper records of its employees.

guklein said:
Is it safe to keep data like credit card and bank account there?

The nice thing about 1Password and KeePassX is that your data isn't really "out there" - the password and key databases are stored locally on your machine. In general it's not "safe" to store your credit card and bank account info on the internet regardless of the protection scheme.

The most important thing these days in protecting your personal information online is to use strong passwords. Most people don't (example). 1Password's name is a play on the sadly common "password1" password :p
 
While the risk may be small financially, there is considerable work and stress untangling the mess if my bank or credit card information is stolen. I've seen the nightmare it causes and I want to do all that I can to avoid that.
 
Those of us desiring another layer of security are turning towards two factor authentication. It is based on:
1) Something you know (userid / password)
2) Something you have (for instance a device that can generate a token)

You can purchase a token generator for $5, but the easier way to do it is just to install an app (VeriSign identity manager) on your iPhone / BlackBerry / Windows Mobile device / Android device. This app will generate a unique number that is valid for 30 seconds. So if someone steals your user id / password they'd still need your device to be able to generate the token (a random number).

Now you can use OpenID and VeriSign one click to log into any website and just use user id / password and the token (random number from your VeriSign app). The app is free of course.

Now consider if someone has a keylogger and records your user id /password and even records the random number token. They won't be able to use it because the random number token has already expired (it's one time use) and unless they also steal your token generator (iphone or other device) they won't be able to log in.

Here is the link: https://pip.verisignlabs.com/
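The 30-second, one-time code scheme this post describes is what RFC 6238 standardises as TOTP (built on HOTP, RFC 4226). The Python below is an added illustration, not code from the post or from VeriSign: it uses the RFC 4226 test-vector key as a constructed shared secret, and the verifier class and the replay walkthrough are my own, showing why a code recorded by a keylogger is useless once its time step has been consumed or has passed.

```python
import hmac
import hashlib
import struct

# Constructed demo secret: the RFC 4226 / RFC 6238 test-vector key, not a real credential.
# In practice the secret is generated randomly and shared once when the device is enrolled.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # each code is valid for one 30-second time step
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the current 30-second step."""
    return hotp(secret, unix_time // STEP_SECONDS)


class TotpVerifier:
    """Server-side check that accepts each time step at most once (one-time use)."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window          # tolerate +/- one step of clock drift
        self.last_counter = -1        # highest time step already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // STEP_SECONDS
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter:
                continue              # replay: this step was already used (or is older than one used)
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


def keylogger_replay_demo() -> dict:
    """Walk through the post's scenario: a logged user id/password/code is replayed later."""
    verifier = TotpVerifier(DEMO_SECRET)
    t_login = 59                                   # the device shows the step-1 code at this time
    captured = totp(DEMO_SECRET, t_login)          # exactly what a keylogger would record
    return {
        "captured_code": captured,
        "legit_login": verifier.verify(captured, t_login),              # True: first use, in step
        "replay_same_step": verifier.verify(captured, t_login + 10),    # False: step already consumed
        "replay_later": verifier.verify(captured, t_login + 120),       # False: step long gone
        "fresh_code_later": verifier.verify(totp(DEMO_SECRET, t_login + 120), t_login + 120),  # True
    }
```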
 
While the risk may be small financially, there is considerable work and stress untangling the mess if my bank or credit card information is stolen. I've seen the nightmare it causes and I want to do all that I can to avoid that.
If you do any shopping with credit cards anywhere or banking online whatsoever, then 1Password should be the least of your worries. 1Password keeps your CC info safer than some store that swipes your card or some online store that processes a transaction with it.
 
If you do any shopping with credit cards anywhere or banking online whatsoever, then 1Password should be the least of your worries. 1Password keeps your CC info safer than some store that swipes your card or some online store that processes a transaction with it.

+1

Lifehacker did a story recently talking about how, compared to most ways to pay either online or in person, using a credit card is relatively safe. The fewer places that have your number, the better. Keeping it stored remotely like with PayPal is just allowing another chance of your number being stolen. But consider all the places that already have the number - everywhere you shop. Lifehacker points out it's safer though, since as long as you keep an eye on your statement, most cards have zero liability for fraudulent use. Just run a credit check on yourself every once in a while to make sure no one is using your identity.
 
Not to mention, these guys update their software ALL THE TIME.. Awesome app.
 
1Password is an awesome and very popular app. If there were any security issues with it the word would be out so fast and the issue fixed just as fast. Probably the biggest risk is letting someone else use your system or if your system is ever stolen. All of your data could be at risk then.
 
I have no doubt that any vulnerability would be patched quickly, but since the code is closed, finding vulnerabilities proactively is extremely difficult. KeePassX doesn't have this limitation.
Is anyone actively analyzing the KeePassX codebase to proactively expose vulnerabilities? If not, then it's really kind of a moot point that it's open, and your argument supporting it for that reason becomes meaningless.

I've been using 1Password since I got a Mac. It's a great product and has continuous, active development.
 
Is anyone actively analyzing the KeePassX codebase to proactively expose vulnerabilities? If not, then it's really kind of a moot point that it's open, and your argument supporting it for that reason becomes meaningless.

0.4.3 was released on March 7, 2010. The framework which it is based upon (KeePass) released version 2.10 on March 5, 2010 and has been in active development by the community for years.
 
0.4.3 was released on March 7, 2010. The framework which it is based upon (KeePass) released version 2.10 on March 5, 2010 and has been in active development by the community for years.
So what! 1Password gets updates all the time from its development community too, and part of that is work on improvements to security. You claim that KeePass is better/safer because the code is open and subject to proactive analysis for vulnerabilities. Who outside the KeePass development community is doing that analysis? If no one is doing it, then it has no advantage over 1Password for that reason.

It's one thing to say something is open to analysis, but if no one cares enough to actually do it independently, then it doesn't matter that it's open for that purpose in the first place. Advantage: 0
 
So what! 1Password gets updates all the time from its development community too.

Yes, but the difference is in the size of the development community. Admittedly I don't know how many people work at Agile, but I'm guessing it's less than the thousands that have looked at KeePass(X) and even less than the hundreds who have been with the project from the start. More knowledgeable eyes looking for bugs tends to create a more secure product.

You claim that KeePass is better/safer because the code is open and subject to proactive analysis for vulnerabilities. Who outside the KeePass development community is doing that analysis? If no one is doing it, then it has no advantage over 1Password for that reason.

See above for the "size of the development community" argument.

It's one thing to say something is open to analysis, but if no one cares enough to actually do it independently, then it doesn't matter that it's open for that purpose in the first place. Advantage: 0

You're comparing a profit-driven and profit-motivated business (Agile) to an open source project with the goal of creating a secure program to store passwords? Ok. Your "independent analysis" fails miserably in that respect. I am not saying that Agile is out to get you and that they're building in backdoors to steal anyone's information, but it'd be nice to have the benefit of hundreds (perhaps thousands) of independent developers verify it.
 
Yes, but the difference is in the size of the development community. Admittedly I don't know how many people work at Agile, but I'm guessing it's less than the thousands that have looked at KeePass(X) and even less than the hundreds who have been with the project from the start. More knowledgeable eyes looking for bugs tends to create a more secure product.

See above for the "size of the development community" argument.

You're comparing a profit-driven and profit-motivated business (Agile) to an open source project with the goal of creating a secure program to store passwords? Ok. Your "independent analysis" fails miserably in that respect. I am not saying that Agile is out to get you and that they're building in backdoors to steal anyone's information, but it'd be nice to have the benefit of hundreds (perhaps thousands) of independent developers verify it.
You can't make a baby in a month by getting nine women pregnant.

I run a 12+ person development team working on mission critical R&D tools at a major aerospace company. Having a larger development community is not necessarily an advantage. Often when teams get too large they start to have all kinds of problems that hinder successful development.

You can argue all day that code open to analysis is better/safer, but it means nothing if it isn't independent analysis. So what if the KeePass community can analyze its own code. They will be naturally biased and will make assumptions that an independent reviewer won't. That would be like me claiming my code doesn't need QA because I already did that myself. It just doesn't work that way.

Don't get me wrong. I'm totally for open-source projects. I use and support open source all day long. But your claim that KeePass code is more secure because it's open source is using flawed logic.
 
You can't make a baby in a month by getting nine women pregnant.

edit: nm, got it. You're comparing a situation dictated by the laws of biology with a situation dictated by the laws of statistics as a way to make your point. It doesn't work that way.


I run a 12+ person development team working on mission critical R&D tools at a major aerospace company. Having a larger development community is not necessarily an advantage. Often when teams get too large they start to have all kinds of problems that hinder successful development.

Of course it doesn't always translate into an advantage, but in the case of security review it does.

You can argue all day that code open to analysis is better/safer, but it means nothing if it isn't independent analysis. So what if the KeePass community can analyze its own code. They will be naturally biased and will make assumptions that an independent reviewer won't.

Where does this bias come from, and what bias would it be? Do you even understand the goals of a typical open source project? The KeePass community has worked for years to create a secure program, which also happens to be its mission statement. Each "reviewer" (developer, or anyone who looks at anyone else's work) is "independent."

That would be like me claiming my code doesn't need QA because I already did that myself. It just doesn't work that way.

You're right, it doesn't work that way. Neither does KeePassX. Neither does 1Password (presumably). KeePassX is not the work of one developer, it's the work of hundreds. Anything that one developer does gets scrutinized by a large portion of the others. Bugs are found and fixed.

The same thing happens with 1Password's team, albeit on a much smaller scale.
 
:confused: Not sure what you're getting at here. Clarify?
We use the expression "Can't make a baby in a month ..." when people who don't understand better want to accelerate or improve a project by throwing more people at it. It was my response to your claim things are better because the development community is hundreds strong.

Of course it doesn't always translate into an advantage, but in the case of security review it does.
How does having a larger team improve security?

When I say independent review, I mean someone not connected with the project.

I'm not questioning KeePass, the project, or its developers. All I'm saying is the only real and balanced way to analyze code for security vulnerabilities is that it is done independently of the project and its members. Otherwise, bias (unintentional as it may be) and assumptions made through familiarity potentially corrupt the results. This is a matter of rigor and process, not trust or competence.
 
Not to mention, these guys update their software ALL THE TIME.. Awesome app.

Constant updates do not necessarily mean the app is safe. Nor does a larger development team suggest 1Password is safer than anything else.

I use it and have been using it for quite some time. There was mention of being able to access your data over the net but I never explored it as I would not do that personally. At least knowing the information is local I can hope to control some of that risk associated with apps like these.
 
How does having a larger team improve security?

It's a statistical argument. Do you deny that the more people you have searching for bugs, the faster they'll be found? If you're not on the same level with me here, I suggest we both perform a quick thread exit.

(Side note: This is why almost every private encryption scheme ever has failed miserably. The encryption standards these days - AES, DES/Triple DES, and RSA - are used because they've stood up to every test that the cryptography community has thrown at them. Well, DES is being phased out because today's technology makes it much easier to crack.)

When I say independent review, I mean someone not connected with the project.

I'm not questioning KeePass, the project, or its developers. All I'm saying is the only real and balanced way to analyze code for security vulnerabilities is that it is done independently of the project and its members. Otherwise, bias (unintentional as it may be) and assumptions made through familiarity potentially corrupt the results. This is a matter of rigor, not trust or competence.

Ok, using the above highlighted statement, how can you make the argument that 1Password is in any way "more secure" than KeePassX considering

a) Nobody outside of Agile has seen or has the opportunity to see the source code for 1Password, thus eliminating the possibility of "independent review" completely

b) Developer turnover within Agile is assuredly less than it is for the KeePass community due to the obvious barrier to entry of "being employed by Agile"

c) The development team for 1Password is smaller than it is for KeePassX

In addition I'm not understanding how you're coming to the conclusion that KeePass cannot be independently reviewed, or that it has not been independently reviewed. It's an open source project. It goes forward based on the assumption that anyone who looks at the code and cares about the project will raise any issues they have with the code. In that sense it's been independently reviewed hundreds if not thousands of times. Compare that to Agile who has the same few dozen (at most) developers looking at the same code they have for years. Which situation lends itself more to bias?
 