There's really no way to tell if 1Password is safe. I use it and will continue to use it unless I hear otherwise. Pretty much any application you install on your machine that isn't open source could be considered unsafe since you can't view the code. That convenience application you have running 24/7 in your menubar could be logging all your keys for all you know. If 1Password had come out yesterday I'd be a bit more skeptical but it's been around for a while. Sure on any given release they could run "open backdoor!" and steal all your stuff... but so could a ton of other programs on your computer.
 
It's a statistical argument. Do you deny that the more people you have searching for bugs, the faster they'll be found?
Yes

Ok, using the above highlighted statement, how can you make the argument that 1Password is in any way "more secure" than KeePassX ...
Go back and read my posts. Don't put words into my mouth and invent quotes for me. I said I use 1Password. I never claimed it's "more secure" than KeePassX (I would have no basis for such a claim). Rather, I disputed your claim that KeePassX has an advantage in terms of security just because it's open source and can be proactively analyzed.

Not only are you not understanding me, but you're misquoting me. It's pointless to continue this discussion.
 
If you have a program like 1Password on your computer, how do you access those password protected websites at work or away from your computer?

You need to remember the password. 1Password and KeePassX use locally stored databases. At least with KeePassX you can put the database on something like Dropbox and point the program to use that DB, thus syncing the two machines.
 
If you have a program like 1Password on your computer, how do you access those password protected websites at work or away from your computer?

My 1Password database syncs to my iPhone app and to my MobileMe webspace (I hear Dropbox works "better" but MobileMe has worked fine for me). That keeps it in sync across all my personal computers. You can open the file in a web browser and, if you type in your master password, you can view it in any web browser. The actual webpage is fully encrypted.
 
My 1Password database syncs to my iPhone app and to my MobileMe webspace (I hear Dropbox works "better" but MobileMe has worked fine for me). That keeps it in sync across all my personal computers. You can open the file in a web browser and, if you type in your master password, you can view it in any web browser. The actual webpage is fully encrypted.

The password generated.

Oh, there you go: 1Password can be synced with other machines via the cloud.

I never understood how any of these programs could be useful "out and about" but it all makes sense now. Thank you both.
 
They use 128-bit encryption keys, which is decent,
128-bit keys are for all practical intents unbruteforceable.

That does of course not protect you from bugs in the implementation, or attacks found against the cypher. But 256-bit keys are just as vulnerable against those kinds of problems.
 
Good program. I almost like it as much as Roboform. That being said, I only use it for website passwords. Not identity or credit card information. I try to use the temporary CC number generator for online purchases that my CC company offers. You just log in to the CC site and generate a number. This keeps companies from having my real CC number. Great service!
 
Good program. I almost like it as much as Roboform. That being said, I only use it for website passwords. Not identity or credit card information. I try to use the temporary CC number generator for online purchases that my CC company offers. You just log in to the CC site and generate a number. This keeps companies from having my real CC number. Great service!

I've never heard of something like this. Who's your CC thru? I'd like to look into that.
 
I've never heard of something like this. Who's your CC thru? I'd like to look into that.

Mine is through Bank of America (VISA). You can create something called a "ShopSafe" number on the Bank of America site once you log in. I would imagine most credit cards would let you do this, not sure about debit cards acting as credit cards though.
 
So I checked out ShopSafe and it looks pretty interesting. I then checked with BB&T but I found nothing comparable. Guess I'll have to give my rep a call.
 
Hello!

I am one of the 1Password developers and wanted to answer the questions mentioned in this thread.
Thankfully, most of these questions were asked before and I hope it is ok if I just add a link to the answer.

- How secure is 1Password:
http://help.agile.ws/1Password3/security.html

- Open-source:
While the 1Password application is not open source, the 1PasswordAnywhere component is all written in HTML and JavaScript and its source is fully open.
http://help.agile.ws/1Password3/1passwordanywhere.html

- Accessing your data when you are away from your Mac:
http://help.agile.ws/1Password3/away_from_mac.html

And, finally, you can find more information about people behind 1Password on this page:
http://agile.ws/company

I hope this helps, let me know if you have any questions.

Best regards, Roustem
Co-author of 1Password
 
Not loving it

I love 1password's ease of use and the fact that it has probably saved me 3-5 hours of typing and recovering passwords in the few months which I've had it.

But it is not safe, simply because all your (my) eggs are in one basket, and it's an extremely easy basket for someone to get a look at. I am not talking about a lack of encryption or higher-order vulnerability. It's just dangerous because it is a program which, if you are going to use it to any significant extent, is frequently visible in your contextual menus as well as in the dock, and so on.

So 1password sounds like a password manager, the icon looks like it, and your (my) friends/coworkers/onlookers can easily see you're always no more than 2 clicks away from a list of all your logins/passwords. Eventually one of these folks will likely get some time alone with it and your identity will be stolen. If your master password is saved then the problem is even more serious.

Furthermore, if you are looking in a long list of passwords for some entry then it's really easy for someone to glance at your screen and see said list. This can be particularly un-fun if you are at work or something and they see you have entries for "recreational" websites/services or just anything you'd prefer the world not to associate with you.

So that's why I am no longer going to use 1password. My standards are really high, admittedly, but at the end of the day the convenience is not worth the serious threat posed by this program or others like it.

Just my 2 cents.
 
I absolutely love it. It is a must. I think my passwords are much more safe since using 1password just because my old passwords sucked, and all of my friends were getting hacked. This looks like the best integrated solution right now. I love it.
 
I love 1password's ease of use [...] But it is not safe, simply because all your (my) eggs are in one basket, and it's an extremely easy basket for someone to get a look at.

Who cares if people can see the basket as long as there's no way for them to access the contents?
 
KeePassX is not the work of one developer, it's the work of hundreds.

KeePassX might be an excellent piece of software. I have never used it so I cannot comment on the quality of the software itself.

I can say that the KeePassX source code repository has had a total of 352 commits. (Total is from http://sourceforge.net/projects/keepassx/develop). Given that software development requires more than shallow understanding of the source code. In addition, the reasoning presented in this thread is predicated on the contributors to KeePassX being actively involved in the project. As such, it is highly unlikely that the KeePassX project is "the work of hundreds".

Note that browsing the KeePassX repository shows approximately 4 unique usernames used to commit to the project. The vast majority (~90%) of the commits are by a single user "sniperbeamer".
 
KeePassX might be an excellent piece of software. I have never used it so I cannot comment on the quality of the software itself.

I can say that the KeePassX source code repository has had a total of 352 commits. (Total is from http://sourceforge.net/projects/keepassx/develop). Given that software development requires more than shallow understanding of the source code. In addition, the reasoning presented in this thread is predicated on the contributors to KeePassX being actively involved in the project. As such, it is highly unlikely that the KeePassX project is "the work of hundreds".

Note that browsing the KeePassX repository shows approximately 4 unique usernames used to commit to the project. The vast majority (~90%) of the commits are by a single user "sniperbeamer".

But...But it's open source! It's automatically safer!

I use 1Password on all my devices. I keep all my information in my 1Password database. Credit card information, bank account information, health insurance...Everything that's in my wallet. If I lose my wallet, ALL this information is fully accessible. If I lose my phone or iPad, or someone gains access to my computer, they cannot obtain any of this information without my complex password.

Additionally, if I ever lose my wallet, I have all the phone numbers I need to call to cancel my credit cards, all stored in my 1Password database. I wouldn't use 1Password without this functionality.

As for Agile being a reputable company: Take off your foil hats. They have been around a while. We'd know by now if they were screwing us over.
 
1Password

My concern is how do you know that the people who write these programs are NOT uploading & storing your personal information on their systems and selling it or using it for their gain?
Have good solid protection in your own PC or home and NEVER upload this information to no one.

I use 1Password with no worries, but I'm not a worrier about such stuff.

My question would be, how do you store that type of info now? Do you keep your credit cards on you? Do you carry a check book? Then you are at risk. Do you use the postal service? Even more dangerous. Encryption on your computer is safer than having hard copies, IMO. Do you carry your computer around with you on the job or on campus? That may change things a bit, but not much. Do you conduct business on the Internet? We are all at risk somehow or another.

I have over 100 passwords stored in 1Password, including my checking account info and passwords to online banking. 1Password creates excellent passwords for me and stores them (also password protected). I think it offers a level of protection that would be hard for me to duplicate on my own. :)
 
My concern is how do you know that the people who write these programs are NOT uploading & storing your personal information on their systems and selling it or using it for their gain?
Have good solid protection in your own PC or home and NEVER upload this information to no one.

Well, for starters people would notice their info being used and it would get out that they're selling data. Second, you can use 1Password without an internet connection (not too useful, but it still works). And you're getting into an endless loop of worry; if you're going to look at 1Password as a possible security risk it doesn't make that much sense as there are much bigger issues. All sites you use the data in 1Password on have your data for at least an instant.
 