My concern is how do you know that the people who write these programs are NOT uploading & storing your personal information on their systems and selling it or using it for their gain?
Have good solid protection in your own PC or home and NEVER upload this information to no one.

My concern is that you replied to an almost 3 year old thread.

Oh, and how do you know that Apple (or Microsoft) isn't just uploading the entire contents of your computer to their servers? :eek:;)
 
So I checked out ShopSafe and it looks pretty interesting. I then checked with BB&T but I found nothing comparable. Guess I'll have to give my rep a call.
ShopSafe is a legacy controlled payment number service of MBNA America, a credit card issuer that Bank of America acquired in 2006.

I will occasionally use ShopSafe for one-off Internet purchases, but I find myself using it less these days as more merchants support PayPal, etc. than they did eight years ago.

As to safeness with a real world perspective, storing your credit card numbers in 1Password is much safer than handing over a physical card to a waiter in a restaurant.

Since controlled payment number functionality has not proliferated with other credit card issuers, my guess is that many companies analyzed the risk/interest and likely decided that the implementation of ShopSafe-like technology was more trouble/expensive than dealing with the occasional episode of fraud.

Both American Express and PayPal discontinued their controlled payment number programs back in 2004 and 2010 respectively. Consumers have not been enthusiastic about the technology.
 
My concern is how do you know that the people who write these programs are NOT uploading & storing your personal information on their systems and selling it or using it for their gain?
Have good solid protection in your own PC or home and NEVER upload this information to no one.

An old thread but a good question (and bad advice).

There are two answers. First, network traffic is easy to monitor. The average person is unlikely to do it, but it's pretty straightforward. So we can *hope* that someone who is paying attention is using 1Password and would notice if it was making unexpected network requests. It could try to obfuscate what it is doing, of course, but that brings us to the next point...

Second, once an app like 1Password actually starts stealing data, it's just a matter of time before someone traces it back to 1Password. The more money at stake, the quicker someone will trace it back and we'd all hear about it. Even though 1Password has been around (and popular) for a while that hasn't happened. So we can comfortably infer that they are not stealing data. If they were, it would have to be a long con, where they develop, maintain, market a serious piece of software over the course of years, all the while building up trust. Then they'd have to suddenly change course and collect as much valuable data as fast as they could before people catch on, and then sell it. Seems highly unlikely though. There are faster and easier ways to steal, after all, so why would anyone bother? Perhaps if 1Password were acquired by a previously unknown Ukrainian company (or Google ;) ), we might want to start worrying.
 
[Disclosure: I work for AgileBits, the makers of 1Password]

network traffic is easy to monitor. The average person is unlikely to do it, but it's pretty straightforward.

Yep. And let me add that we document what sorts of network traffic you should see. It is useful to keep in mind that we have no idea of how anyone actually uses 1Password unless they write to us to tell us. We never see your data, even in encrypted form. All of this is independently verifiable.

once an app like 1Password actually starts stealing data, it's just a matter of time before someone traces it back to 1Password. The more money at stake, the quicker someone will trace it back and we'd all hear about it. Even though 1Password has been around (and popular) for a while that hasn't happened.

Right. Even if we were completely evil it wouldn't make financial sense to steal passwords. Credit card details sell for around $1 a piece on the black market if you buy in bulk. Banking credentials go for about $5. If we were ever suspected of being in that business we would never be able to sell another copy of 1Password. Selling copies of 1Password has been the livelihood of a growing number of people for some years. So even if we weren't the good guys that we are, it would simply be bad business to steal passwords.

Anyway, pretty much everything we say about how 1Password operates is independently verifiable. This is one of the reasons why we document the security technology as thoroughly as we do. We encourage analysis and scrutiny.
 
My concern is how do you know that the people who write these programs are NOT uploading & storing your personal information on their systems and selling it or using it for their gain?

With 1Password configured to use Dropbox the answer is easy. 1Password in this configuration does not make any network transfers. The way it works is that 1Password writes a collection of encrypted files to the local folder that is sync'd with Dropbox. 1Password running on my Mac doesn't have any information about my Dropbox account. Rather, 1Password only has information about which folder should be used to store the 1Password data files. These data files are encrypted.

The Dropbox app is responsible for copying the encrypted files up to the Dropbox servers. From the Dropbox perspective, these are just data files. But the sensitive data within the files can only be decrypted using my master password. I ensure that my master password is not used anywhere else and is cryptographically complex.


sh4d0w said:
So 1password sounds like a password manager, the icon looks like it, and your (my) friends/coworkers/onlookers can easily see you're always no more than 2 clicks away from a list of all your logins/passwords.

This can be particularly un-fun if you are at work or something and they see you have entries for "recreational" websites/services or just anything you'd prefer the world not to associate with you.

With 1Password there is a preference to control the policy for re-locking the 1Password database. Depending on your risk tolerance this can be adjusted to avoid the co-worker issue.

The "recreational" issue can also be managed in 1Password by using multiple password vaults. One "recreational" vault which you never unlock while on work machines (or just don't sync to a work machine), and a separate vault for work items.

In terms of security I find the reverse situation more common. That is, I have security policies associated with my work passwords that preclude using public cloud providers to hold the passwords. But for my personal password vaults I am comfortable with using public cloud providers to hold my encrypted data files. The multiple vault support in 1Password allows me to both sync and access my personal password vaults from my work computers while also allowing me to have work-related vaults that never get replicated to public cloud providers. (Note: The separate vault functionality was introduced with 1Password v4.)
 