Why would you not use the built in password manager and instead willingly pay to use another, less secure, manager?
Because I have Windows and other non-Apple devices. Also, it doesn't have 2FA support.
 
"I don't use the cloud, it's all local."

As if you are better at securing your network and your computer than the 100+ security engineers who are working at LastPass or elsewhere.
 
Even if a hacker were to get a hold of my encrypted blob and I was stupid enough to have an easily guessed password (I don't), the hackers STILL couldn't get my passwords without my secret key. To get the secret key, they would have to have physical access to my house and know where I store it.
If the hackers stole the user database in this hack, who is to say they didn’t steal your encryption key? So, we are back to the dictionary attack on your password. Very few people can remember a non-complex password, so I’d say 95% (in reality 99.9%) are vulnerable to an offline dictionary attack.
 
If the hackers stole the user database in this hack, who is to say they didn’t steal your encryption key? So, we are back to the dictionary attack on your password. Very few people can remember a non-complex password, so I’d say 95% (in reality 99.9%) are vulnerable to an offline dictionary attack.
The private keys are never sent to LastPass (or Bitwarden/1Password, etc.). The keys are created locally on the device and never sent to the company hosting the vault. Encryption and decryption are done locally on the device. Unencrypted data is not sent to, or received from, the company hosting the vault. I've read both LastPass's and 1Password's security white papers, and both work this way.


 
If the hackers stole the user database in this hack, who is to say they didn’t steal your encryption key? So, we are back to the dictionary attack on your password. Very few people can remember a non-complex password, so I’d say 95% (in reality 99.9%) are vulnerable to an offline dictionary attack.

Please, before you spread any more falsehoods, take some time to educate yourself on how password managers work. The password and encryption key are NEVER sent to the cloud; all data is encrypted and decrypted locally. Once again, there is no way a hacker can steal my encryption key from 1Password.

Here, let me help educate you. Here is a link to the security documents for 1Password that explain exactly how it works.

About the 1Password security model

I am sure other password managers have similar security documents posted. If they don't, I wouldn't trust them. Take some time and understand the model.
 
I can't speak for other password managers, but 1Password uses TWO pieces of information to encrypt the data. One is my password (which is only in three places: in 1Password, on a piece of paper in my home, and in my mind) and the other is a secret key (two places: the piece of paper and in 1Password).

Please, before you spread any more falsehoods, take some time to educate yourself on how password managers work. The password and encryption key are NEVER sent to the cloud; all data is encrypted and decrypted locally. Once again, there is no way a hacker can steal my encryption key from 1Password.
So, how do you recover your encryption key on another device that belongs to you if the encryption key is only stored locally on your device and never sent to the cloud?

iCloud Keychain doesn’t require storing the secret key on a piece of paper in your house, and the setup of a new device automatically enables access to the iCloud Keychain (with a 2FA authentication request). Hence, the secret key is obviously stored in the cloud (if I were to guess encrypted with my public key).

This is from their website:

“Have peace of mind if you lose a device. Encrypted copies of your Secret Key are stored in your device backups and keychains to provide data loss protection. If you have iCloud Keychain turned on and lose your Mac, iPhone, or iPad, you can restore from a backup and unlock 1Password with just your account password. It’s the same for Android backups.”

What about in Windows?

So, they rely on a platform Keychain to safe-keep and propagate to other devices the encrypted secret key? What about propagating it from one platform to another? How do you get it by logging in to the account from another device? So, is it actually stored in the cloud then (maybe also encrypted with your public key)?

Do you actually understand how it works?
 
  • Disagree
Reactions: cyb3rdud3
So, how do you recover your encryption key on another device that belongs to you if the encryption key is only stored locally on your device and never sent to the cloud?
The key is derived from your master password, and (in the case of 1Password) the secret key that is created locally on device when you create your account. With both pieces of information the local key is created on each local device.

I'd encourage you to read the white papers on how this process works. It is very informative and helps one understand how their data is being managed.
 
  • Like
Reactions: ericwn
So, how do you recover your encryption key on another device that belongs to you if the encryption key is only stored locally on your device and never sent to the cloud?
That is why 1Password has a number of warnings to print and keep a copy of your Secret Key somewhere safe. If you lose it, your data is GONE. To be clear, once you have signed into your password vault, the secret key is securely stored on your device, but your password is required to log in (which is NEVER stored directly on your device).

If I want to log in to my passwords on another device, I must supply both my password and secret key. I do keep my secret key in my private 1Password vault. So, let's say I buy a new computer and want to set up 1P on it. I can get my secret key from a device that I have already authorized (my phone, my old computer, etc.) and use that to log in on my new computer. (For the record, I need three pieces of information to log in to my vault: my secret key, my password, AND an MFA device. I use Microsoft Authenticator as my MFA, so someone trying to hack my account by logging in would need all three pieces of information.)


iCloud Keychain doesn’t require storing the encryption key on a piece of paper in your house, and the setup of a new device automatically enables access to the iCloud Keychain (with a 2FA authentication request). Hence, the encryption key is obviously stored in the cloud.
Again, please educate yourself about how modern security works. In the case of iCloud Keychain, your data is encrypted by your password/passcode and information about your device BEFORE it is sent to Apple. Here, once again, ******:

iCloud security overview - Apple Support

It is fine you don't understand how this works, but please consider doing research instead of posting incorrect information.
 
I use Enpass, and it syncs to one of my Google accounts. Someone would have to have my Gmail account password, an Authy 2FA code, one of my Android devices (to confirm login), and the master password for Enpass. I would never trust a password app that uses its own cloud.
 
No matter how secure your passwords are with respect to any password manager's encryption approach, nothing is secure if the software you run, which accesses your unencrypted passwords, has been compromised. LastPass's last security breach relates to unauthorized access to their software; that is a major red flag.

I feel that access to the password manager software is a much larger breach than access to the encrypted user information.

My understanding is that the breach was only retrieving the code, not updating it. But, if some bad actor working at LastPass manages to embed a backdoor (or something) into a signed version of their application, then all bets are off. Since there is proof that LastPass is insufficiently careful with their code base, I wouldn't use their product.
 
So, how do you recover your encryption key on another device that belongs to you if the encryption key is only stored locally on your device and never sent to the cloud?

iCloud Keychain doesn’t require storing the secret key on a piece of paper in your house, and the setup of a new device automatically enables access to the iCloud Keychain (with a 2FA authentication request). Hence, the secret key is obviously stored in the cloud (if I were to guess encrypted with my public key).

This is from their website:

“Have peace of mind if you lose a device. Encrypted copies of your Secret Key are stored in your device backups and keychains to provide data loss protection. If you have iCloud Keychain turned on and lose your Mac, iPhone, or iPad, you can restore from a backup and unlock 1Password with just your account password. It’s the same for Android backups.”

What about in Windows?

So, they rely on a platform Keychain to safe-keep and propagate to other devices the encrypted secret key? What about propagating it from one platform to another? How do you get it by logging in to the account from another device? So, is it actually stored in the cloud then (maybe also encrypted with your public key)?

Do you actually understand how it works?

You're making some great points. I hadn't realized that 1Password stored the secret key in the keychain. I had thought it was stored in a way that never left my machine. In fact, that's why I thought I had to be so careful with my secret key: print it out and hide it somewhere.

So 1Password's security is only as secure as my keychain, whose security I don't completely understand or trust. If I try to log in to iCloud on a new device or browser, one of my existing devices is required to grant approval. But Apple must provide a way in if you no longer have access to any old device. Email or SMS to a contact registered to my Apple ID is pretty weak security. I must be missing something.
 
Again, please educate yourself about how modern security works. In the case of iCloud Keychain, your data is encrypted by your password/passcode and information about your device BEFORE it is sent to Apple. Here, once again, ******:

iCloud security overview - Apple Support

It is fine you don't understand how this works, but please consider doing research instead of posting incorrect information.

In my opinion @sirozha is reasoning well and seems to be correct.
 
  • Disagree
Reactions: cyb3rdud3
So…
  • hacker breaks into password company
  • passwords were protected from theft
Whew! Crisis averted!

You forgot this part:

* Guy on Macrumors assumes that's all there is to the incident.

Because yeah, sure... tech companies have a long history of releasing all the details when this kind of thing happens. :rolleyes:
 
  • Like
Reactions: ericwn
You're making some great points. I hadn't realized that 1Password stored the secret key in the keychain. I had thought it was stored in a way that never left my machine. In fact, that's why I thought I had to be so careful with my secret key: print it out and hide it somewhere.
I have my iCloud Keychain off.
So 1Password's security is only as secure as my keychain, whose security I don't completely understand or trust. If I try to log in to iCloud on a new device or browser, one of my existing devices is required to grant approval. But Apple must provide a way in if you no longer have access to any old device. Email or SMS to a contact registered to my Apple ID is pretty weak security. I must be missing something.
And your master password.
 
I use 1Password but if you're only using Apple devices then the built in password manager is fine.

If you didn't move on from LastPass after the first breach now might be a good time. Think of what damage will happen if someone gets all of your passwords... 🤣
 
So, how do you recover your encryption key on another device that belongs to you if the encryption key is only stored locally on your device and never sent to the cloud?

iCloud Keychain doesn’t require storing the secret key on a piece of paper in your house, and the setup of a new device automatically enables access to the iCloud Keychain (with a 2FA authentication request). Hence, the secret key is obviously stored in the cloud (if I were to guess encrypted with my public key).

This is from their website:

“Have peace of mind if you lose a device. Encrypted copies of your Secret Key are stored in your device backups and keychains to provide data loss protection. If you have iCloud Keychain turned on and lose your Mac, iPhone, or iPad, you can restore from a backup and unlock 1Password with just your account password. It’s the same for Android backups.”

What about in Windows?

So, they rely on a platform Keychain to safe-keep and propagate to other devices the encrypted secret key? What about propagating it from one platform to another? How do you get it by logging in to the account from another device? So, is it actually stored in the cloud then (maybe also encrypted with your public key)?

Do you actually understand how it works?

So, your point about the 1Password weakness has been raised on the 1Password forums. A member of their security team did respond. Basically, they said "Trust Apple".

https://1password.community/discussion/comment/590911#Comment_590911


I have my iCloud Keychain off.

Yeah, that's something that 1Password post did suggest. I've decided to leave mine on, but only because I do have a number of carefully secured devices that are consulted whenever unrecognized access to my iCloud account is attempted.

And your master password.

Good point. The forum post made that point "If an attacker managed to breach iCloud and acquire your Secret Key, they would still need a copy of your encrypted data itself, as well as your Master Password in order to decrypt it."

But, 1Password is no longer as rock solid as I thought, unless I turn off iCloud keychain.
 
  • Like
Reactions: Mr. Heckles
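To make the two points argued across the thread concrete (the vault key being derived on every device from the master password plus the Secret Key, so no key is ever uploaded; and the quoted 1Password forum reply that an attacker would need the encrypted data, the Secret Key and the master password together), here is a small Python model added as an example. It is not 1Password's code and not its exact construction: the PBKDF2-plus-HMAC mixing, the HMAC-based stream cipher standing in for a real AEAD such as AES-GCM, and every value (password, Secret Key, salt, vault contents) are constructed for this illustration.

```python
import hashlib
import hmac
import os

NONCE_LEN = 12
TAG_LEN = 32


def derive_vault_key(master_password: str, secret_key: bytes, salt: bytes,
                     iterations: int = 100_000) -> bytes:
    """Two-secret key derivation (simplified stand-in, not 1Password's exact scheme).

    A slow KDF stretches the human-chosen password; the high-entropy Secret Key is
    mixed in so that neither factor alone yields the vault key. Because the result
    depends only on these inputs plus a salt, every device holding all of them
    derives the identical key locally, and nothing key-like has to be uploaded.
    """
    pw_part = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                  salt, iterations, dklen=32)
    sk_part = hmac.new(secret_key, salt, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def _subkey(vault_key: bytes, label: bytes) -> bytes:
    # Separate encryption and authentication keys, both derived from the vault key.
    return hmac.new(vault_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a toy stream cipher; a real vault uses AES-GCM.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; the returned blob is all the sync server ever holds."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(vault_key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(vault_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(vault_key: bytes, blob: bytes):
    """Return the plaintext, or None when the key is wrong (the tag check fails)."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(vault_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(_subkey(vault_key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def scenario() -> dict:
    """Walk through the cases argued in the thread, with constructed values."""
    master_password = "weak-but-memorable"                          # constructed
    secret_key = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed; plays the printed Secret Key
    salt = b"constructed-salt-for-demo"                              # constructed
    vault_contents = b"example.com: correct-horse-battery-staple"    # constructed

    # Device A derives the key locally and encrypts; only the blob leaves the device.
    key_a = derive_vault_key(master_password, secret_key, salt)
    blob = encrypt_vault(key_a, vault_contents)

    # Device B: same password + same Secret Key give the same key; no key download needed.
    key_b = derive_vault_key(master_password, secret_key, salt)

    # Someone holding the blob and even the correct password, but not the Secret Key.
    key_without_sk = derive_vault_key(master_password, b"\x00" * 16, salt)

    # Someone holding the blob and the Secret Key, but with the wrong password.
    key_wrong_pw = derive_vault_key("password123", secret_key, salt)

    return {
        "same_key_on_new_device": key_a == key_b,
        "new_device_decrypts": decrypt_vault(key_b, blob) == vault_contents,
        "password_without_secret_key_fails": decrypt_vault(key_without_sk, blob) is None,
        "secret_key_with_wrong_password_fails": decrypt_vault(key_wrong_pw, blob) is None,
    }


if __name__ == "__main__":
    for case, ok in scenario().items():
        print(f"{case}: {ok}")
```

The design point is the XOR of the two derived halves: the stretched password and the Secret Key each contribute 256 bits to the vault key, so a stolen blob plus a guessed password still leaves 128 bits of Secret Key entropy to recover, and a stolen Secret Key (from a keychain backup, say) still leaves the password guessing work. Where the Secret Key is backed up, as the quoted 1Password page describes, the guessing work is the only remaining barrier, which is why the thread's "and your master password" remark matters.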
I don’t get a lot of this discussion on the technical level so what makes 1PW potentially more secure than LastPass?
 