> Most people, I don't even use iCloud/KeyChain to save passwords, I don't want to save all my passwords with one vendor saved in a cloud.
How do you have your password on your phone + computer then?
> Why would you not use the built in password manager and instead willingly pay to use another, less secure, manager?
Because I have Windows, other non-Apple devices. Also it doesn't have 2FA support.
> Even if a hacker were to get a hold of my encrypted blob and I was stupid enough to have an easily guessed password (I don't), the hackers STILL couldn't get my passwords without my secret key. To get the secret key, they would have to have physical access to my house and know where I store it.
If the hackers stole the user database in this hack, who is to say they didn’t steal your encryption key? So, we are back to the dictionary attack on your password. Very few people can remember a non-complex password, so I’d say 95% (in reality 99.9%) are vulnerable to an offline dictionary attack.
> If the hackers stole the user database in this hack, who is to say they didn’t steal your encryption key? So, we are back to the dictionary attack on your password. Very few people can remember a non-complex password, so I’d say 95% (in reality 99.9%) are vulnerable to an offline dictionary attack.
The private keys are never sent to LastPass (or Bitwarden/1Password etc.). The keys are created locally on device and never sent to the company hosting the vault. Encryption and decryption are done locally on device. Unencrypted data is not sent to, or received from, the company hosting the vault. I've read both LastPass's and 1Password's security white papers and both work this way.
If the hackers stole the user database in this hack, who is to say they didn’t steal your encryption key? So, we are back to the dictionary attack on your password. Very few people can remember a non-complex password, so I’d say 95% (in reality 99.9%) are vulnerable to an offline dictionary attack.
I can't speak for other password managers, but 1Password uses TWO pieces of information to encrypt the data. One is my password (which is only in three places: in 1Password, on a piece of paper in my home, and in my mind) and the other is a secret key (two places: the piece of paper and in 1Password).
> Please, before you spread any more falsehoods, take some time to educate yourself on how password managers work. The password and encryption key are NEVER sent to the cloud, all data is encrypted and decrypted locally. Once again, there is no way a hacker can steal my encryption key from 1Password.
So, how do you recover your encryption key on another device that belongs to you if the encryption key is only stored locally on your device and never sent to the cloud?
> So, how do you recover your encryption key on another device that belongs to you if the encryption key is only stored locally on your device and never sent to the cloud?
The key is derived from your master password, and (in the case of 1Password) the secret key that is created locally on device when you create your account. With both pieces of information the local key is created on each local device.
> So, how do you recover your encryption key on another device that belongs to you if the encryption key is only stored locally on your device and never sent to the cloud?
That is why 1Password has a number of warnings to print and keep a copy of your Secret Key somewhere safe. If you lose it, your data is GONE. To be clear, once you have signed into your password vault, the secret key is securely stored on your device, but your password is required to log in (which is NEVER stored directly on your device).
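The two posts above (the "two pieces of information" post and the "key is derived from your master password and the secret key" post) describe why a server-side breach alone does not expose a vault protected this way. The following is an added illustration written for this thread; it is not 1Password's code nor its actual 2SKD derivation, and the PBKDF2 work factor, salt, wordlist and password are constructed assumptions. It derives a vault key from both a master password and a device-generated random Secret Key, then models what someone holding only the stolen server-side material can verify with and without that Secret Key.

```python
import hashlib
import hmac
import math
import secrets
from itertools import product

ITERATIONS = 100_000   # assumed PBKDF2 work factor (not 1Password's real parameter)
SECRET_KEY_BYTES = 16  # 128-bit random Secret Key created on the device at signup


def generate_secret_key() -> bytes:
    """The device-side random component; it is never sent to the vault provider."""
    return secrets.token_bytes(SECRET_KEY_BYTES)


def derive_vault_key(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Stretch the master password with PBKDF2, then bind the Secret Key to it.

    Both inputs are required: either one alone yields an unrelated key.
    (Simplified model, not the real 2SKD construction.)
    """
    stretched = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                    salt, ITERATIONS)
    return hmac.new(secret_key, stretched, hashlib.sha256).digest()


def search_for_key(target_key: bytes, salt: bytes, wordlist, secret_key_candidates):
    """Model of what a holder of the stolen server-side blob can do offline:
    derive a key for each (Secret Key candidate, password guess) pair and test it.

    Returns (recovered password or None, number of derivations performed).
    """
    tried = 0
    for secret_key, guess in product(secret_key_candidates, wordlist):
        tried += 1
        if hmac.compare_digest(derive_vault_key(guess, secret_key, salt), target_key):
            return guess, tried
    return None, tried


def effective_search_bits(wordlist_size: int, secret_key_known: bool) -> float:
    """log2 of the (password x Secret Key) space an offline guesser must cover."""
    bits = math.log2(wordlist_size)
    return bits if secret_key_known else bits + 8 * SECRET_KEY_BYTES


# Constructed demo data: a weak master password drawn from a tiny wordlist.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed; stored server-side
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon"]
WEAK_PASSWORD = "letmein"


def demo():
    """Returns (found_with_key, tries_with_key, found_without_key, tries_without_key)."""
    secret_key = generate_secret_key()
    stored = derive_vault_key(WEAK_PASSWORD, secret_key, SALT)

    # Case 1: the stolen blob AND the Secret Key (e.g. also taken from the device):
    # the weak password falls to a dictionary search in a handful of derivations.
    found_with_key, n_with = search_for_key(stored, SALT, WORDLIST, [secret_key])

    # Case 2: the stolen blob only. The Secret Key never left the device, so the
    # guesser can only pair each password guess with random 128-bit keys
    # (three tried here; 2**128 would be needed to exhaust the space).
    found_without_key, n_without = search_for_key(
        stored, SALT, WORDLIST, [generate_secret_key() for _ in range(3)])

    return found_with_key, n_with, found_without_key, n_without


if __name__ == "__main__":
    print(demo())
    print("search bits, Secret Key known:", effective_search_bits(len(WORDLIST), True))
    print("search bits, Secret Key unknown:", effective_search_bits(len(WORDLIST), False))
```

The point the model makes is the one argued in the thread: with the Secret Key in hand, a weak master password is recovered after a few derivations, while without it every password guess has to be paired with a 128-bit value the server never held, which is why the posts above stress keeping the printed Secret Key safe rather than relying on password strength alone.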
> iCloud Keychain doesn’t require storing the encryption key on a piece of paper in your house, and the setup of a new device automatically enables access to the iCloud Keychain (with a 2FA authentication request). Hence, the encryption key is obviously stored in the cloud.
Again, please educate yourself about how modern security works. In the case of iCloud Keychain, your data is encrypted by your password/passcode and information about your device BEFORE it is sent to Apple. Here, once again, ******:
> To be fair I didn’t find 1password much better and as far as I know that’s their top competitor.
Guess the amount of data breaches can do the talking then. One party seems prone to it.
> Best to AVOID third party products
I don’t work for Apple so these are all third parties to me.
> The only thing I'm using is iCloud keychain. Period.
Do you find you often need to comment on products you don’t use?
So, how do you recover your encryption key on another device that belongs to you if the encryption key is only stored locally on your device and never sent to the cloud?
iCloud Keychain doesn’t require storing the secret key on a piece of paper in your house, and the setup of a new device automatically enables access to the iCloud Keychain (with a 2FA authentication request). Hence, the secret key is obviously stored in the cloud (if I were to guess encrypted with my public key).
This is from their website:
“Have peace of mind if you lose a device. Encrypted copies of your Secret Key are stored in your device backups and keychains to provide data loss protection. If you have iCloud Keychain turned on and lose your Mac, iPhone, or iPad, you can restore from a backup and unlock 1Password with just your account password. It’s the same for Android backups.”
What about in Windows?
So, they rely on a platform Keychain to safe-keep and propagate to other devices the encrypted secret key? What about propagating it from one platform to another? How do you get it by logging in to the account from another device? So, is it actually stored in the cloud then (maybe also encrypted with your public key)?
Do you actually understand how it works?
> Best to AVOID third party products
If you don’t work for Apple, it’s technically 3rd party to you also. Besides… like Apple is perfect.
Again, please educate yourself about how modern security works. In the case of iCloud Keychain, your data is encrypted by your password/passcode and information about your device BEFORE it is sent to Apple. Here, once again, ******:
iCloud security overview - Apple Support
It is fine you don't understand how this works, but please consider doing research instead of posting incorrect information.
So…
Whew! Crisis averted!
- hacker breaks into password company
- passwords were protected from theft
> You're making some great points. I hadn't realized that 1Password stored the secret key in the keychain. I had thought it was stored in a way that never left my machine. In fact, that's why I thought I had to be so careful with my secret key - print it out and hide it somewhere.
I have my iCloud Keychain off.
> So 1Password's security is only as secure as my keychain, whose security I don't completely understand or trust. If I try to log in to iCloud on a new device or browser, one of my existing devices is required to grant approval. But Apple must provide a way in if you no longer have access to any old device. Email or SMS to a contact registered to my Apple ID is pretty weak security. I must be missing something.
And your master password.