Exactly. And who pays for all the damage when they are hacked and hackers decrypt your account information?

Moreover, the way 1Password is choosing to respond to queries about local storage gives me pause about how they would handle a security breach. (Hint: like politicians, they are refusing to answer the questions posed about retaining a local storage option in future versions. They just keep repeating the "we aren't removing existing functionality in current versions" mantra).

Whilst being concerned about such things is healthy, I'd suggest reading up on how most password managers work. Anything not coded by muppets is encrypted via the passphrase, which is never sent over the network.

So an attacker should be able to hack the remote site and steal your password database all they like. They don't have the unencrypted data.

The naive implementation of a password database - i.e., having you enter your passphrase, which is then sent to the site to decrypt your password (or even worse, to just log into the remote site to retrieve a clear text version of your password) and sent back to you - just isn't the way it is done by any security company with any sense.

The encryption used by a password manager can be much, much stronger than the encryption used by say, a website login. A website has to process many, many password checks per second. Your password manager can use enough rounds of encryption so that waiting a second or thereabouts for it to unlock your database (due to processing the encryption) is good enough. But such heavy encryption means that brute forcing it is very slow.

vs. brute forcing a stolen website password database (e.g., say macrumors gets hacked and their user passwords get downloaded), which is often very quick to crack, because the encryption has to be FAST. Two totally different scenarios. A website password database can have millions or billions of attempts made on it per second with any modern GPU. A decent password manager database is millions (or more) times slower to break, because it was designed without the constraints of having to be FAST to respond to huge numbers of website hits.


Don't get me wrong.

If you KNOW your password database has been stolen, you should change the passphrase on it (as a precaution, to be sure), and when you can, change the passwords contained in it.

But the encryption on your password database gives you a very long time to be safe until you can do that, unless the attacker also KNOWS your password database master passphrase. To crack a KeePass database via brute force, for example, would take a current PC something in the order of trillions of years at current processing speeds.
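As an added illustration of the trade-off the post above describes (this is not code from the thread, from 1Password or from KeePass; the attacker hash rate and the passphrase space are constructed assumptions), the following shows a client-side key derivation and how brute-force time scales with the iteration count:

```python
"""Why a password manager can afford far slower key derivation than a
website login, and what that does to brute-force time.

Added illustration; the attacker rate and passphrase space below are
constructed assumptions, not figures from any product or from the thread.
"""
import hashlib
import os
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_key(passphrase: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master passphrase into a 256-bit vault key with PBKDF2-HMAC-SHA256.
    This runs on the client; the passphrase itself never goes over the network."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, dklen=32)


def unlock_seconds(passphrase: str, iterations: int) -> float:
    """Measure how long one unlock (one key derivation) takes on this machine."""
    salt = os.urandom(16)
    start = time.perf_counter()
    derive_key(passphrase, salt, iterations)
    return time.perf_counter() - start


def guesses_per_second(iterations: int, raw_hash_rate: float) -> float:
    """Constructed model: an attacker who can run raw_hash_rate SHA-256 operations
    per second gets about raw_hash_rate / iterations passphrase guesses per second,
    since every guess must repeat the whole iteration chain. (HMAC overhead is
    ignored; accounting for it would only make the attacker slower.)"""
    return raw_hash_rate / iterations


def years_to_exhaust(space: float, iterations: int, raw_hash_rate: float) -> float:
    """Worst-case years to try every candidate in a passphrase space of `space`."""
    return space / guesses_per_second(iterations, raw_hash_rate) / SECONDS_PER_YEAR


if __name__ == "__main__":
    RAW_HASH_RATE = 1e10  # constructed assumption: SHA-256 ops/s available to the attacker
    SPACE = 95 ** 12      # constructed: random 12-character printable-ASCII passphrase
    for label, iters in (("website-style, 1 iteration", 1),
                         ("vault-style, 600,000 iterations", 600_000)):
        print(f"{label}: {years_to_exhaust(SPACE, iters, RAW_HASH_RATE):.3g} years")
    # The defender pays the iteration cost once per unlock; the attacker pays it per guess.
    print(f"one unlock at 600,000 iterations took {unlock_seconds('correct horse', 600_000):.2f} s")
```

The exact figures depend entirely on the assumed attacker rate and passphrase space; the point the numbers make is that brute-force time grows linearly with the iteration count the vault owner chooses.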
 
I can't see why people would go with 1Password now. They are getting rid of what makes them stand out. LastPass is a better deal for a cloud based sync service. They have a cheaper multi Platform sync service and free sync service.

The last I checked, LastPass supported a wider range of platforms. While the vault is stored online, it is encrypted. If you forget your password, your vault is dead as they don't have the key. All your passwords, notes and forms are lost evermore.
 
Not a 1Password user here, so serious question to users: what's wrong with Apple's Keychain?

Why use a subscription when Agile could store the passwords on iCloud?
Same thing that's "wrong" with some other Apple apps and services: too basic for some users. 1Password can store text-based notes, credit card info beyond the account numbers (like contact info if you lose it), and Google Authenticator temporary codes, to name a few. It also has deeper password generator tools and is cross-platform.
 
So you guys that are opposed to this are also opposed to services like LastPass and Dashlane? Not the price but storing your passwords in the cloud.

If "the cloud" means some random, faceless, remote, server that is accessible by who knows whom, and is located who knows where, and is as secure as my fridge, then "yes".
Did anyone actually read their security explanation: https://1password.com/security/ ? I don't use them, but it doesn't appear that someone who hacks them and obtains your vault will be able to decrypt it.

Here's a better idea: Do. Not. Do. It.
 
Relax. My limitations are not yours. My main limitation would be from machines that I don't administer. For example my work machine. Web access would be of value to me. For the record I am not afraid of the hacking boogie man. I expect a site maintained by established security experts to be reasonably safe. Almost every hack that you see online is the result of some amateur mistakes.

You keep believing that. By the way, where do you work? I want to make sure I don't entrust any personal data with your company.
 
Would definitely change product if they go subscription only. I paid and I want to keep it the way it is now!
 
Seems cloud based solutions are standard these days. Let's see if they actually do get hacked. Who can blame these companies. You can't sustain a business on the pittance people think they should pay for software. Have you seen the price of food, clothing and shelter in a western city? It seems like a fair price for the service. If it's not your thing then move on and stop complaining. You're in the wrong snack bracket. Maybe consider a Chromebook. Maybe all the time you spend complaining about a few dollars a month could be put to being more productive and bringing in a few bucks.

I think you have misplaced your retort. Most users are not complaining about the price but rather about being forced to store their data in the cloud. That is a legitimate criticism. Who pays for identity theft when it happens?
 
Relax. My limitations are not yours. My main limitation would be from machines that I don't administer. For example my work machine. Web access would be of value to me. For the record I am not afraid of the hacking boogie man. I expect a site maintained by established security experts to be reasonably safe. Almost every hack that you see online is the result of some amateur mistakes.

Oh, you mean Microsoft, Apple and all other tech companies are amateurs, right?
Because they all had bugs and security holes which are patched all the time.
Do you trust 1Password more than Apple?
I don't.

Also, what is the point of this?
I have the standalone app, and I use iCloud sync, so I am not against the cloud, but I do care about who runs the cloud.
Why would I pay 2.99 a month for basically the same thing?
To use a website? For that I would create a LastPass account for free for a small subset of passwords, as I don't want my banking credentials on those types of services.
 
I'm a long time 1Password user. I understand why they moved to a subscription model. I cannot remember the last time I paid for the standalone version. Their upgrade model was pretty generous. The subscription model allows them to continue to support themselves.
The cloud part - I really don't have a problem with it. Dropbox, iCloud, 1Password.com - all in the cloud. Encryption is the big concern. I'm satisfied with their encryption.
Also, I got a great deal when they moved to cloud, and now am able to administer all the vaults for my family. If my wife forgets the password for her vault, I can reset it. The kids get their own vault. I even have a separate subscription for work. Keeps things separate and I can share passwords as needed. I can easily generate new passwords when needed and expire old ones. 1PW also helps me audit my passwords. I feel the value they give me for my subscription is worth it and I feel secure.
As for those wanting to use Apple Keychain. You can actually get the best of both worlds. You can have 1PW or Keychain generate the password then you can have both services save the password and all that.
Yes, the days of pay once licenses are going away but I see value in supporting some companies to ensure they are around for a long time. LastPass has been purchased. They also had a couple of security breaches. KeePass wasn't viable for me the last time I looked. Other solutions are, well, meh as well.
 
If they remove local storage, my family and I are out. Apple's Keychain would work for passwords and that is free.

What other options remain?

I only use Apple Keychain for passwords and an app that only stores passwords locally on each device.

But isn't Keychain using iCloud?
 
Whilst being concerned about such things is healthy, I'd suggest reading up on how most password managers work. Anything not coded by muppets is encrypted via the passphrase, which is never sent over the network.

So an attacker should be able to hack the remote site and steal your password database all they like. They don't have the unencrypted data.

The naive implementation of a password database - i.e., having you enter your passphrase, which is then sent to the site to decrypt your password (or even worse, to just log into the remote site to retrieve a clear text version of your password) and sent back to you - just isn't the way it is done by any security company with any sense.

The encryption used by a password manager can be much, much stronger than the encryption used by say, a website login. A website has to process many, many password checks per second. Your password manager can use enough rounds of encryption so that waiting a second or thereabouts for it to unlock your database (due to processing the encryption) is good enough. But such heavy encryption means that brute forcing it is very slow.

vs. brute forcing a stolen website password database (e.g., say macrumors gets hacked and their user passwords get downloaded), which is often very quick to crack, because the encryption has to be FAST. Two totally different scenarios. A website password database can have millions or billions of attempts made on it per second with any modern GPU. A decent password manager database is millions (or more) times slower to break, because it was designed without the constraints of having to be FAST to respond to huge numbers of website hits.


Don't get me wrong.

If you KNOW your password database has been stolen, you should change the passphrase on it (as a precaution, to be sure), and when you can, change the passwords contained in it.

But the encryption on your password database gives you a very long time to be safe until you can do that, unless the attacker also KNOWS your password database master passphrase. To crack a KeePass database via brute force, for example, would take a current PC something in the order of trillions of years at current processing speeds.

That sounds good, but there are for me two key questions which you raise: 1. Does 1Password treat security properly as you describe? 2. How long would it really take to crack a database--surely a trillion years is an exaggeration.

The problem for me is that there are too many passwords (over 300), even essential ones (50-100), for me to reset if my data were to be stolen.
 
So you guys that are opposed to this are also opposed to services like LastPass and Dashlane? Not the price but storing your passwords in the cloud.
I use LastPass for some less important passwords, like Twitch and things like that. For main accounts/banking hell no!
I'm not sure the so-called security experts here make any sense at all. Your passwords aren't any less secure on a cloud based server than with the 1Password folks. Security comes from encryption of the files, not the location of the files. Any server can be hacked; it is a lot more difficult to decrypt a well encrypted file.
Depends how the keys are stored.
 
There are some products where you don't want to pay monthly. 1Password is not one of them. They are using AWS S3 object stores for password storage and store each object separately. This means someone would have to break into AWS, get the object, run it through an AES decrypt tool (not possible currently due to the two 'passwords' used in the cloud model), only to find it's the PIN for your country club locker. On to the next, and so on.

In my opinion, some smaller companies deserve your ongoing support, especially those that manage your most personal items: passwords and PINs. I have switched to a family account. Security isn't about just the product; it's about the company behind it too.
 
I'm a long time 1Password user. I understand why they moved to a subscription model. I cannot remember the last time I paid for the standalone version. Their upgrade model was pretty generous. The subscription model allows them to continue to support themselves.
The cloud part - I really don't have a problem with it. Dropbox, iCloud, 1Password.com - all in the cloud. Encryption is the big concern. I'm satisfied with their encryption.
Also, I got a great deal when they moved to cloud, and now am able to administer all the vaults for my family. If my wife forgets the password for her vault, I can reset it. The kids get their own vault. I even have a separate subscription for work. Keeps things separate and I can share passwords as needed. I can easily generate new passwords when needed and expire old ones. 1PW also helps me audit my passwords. I feel the value they give me for my subscription is worth it and I feel secure.
As for those wanting to use Apple Keychain. You can actually get the best of both worlds. You can have 1PW or Keychain generate the password then you can have both services save the password and all that.
Yes, the days of pay once licenses are going away but I see value in supporting some companies to ensure they are around for a long time. LastPass has been purchased. They also had a couple of security breaches. KeePass wasn't viable for me the last time I looked. Other solutions are, well, meh as well.

Yeah, I use both 1Password and Apple Keychain.

1Password as the master store. Apple Keychain so that I save logins in Safari and they just magically work everywhere else, so long as it's an Apple device.

But not all my devices are Apple sooo.... 1Password or KeePass are my options. KeePass at work because we're mostly a PC shop and it is free and in some ways better. But 1Password, if you are in the Apple ecosystem, is very slick.
 
How is this different than iCloud or DropBox or Box? If it's well encrypted it's reasonably safe. If you store it locally and don't encrypt or have a weak password or use public WiFi w/o VPN how is that safer than encrypted cloud services?
 
How is this different than iCloud or DropBox or Box? If it's well encrypted it's reasonably safe. If you store it locally and don't encrypt or have a weak password or use public WiFi w/o VPN how is that safer than encrypted cloud services?

I trust Apple more with my data than 1Password. That simple.
Also some people prefer to use LOCAL only vaults, and that is the main issue here: them possibly removing it in the future.
Right now you can have an encrypted vault syncing via Wi-Fi; I don't think there is an option for non-encrypted. Regarding public Wi-Fi, that is a very targeted attack.
AN ONLINE password repository is much more yummy for black market hackers. See previous LastPass or OneLogin hacks...
 
That sounds good, but there are for me two key questions which you raise: 1. Does 1Password treat security properly as you describe? 2. How long would it really take to crack a database--surely a trillion years is an exaggeration.

The problem for me is that there are too many passwords (over 300), even essential ones (50-100), for me to reset if my data were to be stolen.

Whilst 1Password is closed source, the basics of how to build a proper password manager aren't rocket science.

KeePass is open source; they have a bit of info on their site (I can't remember where I found the "trillions of years" estimate, it was about 3-4 years ago and likely changed by now. However, the point is that you or I will definitely be well and truly dead before it happens).

They explain how your password database can be stored in publicly accessible places here:

http://keepass.info/help/kb/faq.html#dbshare

Again, that's not 1Password, but again, this stuff isn't rocket science.

IF your database is stolen, you should be totally fine. It's designed so that if the files are stolen, they are essentially useless. But it would be prudent to reset passwords when you can to be doubly sure. Because if someone has your database, the only thing that protects it is your master passphrase. If they also manage to steal that, then it's wide open.

So pick a secure master passphrase, don't use it anywhere else and don't share it. Ever. And don't store it on any electronic device.
 
That sounds good, but there are for me two key questions which you raise: 1. Does 1Password treat security properly as you describe? 2. How long would it really take to crack a database--surely a trillion years is an exaggeration.

The problem for me is that there are too many passwords (over 300), even essential ones (50-100), for me to reset if my data were to be stolen.
They have a white paper available that may be helpful with those questions.

1Password comes with alerts (via Watchtower) that let you know if you have passwords associated with sites that have been breached. A service that would automate the password changing process would more than likely require you to transmit your password to a third party, which you would likely be concerned about as well.

Edit: Removed the question because I misread your original post.
 