In my opinion, the real focus should be on educating people on creating a good vault password, whether it be for 1Password or another app.

When I was at the Verizon store last December setting up my new iPhone 7 Plus, the rep commented on the length of my iCloud password, as it took several seconds to enter. I am sure he (and many others) is used to a short word or a few digits for access. I told him my password is 32 characters long (a mix of upper and lower case, numbers and symbols). He was shocked. He thought that was crazy. I said it may sound crazy to have to manually enter a password of that length on a regular basis. However, I would rather do that than take a chance for the sake of convenience.
 
You're digging deeper into a rabbit hole. If you attempt to consider every potential vulnerability/attack surface, then when will this end - at the hardware level? I keep reiterating the same idea throughout this entire thread, but the goal of having perfect security vs. providing users with good security isn't a good mindset to have because the trade-offs would otherwise be a net negative for the users.

It's simple really: keep the vault on the user's computer if that is what they want. I just want to buy the software once, no monthly subscriptions, and let me handle where my vault is stored.

It is possible to implement this without ever transmitting credentials to their server. Basically, you perform the key derivation and de-/encryption functions through a JavaScript program running in your browser. There are a number of well-established JavaScript crypto libraries out there.

I think you may have misunderstood what I was saying. I fully comprehend that the encrypted vault is transferred to the web browser of the user and then client-side code (JavaScript) does the decryption.

My point is that the client-side JavaScript code only asks for one input from the user: their password. Meaning the encrypted vault is encrypted using the user's password, for the JavaScript to be able to decrypt it using only their password.

And that is where the problem is: if a hacker gets the encrypted vault from 1Password, they can brute force user passwords against the individual vaults to unlock them, just like how the JavaScript code run in the user's browser decrypts the vaults.

I am not suggesting your vault password is ever sent to 1Password servers.
 
If they don't continue to support local vaults and wifi sync, I can't continue supporting them.
 
I'm not a fan of storing my data in the cloud, regardless of how much they (or anyone, for that matter) promise that my data is safe. 1Password seems to be moving in a direction that is counter to what I prefer, whether it's a subscription-based app or my vault being on their servers.
 
It doesn't matter if they store your password on their servers or not. If they get breached and thousands of people's vaults are taken, the cracking will begin. Many people won't use a super strong password on their 1Password vault, and that is the seed which determines the encryption key for your vault.

Now instead of breaking one website login (like when they compromise, say, a forum you use), they will break your entire vault and get hundreds of logins to every website you use.

Can you imagine how long it would take to change EVERY password? I have over 350 logins in my 1Password vault. I do not want my vault stored on their servers. This isn't a question about whether it is encrypted with a password that is stored on their servers or not; this is about it being cracked in the event it gets stolen in a breach.

This is the problem you see - this is all completely wrong - on so many levels.

First, your assumption of where they store the vaults is wrong. Your assumption that a weak master password will compromise each vault object is wrong (1Password doesn't encrypt vault objects using just one password).

Finally, your solution of 'well, we'll just pick a free password manager', not caring where this company is based (Enpass is built by a company in India, for example: what are the laws regarding the Indian government forcing the creators of Enpass to install a back door?) - so be very careful in your assumptions.
 
Looks like 1Password is trying to be more like Keeper Security. I suspect 1Password's encryption model and service offerings still have a long way to go, and 1Pass charges more too.
 
Reaching for the holy grail of a subscription model. The demise of so many great software products/companies.

I agree. So far Daylite, Billings, YNAB (You Need a Budget), Adobe, Avid, and so many others. I use the applications as mentioned earlier or did at one point. YNAB at least let us keep the old one-time fee version. If 1Password goes subscription, they can forget about it.
 
I think you may have misunderstood what I was saying. I fully comprehend that the encrypted vault is transferred to the web browser of the user and then client-side code (JavaScript) does the decryption.

My point is that the client-side JavaScript code only asks for one input from the user: their password. Meaning the encrypted vault is encrypted using the user's password, for the JavaScript to be able to decrypt it using only their password.

And that is where the problem is: if a hacker gets the encrypted vault from 1Password, they can brute force user passwords against the individual vaults to unlock them, just like how the JavaScript code run in the user's browser decrypts the vaults.
From what I understand 1Password requires a combination of a password and a secret key to decrypt the database (similar to key files in other software such as Keepass or Veracrypt). That key is stored in the apps and in the web browser (if you use the web access), but not on their server, and it is composed of a long series of random characters that should be infeasible to crack.

I think the web-based access is probably the biggest weakness in their security model for the reasons mentioned earlier. And of course there is always the possibility of implementation flaws.
 
It is solved. It is solved with local sync.
I wouldn't consider that to be solved, simply because it doesn't apply to your use case.

It's simple really: keep the vault on the user's computer if that is what they want. I just want to buy the software once, no monthly subscriptions, and let me handle where my vault is stored.
Ah, looks like we were talking past one another. I was referring to your original post regarding users using insecure passwords for their master passwords, and what I was trying to point out was that the secret key is generated by 1Password and is not user set, so that would mitigate the brute force attack that you brought up.
 
1Password has been selling me "one-time" licenses forever, usually, when they can't get new users to buy so they fleece their current ones, breaking their promises. They've done this repeatedly because their business model simply doesn't work.

I've switched to LastPass since they went the subscription route. It's MUCH cheaper. Not as pretty, but it does what I need it to.

Unfortunately, 1Password is a feature, not a product.
 
I wouldn't consider that to be solved, simply because it doesn't apply to your use case.

I have no problem with options. I have a problem with taking options away.

Which is what AgileBits is doing, and they are not even honest about it.

Their answers are carefully crafted (you currently can) and they stay as vague as possible to keep the user outrage down.

[Image: statement2.png]

----------------------------------

[Image: nonstatement.png]
 
So as I understand it, 1Password runs on AWS - not their own servers. So not sure having 1Password store your data is any different than syncing through iCloud/Dropbox/MS/etc.

For the people that choose not to sync with ANY cloud service.....then I think the future is pretty clear at this point. 1Password is not going to be for you. It may work today, but you can't count on it working in the future. Personally I think that's kind of a crappy thing to do. I can see where they wanted to move away from sync options they don't control - less code, less support hassles. But you'd think they would have continued to allow local storage options if people chose that.

As for subscriptions.....yeah, I think 1Password is a bit too high. I pay for it because I don't want to use any of the other options, but would love for it to be a little less per year. I don't mind a subscription as long as it makes sense.
 
This quite frankly angers me. I have bought family licenses, ios licenses, etc. If they want me to buy a subscription after all that I am gone. If I am forced to go with an alternative, I will go with Lastpass at $12/year as that is far more reasonable.

I have seen the writing on the wall for quite some time. These "older" companies that used us initially now realize their pricing strategies aren't good enough so they make us suffer. Evernote screwed those of us that paid them for years at a few bucks a year. Then they changed it all around and wouldn't grandfather in those of us who had been there since the beginning. I kicked Evernote to the curb and just went with Apple Notes. Haven't regretted it yet. I will do the same with 1Password.

O'Reilly Safari honored a deal I got in 2002 for ten books on my bookshelf for $9.99 a month. They honored that deal forever in a grandfathered capacity. My credit card even expired, I called them and they reactivated it. Now that is how you do it.
 
Right, but functionally, that comes down to how strong the encryption is, be it Apple or LastPass or 1Password. There is nothing inherently safer about storing any data, passwords, docs, video, on local drives than on the cloud.
Unless that computer is air-gapped from the internet, it's only as safe as it is hard to hack into. And when somebody hacks into your computer, they can install a keylogger to extract the master key for your vault. When somebody hacks into, e.g., Dropbox, they only have your encrypted vault, which they then have to decrypt by brute force.

Yes, having the data stored on another computer and transmitted over the internet between that computer and your Mac adds additional points of failure. The question is, how big a risk are they? If your current risk of getting hacked is 1 in 1,000 and the risk of the password server storage and transmission getting hacked is 1 in 10,000, then battening down your hatches brings more benefits than giving up on password syncing.
 
From what I understand 1Password requires a combination of a password and a secret key to decrypt the database (similar to key files in other software such as Keepass or Veracrypt). That key is stored in the apps and in the web browser (if you use the web access), but not on their server, and it is composed of a long series of random characters that should be infeasible to crack.

I think the web-based access is probably the biggest weakness in their security model for the reasons mentioned earlier. And of course there is always the possibility of implementation flaws.

One of the security researchers involved in the Twitter spat actually tested this. He set up a brand new browser, went to the 1Password website, logged in using one single password and got his vault access. At what point was a secret key used?
 
Only Westerners use this thing. Ridiculous.
(Go to Japan, come to India [and China? Haha]: there is no existence of 1Password. America seeks convenience for everything, then goes on to discover a problem that never existed in the first place. The credit card structure has ruined the minds of people. Washing machines, mixers, even electric toothbrushes, electric everything, then spend hours in the gym and money in hospital aid to combat obesity, is one example.)

So you probably don't have an iPhone out of principle because it is used and was invented by Westerners too right? Oh the horror - trying to solve problems and make the world a better place!!!
 
Only Westerners use this thing. Ridiculous.
(Go to Japan, come to India [and China? Haha]: there is no existence of 1Password. America seeks convenience for everything, then goes on to discover a problem that never existed in the first place. The credit card structure has ruined the minds of people. Washing machines, mixers, even electric toothbrushes, electric everything, then spend hours in the gym and money in hospital aid to combat obesity, is one example.)

Lol, where did you manage to pull this out of? You're welcome for: the internet, modern transistors, GPS, iPhones and Androids. You seem a little upset about something and decided to make an ad hominem argument. Not sure what point you are trying to make about credit cards; Americans have a consumptive culture which pushes innovation.

The entire concept behind entrepreneurship is creating a solution for a problem people didn't even know they had; we would still be riding horses if someone hadn't thought of making transportation more convenient. A more modern example: people would still have to carry around maps, encyclopedias, and radios if it weren't for the iPhone.
 
"It's for the customers..," blah blah blah... What a load. Every single software company that goes that way is full of crap. It's for their own best profits.
I expect a site maintained by established security experts to be reasonably safe. Almost every hack that you see online is the result of some amateur mistakes.

Have you met the internet? Or read software/service agreements? "Reasonable" is a rather subjective term and constantly being driven down in a virtual limbo contest. No one guarantees their service, so why promote illusions of security by putting "experts" on a pedestal?
 
One of the security researchers involved in the Twitter spat actually tested this. He set up a brand new browser, went to the 1Password website, logged in using one single password and got his vault access. At what point was a secret key used?

According to this: https://support.1password.com/secret-key-security/ - the secret key is stored on a computer, regardless of the browser. They probably use JS to locate it on your computer if it already exists there, so if he didn't format his machine prior to testing, it makes sense he was automatically logged in.
 
Frankly it sounds like a security researcher or two was paid off here. A cloud-based repository isn't any less secure than 1Password's. It all comes down to the quality of the encryption of the file. The fact of the matter is that anything exposed to the wild network can be hacked, so the real security comes from unreadable files.

Absolutely correct. The subscription service is cheap. I'm happy to pay it for the service of 1Password.
And the real key to this is the quality of the encryption, regardless of where the files are located. I'm very comfortable with Agilebits storing my passwords. I get spam emails from people who have gotten my email address by invading my friends' computers, so your computer isn't any less secure just because it's local.

But here, on this forum, after reading hundreds of posts, I am convinced that many here live here to argue, complain, moan, want everything for free, and frankly just to spout off. What's really sad isn't 1Password. It's the posts from most here.
 
One of the security researchers involved in the Twitter spat actually tested this. He set up a brand new browser, went to the 1Password website, logged in using one single password and got his vault access. At what point was a secret key used?

When you go to the 1Password site to log in for the first time, you are asked for three bits of info: Email, Secret Key and your Master Password. If you don't choose the "This is a public computer" option, then the Secret Key is saved the first time you log in.
 
[Attachment: Screen Shot 2017-07-12 at 3.25.21 PM.png]
One of the security researchers involved in the Twitter spat actually tested this. He set up a brand new browser, went to the 1Password website, logged in using one single password and got his vault access. At what point was a secret key used?
What I wrote above is based on their whitepaper. I'm not a 1Password user and don't know the details of actually using the web page, but presumably the secret key needs to be entered the first time you access your database via the web site (after that it could be stored e.g. in a cookie or localstorage object so you don't have to enter it again).
 
Okay, so for those who won't stay with 1Password, where are you going?

Like I said earlier, I'd switch to KeePass today if the iOS apps worked better. I should just be able to hit the share button in my browser, click on the KeePass iOS app, select the login I want, and have it auto load that login info into my browser. Using copy/paste is inconvenient and insecure, using a browser built into the KeePass app is inconvenient and insecure.
 
According to this: https://support.1password.com/secret-key-security/ - the secret key is stored on a computer, regardless of the browser. They probably use JS to locate it on your computer if it already exists there, so if he didn't format his machine prior to testing, it makes sense he was automatically logged in.

In my testing, it's stored in the browser itself. After logging in using Chrome for example, if I go to Safari the Secret Key field is empty.

I can get rid of the Secret Key field in Chrome by clearing my cookies for the site.
 
I still like the xkcd method. However I use several languages instead of just English. I had my Twitter and Netflix accounts attacked several times. After going to xkcd, it has never happened again.

I know some think it's no longer secure but it all depends on what words you're using. The more obscure the better.
 