Can 1Password be hacked?

deeptide
Community Member
edited March 2016 in Lounge

****I am not affiliated with, maintained by, or in any way officially connected with producer of this youtube video, Running With Crayons LLC or any of its business units****

Of course like most of you, my switching cost from 1Password correlates to its utility, and for my family of five its utility is very, very high. Kudos to Agilebits! With that out of the way - Existential Concern: youtube.com/watch?v=-UZ1mHknTiM | I am sure Agilebits is aware of this videos security risk statement: Does said statement warrant a response? Has Agilebits already responded? If yes, where?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • AGAlumB
    1Password Alumni
    edited March 2016

    @deeptide: First of all, thank you for the kind words! I'm glad to hear that you and your family are enjoying 1Password! :chuffed:

    Since you weren't specific about the "security risk statement" you're referring to, I'm betting you meant this:

    12:48 "Also, Alfred can talk to the application known as 1Password, which is a password-storing utility. I don't really recommend using 1Password only for the reason — I've always said this before — if the CIA is getting hacked by China on a daily basis, [then] I'm pretty sure it's possible for someone to hack 1Password. So that's my only reason for why I don't recommend doing that." — David A. Cox

    After going through the full 17+ minutes of the video, that was the only reference to 1Password I found (apart from the Alfred preference which defaults to not saving 1Password's clipboard data, which I very much appreciate). Pretty crazy stuff. I think this is the key statement we need to examine:

    [I]f the CIA is getting hacked by China on a daily basis, [then] I'm pretty sure it's possible for someone to hack 1Password.

    Given that this is a conditional statement, and the first part of it (the "if") isn't true as far as anyone can tell, we can pretty much throw the whole thing out: it's simply not based in fact. But that wouldn't really answer the presumed question at the heart of it all, which is a reasonable question after all: "Can 1Password be hacked?"

    It's important to keep in mind that your 1Password data is end-to-end encrypted, so you can actually store your data in the "cloud" without fear (as I and many others do), since 1Password simply doesn't depend on anything else to protect your data. We've built 1Password's security with the worst-case scenario in mind — an assumption that it will at some point fall into the wrong hands — so that it remains secure even if that were to happen. 1Password is secure by design, not by chance.

    An interesting way to think of this is relative to the current legal battle between Apple and the FBI (about which there's been an interesting discussion here recently, if you're interested). The crux of that issue is that Apple is using industry standard encryption to secure user data. 1Password is based on this same encryption. And of course the FBI's complaint is that they can't crack, brute force, or otherwise decrypt the data. That should tell you all you need to know.

    Now, technically speaking, there are differences between the implementation that Apple uses for iOS and what AgileBits uses for 1Password, because one is an OS and one is an app. But suffice to say that encryption is math, and much like we had to crunch the numbers to do our algebra homework, there isn't a shortcut to decrypting data*, even with the key. And in the case of the FBI, China, or anyone who wants to get into encrypted data, if they don't have the key, they can't decrypt it. And in the case of 1Password specifically, if you use a long, strong, unique Master Password (which is further strengthened by PBKDF2), no one will be able to get into your vault.

    *There are definitely shortcuts in math, but these are known and everyone uses them. Encryption relies on this, and the fact that for many complex calculations there are no shortcuts.

    That brings us back to the government. Since AgileBits is a Canadian company, we're not subject to US laws or court orders, should they demand we produce user data, blah blah blah. But more importantly, AgileBits has access to neither your 1Password data nor the Master Password used to secure it, so this isn't something we even could provide to law enforcement, or have taken from us in some sort of attack by China, Hegimit*, or anyone else.

    *Hegimit is not a real thing. I think my brother made it up when we were kids. For our purposes here, it's a stand-in for any faraway, exotic place. I felt bad picking on just China.

    Since our data stored in 1Password is secure, that brings me back to passwords themselves. While it's certainly the prerogative of Mr. Cox or anyone else concerned to not use 1Password, there isn't really a good argument for not using any password manager — yet there are many strong arguments for doing so, especially if we're concerned about Hegiminese hackers: password reuse and weak passwords are the bane of everyone's existence online, and password managers can mitigate both of these.

    As I'm sure you know, a password manager like 1Password allows us to not have to remember our password for each site (which is what would otherwise encourage using the same password everywhere), and also to use crazy random passwords for each one. After all, if we had to remember and manually enter these all the time (and we all remember what that was like), it motivates us to use really bad ones, and fewer of them. This makes it easier for a "hacker" to guess them in an automated fashion, and then to use the same password to log in to another account.

    That's how most accounts get compromised, with others suffering this fate from a website breach (due to poor security, human error, etc.) And then in either case, this information is often sold to the highest bidder, posted freely on the internet, or used as a stepping stone to more valuable data. Using a different long, random password for each account (which 1Password makes it much easier for us as humans to do) means that even if one account is compromised (say, a security hole is found in a shopping site), no other accounts are affected. That minimizes the damage considerably. And if you're lucky, your login credentials may never be compromised in this fashion for any site, and the crazy random password will be impossible to guess.

    So rather than risk this hypothetical situation (where a hacker from China is somehow motivated to go after our data by trying to store passwords in our brains) and putting ourselves more at risk, we can mitigate most of this expressly by using 1Password to not only encrypt the data in the first place, but also to help us to make each individual account (which is more likely to be a target of attack) more secure instead. After all, the security of individual websites isn't within our control, but there's a lot that is. :pirate:

  • deeptide
    Community Member

    brenty - 12 minutes 48 seconds indeed! My mistake. I would think your considerate response particularly useful for those on password app products reconnaissance. However, my concern brenty - to sharpen the point - is my so called switching costs from organizations such as AgileBits omitting actions to first mitigate then preside over the social psychological effect of an exponentially growing narrative with seemingly humble, innocuous origins. Obviously, I'm responding to this youtuber's statements as I have no knowledge of his intentions. I've been quite surprised recently by the thinking of evidently ambitious, smart people - like those animating AgileBits I'm sure - that truth will always out, without rudder or wind.

  • BeSafe
    Community Member

    AgileBits has access to neither your 1Password data nor the Master Password used to secure it,

    but now with 1P Family and Teams, AB has access to data...how does that work? If I am not wrong even Apple says they could crack the data if it was backed up on iCloud....

  • Stephen_C
    Community Member

    @BeSafe take a look at this knowledge base article (which, although it mentions 1Password for Teams, applies also to 1Password for Families):

    1Password for Teams Admin Guide: Security

    It includes the following:

    End-to-end encryption

    When you use 1Password, your data is only transmitted to us in an encrypted state and is only decrypted on your devices under your control. We never have a copy of your decrypted data. This ensures that not only is your data safe from attackers, but it’s safe from us as well.

    We have zero knowledge of your confidential information. And because we don’t have access to your data, we can’t share it, use it, or abuse it — even accidentally.

    Stephen

  • AGAlumB
    1Password Alumni

    AgileBits has access to neither your 1Password data nor the Master Password used to secure it,
    but now with 1P Family and Teams, AB has access to data...how does that work?

    @BeSafe: That's a great point, and it's why I chose my words carefully: AgileBits never has access to your data, and this is just as true with 1Password for Teams/Families: your Master Password and Account Key are never transmitted, so while the server has the encrypted blob, no one — neither AgileBits nor an attacker — can decrypt the data to access it.

    More specifically, the Account Key is generated on your device when you first set up the account, and then only stored on devices you authorize; whereas the Master Password is chosen and known only by you. Without both of these and the encrypted blob (stored on the server and accessed by your devices), your data is truly not something that can be accessed — by AgileBits or anyone else. After all, if you lose these, even you will not be able to access it!

    If I am not wrong even Apple says they could crack the data if it was backed up on iCloud....

    You're wrong about the specifics, but that's not your fault; it's simply confusing! As with anything, Apple can only access data they hold the encryption keys to. Apple supposedly has the ability to decrypt iCloud backups. And while you may very well sync your 1Password data to iCloud in the app or back up your entire device, your 1Password data is encrypted from the outset ("end-to-end", as Stephen_C mentioned), so 1Password simply doesn't depend on the sync or backup service (iCloud or otherwise) to protect your data. 1Password is secure by design, not by chance.

    I would think your considerate response particularly useful for those on password app products reconnaissance.

    Thank you for the kind words! Any time I participate in a broad discussion like this I try to keep in mind that what I write may benefit others as well, so I wanted to take the time to cover everything — to the extent that I could.

    However, my concern brenty - to sharpen the point - is my so called switching costs from organizations such as AgileBits omitting actions to first mitigate then preside over the social psychological effect of an exponentially growing narrative with seemingly humble, innocuous origins. Obviously, I'm responding to this youtuber's statements as I have no knowledge of his intentions. I've been quite surprised recently by the thinking of evidently ambitious, smart people - like those animating AgileBits I'm sure - that truth will always out, without rudder or wind.

    Your point may have been too sharp...and flown over my head. Can you explain what you mean about "switching costs"? I think I'm missing your question here, but if you can clarify it for me I'll do my best to help with the answers! :blush:
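    As an added illustration of the two-secret idea in the reply above (this is constructed example code, not 1Password's implementation or anything from AgileBits): a PBKDF2-stretched Master Password and a random Account Key generated on the device are combined into the vault key, so the encrypted blob the server holds cannot be opened by anyone who lacks either half. The toy cipher, the iteration count, the salt handling and all sample values are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

PBKDF2_ITERATIONS = 100_000  # work factor on the password half; illustrative, not 1Password's value


def derive_vault_key(master_password: str, account_key: bytes, salt: bytes) -> bytes:
    """Derive a 32-byte vault key that requires BOTH secrets plus the per-account salt."""
    pw_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                                 PBKDF2_ITERATIONS, dklen=32)        # slow on purpose: stretches the password
    ak_key = hmac.new(salt, account_key, hashlib.sha256).digest()    # random key needs no stretching
    # XOR of two 32-byte keys: anyone missing either half faces a full 256-bit unknown
    return bytes(a ^ b for a, b in zip(pw_key, ak_key))


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def encrypt(vault_key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC blob (nonce || ciphertext || tag); a stand-in for a real AEAD."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(vault_key, nonce, len(plaintext))))
    tag = hmac.new(vault_key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(vault_key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the key is wrong (the tag fails to verify)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(vault_key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(vault_key, nonce, len(ct))))


def demo() -> tuple:
    """Constructed scenario: unlock with both secrets, then with only one of them."""
    salt = secrets.token_bytes(16)                    # stored on the server; not secret
    account_key = secrets.token_bytes(16)             # generated on the device, never sent to the server
    master_password = "correct horse battery staple"  # known only to the user
    secret = b"example.com login: hunter2"            # constructed vault content
    blob = encrypt(derive_vault_key(master_password, account_key, salt), secret)  # what the server holds
    with_both = decrypt(derive_vault_key(master_password, account_key, salt), blob) == secret
    only_password = decrypt(derive_vault_key(master_password, secrets.token_bytes(16), salt), blob)
    only_account_key = decrypt(derive_vault_key("wrong guess", account_key, salt), blob)
    return with_both, only_password is None, only_account_key is None
```

    Running `demo()` returns `(True, True, True)`: the blob opens only when the password and the Account Key are both present, which is why a server-side copy alone is not enough for anyone to read it.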

  • BeSafe
    Community Member

    Thanks for answering. Cheers!

    I must say ABits Support is just Amazing. Never seen a support system like that.

  • AGAlumB
    1Password Alumni

    Wow. Thank you for your kind words! I'm glad to be able to help. But most importantly, neither myself nor the rest of the lovely folks at AgileBits would be here without the support of you and the rest of our awesome customers. Thank you! :blush:
