Can hackers get my 1P vault and crack it? I'm using Dropbox with 1Password

neilB
edited August 2017 in Mac

Hi 8-) ,

I have a 1Password licence (not a subscription, in case that makes a difference). I use Dropbox to sync.

I read the recent update notes and see there's a way to use 1Password as an app to create 2 step authentication codes by, for example, in the case of Dropbox, scanning an onscreen QR code to "program" 1Password to create those Dropbox specific codes. Great feature.
This got me thinking, I have set up gmail and a few other apps / websites for dual factor or two step authentication and, although I know it's good 'cos it's safe, it can be a right pain across multiple devices.
In my case I use Dropbox across 2 macs, an iPad and an iPhone with various apps accessing Dropbox for "sync".

My experience with gmail has been less than ideal due to various apps that want to send mail not being dual factor authentication compatible. Google have a workaround which generates a one off app specific password. Great but quite a few steps to undertake and it doesn’t always work. SO, I know dual authentication can be a bear to deal with.

So, back to Dropbox sync. It might be just as much of a PITA as google. I don't keep sensitive stuff in my Dropbox, hmm, OH BUT I DO, my 1password vault.

At long last here's my question: if someone gets a hold of my Dropbox, can they crack or compromise my 1password vault?

thanks guys


1Password Version: 6.8
Extension Version: 4.6.9.90
OS Version: 10.12.6
Sync Type: Dropbox

Comments

  • Ben AWS Team

    Team Member

    Hi @neilB,

    To answer your question: If someone were to get ahold of your vault in Dropbox they would still need to have your Master Password in order to decrypt your data. The Master Password is never sent to Dropbox by 1Password, so unless you've done something like store it in a file there it wouldn't be possible for the attacker to obtain this information from Dropbox. They'd either have to get it from you, or crack it. If you use a strong Master Password, cracking it is improbable.

    AgileBits Blog | Toward Better Master Passwords

    I hope that helps!

    Ben

  • neilB

    Hi Ben
    thanks
    I don't put my one time password in there of course so that's reassuring
    but: "If you use a strong Master Password, cracking it is improbable." doesn't sound REAL secure though.
    I hope it's better than improbable
    have a good week
    n

  • Ben AWS Team

    Team Member

    I think jpgoldberg did a much better job of putting 'improbable' in perspective than I can:

    https://discussions.agilebits.com/discussion/comment/385366/#Comment_385366

    Please check out his post. I think you'll find it helpful. :)

    Ben

  • neilB

    Ben, nice article that. Helpful.
    I followed it to this one [https://blog.elcomsoft.com/2017/08/attacking-the-1password-master-password-follow-up/] which I found a bit hard to grasp though.
    My conclusion, a longish password is VERY hard to break. phew.

    I am presuming, then, that one long composite word (like "quattrocaraudi714") [with a few numbers] is not as good for security as multiple words with separators (like "quattro car audi 714"). No that’s not my password ;-).

    Another question arises, hope that’s OK.
    Reading about master passwords, I see I need my "Emergency Kit" (I got 1password many years ago & if I did have it I don't now) but following the instructions to access my "Emergency Kit" via "accounts" in the app. wants me to log in so leads me to a dead end - as I don't have an "account" / app membership. [https://support.1password.com/emergency-kit/] .
    I see that also means that I don't have a secret key.

    As an aside - I am finding it a bit difficult to navigate help sometimes, as it seems now to be largely for account holders rather than app licence holders with little information to distinguish the two. Great you are looking after subscribers but please don't neglect us old time users.
    BTW, this article [https://support.1password.com/emergency-kit/] makes the differentiation particularly clear so thanks for that.
    have a good week
    neil

  • Lars Junior Member

    Team Member

    My conclusion, a longish password is VERY hard to break. phew.

    That was, is and likely will be for some time, among the best advice available when it comes to passwords, @neilB. The main point of 1Password is for you to remember one VERY good password...so you don't have to try to remember six or seven dozen mediocre ones that were created for ease of memorization. You may have noticed we hardly ever use absolutes around here; we'd rather use "improbable" and have to repeatedly explain what we mean by that, than use "impossible" and be proven wrong someday. Not that we expect to be proven wrong; we believe your data is very secure within 1Password, and we believe we can demonstrate that.

    But we also believe that security is a process, not a product -- and it's a process users need to play an active role in. If there really was any single product you could purchase that would keep you 100% secure, 100% of the time, everyone would already own it. If any security product (1Password or anything else) gives people the impression it's impenetrable or flawless, many people would be lulled into sloppy or just plain poor security habits, thinking they had the "silver bullet" on their side. It's why we avoid phrases like military-grade encryption/security also. We want to give you the best tool we can, along with the knowledge of what it can and can't do for you, and finally, the information you need to make best use of it, instead of a bunch of marketing hype. :)

    If you've owned 1Password for several years (anything more than two), then you assuredly have a standalone license instead of a 1password.com membership. This is why you can't remember having a Secret Key (because you never had one!), and why the web login is a dead-end for you: the web login is only for 1Password memberships. It's our newest and most secure way to use 1Password, and if you'd like to read up on the differences between what a membership offers vs a standalone license, we’ve got a great run-down right here. Instructions are also available there for subscribing and even migrating your existing data to a 1Password account. If you have any questions about it, feel free to ask! And if you decide you want to continue with the standalone license/local vaults model, you're welcome to do that as well. Either way, we're glad to have you as a 1Password user! :)

  • Thanks very much,
    very helpful thread altogether, I now have a random dice generated 4 word password, and I am beginning to remember it too
    I am now off to have a look at comparing standalone with membership
    have a good week
    neil
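To put "improbable" and the dice-generated four-word password from this thread into numbers, here is an added example (not part of the original posts and not 1Password's code). It assumes a five-dice word list of 7776 entries and illustrative attacker guess rates; the real rate depends on the vault's key derivation settings and the attacker's hardware, which the thread does not state, and the figures hold only for words picked at random, not for a phrase a person makes up.

```python
import math
import secrets

DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD           # 7776 entries in a five-dice word list
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def roll_word_index() -> int:
    """Simulate five fair dice and turn them into a 0-based list index (base 6)."""
    index = 0
    for _ in range(DICE_PER_WORD):
        index = index * 6 + secrets.randbelow(6)   # one die, face value minus 1
    return index

def passphrase_bits(words: int) -> float:
    """Entropy of `words` words, each chosen uniformly and independently."""
    return words * math.log2(LIST_SIZE)

def average_crack_years(words: int, guesses_per_second: float) -> float:
    """Expected offline guessing time: on average half the space is searched."""
    return (LIST_SIZE ** words / 2) / guesses_per_second / SECONDS_PER_YEAR

def words_needed(target_years: float, guesses_per_second: float) -> int:
    """Smallest word count whose average crack time meets the target."""
    words = 1
    while average_crack_years(words, guesses_per_second) < target_years:
        words += 1
    return words

if __name__ == "__main__":
    # Assumed guess rates (guesses per second), illustrative only.
    for rate in (1e4, 1e6, 1e9):
        for n in (3, 4, 5, 6):
            print(f"{n} words at {rate:.0e}/s: {passphrase_bits(n):5.1f} bits, "
                  f"about {average_crack_years(n, rate):.3g} years on average")
        print(f"  words for a 1000-year average at {rate:.0e}/s: "
              f"{words_needed(1000, rate)}")
```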

  • Ah, the link to migrate above seems wrong, it goes to "Move items between vaults"
    here's one that works in case anyone's looking : https://support.1password.com/migrate-1password-account/

    one more question, I see that a membership account works without dropbox, which is nice, as my old workhorse macbook is on OSX 10.6.8 (I have legacy SW I need to keep running) - it will stop syncing soon when dropbox support goes away. Not catastrophic as I carry my iPhone with 1password on it, but inconvenient if I need to use a lot of arcane passwords.

    So - my question - will a 1password account support compatibility with OSX 10.6.8, I am using an older version of 1password on there, compulsorily I think?

    thanks
    neil

  • Lars Junior Member

    Team Member
    edited September 2017

    Hi @neilB -- the march of time and progress affects us as well. 1Password is definitely not the app it was when Snow Leopard was the current version of OS X. And unfortunately in your case, that means you need at least OS X 10.10 ("Yosemite") to be able to run 1Password 6 for Mac, which is in turn required to use a 1Password account.

    I understand the need to run legacy software, but at some point, it becomes incompatible with so much else that one is left with the choice of having an entire computer dedicated to a single piece or two of software, and unable to run other, equally necessary apps. You may still be able to get Chrome or Firefox to allow you to sign into your 1password.com account via a browser (and I'm not even sure about that; Chrome has discontinued support for 10.6, 7, and 8), but you won't be able to use 1Password 6 for Mac on your Snow Leopard Mac.

  • Lars, thanks,
    yeah, what you describe is a rather familiar feeling. I'll soon be carrying 2 macbooks!
    have a good week
    n

  • Lars Junior Member

    Team Member

    @neilB -- you too! Wish I had an answer more to your liking, but after a while, it becomes increasingly time-consuming and problematic to continue supporting truly old versions.
