Understanding the security I get using the system

I had a very old version of 1Password 3 for Windows & Mac that was nice in its time, but I soon stopped using it, probably due to being lazy and transitioning my life to Mac. The recent Equifax event has me thinking I should actively work to secure my information even though they tell me I was not affected. So I have a few questions:
1) My old license will not do anything since they were vintage 2008 and there is no upgrade path. My first instinct was to look for license upgrades, but as best I can tell these are no longer offered. But it seems I can get them via the Apple store.
2) It seems the subscription model is the plan nowadays which means you will be keeping all my data in your cloud. I am trying to convince myself this is a good idea. After all, Equifax is a much bigger company than Agilebits and they screwed up. On the security page, you have a lot about levels of encryption shown as nice diagrams. I was recently shocked by this password hacking video that a friend posted. I do not understand much of the stuff in the video or on your security page for that matter, but why should I be confident that if an Equifax type breach happens to my 1Password account it will not matter because the techniques shown in the video are not effective.
3) Are there safe options for me to keep my vault private using something like iCloud, and would that be more secure than the Agilebits cloud? It seems all the information on the website focuses on the cloud, but is that more secure than local archives? The big downside I see for the cloud is a single break-in yields massive account access, while no-one is looking to find my little vault on some service I use to store it.

I put a small amount of $ into a 1Password system long ago and it seems either a subscription or upgrades every few years will be needed to keep a workable system going. Thus I should select a system that can be trusted long term. Why are you guys better than Equifax at keeping data secure?

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • brenty

    Team Member
    edited September 2017

    1) My old license will not do anything since they were vintage 2008 and there is no upgrade path. My first instinct was to look for license upgrades, but as best I can tell these are no longer offered. But it seems I can get them via the Apple store.

    @brucedelta: I remember those days, but a lot has changed since then! Definitely check out a 1Password.com membership, since it gives you access to all of the apps, the web interface, and does away with license management and sync configuration altogether — you simply login to your account to authorize a device and access your data:

    1Password.com

    You can try it for free for 30 days to take advantage of all of its benefits, which sounds like it may be a good fit for you, with various platforms and devices.

    2) It seems the subscription model is the plan nowadays which means you will be keeping all my data in your cloud. I am trying to convince myself this is a good idea. After all, Equifax is a much bigger company than Agilebits and they screwed up. On the security page, you have a lot about levels of encryption shown as nice diagrams. I was recently shocked by this password hacking video that a friend posted. I do not understand much of the stuff in the video or on your security page for that matter, but why should I be confident that if an Equifax type breach happens to my 1Password account it will not matter because the techniques shown in the video are not effective.

    That's a fantastic question. One thing I really love about 1Password is that in spite of all of the cryptographic math we could get into, how we protect your data is actually very straightforward: we never have the "keys" to it.

    With the standalone version of 1Password, this meant not having anyone's Master Password. That seems obvious, but it's important enough to mention. With 1Password.com, while the data is also encrypted using your Master Password, your Secret key is used to encrypt it as well. The former is chosen by you, the latter is generated locally on your device, and neither is ever sent to us, even when you sign in. So the only thing our server gets is an encrypted blob, and the only one with the "keys" to decrypt it is you.

    3) Are there safe options for me to keep my vault private using something like iCloud and would that be more secure than the Agilebits cloud. It seems all the information of the website focuses on the cloud, but is that more secure than local archives. The big downside I see for the cloud is a single break in yields massive account access while no=one is looking to find my little vault on some service I use to store it.

    I think my answer above also addresses this, but just to be 100% clear, while local vaults (which you could sync with iCloud) are by no means insecure, they do not have the added security of the Secret Key with 1Password.com. We've taken it a step farther (actually many orders of magnitude, with 128-bits of randomly-generated goodness) since we expect to be a target running our own hosted service.

    I put a small amount of $ into a 1Password system long ago and it seems either a subscription or upgrades every few years will be needed to keep a workable system going. Thus I should select a system that can be trusted long term. Why are you guys better than Equifax at keeping data secure?

    Our secret is not having your secrets in the first place. That goes not only for the security of the data you store in 1Password, but also protecting your privacy by not collecting data about you. We know we're not perfect, that mistakes can be made, and that the reality is that vulnerabilities may be found which allow someone to access our server. So with that in mind we don't store anything that could be used to get to our customers' data through us. But certainly we work very hard to keep attackers out of our systems. And apart from our own efforts, we participate in external audits and cooperate with independent security researchers to find any flaws so we can fix them.

    We take security very seriously, because frankly it's the only thing we do, and we know that we're only able to do this because of you and the rest of our awesome customers. So we work hard to ensure that we honour that by protecting our customers' — and frankly our own — data. I hope this helps. Be sure to let me know if you have any other questions! :)

  • One thing I really love about 1Password is that in spite of all of the cryptographic math we could get into, how we protect your data is actually very straightforward: we never have the "keys" to it.

    Based on a video I saw here that is not as big a detriment to hackers as I would have expected. I would expect this video is familiar to you, but a friend posting it on FB is what got me scared. Password Hacking Video As a piece of business advice I suggest you show and specifically address this video on your site. It seems to be making the viral rounds and to me it is scary. This video tells me I am a lot less safe than I thought and I want to make sure using one password is not just jumping from the pan into the fire.

    I used to think I was good at having a safe password; after seeing this I realize I am probably no better than average. So my goal in selecting a security system is to have a way to make sure my passwords are different at each site. iPassword seems to handle this part well with the devices and browser plug-ins available.

    In my mind, that means the other vulnerability I need to worry about is my vault. What I learned from this video is that the passwords can easily be reverse engineered since the crypto algorithms are public. Is this secret key what keeps my data secure? Being realistic I doubt I am much above average for password selection, but the video is a year old, so in another year the hackers will have progressed to do stuff that is more amazing while I will still remain sucky at making up passwords. How I am protected from this issue is what I am looking for an answer on and it is not clear to me. I recognize this is a relatively deep dive into a complex area that a website needs to simplify to make it digestible, so without being an expert how do I tell that I will be safe?

  • Ben (AWS Team)

    Team Member

    Hi @brucedelta,

    Right, so one of the core points of 1Password is that it can generate strong and unique passwords for you that you don't have to remember. You can use a crazy long complex password like

    PYBCh^e2YbwNAmwfa#NtXpWujqgizvr4

    for your Gmail account, and then use a different strong password for Facebook, like:

    fqxUdBZ^THRPJ7f+f4mtREr

    These passwords would be incredibly difficult to crack (don't use these specific ones, as now they're public knowledge, but you get the idea). 1Password's Secure Password Generator can create one of these monsters for you for each of your accounts. So not only are they complex to crack but even if one is cracked (due to poor security on the website's part or what have you) that password won't allow someone into the rest of your accounts.

    The only password you have to remember is your 1Password Master Password. Now you should use a strong password for that as well, but since you'll need to type it fairly regularly you may want to use a words based password, such as:

    engraft along waffle ordure effete eyebrow

    The Secure Password Generator can generate these sorts of passwords as well. This is fairly easy to type, and can be memorized, but is still quite strong (or would be, again, if I hadn't just posted it on a public message board).

    What I learned from this video is that the passwords can easily be reverse engineered since the crypto algorithms are public.

    That isn't how good cryptography works. Good crypto means that even if someone knows everything about how the system works, except for the key, they cannot derive secrets (Kerckhoffs' principle). What you're talking about is "security through obscurity" which as we've seen proven time and time again is no security at all. Obscurity is generally the most easily broken component. Look at the case of CSS encryption on DVDs for an example.

    You can read more about this here:

    Kerckhoffs's principle - Wikipedia

    If you really want to deep dive on how 1Password protects your information we have a white paper that is fairly in-depth here:

    1Password Security Design White Paper

    how do I tell that I will be safe?

    Safety is a moving target. The best way to be safe is to constantly evaluate your situation and make changes as appropriate. Doing things like keeping an eye on 1Password's Watchtower notifications, and changing passwords when websites report breaches is very important.

    I hope that helps. Should you have any other questions or concerns, please feel free to ask.

    Ben

  • prime
    edited September 2017

    @brucedelta this is what happened to Equifax

    Krebs said that an online employee tool employed in the nation could be entered by typing “admin” as both a login and password.

    You can see the issue with the quote above

    Why are you guys better than Equifax at keeping data secure?

    Encryption @Ben posted a link to the White Paper that explains it all.

    Maybe if they used 1Password, we wouldn't have this issue. Your data at these credit places is not encrypted at all (anyone at Equifax can see your info), unlike 1Password, which has end-to-end encryption (no one but you can see this info).

    Equifax might be a big company, but that means nothing. They obviously did stuff wrong, knew it, sold their shares of stock, were in bed with LifeLock, and more. I've been reading so much about this so I can learn and help others.

    1Password has been a great tool for this issue. I froze my credit info, my wife's, and helped my parents and my in-laws with this. One of the credit bureaus makes you create a login to freeze your credit, while the other 3 (4 total) do not.

    I used Secured Notes to save all of this data. Equifax, Experian, and Innovis (a small credit agency) are on this Secured Note (PIN and link to unfreeze my credit), while Transunion has a login. When freezing your credit, you will get a PIN, and you MUST save this PIN if you ever want your credit unfrozen again (to get a credit card, new car, or a house).

    Now with TransUnion, you will be asked to use a security question; again, 1Password to the rescue. You can use the note section of the login to put the security question and the answer, so this way you can lie about the answer. Tip: never be honest about your security question; with the internet, most answers can be found on-line.

  • brenty

    Team Member
    edited September 2017

    One thing I really love about 1Password is that in spite of all of the cryptographic math we could get into, how we protect your data is actually very straightforward: we never have the "keys" to it.

    Based on a video I saw here that is not as big a detriment to hackers as I would have expected. I would expect this video is familiar to you, but a friend posting it on FB is what got me scared. Password Hacking Video As a piece of business advice I suggest you show and specifically address this video on your site. It seems to be making the viral rounds and to me it is scary. This video tells me I am a lot less safe than I thought and I want to make sure using one password is not just jumping from the pan into the fire.

    @brucedelta: I hear you. The trouble is that the attack in that video does not apply to 1Password. So it would only add confusion (and, honestly, lower our credibility) if we promote it in conjunction with 1Password.

    I'm familiar with this "Beast" (not to be confused with the BEAST Javascript attack which is even older news) as it made the rounds in tech circles a long while ago, but I hadn't watched that particular video. It's just a lot of computing power thrown at what amounts to some math problems. And, notably, the "Password Hacking Video" doesn't even make reference to password managers at all, much less 1Password, as that's not what's being attacked. It was a bit of a slog, but here are the salient points that are in any way applicable to this discussion:

    1. Store passwords encrypted in a database
    2. Password hashes can't be reversed
    3. Can only guess them through trial and error

    This is only peripherally related to 1Password, and only in the sense that 1Password actually helps protect you against this kind of attack by (1 & 2) storing unique, strong passwords for each site in an encrypted database and — if someone were to use this attack against your Master Password — (3) by significantly slowing down attempts to guess your Master Password. "40 billion attempts per second" doesn't work on 1Password: We don't use MD5 to secure anyone's data (which is what is being attacked in the video); this is something websites (and ones with poor security practices at that) might use to hash and store your account password for comparison when you login the next time. And the software tool being used here, HashCat, is well-known, and something we've blogged about in the past. Definitely check out this article, as it will give you more context with regard to attacks which do actually target 1Password data:

    Crackers report great news for 1Password 4

    And we certainly haven't been sitting still. Part of what our customers pay us for is staying on top of this stuff and continually improving 1Password to continue to protect their data now and in the future. Even as technology improves for the bad guys, we have access to the same advances in computing power, and encrypting data is always going to require fewer resources (money, space, tech, and electricity) than it will for an attacker, who is essentially just playing a high-tech guessing game with the help of computers. That is to say, the 10,000 PBKDF2 iterations we were using in 2014 have become 100,000+ today — and that's just one easily-quantifiable example of how we continue to strengthen 1Password against attacks.

    I used to think I was good at having a safe password; after seeing this I realize I am probably no better than average. So my goal in selecting a security system is to have a way to make sure my passwords are different at each site. iPassword seems to handle this part well with the devices and browser plug-ins available.

    If you're choosing your own passwords for websites, then yeah, that video is definitely cause for alarm. But the great thing is, in spite of all the fear-mongering out there, there is a lot you can do to improve and maintain your security, and 1Password can help. We're not always in control (Equifax), but we can always be proactive and take measures to protect ourselves and our data. For every attack, we have a choice of how we respond. And in cases where you're fortunate not to be affected, reports of breaches like this can be wake-up calls: opportunities for us to do something to better cope with, mitigate, or avoid others in the future. But the first step is always using a long, strong, unique Master Password:

    How to choose a good Master Password

    And generating long, random, unique passwords for each website ensures that they will be much harder to guess:

    Change your passwords and make them stronger

    And it also means that even if some awful company lets someone steal it, that password will not leave any of your other accounts vulnerable. So while we don't have control over the security practices of websites (if only), 1Password helps you reduce risk by securely storing awesome, unique passwords for each, which you never have to remember. Saying "the sky is falling" doesn't help anyone; improving security does. And it's within anyone's reach with 1Password if they're willing to do what it takes.

    In my mind, that means the other vulnerability I need to worry about is my vault. What I learned from this video is that the passwords can easily be reverse engineered since the crypto algorithms are public. Is this secret key what keeps my data secure? Being realistic I doubt I am much above average for password selection, but the video is a year old, so in another year the hackers will have progressed to do stuff that is more amazing while I will still remain sucky at making up passwords. How I am protected from this issue is what I am looking for an answer on and it is not clear to me. I recognize this is a relatively deep dive into a complex area that a website needs to simplify to make it digestible, so without being an expert how do I tell that I will be safe?

    Hmm. I always struggle with this because I think there's an important distinction between "simple" and "easy". I agree that it is simple to run a password cracking tool to try to guess passwords, but it definitely isn't easy to be successful with 1Password. Certainly if your Master Password is "password1" or "monkey123" you're in trouble. Those are common and trivial to try. But the great thing about 1Password is that, because you don't need to remember any others, you can make a really awesome Master Password to secure your data...and 1Password will also slow down anyone trying to guess it mathematically, so that they will not be able to brute force your data until long after we're all gone. And that's just talking about your Master Password. With 1Password.com, the 128-bit, randomly-generated Secret Key is also needed to decrypt the data. That's an additional step we've taken since we want our customers' data to be secure even if we are compromised and someone steals everything we have.

    It's definitely a complex issue with a lot to absorb, so please don't hesitate to ask any questions or clarifications. As I'm sure you can tell, I don't mind talking about this stuff. ;)
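    Added illustration (not code from 1Password or from anyone in this thread) of the points made above: trial-and-error guessing works the same against any hash (Kerckhoffs' principle, as Ben notes, means the algorithm is public), but a fast unsalted MD5 lets an attacker test guesses cheaply, a PBKDF2 iteration count makes every guess cost many rounds, and a second 128-bit random secret puts exhaustive search out of reach. The `derive_vault_key` function is a simplified model, not 1Password's actual key derivation; the wordlist and salt are constructed for the demo.

```python
import hashlib
import hmac
import time

# Constructed sample guess list, standing in for the dictionary a cracking
# tool runs through in order (point 3 in the post: trial and error).
WORDLIST = ["123456", "password1", "monkey123", "letmein", "engraft along waffle ordure"]
SALT = b"constructed-demo-salt"  # constructed; a real vault uses a random per-user salt


def md5_hash(password: str) -> bytes:
    """Fast, unsalted hash: the kind of target the video's guesses-per-second figure applies to."""
    return hashlib.md5(password.encode()).digest()


def pbkdf2_hash(password: str, iterations: int = 100_000) -> bytes:
    """Deliberately slow hash: every guess costs `iterations` rounds of HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, iterations)


def crack(target: bytes, hash_fn, wordlist) -> tuple:
    """Offline guessing: returns (password, guesses_made) or (None, guesses_made)."""
    for guesses, candidate in enumerate(wordlist, start=1):
        if hmac.compare_digest(hash_fn(candidate), target):
            return candidate, guesses
    return None, len(wordlist)


def slowdown_factor(iterations: int = 100_000, trials: int = 5) -> float:
    """How many MD5 guesses fit in the time of one PBKDF2 guess on this machine."""
    t0 = time.perf_counter()
    for _ in range(trials):
        pbkdf2_hash("monkey123", iterations)
    slow = (time.perf_counter() - t0) / trials
    t0 = time.perf_counter()
    for _ in range(trials * 1000):
        md5_hash("monkey123")
    fast = (time.perf_counter() - t0) / (trials * 1000)
    return slow / fast


def derive_vault_key(master_password: str, secret_key: bytes, iterations: int = 100_000) -> bytes:
    """Illustrative two-secret derivation. Assumption: this is NOT 1Password's real scheme,
    only a model of the post's point that a guessable Master Password alone is not enough
    when a 128-bit random Secret Key is also mixed into the key."""
    from_password = pbkdf2_hash(master_password, iterations)
    from_secret = hmac.new(secret_key, SALT, "sha256").digest()
    return bytes(a ^ b for a, b in zip(from_password, from_secret))


def years_to_enumerate(bits: int, guesses_per_second: float) -> float:
    """Time to try every value of a `bits`-bit secret at the given guess rate."""
    return (2 ** bits) / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    print("MD5 target:   ", crack(md5_hash("monkey123"), md5_hash, WORDLIST))
    print("PBKDF2 target:", crack(pbkdf2_hash("monkey123"), pbkdf2_hash, WORDLIST))
    print("one PBKDF2 guess costs about %.0f MD5 guesses here" % slowdown_factor())
    print("128-bit Secret Key at 40e9 guesses/s: %.1e years" % years_to_enumerate(128, 40e9))
```

    Both crackers find "monkey123" on the third guess, since the wordlist is what matters when the password is weak; the difference is the cost per guess, and the Secret Key term makes a correct Master Password guess alone produce the wrong key.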
