Security Experts: "1Password Is Pushing Users to the Cloud"

BustedBSDBustedBSD
edited July 2017 in Lounge

I didn't anyone posting this article, so I thought I would.

https://motherboard.vice.com/en_us/article/evdbdz/why-security-experts-are-pissed-that-1password-is-pushing-users-to-the-cloud


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • brentybrenty

    Team Member

    @BustedBSD: Thanks for bringing this up! I do want to start by clarifying that, contrary to what some folks seem to think, we haven't removed support for local vaults from the apps, and anyone using that setup along with their license can continue to do so. 1Password.com has a lot to offer for most people, so that's absolutely where we're focusing our efforts currently, and what we're marketing. But existing customers don't have to move to the new service and can keep using what they've already got.

    I think that people are right to be concerned about where their data is stored. After all, it wasn't too long ago that a similarly-named password manager had a data breach.

    But storing data locally isn't a solution to this problem. Since it means missing out on most of the convenience that we're using this stuff for in the first place, most folks will throw up their arms in frustration and go pack to their Excel spreadsheets and Post It™ notes after screaming, "Forget security!"

    So with 1Password.com we've gone out of our way to increase security right alongside convenience, so people can have it both ways. Security isn't just for "InfoSec" and the geek elite; everyone deserves it, and 1Password.com makes it more accessible to everyone — including those of us who have always been comfortable managing licenses and sync configurations ourselves but are happy not to have to any longer.

    Now, 1Password has always been built with the presumption that someone can get your encrypted data, so it doesn't rely on local storage/sync for security through obscurity. But we had one chief concern when developing our own platform: our servers becoming a juicy target. And this is why we didn't introduce 1Password.com until we got Two-Secret Key Derivation in place as a solution. If your encrypted data is stolen from us, it is much harder to attack than if a local vault is stolen from your own machine or from some third party synching service. And we couldn't have improved the security of sharing without running our own service. So it's not only a win for usability and convenience, but for security as well.

    There's a lot more detail in our security white paper, but I'd like to offer a few points that summarize how 1Password secures our data:

    1. Your 1Password data is encrypted locally on your device before it is transmitted.
    2. The server receives only an encrypted blob.
    3. Your Master Password is never transmitted.

    You might think I'm talking about 1Password.com specifically there, but that's the case no matter what 1Password setup you use — the only difference being that 1Password.com data is also encrypted using the 128-bit randomly generated Secret Key, which is also never transmitted to us. So there's an additional layer of security there as well that you won't get with local vaults — or other services.

    Indeed, when you use 1Password, AgileBits never has access to your data, regardless of the setup you choose. Even with 1Password.com, your data is encrypted on your device, so all the server ever ends up with is an encrypted blob. And since the Secret Key is created locally, your Master Password is only known by you, and neither is ever transmitted to us, only you have the means to decrypt the data.

    This way, even if someone gains access to our servers and dumps the full database (we've designed 1Password.com with this in mind), they simply don't have what they need to decrypt it, as each individual user alone has the keys to their data. So an attacker won't have that and can't get it from AgileBits. So while there's a lot more that goes into making all of this work smoothly, this is something that I think all of us can appreciate.

    But apart from our own efforts, we participate in external audits and cooperate with independent security researchers to find any flaws so we can fix them, to prevent even encrypted data from being stolen. I hope this helps. Be sure to let me know if you have any other questions. Cheers! :)

  • @brenty Thank you for the lengthy comment. This seems to be the company line from what I was reading from other sources.

    I had some time to reflect on your comments, and I would like to quote Marty Hellman (from Diffie-Hellman fame): "A large key is not a guarantee of security."

    I'm watching this video from Jeffrey Goldberg and Julie Haugh, and I'll have to think about this:

  • brentybrenty

    Team Member

    You're welcome! That's absolutely true. Frankly, it's up to you to protect the keys to your data. "With great power comes great responsibility," as they say. :sunglasses:

This discussion has been closed.