Have there been any security/data breaches reported or detected in the 1Password "cloud"?

dforer
Community Member

Have there been any security/data breaches reported or detected in the 1Password "cloud"?



Comments

  • Lars
    1Password Alumni

    Welcome to the forum, @dforer! No. I assume you're asking this out of an appropriate sense of caution about your data on our servers. That's good! You should indeed be thinking critically about your own security. However, when we created 1password.com accounts, we knew it would eventually be a nice static target for all sorts of miscreants. So we take multiple precautions to prevent intrusion into the 1password.com servers. It would take too long to go through all of those here, but it's also in one sense not relevant, because the most important protection we took is making sure that we never have your data in anything but encrypted form, and that we never have the power to decrypt it. That means: your Master Password and Secret Key are never transmitted to us in any form, and therefore even if someone were able to bypass all our other protections and "break into" the Amazon AWS servers we use for 1password.com accounts, the only thing they could steal would be encrypted blobs of data.

    That's where your Secret Key comes in. We use a unique process called 2SKD (Two-Secret Key Derivation) to combine the Master Password you choose with the randomly-chosen Secret Key you were assigned when you created your account, to strengthen the actual secret used to derive the de/encryption key that secures your data. The Secret Key is generated on your device and never transmitted to us, so in the event that WE are hacked (instead of you being hacked directly on your end), the attacker could not simply guess your Master Password and access your data; (s)he would also need that Secret Key...which they wouldn't have and couldn't get from our servers, since we never have it.

    If you're interested in a good overview of 1Password security model, you can find it here. And if you really want to dive into the nitty-gritty, I'd recommend the full 1password.com security white paper. Hope that's helpful! :)
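    The two-secret idea described above, as an added illustration that is not 1Password's own 2SKD code: the Secret Key format, the HKDF info string, the iteration count and the XOR combination are simplified assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import string

# Constructed illustration of combining a human-chosen Master Password with a
# machine-generated Secret Key. Not 1Password's actual 2SKD parameters.
SECRET_KEY_ALPHABET = string.ascii_uppercase + string.digits


def generate_secret_key(length: int = 26) -> str:
    """Random, high-entropy Secret Key generated on the client device (assumed format)."""
    return "".join(secrets.choice(SECRET_KEY_ALPHABET) for _ in range(length))


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF with SHA-256: extract, then one expand block (enough for <= 32 bytes)."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()[:length]


def derive_unlock_key(master_password: str, secret_key: str, salt: bytes,
                      iterations: int = 100_000) -> bytes:
    # Slow, salted stretching of the low-entropy, human-chosen Master Password.
    pw_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, 32)
    # Fast derivation from the Secret Key, which is already high entropy.
    sk_key = hkdf_sha256(secret_key.encode(), salt, b"secret-key-derivation", 32)
    # Combine: both secrets are needed to reproduce the final key.
    return bytes(a ^ b for a, b in zip(pw_key, sk_key))


def password_guess_succeeds(guess: str, secret_key: str, salt: bytes, real_key: bytes) -> bool:
    """A Master Password guess only verifies if the Secret Key used is also the right one."""
    return hmac.compare_digest(derive_unlock_key(guess, secret_key, salt), real_key)


if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    sk = generate_secret_key()
    key = derive_unlock_key("correct horse battery staple", sk, salt)
    # Server-side breach: attacker holds the blob and salt but never saw the Secret Key.
    print(password_guess_succeeds("correct horse battery staple", generate_secret_key(), salt, key))  # False
    # Device compromise: the Secret Key is on the device, so only the Master Password remains.
    print(password_guess_succeeds("correct horse battery staple", sk, salt, key))  # True
```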

  • dforer
    Community Member

    Thank you, Lars. Very reassuring. So is it safe to say that any kind of breach or intrusion into my 1Password data would need to occur on my local, personal level... computer, iPhone, iPad, etc.? Would someone be able to hack into my local, personal system and obtain these passwords and other data in my 1Password vault?

  • Lars
    1Password Alumni

    @dforer - if that's the impression I gave you, then I didn't communicate it clearly enough. We certainly like to think we've made it quite difficult for attackers to get your data from the 1password.com servers, but we're also realistic enough to realize that nothing's impenetrable. That's why 1Password has always been designed with the assumption that an attacker has already gotten a copy of your data (or, in this case, somehow manages to get it from our servers, despite our own best efforts to prevent that).

    But you're correct that there's a difference in how difficult it would be to "crack" your data, depending on specifically where an attacker obtained the data from. If they get it by defeating all our protections and stealing it from our servers, both your Master Password and your Secret Key are protecting your data. But since your Secret Key is present on any device on which you run 1Password, that means if an attacker gains either remote or physical access to a device of yours (say, through outright theft), then they will already have a copy of your Secret Key and in such a scenario, only your Master Password protects your data.

    That said, this is how 1Password worked for most of its existence before the creation of 1password.com accounts: you created data on your own local device, which was secured by a Master Password. And in all that time, we never had any reports of a user's encrypted data being breached or "cracked." But in such a case, it does depend on how good a Master Password you create, which is why we've always gone to substantial lengths to urge users to take the time to create a good, strong Master Password.

    1Password, set up with a strong Master Password that's not shared with anyone else or disclosed in some other way, will provide a VERY high level of protection for your most-important data. But it can't secure every aspect of your computer. You can be targeted and socially engineered ("spear phishing"), and if a skilled attacker gains the ability to run arbitrary code as root on your device, there is little we could do from within the 1Password app that could prevent it.

    Whether someone can "hack" into your personal computer remotely and gain such root access is an open question. That depends to a large extent on the precautions and measures you take to keep yourself secure. So follow accepted security practices like not using untrusted wi-fi networks without a VPN and never clicking on links or (especially) attachments on websites or in emails you weren't expecting to receive. Even more than practicing good "computing hygiene", however, your chances of being thusly targeted depend to an even greater degree upon what kind of "value" target you are to hypothetical adversaries. If you are Edward Snowden or a US Senator, or the like, you might very well have a threat profile that includes very sophisticated adversaries targeting you specifically and directly. But fortunately, most of us (myself included) don't face these kinds of threats. The question worth asking when assessing your own risk profile and threat model is: how juicy a target am I? If you're a normal person who doesn't have a nine or ten digit bank balance or some other strategic value, chances are pretty good that unless you personally irritate a high-level hacker in the course of your real life you'll never be the target of this kind of direct attack.

    That's not to say you shouldn't behave as if you might be the target of such an attack; each person has to determine their own comfort level with the measures they've taken to keep themselves safe(r) online. I'm only trying to get you to step back and assess how likely such a scenario truly is. It's a bit like car theft: for most people, locking their car doors and maybe having a commercial car alarm system is more than enough to deter or foil the casual, "smash and grab" car thief. Yes, there are high-powered, very sophisticated car theft rings out there who could probably defeat or find a weakness in such defenses...but why would they bother to do that if you drive a Camry? If you're driving around a $2M McLaren Speedtail, it might be worth it to take additional measures that the Camry owner wouldn't need...but only you can answer what makes you feel most comfortable, and what's worth the effort. In any event, with a strong Master Password created by you, 1Password can protect your data in all but the worst circumstances (like your computer being compromised by a remote attacker who can install a keylogger or rootkit). And unless you ARE the kind of person who a sophisticated hacker would take the time to seek out and personally target, using 1Password together with commonsense security practices should keep you safe. Hope this is helpful! :)

  • dforer
    Community Member

    Most helpful, Lars. What a thorough and thoughtful response to my "paranoia". The only thing that prompted my initial question, is that there has been some anomalous behavior by the system that acts as a portal to my investments custodian and, since they were unable to provide a satisfactory explanation to date, I was starting to delve into "possibilities" on my own. Even though there has not yet been any evidence of a "break in", nor any unauthorized transactions, I started looking into any possible "points of entry" into my password vaults, etc. Thanks for your reassurance and all the time you spent on one single client/subscriber. I love 1Password!

  • Lars
    1Password Alumni

    @dforer - thanks for the kind words! If you're noticing unusual behavior - especially network traffic - then it's worth trying to do a mental catalogue of whether you've clicked on a link that in retrospect seems fishy to you, or whether a family member or co-worker who has access to your device might have done so. If you're pretty sure you've not had any of that kind of activity on your Mac, then it's a lot more likely that any traffic you don't understand will turn out to be benign. Instances of attackers singling out a specifically-chosen person as the target of focused inbound attacks are rare. Most attacks take the form of social engineering that is wide-net: they'll try to entrap as many people as they can sucker into taking some action that exposes them to malware.

  • dforer
    Community Member

    Excellent insights and advice, Lars. Thank you again for your reassurance. To use your words, I'm quite confident it "will turn out to be benign".

  • Lars
    1Password Alumni

    :) :+1:
