Legacy support for 1Password 6

I do not intend to upgrade past Mac OS 10.12, as this is the last version that does not require "rentware" instead of purchased software, in most of the design and other software (including possibly 1Password) critical to my use. I do not view 'cloud-based' computing and storage as secure. See https://www.propublica.org/article/like-voldemort-ransomware-is-too-scary-to-be-named and https://www.us-cert.gov/ncas/tips/ST19-001

Could someone at 1Password say something about the company's security measures in on-line data storage and transfer processes? It seems this is a topic no one wants to have to read nor write about, and everyone should.

Thanks,
Dwain Wilder
editor, The Banner
https://www.thebanner.news


1Password Version: 6.8.1
Extension Version: Not Provided
OS Version: OS X 10.12.6
Sync Type: no online sync

Comments

  • DanielP
    1Password Alumni

    Hi @dwain0wilder,

    > I do not intend to upgrade past Mac OS 10.12, as this is the last version that does not require "rentware" instead of purchased software, in most of the design and other software (including possibly 1Password) critical to my use.

    If you are talking about 1Password 7, you can use it on macOS Catalina without a subscription if you prefer.

    > Could someone at 1Password say something about the company's security measures in on-line data storage and transfer processes? It seems this is a topic no one wants to have to read nor write about, and everyone should.

    We love talking about security. Indeed, security is exactly why we built 1Password in the first place ;)

    Without some specific questions, I would like to recommend starting from our security page: it offers a high-level view of what we do to secure data on 1Password.com. That page also links to a documentation page on our security model, which has some more details about it, including what sort of encryption we use and other defenses that we have put in place.

    But if you want the nitty gritty details, I highly recommend reading our security white paper: this has all the details on how we secure data, including the mathematical explanation behind it. At the time of writing, it's more than 80 pages long, so I am confident that you will find all the answers you are looking for in it.

    And of course, if you have any specific technical questions about any of the topics covered in these resources, please feel free to ask them and I will be happy to answer them for you.

    ===
    Daniel
    1Password Security Team

  • dwain0wilder
    Community Member

    Thanks, will check these references out!

    I still have a problem why anyone would not prefer storing such crucial data on one's own device, usually protected in one's home by Constitutional rights against unwarranted search and seizure to an extent not available on the web, where it is subject to FCC rulings and special scrutiny by the intelligence establishment of the U.S. —as well as hackers world wide.

    Could you please explain the advantages of storing such data in a network where even our own defense and intelligence establishments find themselves hacked? Encryption is fine, but I would not embed a diamond for ready access in an immovable object to which I had the only key and then deposit it in a den of thieves, at a time when government intrusion into private data amounts to thievery. The value of such a strategy escapes me, especially if it is done for mere convenience.

  • DanielP
    1Password Alumni

    @dwain0wilder:

    > I still have a problem why anyone would not prefer storing such crucial data on one's own device, usually protected in one's home by Constitutional rights against unwarranted search and seizure to an extent not available on the web, where it is subject to FCC rulings and special scrutiny by the intelligence establishment of the U.S. —as well as hackers world wide.

    If the only way to access one's data were through a warrant, I could agree with you. The thing is, policies and laws can only protect you so much. The real data protection comes from one thing, and one thing only: encryption.

    If encryption is done well (more specifically, if end-to-end encryption is done well), it doesn't really matter where your data is stored. It could be on your own device only, or on a NAS, or on some online cloud, but encryption works the same way no matter how you decide to store your data. If you are the only one with access to your keys (which is the case in end-to-end encryption), nobody can access your data without those keys, even if they somehow managed to get a copy of the data itself.

    Indeed, we built 1Password with the idea that we could be hacked: it would be unrealistic (and to be completely honest, unfair) to say that there is no way anyone could ever access 1Password data. The question is not whether this is possible or not (we always have to consider that it is indeed possible), but it's rather what protections are in place if that happens. And the answer, once again, is encryption.

    From this point of view, especially looking at 1Password, storing your data on 1Password.com is actually safer than keeping it on your own device: this is because your data is encrypted not only with your Master Password, but also with a Secret Key, which makes the encryption stronger, and a brute force attack against your credentials practically unfeasible. We did the calculations some months ago, and using a three-word Master Password together with the 128-bit Secret Key required something in the order of magnitude of a few million years to crack, or something along those lines. I must have the original calculations still somewhere around here; if you are interested in seeing the math behind all this, please let me know and I will be happy to look for those notes.

    > Encryption is fine, but I would not embed a diamond for ready access in an immovable object to which I had the only key and then deposit it in a den of thieves, at a time when government intrusion into private data amounts to thievery.

    Encryption is based on mathematics, and mathematics don't lie: this is why you can trust the technology, even if you don't necessarily trust the people. If you use a strong Master Password, and your data is additionally protected by the Secret Key, there is currently no way to brute force it with current computing power. It is certainly your prerogative to distrust the whole cloud environment, but encryption is really what offers you the real protection. Everything else is accessory.

    Now, having said this, I should probably also add a note for completeness: a lot of this comes down to your threat model. If your concern is that three-letter agencies are coming after you, I am afraid I don't have a good answer for you. But if this is the case, your risk surface is large enough that the location where you decide to store your information (in the cloud or on your own device) will probably not matter that much. 1Password is probably one of the safest links in your security chain (if not the safest), so if someone were really interested in targeting you, and you specifically, I would argue that there are much quicker and simpler ways to go about doing that, and which don't involve attacking the encryption of your data.

    ===
    Daniel
    1Password Security Team
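The "Master Password plus Secret Key" argument above can be made concrete in code. The following is an added illustration, not 1Password's own implementation and not taken from its white paper: it models a two-secret key derivation in which the vault key is the XOR of a PBKDF2-stretched password and an HMAC-expanded 128-bit Secret Key, so that an attacker holding only a server-side copy (salt plus a key verifier) has to guess both. The iteration count, the HMAC-based expansion, the verifier construction, the four-word mini wordlist and the 1e10 guesses/second attacker rate are all assumptions chosen for the demo; the year figures it prints therefore illustrate the gap between the two search spaces rather than reproduce the thread's "few million years" estimate.

```python
"""Illustrative two-secret key derivation (password + Secret Key).

Added example: NOT 1Password's code. It models the idea in the thread that
the vault key depends on both a user-chosen Master Password and a random
128-bit Secret Key kept only on the user's devices, so a copy of the
encrypted data taken from a server cannot be cracked by guessing the
password alone. Iteration count, Secret Key expansion, the key verifier
and the attacker guess rate are assumptions made for this demo.
"""
import hashlib
import hmac
import math
import secrets
from itertools import product
from typing import Iterable, Optional, Tuple

PBKDF2_ITERATIONS = 50_000   # assumed; production deployments tune this much higher
KEY_LEN = 32                 # 256-bit vault key
SECRET_KEY_BYTES = 16        # the 128-bit Secret Key discussed in the thread


def stretch_password(password: str, salt: bytes) -> bytes:
    """Slow, salted derivation of a 256-bit key from the Master Password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, KEY_LEN)


def stretch_secret_key(secret_key: bytes, salt: bytes) -> bytes:
    """Expand the random Secret Key to 256 bits (HKDF-extract style, assumed)."""
    return hmac.new(salt, secret_key, hashlib.sha256).digest()


def derive_vault_key(password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Combine both stretched secrets; neither one alone yields the vault key."""
    p = stretch_password(password, salt)
    k = stretch_secret_key(secret_key, salt)
    return bytes(a ^ b for a, b in zip(p, k))


def key_verifier(vault_key: bytes) -> bytes:
    """Stand-in for the server-side material an attacker can test guesses against."""
    return hmac.new(vault_key, b"verifier", hashlib.sha256).digest()


def offline_crack(candidates: Iterable[str], secret_keys: Iterable[bytes],
                  salt: bytes, verifier: bytes) -> Optional[Tuple[str, bytes]]:
    """Attacker with stolen (salt, verifier) tries every password x Secret Key pair."""
    secret_keys = list(secret_keys)
    for pw, sk in product(candidates, secret_keys):
        guess = key_verifier(derive_vault_key(pw, sk, salt))
        if hmac.compare_digest(guess, verifier):
            return pw, sk
    return None


def search_space_bits(words: int, wordlist_size: int, secret_key_bits: int = 0) -> float:
    """Entropy of a diceware-style passphrase, optionally plus a random Secret Key."""
    return words * math.log2(wordlist_size) + secret_key_bits


def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the key: half the search space at the given guess rate."""
    return (2 ** bits / 2) / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    secret_key = secrets.token_bytes(SECRET_KEY_BYTES)
    password = "correct horse battery"          # constructed three-word passphrase
    verifier = key_verifier(derive_vault_key(password, secret_key, salt))

    wordlist = ["correct", "horse", "battery", "staple"]   # constructed mini wordlist
    guesses = [" ".join(w) for w in product(wordlist, repeat=3)]

    # Attacker who also took the Secret Key from a device: the passphrase falls fast.
    print("with Secret Key:   ", offline_crack(guesses, [secret_key], salt, verifier))
    # Attacker holding only server-side data: same guesses, wrong key, nothing found.
    print("without Secret Key:", offline_crack(guesses, [bytes(SECRET_KEY_BYTES)], salt, verifier))

    rate = 1e10  # assumed guesses per second for a well-funded attacker
    for label, bits in [("3 words alone", search_space_bits(3, 7776)),
                        ("3 words + 128-bit Secret Key", search_space_bits(3, 7776, 128))]:
        print(f"{label}: {bits:.1f} bits, ~{expected_crack_years(bits, rate):.3g} years")
```

The design point is in `derive_vault_key`: because the password-derived key is XORed with a key derived from 128 random bits, the verifier leaks nothing usable to someone who has the password wordlist but not the Secret Key, and the search space grows by 128 bits rather than by the handful of bits a longer passphrase would add. The flip side, which the second `offline_crack` call in the demo makes visible by contrast, is that a device compromise that yields the Secret Key reduces the problem back to guessing the passphrase, which is why the passphrase still has to be strong.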

  • dwain0wilder
    Community Member

    Thank you, Daniel,
    Much to think about in your reply. Yes, I am a climate crisis activist, and my website is attacked by a revolving collection of more than ten countries (including the U.S.) every week, hundreds of times. I don't have anything of direct interest to the ABC agencies, but there is much interest in many quarters in discrediting such activists and blocking or spamming their online assets.

    Thanks again for your time and attention. We live in parlous times.

  • DanielP
    1Password Alumni

    @dwain0wilder:

    I see what you mean. And I agree, security is a collection of practices, and password management is just one of those pieces. If you run a website, you have a whole different set of challenges to look at, as you discovered yourself already.

    I also managed to locate the discussion from our Chief Defender Against the Dark Arts about our latest password cracking competition. You can see the calculations here and here, in case you are interested in knowing how much an attack like this would actually cost with current technology.

  • dwain0wilder
    Community Member

    Thanks! So glad I can rely on 1Password. Your time and attention much appreciated.

  • Ben

    On behalf of Daniel, you are most welcome. :)
