AgileBits security protocols

MikeMcFarlaneMikeMcFarlane Junior Member
A lot of the recent high profile hacks, eg Dropbox, seem to have happened when a company systems or employee's computer is compromised rather than an individual users logon details being cracked. Also given that more people are using password managers, getting access to the computers/systems of the password manager developers must be a pretty juicy target.

I understand the keychain is encrypted and only accessible by me using my master password. What are the risks of malicious code being inserted into 1password programs or apps?

What security 'protocols' do AgileBits use on their systems to prevent themselves being hacked or compromised in other ways e.g. social engineering?

If you would prefer not to comment, or in only the vaguest terms I will understand, but you are normally very open and don't seem to believe in security by obfuscation, so I thought I would ask as I couldn't see anything on your site about it.

Comments

  • jpgoldbergjpgoldberg Agile Customer Care

    Team Member
    Hi,

    Actually the recent Dropbox "hack" was a case where individuals' passwords were discovered because those people used the same passwords on other sites (that were compromised). You can read about it here:

    http://blog.agilebits.com/2012/07/31/password-reuse-dropbox/

    I think what you may be thinking of is the case where Mat Honan's Apple ID account was taken over through social engineering of Apple when you ask what we do to prevent such things.

    The most important thing to keep in mind is that we don't have very much information about users at all. Your encrypted 1Password data lives on your machines. You may use Dropbox for syncing it, but we never see it. 1Password is a product (which we actively support); it is not a service that depends on our servers.

    If you purchased any of our products through our online-store then we have a record of that purchase. (We do not have full credit card details) and depending on which payment service was used, we may not even have the billing address. If you make your purchase through the Mac App Store or the iTunes store, then we have absolutely no knowledge of you whatsoever. (We get regular counts of sales broken down by country from Apple, but we get no information about individuals.

    If you have emailed our support email address, we have records of those email conversations. If you signed up for this discussion forum, we have information about your activity here and the IP address that you connect from and the email address you used when signing up. If you've signed up on our support system, we have that kind of information there.

    So that is all of the information we might have for people. For the large majority of 1Password users, we have no information about them at all.

    If someone forgets a password for the forums or for our support system, and the built in password reset mechanisms don't work. (Say, someone has changed their email address), then we just ask them to create a new username. It's no big deal. We do not need to know whether your real name is Mike McFarlane or whether that is a pseudonym.

    Now for our customer database (about purchases), we never reveal information. But people can ask to have their email addresses updated. I will acknowledge that there is some scope for social engineering to trick us with this, but in order to do so bad guys would already have to know as much about the target as we do. As I said, we have very limited information about purchasers there. The worst they could do, I think, is get a license code. This would be our loss, and wouldn't affect the person whose identity they faked.

    One of the reasons that moving to the Mac App Store appeals to us is so that we won't have to retain any information about individual customers other than through the support system.

    We also protect our internal communication mechanisms. Other than making sure that all of our systems are up to date, using secure servers, and having very very strong and unique passwords (well, we would, wouldn't we?), there is nothing special.

    Again, the main point is that when you are running 1Password, we are out of the loop for your security. We could be hacked to death and it wouldn't affect you (other than our ability to provide support and updates).

    Cheers,

    -j
  • MikeMcFarlaneMikeMcFarlane Junior Member
    Thank you for the detailed answer Jeff, informative and reassuring.
This discussion has been closed.