How secure is 1password?

meshywulf
Community Member

Looking for a new password manager since Dashlane did away with support for their desktop app, I prefer both desktop and browser extensions. I've emailed the 1Password support crew and peppered them with questions and I'm down to a few choices. I want to like 1Password and it's ticking many boxes for me but then I noticed something during all my research into various managers.

This article here - https://hackernoon.com/psa-lastpass-does-not-encrypt-everything-in-your-vault-8722d69b2032 is about LastPass granted but when I noticed icons popping into 1Password as I am trying it out it got me curious. I know that 1Password is supposed to be zero knowledge and all that, but well, I'm probably being paranoid, but when it's your digital life you kind of would like to know all things before you jump.

Anyway, not to try and make this a TL/DR, any suggestions or what have you on this subject would be most appreciated. Thank you.


1Password Version: 7.6.791
Extension Version: Not Provided
OS Version: Windows 10
Sync Type: Not Provided

Comments

  • [Deleted User]
    Community Member

    You're not being paranoid, but for most people this is more of a privacy issue than a security one.

    Unlike Lastpass, 1Password encrypts all your data locally before upload to their servers, including the URLs. However, the rich icons come via 1password.com, the requests are not totally anonymous and third parties are involved. 1Password promises not to store any personally identifiable information, but they cannot control what the third parties do:

    https://support.1password.com/rich-icons-privacy/

    You could turn off rich icons for all apps on your device, but then you need to think about your DNS look-ups, bookmarks and browsing history. So probably not worth the bother unless you use a VPN, stop using bookmarks and delete your browsing history after every session.

    For most people, setting a decent device password should be sufficient to prevent local attackers nosing around. However, those concerned about nation state actors could use a VPN and/or store sensitive websites as Secure Notes rather than Logins.

  • ag_ana
    1Password Alumni

    Hi @meshywulf! Welcome to the forum!

    I have asked our security team to get back to you, they are the best to answer this sort of question :)

  • meshywulf
    Community Member

    Thank you, I'd be interested in their answer as well. Missingbits pretty much covered it with their information and the link they provided to more information about it. Basically as long as I don't mind too much about people knowing where I go on the net and as long as the accounts can't be compromised unless I goof everything should be okay. I keep a pretty strict security regimen and no one but me has access to my devices so I'm pretty well covered as long as I have good programs that help me stay safe.

    I get the sense that the person who wrote that article was more upset about LastPass not being transparent about things rather than the rich icons themselves. According to that link from missingbits you are being very transparent about what all is going on, which is much appreciated.

    I hate leaving Dashlane (especially being a Premium for life account that I never have to pay for), but with them discontinuing their desktop app I sadly must go as I use both desktop app and extension.

    Only two real annoyances with your program so far, and one was solved (the ability to sync the app and extension so that I don't have to sign in to the extension every time I open my browser, which I do several dozen times a day, please don't get rid of that ability, that would be awful), and the having to sign into the app every time I boot my PC. One being solved and one just an annoyance really (and I totally understand the reasoning behind it, it'll just take some time to get used to is all) pretty much sums it up.

    Currently testing about half a dozen different managers and doing more research, but I keep coming back to yours, so yours is probably the one that I'll finally go with. Good program, good people behind it, good customer service, and good reviews all speak for themselves. Please keep up the good work. Thank you very much.

  • Lars
    1Password Alumni

    @meshywulf - hey there. Lars from the Security Team here. I don't have much to add to what missingbits already said; the page they linked you to is the correct one. For people who prefer the greatest degree of privacy, turning off Rich Icons is the way to go. Our design team has created some pretty nice generic icons which will simply use the first two letters of the site, if you don't have Rich Icons turned on; some people actually prefer them. Or you can always copy/paste your own icons into the item in edit mode in 1Password 7 for Mac.

  • meshywulf
    Community Member

    Thank you for the information, I did a bit more digging and went back over everything and even re-checked my Dashlane, it was using rich icons as well and I wasn't even aware of it and I've used it for years and have had no issues. Total duh moment.

    If your program is as secure (and all the reviews and such say it is) I'm pretty much sure everything is okay. Technically I could still use Dashlane but without the desktop app I'd have to invent a few new workarounds, which is why I'm looking for a new password manager.

    Thus far, other than a minor annoyance and learning curve I'm really starting to like your program, I've already subscribed and we'll see how it goes. Again, many thanks for everything.

  • Lars
    1Password Alumni

    @meshywulf - you're quite welcome! Thanks for subscribing and definitely feel free to ask any questions you might have. You may also be interested in our support pages, which contain a great deal of information and often even videos of how to accomplish common tasks in 1Password. :)

  • jmjm
    Community Member

    @missingbits wrote:
    store sensitive websites as Secure Notes rather than Logins.

    Do you mind clarifying this for me...thanks.

  • meshywulf
    Community Member

    There is a section in the left menu for secure notes. That's what missingbits was referring to. You can make a secure note rather than a regular log in entry. That would bypass the rich icons and everything. Bit of a long way around however because you couldn't use autofill. You'd have to open the app, get to a particular secure note and copy/paste everything over to log in. That's only if you were really worried about the rich icons not being encrypted and it's more a privacy issue as everyone was saying.

  • [Deleted User]
    Community Member
    edited February 2021

    @jmjm as @meshywulf said you just store the details in a Secure Note type item rather than a Login type item.

    In the browser add-on/extension formerly known as 1Password X you can create a new Secure Note as follows: click on the 1Password icon in the toolbar; click on the "+" symbol to the right of the search box; click on Secure Note in the list. This will take you to 1password.com where you can enter the website name as the title and the username and password in the body as free format text.

    When you need to log in to the website: click on the 1Password icon in the toolbar and enter into the search box the website name or some other text you know is contained in the Secure Note. Select the relevant Secure Note from the list on the left and copy and paste the details you need from the details on the right. I use this for Windows apps, BitLocker passwords and the like to avoid the need to open the desktop app.

  • jmjm
    Community Member

    Thanks @meshywulf and @missingbits. (I currently do use "Secure Notes" for a few miscellany PINs and PWs, I just hadn't thought about its "better" security due to the lack of rich icons).

  • [Deleted User]
    Community Member

    Glad you found it useful. I think it's better in terms of privacy, but not necessarily in terms of security because you need to use copy and paste. So you're not protected from phishing and could be tricked into pasting the details into a bogus website. 1Password's autofill of Login items protects you from this by checking the domain before offering an item for autofill.
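
The domain check mentioned in the comment above, as an added example that is not part of the original thread and is not 1Password's code: a simplified matcher (HTTPS only, host equal to the saved host or a subdomain of it) run against constructed items and URLs. The function names, the matching rule and all hostnames are assumptions; real password managers also consult the public suffix list.

```javascript
// Added illustration: simplified domain check before offering autofill.
// Not 1Password's algorithm; all items and hostnames are constructed.

// Parse a URL and accept it only if it is HTTPS; otherwise return null.
function parseHttpsUrl(raw) {
  try {
    const u = new URL(raw);
    return u.protocol === "https:" ? u : null;
  } catch {
    return null; // unparseable input never matches anything
  }
}

// True when pageHost equals savedHost or is a subdomain of it.
// Anchoring on a leading "." stops "bank.example.evil.test" and
// "notbank.example" from matching "bank.example".
function hostMatches(pageHost, savedHost) {
  const page = pageHost.toLowerCase().replace(/\.$/, "");
  const saved = savedHost.toLowerCase().replace(/\.$/, "");
  return page === saved || page.endsWith("." + saved);
}

// Return the titles of the items that may be offered on pageUrl.
// URL.hostname is used, so userinfo tricks ("bank.example@evil.test")
// and lookalike IDN hosts (converted to punycode) do not match.
function itemsOfferedFor(pageUrl, items) {
  const page = parseHttpsUrl(pageUrl);
  if (!page) return [];
  return items
    .filter((item) => {
      const saved = parseHttpsUrl(item.url);
      return saved !== null && hostMatches(page.hostname, saved.hostname);
    })
    .map((item) => item.title);
}

// Constructed sample vault.
const vault = [
  { title: "Example Bank", url: "https://bank.example/login" },
  { title: "Example Mail", url: "https://mail.example/" },
];

console.log(itemsOfferedFor("https://bank.example/login?next=/", vault));
console.log(itemsOfferedFor("https://bank.example.evil.test/login", vault));
```

A credential pasted from a Secure Note gets no such check, which is the phishing exposure described in the comment.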

  • jmjm
    Community Member

    This "security/privacy thing" is never clear cut is it?

  • meshywulf
    Community Member

    No, it never truly is. However if 1Password is using roughly the same security as Dashlane the security is definitely there, which I'm sure they are. I've used Dashlane for years with zero issues, the only reason I'm moving away from it is because they are doing away with the desktop app, which I use more than the browser extension. So there's that. 1Password and Dashlane are roughly similar in several ways, UI layout and so on. I've subscribed to 1Password and so far I am happy with my decision.

    And you are quite welcome.

  • Lars
    1Password Alumni

    @jmjm - using Secure Notes as repositories for login/pw combinations is certainly less usable due to the lack of filling and saving, but as missingbits mentions, it's also measurably, significantly less secure due to having to rely upon the system clipboard for all your login actions. Not only could you be tricked into filling your credentials on a malicious site where 1Password could not be, but malware has much easier access to the system clipboard than it would to the process of save, fill or even drag/drop. You're free to use 1Password how you like, but this is absolutely a step back in both convenience and security.

  • jmjm
    Community Member
    edited February 2021

    Not only could you be tricked into filling your credentials on a malicious site where 1Password could not be....

    Thanks @Lars for the follow-up. So you don't have to worry about me ;) I can tell you that all that I put in SN are PINs and PWs for non-internet 'stuff', i.e. gate lock combination, PWs for PW-protected files, etc.

This discussion has been closed.