another breach of lastpass user data / pwds etc all cloud based
https://techcrunch.com/2022/11/30/lastpass-goto-breached-customer-information/
How can we be assured 1Password is not subject to these (one of many similar and historical)? Thank you.
NOTE: I would have posted in 'SECURITY' but there is no such topic
Comments
-
Hi @aceebee I'll be happy to explain how 1Password keeps data safe...
1Password membership accounts / data are protected by multiple layers of security. First, data is encrypted end-to-end which makes it impossible for anyone to learn anything by intercepting the data while it's in transit. Only the account owner has the tools to decrypt the data (account password and Secret Key - which are never sent to us).
Additionally, our authentication protocol Secure Remote Password is your defense against someone who can break TLS and listen to the communication between you and our server. A 1Password account uses the SRP handshake protocol to authenticate without sending the account password or Secret Key over the internet, so they can't be stolen in transit.
You can find additional details about our security model here: About the 1Password security model and for more in depth details here: 1Password Security Design.
We also have our $1,000,000 bug bounty reward. We put our money were our mouth is, that is how confident we are in our security our user data. More here: The $1 Million Password Hacking Challenge.
-- Catherine 🙂
0 -
So the interesting part for me in that incident:
LastPass chief executive Karim Toubba said in a blog post that an “unauthorized party” recently gained access to some customers’ information stored in a third-party cloud service shared by LastPass and its parent company, GoTo.
And there's also a link in there to this blog post from AWS about LogMeIn utilizing them as their cloud partner for certain records: https://aws.amazon.com/jp/blogs/modernizing-with-aws/how-logmein-migrated-a-billion-records-online-from-oracle-to-amazon-aurora-and-achieved-sub-millisecond-response-time/ (LogMeIn belongs to GoTo, which LastPass also belongs to.)
So where does 1Password store our data? Also on AWS? https://aws.amazon.com/jp/blogs/startups/customer-focus-turned-1password-into-a-2-billion-business-with-aws/ What makes it better than LastPass if they're using the same partner?
0 -
All vault data is end-to-end encrypted locally on your device which means that even if our servers were breached all that the attackers would have is encrypted gibberish that is useless and unreadable. An attacker would need both your 1Password account password and Secret Key to decrypt the data within it. We use AWS to take advantage of their superb data redundancy and disaster recovery.
If you're looking for a deep dive into our cryptography and security then I recommend reading our Security Design white paper.
-Dave
0 -
Hey. So, I'm gonna ramble here again about why this concerns me with respect to 1Password. Disclaimer first: I'm a long time customer. I currently pay for the subscription because I want to support 1Password, BUT, I use 1Password 7.x because I don't want my vault stored in the cloud.
So, I think 1Password has done a top-notch job of designing and securing the cloud data. I believe, based on reading the white paper, that--assuming there are no flaws in the implementation--it is impossible to gain access to un-encrypted user vault data in the cloud. That's not my concern.
My concern continues to be that the vault storage itself is a juicy target. Maybe nothing can be done with it today if it could be exfiltrated. But, 15 minutes from now? 5 years from now? If a flaw is found in the encryption methods, or compute technology advances enough, then it may be possible to decrypt the exfiltrated vaults.
My fear here is that I have so much private data stored in my vault that it would be hard to mitigate that kind of potential damage. I would prefer to not have my data stored in a giant pot-o-(gold)data pile. I realize that this partially security-through-obscurity, but the reality is that for someone to get my encrypted vault today, they would need to attack me specifically, find the vault, and either be targeting that or happen on it and know what it is. And as noted, as of today, it is worthless to them. Would they keep it? Would I be targetted for it? Seems unlikely to me.
I would sincerely like 1Password to reconsider a way for p̶a̶r̶a̶n̶o̶i̶d̶ dedicated users such as my self to keep their vaults locally synchronized in future versions.
Thank you if you waded through all that.
0 -
Thank you for your thoughts! Everyone's threat model will be different so it's important that you use the services that fit your particular threat model.
I've personally been using 1Password.com to store all of the important data in my life for a long time (and years before I started working for 1Password as an employee). For me, the fact that all information is end-to-end encrypted locally on my device using industry-standard, and battle-hardened, cryptography is what won me over. 1Password uses 256-bit AES encryption which is used by organizations and governments to secure all sorts of information that needs to be kept secret.
My concern continues to be that the vault storage itself is a juicy target. Maybe nothing can be done with it today if it could be exfiltrated. But, 15 minutes from now? 5 years from now? If a flaw is found in the encryption methods, or compute technology advances enough, then it may be possible to decrypt the exfiltrated vaults.
If the industry-standard encryption that is in use today was broken in the future then I suspect that your 1Password vault may not be the first thing that would be targeted. All traffic in-transit secured by TLS, and at-rest storage like medical and financial information stored by banks and hospitals, would suddenly be exposed. If encryption was broken there would be no need for someone to attack your 1Password vault in order to get a login for a website, they'd be able to get your data from the website itself. Why break into your 1Password vault to get your banking information when an attacker could break into your bank itself?
Regarding bringing back standalone vault our founder Dave wrote a post here about our decision: The future of local/standalone vaults
That being said, if your threat model is such that you'd prefer a local solution then the team would like to hear from you. Please fill out our self-hosted survey so that we can learn more: Self-hosted 1Password kick-starter
-Dave
0 -
Thank you for the thoughtful reply. I sincerely appreciate it.
You raise a good point about in-transit traffic, but especially the point of at-rest data for other high-value targets. I had not considered it from that angle. (BTW, I do store encrypted back-ups of my vault in the cloud. So, those copies would be vulnerable the same way as the other at-rest data data you mentioned. Again, though someone would have to find it first.)
Thank you for the pointers. I have read Dave's blog post, and I have previously filled in the self-hosted survey.
I'll have to re-consider my p̶a̶r̶a̶n̶o̶i̶d̶ position.
Thank you again,
-- Darin0 -
I think the more concerning issue with the LastPass incident that hasn't been discussed here is their dev environment was compromised and source code stolen. I was speaking with some colleagues today and mentioned if I was a LastPass user, I would definitely drop them. With the source code in the wild, if there are any exploitable bugs, they will be fully taken advantage of, leaving the entire LastPass platform vulnerable.
With that in mind, is anyone at 1Password able to comment publicly on security precautions taken to protect the actual development of 1Password as a platform? With security software such as password managers, I think users automatically assume the security would be up to the same standards of a large financial institution, with constant auditing, intrusion detection, pen testing, etc. I'm assuming some of these basics were not in place at LastPass if a single developer's credentials caused this level of data theft, with multiple corrections on actually how much data was stolen because apparently they didn't even know!
Thanks for reading!
0 -
Before I jump into answering your question @Funky_D I want make sure we mutually understand a few things. First, this is a hard conversation to have in public because no matter what controls we implement, there will be folks who are not satisfied with those controls for various reasons. Second, we are able to see our risks and compensating controls from a perspective that others cannot, so please consider this when reviewing our choices as we may not agree on all the details. Third, we believe in transparency with regard to security, which is why we publish our Security Design Whitepaper and our Security Assessments. Finally, any controls we discuss here are subject to change at any time as we continue to evaluate our risks.
Remember all customer data is end-to-end encrypted with keys only you can access, meaning the primary risk to your data would be an attacker who is able to push changes to our codebase, which modifies how we handle customer secrets and in turn allows them to be compromised. The question we need to answer is,
What would it take for an attacker to inject malicious code that could compromise our cryptography?
- They must gain access to our source code versioning system.
- To connect to the versioning system you must be a member of our Google Workspace and you must have an account on the system itself.
- Both the Google Workspace and versioning system accounts require strong, unique passwords and MFA. Our policy requires a randomly generated password stored in 1Password and does not allow SMS based MFA.
- They must get their code merged into our repo
- Code changes require collusion from at least two developers, or more if working in security-critical parts of the codebase.
- In addition, all code that makes changes to authentication or cryptography must be reviewed by the Security Engineering team.
- They must get their code pushed to production.
- All code must go through our automated testing and QA processes before it can be pushed to production/stable.
- New features that make material changes to our authentication or cryptography are tested by third-party application security testers before they are pushed to production.
A few additional notes
- We are a remote first company meaning our users are not on a shared network so a compromise of one developer does not automatically imply the compromise of multiple developers, which would be typical in non-remote companies.
- We do not store sensitive secrets such as signing keys in our versioning system, they are stored in our Secrets Automation system or otherwise encrypted to minimise the risk of those secrets being accessed by unauthorized persons.
- In addition to the controls listed above, we also implement a variety of other controls, such as intrusion detection, automated anomaly detection for logs, extensive alerting, and others.
- We operate under the assumption that our source code may be leaked at any time and build our processes to minimize the number of security issues we introduce and to make sure they are caught as early as possible.
0 - They must gain access to our source code versioning system.
-
We are a remote first company meaning our users are not on a shared network so a compromise of one developer does not automatically imply the compromise of multiple developers, which would be typical in non-remote companies.
You probably meant “employees” instead of “users” in this sentence?
On the other hand, they hopefully eat their own dog food, so they are users indeed… 😉
0 -
This has continued to show why 1 Password is and always has been the perfect rock solid option for a password manager, especially these takes on the how it works.
0 -
@shaywood, a belated thank you for sharing some of the behind-the-scenes processes you have in place to ensure the integrity of 1Password. I didn't doubt you were taking all precautions necessary within reason, but it's nice to see confirmation of some of your security processes.
0 -
It gets worse: LastPass confirmed that hackers have the vaults and are going to brute-force them https://techcrunch.com/2022/12/22/lastpass-customer-password-vaults-stolen/
When will 1Password be next? Come on, bring back standalone vaults!
0 -
This content has been removed.
-
1Password has never been hacked, and we're confident that we can resist any attempts to hack us. In fact, we're confident enough to offer a USD $1 million bounty to anyone who can:
☞ Strengthening our investment in customer security with a $1 million bug bounty
Further to that, your 1Password account is protected by more than just your account password. The key that actually encrypts your data (the Account Unlock Key) is made up of both your account password and your Secret Key.
Because you need to memorize your account password, it can only be so strong – about 40 bits of entropy on average. Your Secret Key doesn’t need to be memorized, so it can be much stronger. It has 128 bits of entropy, making it infeasible to guess no matter how much money or computing power an attacker has available.
— About your Secret Key (emphasis mine)
To be able to retrieve your 1Password data from 1Password.com, an attacker would need to have your email address, Secret Key, and account password. If you've turned on two-factor authentication for your 1Password account, they would also need a one-time password generated by something like Google Authenticator, Authy, or another app, or a hardware security key like a YubiKey or Google Titan Key.
☞ Turn on two-factor authentication for your 1Password account
Even if an attacker was able to get a copy of your 1Password account data, they'd still need both the Secret Key and account password to unlock it (see Account Unlock Key above), even for an offline attack. Since the Secret Key is 128 bits of random numbers and letters, a dictionary attack (trying to crack it using a list of common passwords) would be useless, and an attacker would have to brute-force it, which would take a dedicated attacker billions of years, even with a supercomputer cluster to help them.
The security of your 1Password account doesn't rely only on the strength of your account password, since most of the heavy lifting is done by the Secret Key. All this means that 1Password accounts are more secure than standalone vaults, which were protected only by a Master Password, with no Secret Key and no option of two-factor authentication.
You can learn more about our security model here: About the 1Password security model.
For (much!) more information on how 1Password keeps your data safe, you can take a look at the 1Password Security Design White Paper (PDF).
Please let me know if you have any questions about any of the above, or anything else relating to 1Password. :)
0 -
I appreciate the amount of transparency here as someone who moved over from LastPass to 1Password oh, about twelve hours ago. I think there will always be a theoretical flaw in a cloud-based storage solution for passwords. However, that has to be weighed against the fact that the best PW software is one you will actually use every day. The self-hosted ones, or the ones stored locally sound great, but I want to be able to access passwords across multiple devices more or less seamlessly, and this is currently the only model for doing so. I'm moving to 1Password not just b/c of the breach, but b/c LastPass has been so bad at messaging what happened and what I should do as a user.
So could someone brute force by 26 character lastpass Pw (or my 1Password one)? Mathematically its possible, but unlikely. I also have 2FA on the most critical individual accounts. Will I always be taking on risk? Yes, but I think I've mitigated it to the greatest degree possible.
0 -
Great discussion :-) I would like to validate my understanding about 1Password:
My assumption - based on the whitepapers and this thread - is that even the meta data like username, phone, description, etc. are completely encrypted with Secret Key and Account Pw. Is this correct?
Thanks!
0 -
That's right. All of the information within an item is encrypted and we have no knowledge of it. Both your account password and the Secret Key are used to derive the Account Unlock Key which actually encrypts your data.
As support staff, we can see a limited amount of metadata about an item, such as:
- a universally unique identifier (UUID), which looks like
fsbyftiuzfww53jattgrfcvqda
(The item's actual title is encrypted.) - the item category (Login, Credit Card, Identity, etc)
- date created and modified, and dates of versions in between
- the UUID of the vault it's in
- whether or not the item is a Favorite
- whether or not the item has an attachment (but we can't see the attachment – not even its filename or file type)
Hope that helps, but if you have any questions, I'll be happy to answer them. :)
0 - a universally unique identifier (UUID), which looks like
-
I think the key point made by the 1Password team is that the long secret key makes decrypting the vault essentially impossible even if someone managed to get access to the data. Really, that’s true and will remain true.
It’s far, far more likely someone steals your laptop/iDevice and gets access that way. Nothing protects you from own weak passwords or pass codes. Having a local vault won’t help you there.0 -
This is very true. There's so much information on our devices that isn't 1Password data which is still sensitive. And just to be extra clear, customers should still use as strong an account password as they can remember – four or five words is advisable.
0 -
I have a few questions as someone considering moving over from Lastpass (and having done some subsequent, but perhaps incomplete reading after.)
My understanding is that part of the way in which Lastpass was attacked was that they did not fully isolate their development environment (accessible by social engineering on employees) from their production environment where they stored the actual vaults. Do you know if these are separate in 1Password? Are there any protections against similar social engineering attempts at 1Password or compartmentalized access?
My understanding is that PBKDF2 was recommended to increase to 300,000 iterations for SHA256 in 2021 by OWA. 1Password still uses 100,001 like it has for years. I realize the secret key adds extra entropy, but this still seems not ideal. I was wondering if there were any plans to increase the iterations or allow users to do this. Or alternatively to upgrade to SHA512 or even better Argon2 or scrypt given that SHA256 is starting to show its age.
Is there any possibility of (in the future) decentralizing the storage of the vaults or somehow minimizing storage time in the server? It just seems that someone breaking in and then having the encrypted vault on hand for everyone and every website, which they can then just mass test master passwords against is kind of unlucky. Or alternatively to enable some way of automatic rolling suggested password resets?
Do you allow/support email aliases for registration? One concern is the exfiltration of all of the emails from Lastpass + addresses that enable targeting.
Do you ever retain the urls in plaintext, even temporarily, to download favicons? My understanding is that Lastpass retained them permanently and bitwarden temporarily.
Finally, do you ever do Red Team type exercises designed to test against the sort of scenario Lastpass went through? That sort of exfiltration, rightly or wrongly (at least with the plaintext urls) is kind of a possibly company ending event.
0 -
My understanding is that part of the way in which Lastpass was attacked was that they did not fully isolate their development environment (accessible by social engineering on employees) from their production environment where they stored the actual vaults. Do you know if these are separate in 1Password?
Yes. We operate a total of 12 separate environments: 3 regions (US, Canada, EU) with 4 phases each (production, staging, testing, development).
See @shaywood's comment above about our development security: https://1password.community/discussion/comment/667610/#Comment_667610
I was wondering if there were any plans to increase the iterations or allow users to do this. Or alternatively to upgrade to SHA512 or even better Argon2 or scrypt given that SHA256 is starting to show its age.
We're looking at moving to a new key derivation function, and have been for a little while. We're doing the due diligence on this and making sure we don't hurry the process to make sure it's done securely and with minimum disruption. There's nothing to announce about that just now, but work is going on internally in that regard.
Is there any possibility of (in the future) decentralizing the storage of the vaults or somehow minimizing storage time in the server?
We're not planning this at this stage. To even obtain the encrypted blob of your 1Password data, an attacker would have to supply the email address, Secret Key, and account password for your 1Password account. (If you have two-factor authentication turned on, they would need a one-time password or a hardware security key as well.)
This encrypted blob cannot be decrypted without both the account password and the Secret Key – the Account Unlock Key which actually protects your data is derived from a mixture of both of these.
The Secret Key is a 128-bit key, making it infeasible to crack, so even with a weak account password, the Account Unlock Key can't be cracked. Because it's used for authentication and decryption, we safeguard not only against someone decrypting your data, but even getting the encrypted blob in the first place. Breaking the blob up into multiple pieces wouldn't be adding any more effective security at that point.
When you say "minimizing storage time in the server", could you tell me a bit more about that? 1Password needs to hold your encrypted data to sync it and store it so I'd be interested to see what you're requesting here.
Do you allow/support email aliases for registration? One concern is the exfiltration of all of the emails from Lastpass + addresses that enable targeting.
You can use whatever email address you like for your 1Password account, even one with + symbols, such as you might use with Gmail. You could use a Fastmail Masked Email address, an iCloud Hide My Email address, a SimpleLogin address - whatever works best for you.
Do you ever retain the urls in plaintext, even temporarily, to download favicons? My understanding is that Lastpass retained them permanently and bitwarden temporarily.
We describe the security impact of using rich icons in this article from the 1Password Support website: About rich icons and your privacy.
Finally, do you ever do Red Team type exercises designed to test against the sort of scenario Lastpass went through? That sort of exfiltration, rightly or wrongly (at least with the plaintext urls) is kind of a possibly company ending event.
1Password undergoes routine penetration testing from outside companies, and we publish the results of them here: Security audits of 1Password.
Our security model is visible to anyone to wants to see it. We publish a white paper going into full detail about it: 1Password Security Design White Paper, PDF.
We also offer a USD $1 million bounty to anyone who can break 1Password's security: Strengthening our investment in customer security with a $1 million bug bounty. If anyone could find a vulnerability in 1Password's security, it would be worth a million bucks for them to tell us. :)
I hope that answers your questions fully, but please do let me know if I can be of any further help.
— Grey
0 -
This content has been removed.
-
1Password could easily provide a more secure alternative by just allowing standalone local vaults again.
It's really bad that they force us to use their servers, and it gets worse when you try to access the billing page, you have to provide your e-mail, secret key, and password! Basically revealing access to all your vaults just to get to the billing page.
0 -
@fabianfabian This is info you're using to access your billing info on 1Password.com, See GreyM1P's above post about what support staff can see and remember all your data within 1Password is end to end encrypted.
0 -
@tomatoshadow2 End to end encryption is useless if the attacker has all the keys, the billing page requires me to enter all my keys online, this was never needed with the old 1Password, only the encrypted vaults were sent over the wire, never the keys.
1Password should plan for a breach of the vaults, and guess what, they do! That's why everything is encrypted.
And similar to that they should plan for a billing page login breach also, but they don't. A Billing login page breach means your keys are compromised. This could never happen in older version of 1Password because the keys never left our devices, it was a deliberate design decision, they chose to sacrifice security to push their cloud offerings.0 -
@fabianfabian Remember for an attacker to even get access on your billing page on 1password.com, they would need your email, account password and secret key. Also, when your signing into the your account on 1password.com, 1Password will only fill the login associated to that info, so this is also a great way 1password can help protect you from fake phishing pages trying to get your info.
0