How do you protect against zero-days or bugs?

[Deleted User]
Community Member

Hello,
your move towards storing details in the cloud and making them accessible via a web interface makes me increasingly uncomfortable, maybe you could convince me otherwise :)

Here is my concern:

  • 1password due to the nature of 'who you are' are a massive target for attack.
  • It seems to me that by storing information in the cloud and (in addition) making them available via web clients you are massively increasing your attack surface. (I understand that both are not necessarily connected, and I understand that you only decrypt locally)

While I have full trust in you applying best security practices and also having a solid security model (white paper), what I'm worried about is unknown unknowns: how can you be confident that considering the risk inherent in your service, you can prevent exposure through zero days or an engineer making a mistake and by this compromising access to data?

My point is this: if your system becomes compromised all users' data is at risk.
If, however, as before, we were able to store our data locally, or, say in the cloud on a server of our choice, then a potential attacker would have to also compromise these systems, rather than just 1password.com.

What am I missing?

Thank you in advance for clarifying



Comments

  • [Deleted User]
    Community Member

    Maybe just to add one other point: I understand from some of the threads that it was a commercial question to discontinue local vaults (I understand not many users were using them). If my assumptions above are correct, are you not putting users' data at risk in terms of prioritising commercial benefits?

  • Hi there @mb1347

    I'll come to your last point first:

    are you not putting users' data at risk in terms of prioritising commercial benefits?

    Standalone vaults were protected only by a Master Password, which you had to be able to remember. The actual encryption key that protected the data was made stronger or weaker purely based on how strong the Master Password was.

    However, 1Password accounts are more secure, because they have extra layers of security in the form of two-factor authentication to even retrieve the encrypted data, and the Secret Key which is combined with your account password to derive the Account Unlock Key which actually encrypts your data. It's important to note that even with two-factor authentication for your 1Password account turned off, the Secret Key still provides You mentioned our 1Password Security Design White Paper already – this contains more information about the actual derivation of that key, from page 34 onwards, if you're interested in the details of how that happens.

    You might also find my colleague @shaywood's comments about how we secure our development environments useful in this context: https://1password.community/discussion/comment/667610/#Comment_667610

    Anything that 1Password relies on to work is fully audited by our Security and Engineering teams. Any changes to 1Password which could have security implications are also pentested externally for transparency, and our pentest results are published on our 1Password Support site here: Security audits of 1Password.

    You also mentioned:

    1password due to the nature of 'who you are' are a massive target for attack.

    This is true, but with an important caveat: 1Password is not a general-purpose cloud storage service like Dropbox, iCloud, Google Drive, OneDrive, or anything similar. We don't store your photo library, the contents of your hard drive, your emails, text messages, contacts, calendar events, bookmarks, or anything like that.

    We store your 1Password data and that's all, so our access controls and encryption are hardened specifically because we know it would be tempting to hackers, rather than in spite of it. The Secret Key and two-factor authentication help serve as a deterrent – hackers will know that getting your 1Password vaults won't get them the contents, and that cracking our encryption isn't technologically feasible. It'd be much easier for hackers to go after other "softer" targets where the data held isn't encrypted, or where they may already have valid leaked credentials for victims.

    It seems to me that by storing information in the cloud and (in addition) making them available via web clients you are massively increasing your attack surface. (I understand that both are not necessarily connected, and I understand that you only decrypt locally)

    Realistically, this isn't any bigger of an attack surface than a cloud storage provider, all things considered. All the providers I listed before have web interfaces as well as apps, and maybe even APIs. (Please note: this isn't a comment about their security – merely a comparison of how they can be used.) Our robustness comes from our security model, rather than limiting the ways our customers can use our product. Security through obscurity isn't real security, after all.

    Hopefully this addresses your concerns, but I'll be happy to answer any questions or provide more detail if you'd like. :)

    — Grey

  • [Deleted User]
    Community Member

    Hello
    I appreciate the detailed response, and I take many of your points.
    Having said this, I know a number of people who were victims of the recent LastPass hack. So these things happen (no matter how diligently you secure your environments and how many pen tests you run). Now all of them trust the strengths of their master passwords but are still changing all passwords, just in case the hackers who are now in possession of those vaults happen to crack the occasional vault.
    Yes, I understand that that is mathematically 'unlikely' if you use strong encryption.
    I also understand that security by obscurity isn't the best approach, certainly not if you are someone 'famous'. But, in the case of a nobody like me, no hacker will know where my vault is stored, and if (again a feature 1password is missing imo) you could give it a random filename / extension, wouldn't even know which file to specifically target, IF it was stored at a location of my choice.
    Also, I could decide to keep the data local only.

    As I said I appreciate all your points, but I feel that somehow by removing this, for the more paranoid :) of us, who've worked with engineering teams who are just human and will make mistakes, a bit of additional security would be good.

    Tbh really honest if I didn't feel 'locked in' (pain of switching) I would switch to another service that allows non centralised storage. For now I will remove all banking and other highly critical areas from the 1password vault. < I'm sharing this purely for you to understand that I am one of your customers who is not totally happy and might switch eventually. I might be in the minority of

  • The Secret Key is the key difference here (pardon the pun).

    Secret Key - What Is It And How Does It Protect Users?

    Now all of them trust the strengths of their master passwords

    A strong account password is important, but it isn't the only protection for your data with 1Password.

    But, in the case of a nobody like me, no hacker will know where my vault is stored, and if (again a feature 1password is missing imo) you could give it a random filename / extension, wouldn't even know which file to specifically target, IF it was stored at a location of my choice.

    If a hacker is determined enough to get this far, figuring out which file is your password database would be trivial.

    a bit of additional security would be good.

    That is exactly what the Secret Key provides.

    Tbh really honest if I didn't feel 'locked in' (pain of switching) I would switch to another service that allows non centralised storage. For now I will remove all banking and other highly critical areas from the 1password vault. < I'm sharing this purely for you to understand that I am one of your customers who is not totally happy and might switch eventually. I might be in the minority of

    Strictly local vaults, as they existed in the past, aren't part of the plan for the future. With that said — we've built our systems with the fact we could be breached in mind.

    We don't want you to feel locked in. 1Password offers export options if for whatever reason it isn't your cup of tea. Our intention isn't to hold you in our ecosystem against your will.

    How to export data from 1Password

    Ben
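
Added example (not part of the thread and not 1Password's code): a simplified Python sketch of the idea both staff replies above describe, combining the account password with a Secret Key to derive the unlock key, and what that means for password guessing against stolen data. The XOR of PBKDF2 and HMAC outputs, the iteration count, and all names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 10_000  # assumption: kept low so the demo runs quickly


def stretch(password, salt):
    # Slow, salted stretch of the memorised secret.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def password_only_key(password, salt):
    # Standalone-vault style: key strength rests on the password alone.
    return stretch(password, salt)


def two_secret_key(password, secret_key, salt):
    # Account style (simplified): mix a random device-held secret into the key.
    mask = hmac.new(secret_key, b"unlock-mask" + salt, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(stretch(password, salt), mask))


def key_check(key):
    # Stand-in for "this key decrypts the vault", testable offline.
    return hmac.new(key, b"vault-check", hashlib.sha256).digest()


def offline_guess(check, salt, wordlist, derive):
    # Test each candidate password against stolen (salt, check) data.
    for guess in wordlist:
        if hmac.compare_digest(key_check(derive(guess, salt)), check):
            return guess
    return None


def run_demo():
    salt = secrets.token_bytes(16)
    secret_key = secrets.token_bytes(16)  # constructed; stays on the user's devices
    password = "correct horse"            # constructed weak password
    wordlist = ["letmein", "hunter2", "correct horse"]  # constructed guesses
    stolen_a = key_check(password_only_key(password, salt))
    stolen_b = key_check(two_secret_key(password, secret_key, salt))
    # The thief holds salt and check values but not the Secret Key.
    return (offline_guess(stolen_a, salt, wordlist, password_only_key),
            offline_guess(stolen_b, salt, wordlist, password_only_key))


if __name__ == "__main__":
    print(run_demo())
```

The first result is the recovered weak password; the second is `None` because every guess is derived without the Secret Key.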

This discussion has been closed.