1Password cloud security reassurance - am I right?

TravelSD
Community Member

So today there was more news about a competitor's password manager's cloud that was compromised. Attackers grabbed a point in time copy of the partially encrypted password vaults. They claim most sensitive data was encrypted, but not ALL (like URLs). From what I've read, it seems that now that the attackers have a point in time copy, they can perform an offline master password attack to try and break into the offline vault. Doesn't matter if the user has 2FA or changed their master password on the web.

I'm a happy 1Password user and from my basic understanding of the layers of 1Password security, a similar attack would be harder with 1Password. My understanding is:

1) ALL vault data including URLs is encrypted in the 1Password cloud.
2) Even if attackers got a cloud snapshot of a vault, AND managed to guess the right master password, they would still need to recover the secret key to decrypt the vault.

There may well be other layers of security, but it seems compromising 1Password vaults is a harder task. Is my understanding correct?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

Comments

  • neilb422
    Community Member

    I'm curious as to this answer as well, as someone who used that compromised service and is migrating over to 1P (after needing to change a bunch of passwords!). I did see 1P's Twitter account confirm #1: all URLs are encrypted.

  • Alastair Bor
    Community Member

    Definitely would like to hear from 1PW on how their service would be affected by a similar type of breach... what mitigations are in place to avoid the problems that befell their competitor, their competitor's customers, etc.

  • anthonygreen
    Community Member

    I was concerned when 1password announced they were deprecating local vaults, requiring you to adopt their online storage solution with future versions.
    Seems that concern was not misplaced. Storage is a secondary feature to password generation and a user should be able to choose which they opt for: Dropbox, GDrive, AWS S3 and move to whichever provider provides the more secure service …

  • Zaka7
    Community Member

    I too have seen the tweet confirming URLs are encrypted. And data cannot be decrypted without both the Master Password AND Secret Key, neither of which are known by or ever sent over the internet. When I was reading reviews this is the reason I picked 1password over others. Their security seemed far better; yes, it meant the odd feature was lacking, but for me that was well worth it. I genuinely think it's as safe as it can be.

    As for the local vaults vs cloud vaults argument, that will always be a concern to some, but it goes back to your threat model. If you're someone who is likely to be targeted then a service like KeePass is probably best, as the standalone vaults being stored on services like Dropbox leave them just as open to an attack. But for everyone else I think cloud-based is the way forward; using it on multiple devices is far more beneficial for most. And let's be honest, even though the LastPass breach is bad, no actual vaults have been accessed, and if strong master passwords have been used they are highly unlikely to ever be, and as users of 1PW we have the Secret Key on TOP of this protection.

  • Hi @TravelSD

    In answer to your questions:

    1) ALL vault data including URLs is encrypted in the 1Password cloud.

    Yes. I'd suggest having a look through What we (don’t) know about you | 1Password from our Blog, which goes into a bit more depth.

    2) Even if attackers got a cloud snapshot of a vault, AND managed to guess the right master password, they would still need to recover the secret key to decrypt the vault.

    Correct! Your 1Password account data is encrypted with the Account Unlock Key. It's made up of both your account password and your Secret Key. Without both of those things, the data cannot be decrypted at all.

    This is a great opportunity to remind everyone to keep a copy of your Emergency Kit somewhere safe with your account password written on it, because we can't reset your account password or Secret Key for you! We don't have the keys to decrypt your data, and we don't want them – they're yours and yours alone.

    ℹ️ For those who are interested in the mathematics here, your Secret Key is a 128-bit key, and a decent (and still memorable!) account password is about 40 bits of entropy. There's more information about this from our Principal Security Architect, Jeffrey Goldberg, here: How Strong Should your Account Password be?

    Brute-forcing the Secret Key on its own (which is the tougher of the two) would take billions of years, even with a supercomputer dedicated to the task. Dictionary attacks won't work since the Secret Key is a randomly generated string.

    As such, even if you chose an absolutely terrible account password, such as password123, you'd still be protected by the Secret Key. (And you should also change it immediately.)

    The Secret Key is one of those things that we've designed specifically to address the concerns people have about storing their sensitive data with us. Even with two-factor authentication for your 1Password account turned off, you still have the protection the Secret Key provides.

    Two-factor authentication on your 1Password account prevents unauthorised people getting the encrypted data from your account in the first place, and the Secret Key and account password make up the encryption itself.

    The older standalone vault system didn't have the Secret Key or two-factor authentication so the security of those vaults relied entirely on a strong Master Password. This meant that security leaned on a very human element. Our current security model provides a much more robust protection.

    There's more information about that here: About the 1Password security model.

    I'll also be happy to answer any questions anyone has about our security. :)

    — Grey
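    The two-secret design Grey describes above, as an added illustration (not 1Password's own derivation code; the PBKDF2 iteration count, salt, HMAC mixing step and the keyed vault tag are assumptions chosen to show the principle): a leaked snapshot can only be "tested" offline by reproducing a key that depends on both the account password and the 128-bit Secret Key, so knowing the password alone is not enough.

```python
# Added illustration, not 1Password's implementation: combine a password-derived
# key with a random 128-bit Secret Key so an offline vault copy needs both.
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000  # assumed work factor, purely illustrative


def derive_unlock_key(password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Hypothetical derivation: stretch the low-entropy password with PBKDF2,
    then mix in the high-entropy Secret Key via HMAC. Neither input alone
    yields the key, which is the property the thread discusses."""
    password_key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.new(secret_key, password_key, hashlib.sha256).digest()


def make_vault_tag(unlock_key: bytes, vault_blob: bytes) -> bytes:
    """Keyed tag stored beside the (constructed) encrypted vault. Someone holding
    a snapshot can only confirm a candidate key by reproducing this tag."""
    return hmac.new(unlock_key, vault_blob, hashlib.sha256).digest()


def candidate_unlocks(password: str, secret_key: bytes, salt: bytes,
                      vault_blob: bytes, stored_tag: bytes) -> bool:
    key = derive_unlock_key(password, secret_key, salt)
    return hmac.compare_digest(make_vault_tag(key, vault_blob), stored_tag)


def combined_entropy_bits(password_bits: float, secret_key_bits: int = 128) -> float:
    # Independent secrets: the guess space multiplies, so entropy in bits adds
    # (Grey's figures: ~40-bit password + 128-bit Secret Key = 168 bits).
    return password_bits + secret_key_bits


def demo() -> dict:
    salt = b"constructed-salt-16B"            # constructed sample value
    secret_key = secrets.token_bytes(16)      # 128-bit, random, never leaves the device
    vault_blob = b"<constructed ciphertext bytes>"
    key = derive_unlock_key("correct horse battery staple", secret_key, salt)
    tag = make_vault_tag(key, vault_blob)
    wrong_secret = secrets.token_bytes(16)
    # The snapshot (salt, vault_blob, tag) plus even the right password is
    # useless without the Secret Key; likewise the Secret Key alone is not enough.
    return {
        "right_both": candidate_unlocks("correct horse battery staple", secret_key, salt, vault_blob, tag),
        "right_pw_wrong_sk": candidate_unlocks("correct horse battery staple", wrong_secret, salt, vault_blob, tag),
        "wrong_pw_right_sk": candidate_unlocks("password123", secret_key, salt, vault_blob, tag),
    }
```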

  • TravelSD
    Community Member

    @GreyM1P Thank you so much! So very glad I trusted 1Password many years ago and continue to be a happy customer. Security architecture does matter, and a lot!

  • @TravelSD – You're very welcome. Glad I could help. If you, or anyone else, has any questions about our security (or anything else 1Password-related), I'll be happy to help out. :)

  • JAC3467
    Community Member

    See this thread in the "Mac" forum, as this issue affects all:

    https://1password.community/discussion/129161/the-future-of-local-standalone-vaults/p1

This discussion has been closed.