Can 1Password comment what they do differently following the LastPass breach?

Huuuze
Community Member

LastPass provided an update following their recent breach and the news is alarming for those customers. The URLs of their websites were stored in the clear and vaults have been compromised in the leak. Brute force attacks are undoubtedly underway, becoming a nightmare for their customers.

I'd like to hear from 1Password how they're doing things differently (or the same). Is any portion of our personal content stored in the clear? What does 1Password do to ensure the same thing does not happen to their customers?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

Comments

  • Hi there @Huuuze

    There's a full rundown of the visibility of what's in your 1Password account here:

    What we (don’t) know about you | 1Password Blog

    As you'll be able to see in that blog post, we can see very limited information about your items and vaults but not the actual content, and no information in your items is stored in cleartext.

    Please let me know if you have any questions or would like more detail about anything in particular. I'll be happy to help out. :)

    — Grey

  • Reystarr
    Community Member

    Does 1Password keep backup copies of our vaults on a cloud service like LastPass? That is actually the biggest concern— that hackers can find a way to download the backup copies and apply brute force to crack our master password. I have several hundreds of passwords in my vaults and it would be extremely painful to change them all, including OTP.

  • fabnavigator
    Community Member

    Just to be very specific, storing items in cleartext wasn't the issue with LastPass. Their entire database was encrypted. But someone was able to get the keys to that encryption. At that point, only certain fields like passwords and secure notes were still protected by the user's master password.

    So the question is, is all of the content in our vaults secured with our secret keys and primary password?

  • XIII
    Community Member

    Just to be very specific, storing items in cleartext wasn't the issue with LastPass. Their entire database was encrypted.

    The backup of the vaults was encrypted, but vaults themselves do contain data in clear text (such as URLs):

    The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.

    Source: LastPass

  • Hi folks!

    I'm going to answer as directly as possible here, with yes/no answers, to avoid mincing words.

    Does 1Password keep backup copies of our vaults on a cloud service like LastPass?

    Yes.

    That is actually the biggest concern— that hackers can find a way to download the backup copies and apply brute force to crack our master password.

    The Secret Key is what is different here, and what prevents against this sort of attack:

    About your Secret Key

    I have several hundreds of passwords in my vaults and it would be extremely painful to change them all, including OTP.

    Unfortunately, if you've been storing those items in LastPass, that would be the recommended course of action at this point. Any time you suspect a secret has been compromised, the only solution is to invalidate (change) that secret. This is why it is also important for employers to change the passwords former employees had access to.

    So the question is, is all of the content in our vaults secured with our secret keys and primary password?

    Yes.

    I hope that helps!

    Ben
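The point Ben makes about the Secret Key, as an added illustration that is not 1Password's own code or its exact key-derivation scheme: when the vault key depends on both the account password and a high-entropy Secret Key that is kept only on the user's devices, a stolen backup cannot be attacked by guessing the password alone. The KDF, salt, candidate list and 16-byte keys below are simplified and constructed for the demo.

```python
# Added illustration (not 1Password's code): a simplified two-secret key
# derivation showing why a high-entropy Secret Key held only on the user's
# devices defeats offline password guessing against a stolen backup.
import hashlib
import hmac

ITERATIONS = 50_000  # constructed work factor for the demo


def derive_vault_key(password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Combine password and Secret Key (assumption: simplified scheme, not
    1Password's exact KDF). PBKDF2 stretches the password, the Secret Key is
    mixed in via HMAC, and the XOR of the two depends on both inputs."""
    pw_part = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    sk_part = hmac.new(secret_key, salt, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def guess_from_backup(target_key: bytes, candidates: list[str],
                      secret_key: bytes, salt: bytes):
    """Offline guessing against a leaked (salt, key-check) pair. Returns the
    matching password or None. Uses constant-time comparison."""
    for cand in candidates:
        if hmac.compare_digest(derive_vault_key(cand, secret_key, salt), target_key):
            return cand
    return None


# Constructed values for the demo only.
SALT = b"constructed-salt-16"
USER_SECRET_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # 128-bit, device-only
WRONG_SECRET_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100")  # any wrong guess
WEAK_PASSWORD = "12345678"
CANDIDATES = ["password", "nigel", "12345678", "letmein"]


def demo():
    """Returns (result when the Secret Key also leaked,
    result when only the backup leaked and the Secret Key must be guessed)."""
    real_key = derive_vault_key(WEAK_PASSWORD, USER_SECRET_KEY, SALT)
    # Case 1: password AND Secret Key both in the attacker's hands: a weak
    # password falls to a small dictionary.
    with_secret = guess_from_backup(real_key, CANDIDATES, USER_SECRET_KEY, SALT)
    # Case 2: only the backup leaked; even the correct password in the list
    # does not match, because the 128-bit Secret Key is also unknown.
    without_secret = guess_from_backup(real_key, CANDIDATES, WRONG_SECRET_KEY, SALT)
    return with_secret, without_secret
```

The second case is the LastPass-style scenario the thread discusses: with a second secret of this size, the work factor is dominated by guessing 2^128 keys rather than by the strength of the password.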

  • fabnavigator
    Community Member

    It does. Thank you.

  • Happy to help. 🙂

    Ben

  • Reystarr
    Community Member

    Thank you Ben! The use of both the secret key and master password TOGETHER is the differentiator and that gives me some comfort that even if the backups are compromised, it is highly unlikely they can guess both to decrypt the vaults.

    Oh and I don’t use Lastpass. I’m 1Password forever. :)

  • Mycenius
    Community Member
    edited December 2022

    Much of what LastPass have publicly said and released in their statements is misleading and designed to obfuscate - obviously they are trying desperately to downplay how badly they managed this and how poor their system and security really is. AFAIK only 1Password and Bitwarden have had zero known intrusions to date of their systems (incl. cloud/online vault storage). Deliberately holding off until Christmas Eve to publicly acknowledge the breach is inexcusable enough (when customers/users have lost 6+ weeks of time that they could have updated their passwords, etc, in) but to exaggerate how secure the stolen vaults are is worse (you would be lucky if 10% of their customers have their default minimum 12-character high-entropy passwords or better - a lot of those vaults will have 'password' or '12345678' or 'nigel' or similar as their master passwords)!

    This is also the 7th major intrusion they have had to their systems/network/storage in the last ~12 years - there is a pattern there... (and how many more minor ones, or ones they have not publicly admitted, have occurred?)

    Also, some further reading/commentary on the LastPass breach for those interested (and who have not seen this previously): Jeremi M Gosney at InfoSec.

  • jonnyt80
    Community Member

    I have been using LastPass as my password manager for years but given the recent security breach and the way it has been handled I'm thinking of switching password managers and 1Password is one of the ones that has been recommended. However, before I decide on a new password manager I thought I should ask a few questions based on my experience with LastPass and questions I have around the security of my data.

    1. Are there any blog posts or information on what 1Password would do if something similar happened and customers' password vaults were stolen?
    2. Does 1Password store any unencrypted data in the password vaults? One of the things I was shocked to learn was that some of the data in the LastPass vaults such as the URLs are not encrypted - I always assumed that any data stored in my vault would be 100% encrypted.
    3. If something similar did happen and a backup of the password vaults was stolen how secure would it be? From looking into the LastPass incident it looks like if someone manages to crack the Master Password then they'll have access to all of your data - would it be the same with 1Password or is there any additional security on the backups to prevent this i.e. 2FA?

    Thanks for any help or advice that people can offer on this.


    1Password Version: Not Provided
    Extension Version: Not Provided
    OS Version: Not Provided
    Browser: Not Provided

  • jonnyt80
    Community Member

    Also, how easy is it to migrate data from LastPass to 1Password?

  • MMirabito
    Community Member

    @jonnyt80, after reading LastPass community forums I concluded that LP is pretty much MIA or on vacation.

    I moved from LastPass to 1Password family on Friday; mind you, I had been using it since 2013 and as a paying customer since 2015.
    The vault was imported with no errors, including my daughter's, in under 5 seconds (1Password has an import feature and LastPass is one of the options).

    A few days later I removed auto-renewal on LastPass. I am keeping the account for now, but I have deleted all entries on the vault.

    In deciding what to use I also looked at Bitwarden but went with 1Password (note it's more expensive for the family plan). But IMO I found the GUI a bit easier on my eyes; Bitwarden was way too flat and bland.

    One item: I could not find the concept of folders in 1Password. They have tags, similar to Gmail. On the other hand, Bitwarden has folders like LastPass. Regardless, I have adapted to filtering. Still trying to get used to how the features have been implemented, but overall I am pleased so far.

    Hope this helps
    max

  • jpgoldberg
    1Password Alumni

    What's most important is what we do differently before a breach. We have designed 1Password so that in the event of a breach we could truthfully say that the data that we hold is uncrackable and that things like the item URLs and titles are encrypted.

    https://blog.1password.com/not-in-a-million-years/

  • Answered here

    Merged! Thanks. :)

    Ben

  • Mycenius
    Community Member

    FYI if people haven't seen it already - LastPass data breach led to $53K in Bitcoin stolen, lawsuit alleges, related to the August breach, filed in the US. Posted the details & link here for those interested.
