The recent attack on LastPass and the arguably successful stealing of LastPass vaults has attracted a lot of attention. Certainly also in the 1Password community.
I have been using 1Password for four years now with a 1Password family membership. At the time, the reason was a successful hack in my family that enabled identity theft with financial damage.
The LastPass security incident has me personally concerned and a bit unsure if storing passwords in password services is really a good idea. While 1Password has never had such an incident, what if this changes?
Of course, I know that everything is strongly encrypted. Additionally, a 128-bit strong secret key is required to decrypt the vaults. This is a good reason to choose 1Password, especially in this industry. But what if supercomputers can break the encryption?
Perhaps I am exaggerating a bit. Nevertheless, a queasy feeling remains.
My question now is whether 1Password will now integrate more security systems to make it even more secure? You always have to be one step ahead of criminals. How does 1Password ensure that something like with LastPass can never happen? Will 1Password change anything in its security strategy? Will the source code of the security architecture be published?
I still feel safe with 1Password, that hasn't changed, but these are thoughts that go through your head when you hear about the LastPass story.
Looking forward to answers
1Password Version: 1Password 8
Extension Version: Not Provided
OS Version: macOS Ventura 13.1
Current supercomputers and the expected supercomputers of the next decades cannot break state of the art encryption.
It requires a hypothetical computer that is able to perform the time intensive cryptographic computations in zero time. It's estimated, a quantum computer is able to do this. However, currently there is no real quantum computer in existence. They are being developed, but they don't work yet. These are not simply very fast computers - they need completely different algorithms and programs to use their special speed. Drafts for such cryptographic breaking algorithms exist, but all very theoretical.
It will be years from now, maybe even decades, and the first thing that will pop up with them would be some scientific proof that it's really possible to crack current encryption, if that's really possible. It would not be your personal 1password account that will be cracked first, I'm 100% sure of that. It will be very technical proof of concepts in a clean environment, not some ready-made cracking tool that instantly decrypts the whole internet.
The industry will have years to develop so called post quantum cryptography algorithms to solve that, if it's possible, so it's an issue for the medium or far future. As of today, and probably for the next few decades, your data will be safe with traditional cryptography. If your (our!) data is safe after that with post quantum cryptography, nobody knows today. If it's not safe any more, it's not safe for everyone, everywhere, no matter the tool he uses.
It's important to remember that 1Password is not a static product. For proof of this, you can look at how far it's come in the last several years in terms of its storage format. Agile Keychain, as strong as it was back in the day, was simply not enough to handle modern day threats. It had limitations and weaknesses, and so 1Password users were migrated to the OPVault format starting in 2012. Once 1Password accounts were introduced in 2015, additional security features like the Secret Key were added into the mix. The continued evolution of 1Password keeps it ahead of the threats of the day, and well prepared for the future. 1Password accounts, especially, are a major advantage, as you no longer need to worry about manually upgrading a vault in order to make sure you're using the latest vault format.
On the subject of supercomputers, it may be worth a refresher on just how strong the Secret Key is when it comes to the encryption of your data. As mentioned in this blog post on the subject:
Running a guessing attack on encrypted 1Password data would not be "impossible" because an attacker would somehow lack the ability to do so. They could certainly try it. It would be impossible because they would be limited by the amount of money in the world and the amount of time left until the sun burns out with which to run their attack. It may also be worth having a look at this comment on quantum computing, as that's a common subject that comes up here.
Thank you :) @Zatara214
@Mattis – You're very welcome. :)
One more thing, even when it's a small thing: How can I enable TPM? My PC supports TPM and I am already using stuff like Bitlocker. The last checkbox is greyed out. Windows Hello is also enabled, obviously. @GreyM1P
TPM 2.0 is enabled and supported.
Folks, please stop saying it's impossible to break state of the art encryption. What was state of the art yesterday could be outdated today.
The fact of the matter is that encryption can be broken as quickly as on the first try. Someone wins the lottery despite the odds against it. My state has at least 4 lottery games. Most states have multiple, then there are multi-state lotteries. While we all think it's impossible that WE will win the lottery, the fact is that someone does win almost every day, in every state.
There could be 4 billion combinations that are required to decrypt something, but if the first permutation hits, it's done. So whatever the odds/combinations are they are the maximum case, as if it literally took the last permutation to crack it. Statistically, it will be neither the first nor the last - BUT IT COULD BE.
So please stop saying it's impossible. There are at least several state governments hard at work improving both decryption and encryption methods. Throwing money at companies and/or hacker groups. Let us hope that 1Password continues to evolve and improve security, because as we have all learned by now it doesn't matter if you're Target, Equifax or LastPass.
Enable One Time Passwords for all your accounts that support them. 1P has supported this for a long time. Complain to businesses you use that are still using just SMS texts, or not even this.
All the best.
I was able to successfully toggle these settings off and back on again, so it's probably best if we help you with this issue by email.
Attach the diagnostics to an email message addressed to
With your email please include:
You should receive an automated reply from our BitBot assistant with a Support ID number. Please post that number here. Thanks very much! :)
I understand what you're saying here, and it's definitely true that everything would be cracked eventually given enough time, money, computing power, and other resources, but 1Password's security is on a _galactically_ different scale, and although the numbers involved are mind-bogglingly huge, it's important to make the comparison.
⚠️ Warning: Very long post, and large-number mathematics ahead! 🤓
A real-world example of "unlikely, but not impossible":
The main Lotto game of the National Lottery in the UK (where I'm from) has 49 balls. You'd need to match all six balls to win the jackpot. That sets the number of possible outcomes of the draw to 49*48*47*46*45*44, which is
So, the odds of winning are just a little bit worse than 1 in 10 billion. And yet, as you mentioned, someone does win most weeks, which is unlikely but not impossible. (Wouldn't be much of a game if it was impossible!)
How this compares to 1Password's cryptography
Now, considering that the Account Unlock Key which performs the actual encryption and decryption of your 1Password data is an AES-256 key of 256 bits, that's 2 × 2 × 2 × 2 ...and so on, multiplying 2 by itself 256 times.
For a 256-bit key like ours, there are a possible
That's just a bit over 115 quattuorvigintillion, which is slightly easier to say. (Let's be generous to our hypothetical attackers and round down to 115, instead of up to 116.)
Guessing the Lotto numbers is already unlikely, but within the realms of possibility at about 1 in 10 billion as we saw above.
10 billion tells us that cracking the Account Unlock Key on the first try is roughly 11.5 million trillion trillion trillion trillion trillion times harder than winning the Lotto, something we already considered very unlikely but not impossible.
What does that mean in practical terms?
The fastest known (to me, anyway) supercomputer at time of writing is Frontier, at Oak Ridge National Laboratory, in Tennessee, USA. It can perform about 1 quintillion calculations per second.
☞ ℹ️ 1 quintillion is 1,000,000,000,000,000,000 or 1 billion billion on the short scale.
Let's say Oak Ridge are very nice to us and allow us free (as in both no-cost and unrestricted) use of their supercomputer. (They'll just have to put their research work on hold for a bit.)
☞ It would actually take more than 1 calculation to try each possible key, but let's again be generous and say that 1 calculation = 1 key tested.
115 quattuorvigintillion keys to test at a rate of 1 quintillion keys/second would still take 1.15 × 10^59 seconds to try them all. (1.1579×10^77 / 10^18)
To put that in perspective, that's 3.644 × 10^51 years, or put another way, about (260 million trillion trillion) times longer than the known universe has existed (~13.7 billion years).
Taking an average, it would take about half that time to find the key, but we're still talking about unfathomably long times to check them all, and an unfathomably low probability that the earlier checks would find it.
On this scale, as our Principal Security Architect, Jeff Goldberg, says in his blog post, Secret Key: What is it, and how does it protect you?:
Although it can seem like hubris to talk in absolutes like this, the mathematics bear it out.
OK, but what if the account password is weak?
This is something important to bear in mind. If you use a competitor that doesn't use a Secret Key like we do, you only use your email address and a password to sign in to your vaults and decrypt your data. So, it follows that if you chose a terrible password like pencil69, it wouldn't take long to just try lots of passwords until one of them works. This would be no different from cracking passwords for any other website.
1Password is different: because we also use the Secret Key, that adds randomness (entropy) to your account password since both are used to derive your Account Unlock Key. The Secret Key is 128 bits long, so we know that at minimum, the "seed" for your Account Unlock Key is at least 128 bits.
Let's suppose that cracking your account password is trivial (maybe you reused it from somewhere else, which you definitely shouldn't do!) and someone wants to sign in to 1Password.com as you. Let's assume they have your email address and your account password. They don't have your Secret Key, and cracking a 128-bit key by brute force would still take 5 trillion years (on average) using the Frontier supercomputer flat out, doing nothing else.
I hope all of the above shows how much of the heavy lifting in 1Password's security is done by the Secret Key, and why we shouldn't only rely on recommendations to our customers. We can't just tell customers to use a strong account password and hope for the best. We can't just increase the number of rounds we perform in our key-derivation function and cross our fingers. The Secret Key adds another dimension to the problem of cracking 1Password's security which makes it unappealing for anyone to try.
It's great to see how much our community is engaging with how 1Password keeps their data secure. I'll be happy to answer any questions anyone has. :)
Fun thread and excellent explanation, @GreyM1P!
Just for kicks, I did the math using the power of the collected Bitcoin network, currently clocking in at a humble 249,504,173,713,255,600,000 hashes/sec, or ~250 times the speed of the Frontier supercomputer.
TL;DR you're still not going to be around to watch it find the key:
115,792,089,237,316,195,423,570,985,008,687,907,853,269,984,665,640,564,039,457,584,007,913,129,639,936 keys / 249,504,173,713,255,600,000 hashes/sec = 464,088,786,628,439,555,051,575,642,811,566,489,488,416,056,535,001,026,158 seconds.
This equals 14,716,158,885,985,526,225,633,423,478,296,755,754,959,920,615,645 years, or 1,074,172,181,458,797,534,717,768,137,101,952,974,814 times the age of the known universe.
Even dividing that number by 2 to yield 7,358,079,442,992,763,112,816,711,739,148,377,877,479,960,307,822 years on average, we're still talking 537,086,090,729,398,767,358,884,068,550,976,487,407 times the age of the known universe.
Don't hold your breath. :)
This is one of those conversations in which everyone is right.
@Piggy is correct that "impossible" is technically not the right word. It is "possible" that Elvis has been living on Mars and teaching native Martians how to gyrate their hips even though they don't have hips. It is "possible" that the earth is flat, held up by four elephants on the back of a Giant Star Turtle. It is "possible" that I can unstir the cinnamon I put into my oatmeal by reversing the direction of my stirring. Those are possibilities which we can call negligible.
But @piggy is, I believe, making a different point and is not talking about possibility at that level. Basically, it is possible that the designers of these cryptographic systems are wrong about stuff or it is possible that our implementation is buggy in ways that can be seriously exploited. These are possibilities that we do need to take seriously.
But when taking them seriously in making our security choices, we need to contrast with alternatives. If encryption is broken (tomorrow) in ways that wreck the security of 1Password, then it would also be broken in ways that make the passwords stored in 1Password irrelevant, as all of the things that we use passwords for would also be broken. And because the security of 1Password's synching mechanism is stronger than (most) alternative synching mechanisms, a cryptographic vulnerability that badly undermines ours is also going to hit the alternatives.
Is cryptography possible?
Mathematicians have not managed to prove that cryptography is possible at all. And this applies to all cryptography, not just the fancy public key stuff. But we make the choice to rely on cryptography every day (whether you use 1Password or not). Even if you never do anything online¹, you depend on cryptography. For example, your bank uses cryptography to make payments and deposits into your account whether you use online banking or not. So if cryptography is fundamentally broken, the fate of 1Password is going to be among the least of anyone's problems.
The point here is to consider the kinds of threats Piggy is talking about affecting 1Password synching and look at how they affect the whole eco-system. If you are worried about an asteroid hitting your house, the solution is not to move to another house.
Cryptography breaks slowly
We've seen once trusted cryptographic systems break over the past decades. And the good news is that, at least for well-implemented systems, the breaks have all been slow. They do not break all at once, going from fully trusted one day to fully exploitable the next. Other than the key size (which was a known deliberate weakness) of DES, it took decades to uncover other weaknesses (typically based on the small block size). MD5 had been deprecated for years before an actual, real-live, exploit against it was used in the wild. And cryptographically relevant quantum computing is getting further out in the future.
Bad things happen, but ...
So, yes. Bad things can happen. Bugs and design errors can and do happen. And so it's good to take that into account when we use the word "impossible". But the choices that we make given the nature of possibility is about relative. 1Password offers strong protections against the consequences of a breach that LastPass does not. That doesn't mean it is impossible for bad things to happen if we get breached, but it does mean that bad things are enormously less likely.
¹ Be sure to thank the person who printed this out for you to read on paper.
Of particular note I've become very interested in the PBKDF2 'iterations' failure at LP (to me these are truly horrific and in some ways almost worse than the actual loss of possibly every single customer's encrypted vault & personal data). I posted about that separately, here and asked LastPass Iteration Failures: Can you verify the PBKDF2 Iterations used on your 1Password Vault? So won't repeat gist of the post here.
But perhaps one simple change that may be in the near future roadmap with 1PW is a possible increase from the current PBKDF2 100,000 count to something higher - the (nominal) recommended iteration count is currently 310,000 (as many may know, for FIPS-140 at least), but due to how the secret key addition works with 1PW this might not be necessary (yet); right? But perhaps an increase of a lesser amount is? I'd be interested in where the 1PW team's thinking around this is; is it something under consideration?
I just wanted to add here that regardless of the great difficulty of breaking encryption, there is the social engineering factor. According to an article in today's NY Times, "intruders had gained access to its cloud database and obtained a copy of the data vaults of tens of millions of customers by using credentials and keys stolen from a LastPass employee." Could you speak to how difficult it would be to sweet-talk a 1Password employee into revealing "credentials and keys" sufficient to access and unlock customer data?
I think it is more likely that we'll end up with a new KDF vs increasing PBKDF2 iterations.
1Password employees cannot decrypt your data. The only way to decrypt a customer's vault is with their account password and Secret Key, neither of which are ever transmitted to us.
From About the 1Password security model:
I hope that helps!
👍🏻 👍🏻 @Ben
Phew! That is a very long thread but so informative. Thanks everyone! :)
I'm happy that you found the thread useful and informative. 😊
For those not aware - Possibly first lawsuit against LastPass related to the August breach has been filed in US. Posted the details & link here for those interested.
My password was a mix of 26 computer generated characters with upper, lower, numbers and symbols.
The two key factors affecting the ability and time to crack are length and strength (entropy):
I checked the entropy of a password similar to mine at the following websites and the entropy ranged from over 100 to 180:
The latter one also estimates the crack time using various attack scenarios and guesses per second with the time ranging in decades and up.
There is also a chart which shows the time to crack based on the entropy score (up to 120) and the number of guesses per second from 10 thousand to 100 trillion here:
Does anyone know how the number of iterations affects the time?
As far as I remember, doubling the number of iterations for PBKDF2 doubles the time required for cracking. It's not a high gain going from 100000 to 300000 - it's only tripling the time. Given Moore's Law that computing power about doubles every 18 months, this is a not very long lasting enhancement. To truly overcome computing power growth, a new key deriving function is required with orders of magnitude more computing power to crack. Or just a few more characters in your password with current KDFs.
@Tertius3 is correct -- the gains achieved by massively increasing the number of rounds of PBKDF2 suffer from the "diminishing returns" phenomenon. That is: you get less and less by such large increases, but because both incorrect Account Password entries (fails, cracking attempts) and your correct entries (unlocking your data via entering the Account Password) must go through these rounds of PBKDF2, the increase in computational overhead (and therefore slowness of "feel" in the unlocking UX) increases to the point of annoyance (and I suppose, if you cranked it up enough or had a weak enough CPU, to the point of unusability). And there is a much better way to increase the entropy of your Account Password: add another character. Generate it randomly, of course, but the protection stemming from the increase in entropy gained by adding a single character to an existing Account Password far exceeds the gains from additional rounds of PBKDF2.
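The trade-off discussed in the posts above (more PBKDF2 rounds versus one more random character versus the 128-bit Secret Key), worked through as an added example that is not code from 1Password or from any poster. It assumes a 94-symbol alphabet, a 10-character random baseline password, the thread's generous "1 calculation = 1 guess step" rate of 1 quintillion per second, and models the Secret Key simply as 128 extra bits of search space.

```python
import hashlib
import math
import time

PRINTABLE = 94               # assumption: characters drawn uniformly from 94 printable symbols
MOORE_DOUBLING_YEARS = 1.5   # "doubles every 18 months", as stated in the thread
SECONDS_PER_YEAR = 365.25 * 24 * 3600
FRONTIER_RATE = 1e18         # thread's figure: about 1 quintillion calculations per second


def password_bits(length, alphabet=PRINTABLE):
    """Entropy in bits of a uniformly random password of the given length."""
    return length * math.log2(alphabet)


def work_bits(secret_bits, iterations):
    """log2 of the hash operations needed to try every candidate secret."""
    return secret_bits + math.log2(iterations)


def years_to_exhaust(bits, ops_per_second=FRONTIER_RATE):
    """Worst-case years to perform 2**bits operations at a fixed rate."""
    return 2.0 ** bits / ops_per_second / SECONDS_PER_YEAR


def hardware_years_bought(extra_bits):
    """Years of attacker hardware growth that extra_bits of work cancels out."""
    return extra_bits * MOORE_DOUBLING_YEARS


def compare(base_len=10):
    """Return (name, total work bits, bits gained over baseline, years) per scenario."""
    pw = password_bits(base_len)
    base = work_bits(pw, 100_000)
    scenarios = [
        ("baseline: 100,000 iterations", base),
        ("310,000 iterations", work_bits(pw, 310_000)),
        ("one more random character", work_bits(password_bits(base_len + 1), 100_000)),
        ("128-bit Secret Key mixed in", work_bits(pw + 128, 100_000)),
    ]
    return [(name, bits, bits - base, years_to_exhaust(bits)) for name, bits in scenarios]


def pbkdf2_seconds(iterations):
    """Wall-clock cost of one PBKDF2-HMAC-SHA256 derivation on this machine.

    The legitimate user pays this on every unlock, which is why the
    iteration count cannot be raised without limit.
    """
    start = time.perf_counter()
    # Constructed password and salt, for timing only.
    hashlib.pbkdf2_hmac("sha256", b"constructed-password", b"constructed-salt", iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    for name, bits, gained, years in compare():
        print(f"{name:32s} {bits:7.2f} bits  (+{gained:6.2f})  "
              f"{years:.3e} years  buys {hardware_years_bought(gained):6.1f} hardware-years")
    for n in (100_000, 310_000):
        print(f"PBKDF2 x {n:,}: {pbkdf2_seconds(n) * 1000:.0f} ms per unlock on this machine")
```

In this model, tripling the iteration count adds about 1.6 bits of attacker work, one extra random character adds about 6.6 bits, and the Secret Key adds 128 bits, while only the iteration increase makes every legitimate unlock slower.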
Indeed. There is also some suggestion now that Quantum computers can break major encryption method, researchers claim - while not proven for certain, even if not we can't be too far from that state, so the eventual flow on effect down the line will mean moving to newer encryption logic is a better use of time and effort in the long term anyway:
If you're interested then our Principal Security Architect has previously posted some thoughts regarding Quantum computing here: Is 1P taking the threat from quantum computing serious these days? — 1Password Support Community
I haven't been online here at all this year, so happy new year 2023!
I have two questions that have nothing to do with encryption, but are not so big that I think it needs a new thread. Earlier today I was remotely helping a family member with his Mac who had been using Windows for decades, this brought these questions to my mind.
First, a topic that has something to do with security. When you log in to 1Password.com with your 1Password account, you have to enter your email address, your secret key and your master password/account password. So far so good. But I was wondering why no dots appear when you enter the secret key? The secret key is in plain text in the text field. If a screen transfer is running, then after that it would no longer be a secret key, it would just become a key. 😅
(I had the Mac screen transfer active with my family member, which allowed me to see the screen including the Safari window with 1Password.com).
For me personally, it's a security risk because the secret key could be spied out, just by a simple screen transfer. Maybe one also forgets to end the video conference and then logs into 1Password.com. Obviously, it doesn't help if you then display the banking passwords, because even 1Password cannot stop that. But it is absolutely necessary that the Secret-Key appears in dots when you enter it. (The account password only appears in dots). 🔒
Second, a topic related to recovery: Why is 1Password 8 only able to restore deleted items from the past thirty days? When I signed up for a 1Password membership five years ago, I was super happy about the feature to be able to restore deleted items from the last 365 days. I noticed that restoring from the last 365 days is still possible through 1Password.com, but not via 1Password 8. Neither for Mac nor Windows or iOS. I would really appreciate it if AgileBits would bring this functionality back to the current 1Password.
May this post receive attention by an AgileBits employee.
Looking forward to hearing answers.
The second topic doesn't really fall within my specialty, but the first one sure does, so I'll address that. Funny enough, though, I think we can actually break that down into two separate points:
1. Malware, or the unexpected monitoring of your device
2. The function of your Secret Key
Let's start with the first one. We shouldn't assume that every screen reader is malicious, but it does have the potential to be used maliciously. I'll stick with malicious ones for the most part, and get to your example after that.
Malware of any flavor is sort of a broad topic. The compromise of your operating system certainly provides the room for a successful attack. 1Password is a software application, and given that, it relies on the integrity of the hardware, firmware, and operating system on which it runs. The compromise of any of these things has the potential to do a lot of damage. We could assume that this screen reading malware only has permission from your operating system to read your screen and send it over a network to some unknown third party. But we shouldn't. We should assume the worst. And the worst case scenario is root access. It's been said before by @jpgoldberg (somewhere... there are so many long posts in here) that once an attacker has gained root access to your computer, it is no longer your computer. Mitigation for this type of threat involves keeping your operating system, web browser, and applications up to date. If you feel more comfortable using an additional anti-malware solution, you may. But 1Password itself is not an anti-malware solution.
Your example of leaving a video call with a family member open actually leads me into my next point: the functionality of the Secret Key. I typically summarize it by saying that the Secret Key is meant to protect you from us. That is its only purpose. Protection from us includes everything from our own eyes on your encrypted data (we are the ones storing it) to a breach of 1Password's servers. With that in mind, as long as we (1Password, the company) don't have it, it's doing its job. I wouldn't go so far as to make your Secret Key entirely public, but your Secret Key is not your account password. They work together, but they do have different purposes.
With this in mind, even if you assume that the family member that you forgot to hang up on is malicious (frankly, you should have hung up on them, they deserved it), that family member would still need a copy of your encrypted data and your account password in order to acquire and decrypt your data. The exposure of your Secret Key over this call would certainly be icky, and you'd certainly have the opportunity to change it, but it does not put you in immediate danger.
If your primary concern is a scenario in which someone somehow acquires both your account password and Secret Key, but not a copy of your encrypted data (as would be the case if you broadcasted yourself typing them both out in plaintext while sharing your screen), you may also choose to enable two-factor authentication with your 1Password account, as that's the specific scenario that it's meant to cover.
Hey @Zatara214, thank you so much for your reply, I really appreciate it. Yes, my family member has already two-factor authentication enabled for his 1Password account, but I was surprised after all, that the Secret Key is shown in plaintext while entering it.
Which effort would it cost, to add a button to the login page that makes the entry visible? Like an eye icon? You should hide the Secret Key in the login procedure by default and unhide the entry by clicking the eye icon. I would really appreciate that.
Looking forward to hearing answers to my second topic.
Well, I should say that this isn't a decision that comes down to me. It's entirely possible that one or more of my colleagues on 1Password's security team will disagree with me on this point. But I see the Secret Key being exposed by default as a matter of usability. In fact, similar things can be found elsewhere. For example, the fact that your Secret Key consists of groups of characters separated by dashes comes entirely down to usability. The dashes are not there to add to the Secret Key itself. As mentioned (currently on page 12) in 1Password's Security Design white paper, they exist to make it more human-readable and easier to enter into the 1Password clients when needed.
I'd imagine that this is done because the Secret Key remains a huge hurdle to those that are new to the concept of password managers in general, never mind ones that are new to 1Password specifically. I have appreciation for the fact that not everyone is an enormous nerd that thinks about nothing but security and privacy all day like I am. People like stuff to be easy, and if it's not, they won't use it. As I've said elsewhere, there exists a very delicate balance between usability and security. Making real, proper security accessible to anyone and everyone is really tough sometimes. It's our job to maintain that balance as best we can so that everyone can benefit.
Thanks @Dave_1P - I'll definitely read through that thread - don't think I have noticed it previously!
Sounds good! I'm happy that my linking to the thread was helpful. 🙂
I'm late getting to this, but wow, what an interesting, open, and deeply technical conversation. I'm considering switching from LastPass to 1Password, and this security discussion is right on point for me. I'm just starting to play with 1Password, and I have a couple additional questions:
When do I enter the Secret Key? Is it the first time I install the Extension in a new browser or run the app on a new machine? What about on phones? Will I ever have to re-enter the Key? (just need to know how accessible the key needs to be)
This question was kind of asked earlier but not answered: My reading-between-the-lines of the LastPass incident is that an individual employee got phished and gave up his/her internal system account info. The hacker then logged in to the account and grabbed data from internal servers that the user had access to - apparently encrypted vaults, plus unencrypted customer info such as names, addresses, email addresses, etc. Leaking this other info is bad and could potentially give the hacker clues to the vault passwords.
So, two questions:
2a. What safeguards does 1Password have to prevent employee phishing incidents like this?
2b. Is customer data stored on internal servers as encrypted so a hacker couldn't use it if they got it?