Is 1Password preparing a report on lessons from the LastPass breach?
I thought I knew what "zero knowledge" means, and I thought it was the gold standard for security. From the LastPass security breach, it seems there may be different degrees of zero knowledge security, and even zero knowledge password managers may store key backup or other data on third party servers.
Is 1Password preparing a report on lessons learned from the LastPass breach, including full transparency to 1Password customers on how 1Password's practices are different from LastPass's practices, and whether 1Password stores any data on third party servers? I appreciate that 1Password.com utilizes a Security Key in addition to a Master Password, but I am still wondering if any similarities exist between LastPass's practices and 1Password's practices and, if yes, how 1Password is better protected than LastPass from a similar breach.
I am concerned because I have always been a standalone license user, and I recently moved all of our family's passwords to 1Password.com's cloud.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
Comments
Hi @VT1P, thanks for these questions. I can understand your concerns, and am happy to help.
First, there are a few basic principles that underpin our approach:
We lean into privacy. This is partly a philosophical choice (privacy is good) but it also has security implications: if we don't have your information, we can't lose control of it in a breach.
We rely on strong encryption - really strong encryption - to secure your data. This makes your data inaccessible to anyone who doesn't have your account password and Secret Key, including us.
But, to your point, that's only true if there isn't fine print attached to it, right? Like, if we only encrypt some of your items, or leave other aspects of your data unprotected, then it's not really as simple as "lean into privacy and rely on strong encryption." Fortunately, everything in your 1Password database - logins, secure notes, you name it - is all encrypted. Our colleague Zak goes into detail on this here.
When it comes to how your non-secret information is handled generally, and what we know and don't know about you, I can recommend our privacy primer. The most information-revealing thing a typical 1Password customer will do, when needed, is to send us diagnostics so that we can help with troubleshooting. Information on what's shared in those diagnostics is covered here.
Regarding our infrastructure, we rely on Amazon Web Services (and actually have a little-known public page for it!). While these are third-party servers, your information as always is encrypted end-to-end with keys that only you possess. We never have your account password or Secret Key, and thus have no ability to back them up anywhere.
I am still wondering if any similarities exist between LastPass's practices and 1Password's practices and, if yes, how 1Password is better protected than LastPass from a similar breach
This is a fair question. We share some similarities, in the sense that both companies use cloud services to sync encrypted data across devices, but a big (critical) difference-maker is the Secret Key. It just makes the math of breaking 1Password's encryption way, way more infeasible. I hesitate to comment further on LastPass's specific situation other than to say that we've imposed substantially higher requirements on what we consider the secure encryption and handling of data to be.
However, our principal Security Architect, Jeffrey Goldberg, just wrote a blog post about the LastPass breach, and how our approach to encryption compares.
With that said, we understand that there's no such thing as absolute security. We'll be continually revisiting our security controls and assessing risks as they come up. If you're interested, @shaywood shared some insightful background earlier this month on what it would take to compromise our cryptography.
Further Reading
If you'd like to have a look at the fine-grained specifics of our implementation, the 1Password Security Design whitepaper can be found here. The "Beware the Leopard" section contains candid information on risk and the limits of our current approach.
Finally, I should mention that our apps and services are routinely audited by independent security firms (we had 6 such audits in 2022 alone). Those reports are also public.
PeterG_1P,
Thank you for your comprehensive response to my questions. I always felt very comfortable with my standalone license and vaults, which stayed on our encrypted computers. Now we have switched to a 1P.com family account. It is working very well for us, but we are relying on 1P's highly-regarded reputation for cloud security. I have no expertise to differentiate between "bulletproof", "best in the industry", and "better than LastPass, which recently failed". Clearly, we have placed our trust in 1P. I am sure 1P recognizes this and takes great care to assure it is well placed.
Hello @VT1P,
As you may have seen, we have written a blog post that highlights unique facts about our design that keeps you safe if we were ever to be breached.
https://blog.1password.com/not-in-a-million-years/
On Zero Knowledge
In that, I didn't say anything about their use of the term "Zero-knowledge". By many definitions, 1Password's authentication protocol (based on SRP) is ZK. We have avoided calling it that because the term "Zero-knowledge" often implies specific ZK techniques, which are not used in Password-Authenticated Key Exchanges (PAKEs) such as SRP. So while PAKEs are ZK, we've been reluctant to use that term as it often suggests different techniques.
I am not aware of any credible definition of ZK that would apply to my current understanding of LastPass's authentication protocol, but I don't claim expertise in their protocols and I have not sought out their explanation of why they consider it ZK.
Again, my focus was on their erroneous claim of "millions of years" and on how 1Password could truthfully say that if we were to suffer from a similar breach.
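For readers who want to see what "based on SRP" means in practice, here is an added stand-alone run of the SRP-6a exchange (RFC 5054 style) in pure Python. It is an illustration, not 1Password's implementation, and it omits the proof messages M1/M2 and the Secret Key's role in 1Password's own protocol. The property it shows is the one Jeffrey Goldberg is referring to: the server stores only a salt and a verifier, the password never crosses the wire during authentication, and both sides end with the same session key only when the client's password matches the verifier. The 1024-bit group is the one from RFC 5054 Appendix A; using SHA-256 for the session key hash, 256-bit ephemeral exponents and the constructed usernames and passwords are assumptions of this example.

```python
"""Added example: SRP-6a password-authenticated key exchange, stand-alone.

Not 1Password's code. Shows how a PAKE lets a server check a password it never
receives: it keeps only (salt, v = g^x mod N) and the login exchange reveals
neither the password nor x. Group: RFC 5054 1024-bit. SHA-256 throughout is a
simplification (RFC 5054 uses SHA-1 in the TLS binding).
"""
import hashlib
import secrets

N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
N_LEN = (N.bit_length() + 7) // 8


def pad(n: int) -> bytes:
    """Big-endian encoding padded to the byte length of N, as RFC 5054 requires."""
    return n.to_bytes(N_LEN, "big")


def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier


def private_x(salt: bytes, username: str, password: str) -> int:
    """x = H(salt | H(username ':' password)); computed only on the client."""
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return H(salt, inner)


def register(username: str, password: str):
    """Client-side enrolment. Only (salt, v) is sent to and stored by the server;
    the password itself never leaves the client."""
    salt = secrets.token_bytes(16)
    v = pow(g, private_x(salt, username, password), N)
    return salt, v


def authenticate(username: str, password_attempt: str, salt: bytes, v: int):
    """One login exchange. Returns (client_session_key, server_session_key).
    Messages on the wire are A (client -> server) and (salt, B) (server -> client);
    a passive observer sees only these."""
    # Client: fresh ephemeral a, public A
    a = secrets.randbits(256)
    A = pow(g, a, N)

    # Server: fresh ephemeral b, public B blended with the verifier. Note the server
    # uses v only; it has nothing derived from the password attempt.
    b = secrets.randbits(256)
    B = (k * v + pow(g, b, N)) % N

    # Both sides must abort on a zero public value (RFC 5054 section 2.5.4).
    if A % N == 0 or B % N == 0:
        raise ValueError("SRP abort: public ephemeral value is 0 mod N")

    u = H(pad(A), pad(B))  # scrambling parameter, computable by both sides

    # Client: combines its password-derived x with B. If x matches the verifier,
    # B - k*g^x equals g^b and S_client = g^(b*(a + u*x)).
    x = private_x(salt, username, password_attempt)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)

    # Server: S_server = (A * v^u)^b = g^(b*(a + u*x)) for the x behind v.
    S_server = pow((A * pow(v, u, N)) % N, b, N)

    return hashlib.sha256(pad(S_client)).digest(), hashlib.sha256(pad(S_server)).digest()


def demo():
    """Returns (keys agree with correct password, keys agree with wrong password)."""
    salt, v = register("alice", "correct horse battery staple")  # constructed credentials
    kc, ks = authenticate("alice", "correct horse battery staple", salt, v)
    kc_bad, ks_bad = authenticate("alice", "wrong horse", salt, v)
    return kc == ks, kc_bad == ks_bad


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Two things worth noticing in the code: the server's arithmetic never touches the password attempt, only the stored v, and a wrong password produces a different x on the client and therefore a mismatched session key, which the (omitted) M1/M2 proof messages would surface as a failed login. A PAKE protects the password in transit and against the server itself; what remains exposed in a database breach is the verifier, which an attacker can still run offline guesses against if the inputs to x are weak, so the strength of the key-derivation material matters here as much as in vault encryption.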