General security question from newbie

victrolux
Community Member

As a new user of 1PW I am obviously overjoyed that I am able to keep so much data securely locked in one location. But the cautious side of me also worries that I can keep so much important data in one location... that if someone were able to hack into the application they would have everything, and I mean everything... my logins, my passport, my credit cards, my deepest darkest thoughts.

I understand that nobody can open the application without my master password. But what I'm wondering about is, if my laptop is stolen and someone can access the 1PW data files, can they hack into the code in the database and still manage to get my data?

I realize the answer to this question would have to be, "Absolutely not!" But can you describe to me in "newbie terms" why this is not possible?

Thanks

Comments

  • bjspiers
    Community Member

    I had/have the same concerns; it's quite a thing to put all your very expensive eggs in one basket. My worries were lessened by the replies here: http://discussions.agilebits.com/discussion/23360/new-to-1password-cloud-security-data-recovery-questions#latest

    However, whilst my bank accounts are in 1pw, they are mostly 2-page logins and the second page login remains in my head (for now), so if 1pw was hacked they would still need half the login. I'm sure I am still being over cautious but...
    Barry

  • Jasper
    edited April 2014

    Hi @victrolux,

    Your Master Password is always required to access your locked data.

    From the moment we designed the data format, we ensured that it was able to withstand an attack should your data fall into the wrong hands, either as a result of a sync service breach or if someone physically stole your computer. As such, we use AES encryption with PBKDF2 key strengthening to protect your sensitive 1Password data, as well as many other mechanisms to stop an attacker from ever accessing your information, and we detail this here:

    Security of storing 1Password data in the cloud

    So, as long as you use a secure master password that you don't use elsewhere, your 1Password data is incredibly safe (even when stored on a service like Dropbox). If you're not sure about the strength of your master password, please do take a look at our blog post on this:

    Toward Better Master Passwords

    I can't think of many better ways to show just how strongly 1Password protects your data than by pitting it against the pre-eminent password cracking tool John the Ripper. We did exactly that:

    1Password is Ready for John the Ripper

    Please let me know if you have any other questions or concerns!

  • victrolux
    Community Member

    Thanks Jasper. To clarify what I am asking...

    I realize this semi-informed question exposes my complete lack of understanding of how all this works. But I'm just trying to wrap my newbie brain around the concept that the data file cannot be cracked into no matter how it's accessed. I understand the importance and the function of the master password. My understanding of it is that the master password is important when you come through the "front door". What I'm wondering about is how the master pw prevents someone coming through the back door or busting out a wall from the side and seeing all the data raw unexposed without the need of a master password.... Is the data file itself able to be cracked open in a way that does not follow the rules?

    Maybe if you explained how encryption actually works... Or maybe I should go learn this before I ask such questions!

    Thanks

  • Stephen_C
    Community Member

    Put simply, your data is encrypted by a key generated from your master password. If anyone gets possession of your 1Password database they can obtain access to it only by giving the master password, which will then decrypt the database. (That's a gross simplification, but that's as I understand it in essence.)

    Stephen

  • Megan
    1Password Alumni

    Hi @victrolux,

    I'm glad to hear that you are thinking seriously about the security of your 1Password data! That's what we like to see. :) It sounds like you've already got some great advice, and some links to the best places to learn more, so I'll just try to elaborate a bit on what's already been said:

    My understanding of it is that the master password is important when you come through the "front door". What I'm wondering about is how the master pw prevents someone coming through the back door or busting out a wall from the side and seeing all the data raw unexposed without the need of a master password.... Is the data file itself able to be cracked open in a way that does not follow the rules?

    Front door/back door/side door... it's really not important whether an attacker tries to access your database directly through the 1Password app or if they find your 1Password.agilekeychain file and try to hack it directly. Your data is always encrypted using the fancy algorithms that @JasperP mentioned above, and an attacker would need to crack your Master Password to get access to the key to decrypt your data.

    I hope this clears things up, but we're here if you have any further questions!
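
The point made in the replies above, as an added sketch that is not part of the original thread and not 1Password's code or file format: the stored file holds only ciphertext plus the public parameters needed to re-derive the key, so reading the file directly ("side door") leaves an attacker exactly where the app's unlock screen does, needing the Master Password. Assumptions: the iteration count, the field names, the integrity tag used to detect a wrong password, and an HMAC-based keystream standing in for AES so the sketch runs on the Python standard library alone.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed for this sketch, not 1Password's actual setting

def derive_keys(password: str, salt: bytes, iterations: int):
    """PBKDF2 stretches the password into an encryption key and a MAC key."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=64)
    return material[:32], material[32:]

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (HMAC-SHA256 in counter mode); the thread says the
    real product uses AES at this step."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def lock(password: str, plaintext: bytes, iterations: int = ITERATIONS) -> dict:
    """Everything returned here is what sits on disk: no key, no password."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(password, salt, iterations)
    ciphertext = keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "iterations": iterations,
            "ciphertext": ciphertext, "tag": tag}

def unlock(vault: dict, password: str):
    """Return the plaintext, or None when the password derives the wrong keys."""
    enc_key, mac_key = derive_keys(password, vault["salt"], vault["iterations"])
    expected = hmac.new(mac_key, vault["nonce"] + vault["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, vault["tag"]):
        return None
    return keystream_xor(enc_key, vault["nonce"], vault["ciphertext"])

if __name__ == "__main__":
    secret = b"passport: X0000000 (constructed sample)"
    vault = lock("correct horse battery staple", secret)
    print(secret in vault["ciphertext"])   # the raw file does not contain the data
    print(unlock(vault, "letmein"))        # wrong password: nothing comes out
    print(unlock(vault, "correct horse battery staple"))
```

Every guess at the password has to repeat the full PBKDF2 computation, which is why the replies stress a strong Master Password that is not used elsewhere.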

This discussion has been closed.