iCloud Security

Aeskulapio
Community Member

Having investigated the recent celebrity hacks of iCloud backups that led to photos being leaked I've learned that iCloud files are not encrypted and that two factor authentication is not "on" for the iCloud files. This raises a concern about the security of the 1Password Vault sync through iCloud. Could you please address?
Is the sync file encrypted by 1Password?
If I want to turn off iCloud sync until Apple has addressed these security issues, do my existing devices' vaults get deleted?
How could I turn off iCloud sync and delete the iCloud file without deleting the vaults on my devices?

Thanks

Comments

  • littlebobbytables
    1Password Alumni
    edited September 2014

    Due to the use of AgileBits' newer file format, if you sync via iCloud your entire vault is always encrypted (URLs and something else isn't in the older format still being used if you use Dropbox*). AgileBits don't rely on encryption supplied by any of the sync services; they're only repositories for the already encrypted data.

    If my understanding from reading posts by @jpgoldberg is correct, the idea is to assume somebody has access to an off-line copy of your vault and work from there to decide what it takes to ensure only the owner can access the contents, i.e. it doesn't matter if iCloud is compromised now or in the future.

    *What they're saying is in the not too distant future all versions of their software will be aware of the new format and will exclusively use that instead. Its current usage is for reasons of interoperability. Hopefully I got that right, @Megan?

  • prime
    Community Member

    I think you can delete the files by just deleting the account on your Mac. Then just re-log into your iCloud account if you use other services. Now this is where a strong password would have helped them and 2 step verification. I've heard they got it originally by a brute force attack, but now reading they (hackers) did a forgot my password reset and just answered 2 of the 3 security questions (with 2 step verification, you don't use the security questions anymore). If you're a celebrity, everything about you is out there to be able to answer these questions.

    I have read on here that they do encrypt the file before it goes anywhere.

  • Stephen_C
    Community Member

    What @littlebobbytables‌ says in the first paragraph of his post is correct. The fundamental point is that even if someone obtains access to your 1Password vault (whether on iCloud or anywhere else) they won't be able to do anything with it unless they have your master password. The whole vault is (or vaults are, if you have more than one) encrypted with a key derived from your master password. That is why it's important to have a strong master password.

    Stephen

  • prime
    Community Member

    Now didn't they add an iCloud sync for the password so they sync too? I don't remember the whole thing, but I have restored from an iCloud back up a few times and still needed my master password.

  • sjk
    1Password Alumni
    edited September 2014

    Hi guys,

    @Aeskulapio: You asked:

    "Is the sync file encrypted by 1Password?"

    @Stephen_C‌ and @littlebobbytables‌ have answered that (thanks!):

    "What @littlebobbytables says in the first paragraph of his post is correct."

    You also asked:

    "If I want to turn off iCloud sync until Apple has addressed these security issues, do my existing devices' vaults get deleted? How could I turn off iCloud sync and delete the iCloud file without deleting the vaults on my devices?"

    You can disable iCloud Sync and delete 1Password data from iCloud (iOS) without removing any 1Password data from your devices.

    To do it on the Mac, first run File > Backup and click Backup Now in the main 1Password application to create a "safety net" backup. Then select the Sync tab in the Preferences window, click Disable Syncing…, and enable the Delete data from iCloud option before clicking Disable Sync.

    There are two data stores in 1Password 4. One for the internal database, which is everything that is inside 1Password. The other is the sync store, downloaded from your remote cloud or your sync tools. 1Password 4 syncs between those data stores.

    @prime‌: You asked:

    "Now didn't they add an iCloud sync for the password so they sync too?"

    In 1Password for Mac, this change was made in version 4.3:

    • Now when you change your Master Password, it will sync to your other devices

    This is correct:

    "I don't remember the whole thing, but I have restored from an iCloud back up a few times and still needed my master password."

    Similar to what @Stephen_C mentioned, your 1Password data essentially always remains encrypted, wherever it is stored and synced, until it's unlocked with your Master Password. It's never synced unencrypted.

    @littlebobbytables: You wrote:

    "If my understanding from reading posts by @jpgoldberg is correct, the idea is to assume somebody has access to an off-line copy of your vault and work from there to decide what it takes to ensure only the owner can access the contents, i.e. it doesn't matter if iCloud is compromised now or in the future."

    That's the basic idea. :)

    "*What they're saying is in the not too distant future all versions of their software will be aware of the new format and will exclusively use that instead. Its current usage is for reasons of interoperability."

    If you were interested in more details about the rollout of the new format, including where it is already used today, please see:

    Rolling out the 1Password 4 keychain

    If you have any other questions or concerns, please let us know and we would be happy to answer and assist you!

This discussion has been closed.
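
The threat model described in this thread (assume someone holds an offline copy of the synced vault, so everything rests on the Master Password) can be sketched in Python. This is an added example, not 1Password's code or file format: the PBKDF2 parameters, the header layout, the sample passwords and the attacker's hash rate are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000             # assumed work factor, not 1Password's setting
CHECK_LABEL = b"vault-key-check"  # hypothetical constant the key is tested against

def derive_key(master_password, salt, iterations=ITERATIONS):
    """Stretch the master password into a 256-bit key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)

def make_header(master_password, salt=None):
    """Build what a sync store would hold beside the encrypted vault.

    Salt, iteration count and tag are not secret; the password never appears.
    """
    salt = salt if salt is not None else os.urandom(16)
    key = derive_key(master_password, salt)
    tag = hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()
    return {"salt": salt, "iterations": ITERATIONS, "tag": tag}

def unlocks(header, candidate):
    """True only if the candidate password reproduces the stored tag."""
    key = derive_key(candidate, header["salt"], header["iterations"])
    tag = hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()
    return hmac.compare_digest(tag, header["tag"])  # constant-time compare

def offline_search_years(entropy_bits, iterations, hashes_per_second):
    """Expected years to find a password of the given entropy offline.

    Each guess costs `iterations` hash operations and, on average, half the
    password space is searched before the right one is hit.
    """
    guesses_per_second = hashes_per_second / iterations
    expected_guesses = 2 ** entropy_bits / 2
    return expected_guesses / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    # Constructed sample password; a fresh random salt is generated.
    header = make_header("constructed sample master password")
    print("right password unlocks:", unlocks(header, "constructed sample master password"))
    print("wrong password unlocks:", unlocks(header, "password123"))
    # Assumed attacker rate of 1e10 raw hashes per second.
    for bits in (28, 40, 52):
        years = offline_search_years(bits, ITERATIONS, 1e10)
        print(f"{bits}-bit password: about {years:.4g} years expected")
```

Holding the header gives an attacker nothing but the ability to test guesses, so the cost of recovery is set by the Master Password's entropy and the derivation work factor rather than by where the file is stored.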