Traveling--how to login while on the road

I'm going overseas and will remain there for a period of 4 months.

I have a single user license for Windows.

My question is what is the most secure and simplest way(s) to continue using 1Password to login to my preferred sites and access my information while I'm overseas?

Comments

  • svondutch
    1Password Alumni
    edited November 2014

    Dropbox is your friend.

    Are you bringing your laptop? If yes, then you can install 1Password onto it.

    Otherwise, you can use 1PasswordAnywhere.

  • raahh
    Community Member

    Hi,
    no laptop. I'll be backpacking and don't want the extra bulk/weight. I am, however, thinking of bringing a netbook or tablet.

    I'll look into this 1PasswordAnywhere and Dropbox option. I'll test it here before leaving.

    In terms of security and ease of use, do you think it would be best to install 1Password on a netbook or use Dropbox from a tablet?

  • RichardPayne
    Community Member

    Shouldn't matter, as long as the netbook isn't a Chromebook. Just Dropbox and the appropriate flavour of 1Password and you're good to go. 1PasswordAnywhere is just an HTML page inside the keychain that lets you read the data directly from the Dropbox website.

    If you're taking a device then you might as well use it.

  • DBrown
    1Password Alumni

    @raahh, be sure you're using the default .agilekeychain format for your vault, rather than the optional .opvault format (which doesn't include the 1Password.html file and other elements required for the 1PasswordAnywhere feature).

    @RichardPayne is correct that the device you use to access 1PasswordAnywhere is irrelevant—your 1Password data is as secure as your master password is difficult to guess. (You are using a strong master password, right? :) )

  • RichardPayne
    Community Member

    @RichardPayne is correct that the device you use to access 1PasswordAnywhere is irrelevant—your 1Password data is as secure as your master password is difficult to guess. (You are using a strong master password, right? :) )

    With 1PasswordAnywhere your data is only as secure as your Dropbox account. If someone gains write access to that then they can maliciously corrupt the html file to steal your master password.

  • DBrown
    1Password Alumni
    edited November 2014

    they can maliciously corrupt the html file to steal your master password

    Do you have proof of this?

    I ask because it directly contradicts everything I've been told about 1PasswordAnywhere.


    Update

    Dev tells me that a "bad guy" with write access to your Dropbox account could replace the 1Password.html file with a version that would simply send the master password to that person when you submit the "unlock" form.

    That means your 1Password data is, as @RichardPayne put it, as secure as your Dropbox account, which makes it like any other file stored in Dropbox (assuming the person who gains access to your Dropbox account has the programming skills to hack 1Password.html).

    Sometimes I think we might've named the software TwoPasswords. ;)

  • DBrown
    1Password Alumni
    edited November 2014

    ...and here's a blog post that contributed to my misunderstanding:

    Your Master Password is your defense [against] Dropbox breaches...

  • jpgoldberg
    1Password Alumni

    Hello @raahh!

    I went overseas for "one year two at the most" and returned 12 years later. Happy travels to you. I'd like to comment, clarify, and offer some perspective on this discussion.

    Use transcribable passwords

    One option for you, if you do not wish to use 1PasswordAnywhere, is to carry a portable device and use 1Password for Android or 1Password for iOS.

    The difficulty is that if you use random passwords (as you should), you may find yourself having to transcribe something like nF]pYAALNuTxms6QFXkDBx8T. That simply isn't feasible.

    But there is a solution. Before you travel, update the passwords that you expect to need most often to things that are easier to type and transcribe. 1Password for Windows can generate Diceware-like passwords. These are strong and easy to type and transcribe. So this way, you can look these up on your mobile device and type them where you need to.

    Putting 1PasswordAnywhere issues into perspective.

    As noted, using 1PasswordAnywhere has different security properties than using the 1Password program.

    1. 1PasswordAnywhere's security breaks if an attacker gains write access to your Dropbox account.
    2. 1PasswordAnywhere's security depends on the security of your connection to Dropbox. So an SSL/TLS compromise can also be a vector.

    But these are perfectly acceptable risks for many people. Indeed, that is typical of web-based password managers. Web-based password managers are (typically) vulnerable to an attacker gaining write access to the server or to the data in transit via an SSL/TLS failure.

    1Password is not a web-based password manager and so 1Password does not face some of the threats that web-based password managers face. But 1PasswordAnywhere is the exception. When you use that feature you face some of the same kinds of threats that are typical of web-based password managers. Let me quote from the article I just linked to:

    The exceptional 1PasswordAnywhere

    1PasswordAnywhere is an optional, but useful, feature for many users of 1Password. It is useful when you don’t have 1Password itself with you. If you synchronize your data with Dropbox using the Agile Keychain Format, you will have a file within your Agile Keychain folder called 1Password.html. That file contains the JavaScript necessary to give you read access to your 1Password data stored on Dropbox in your Agile Keychain.

    1PasswordAnywhere is as secure today as the day we introduced it. Its security has not diminished in any way. But it does remain an exception to much of what I have said above. It does involve a great deal of cryptography in JavaScript; it is an instance where you do enter your 1Password Master Password into the browser, its security relies on TLS/SSL in a way that the rest of 1Password does not, and it is subject to active attacks (data tampering) in ways that the latest version of 1Password is not.

    Again, let me stress that 1PasswordAnywhere remains as secure as ever. But because it is cryptography in JavaScript delivered over SSL/TLS and stored on a third party system, it faces threats that other uses of 1Password do not face.

    So one way to look at the choice about whether to use 1PasswordAnywhere or not is to consider that foregoing 1PasswordAnywhere gives you extra security. That is, you can look at the security level of 1PasswordAnywhere as a base-line. That might be a more useful perspective.
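
The tampering risk raised above (DBrown's update and point 1 of jpgoldberg's list) can be watched for on a machine you control. The following is an added example, not part of the original thread and not AgileBits code: it hashes 1Password.html from a trusted copy of the keychain and later reports whether the synced file has changed. The baseline path and the directory layout in the demo are assumptions.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

WATCHED = ("1Password.html",)  # the only file name the thread gives

def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def record_baseline(keychain: Path, baseline_file: Path) -> dict:
    """Hash a trusted copy; the baseline must live outside the synced folder,
    otherwise write access to Dropbox could rewrite the baseline as well."""
    if keychain.resolve() in baseline_file.resolve().parents:
        raise ValueError("baseline must not be stored inside the keychain")
    baseline = {name: sha256_file(keychain / name) for name in WATCHED}
    baseline_file.write_text(json.dumps(baseline, indent=2))
    return baseline

def verify(keychain: Path, baseline_file: Path) -> dict:
    """Return {file name: "ok" | "modified" | "missing"}."""
    report = {}
    for name, expected in json.loads(baseline_file.read_text()).items():
        target = keychain / name
        if not target.is_file():
            report[name] = "missing"
        elif hmac.compare_digest(sha256_file(target), expected):
            report[name] = "ok"
        else:
            report[name] = "modified"
    return report

if __name__ == "__main__":
    # Constructed stand-in for a synced keychain, so the demo runs offline.
    with tempfile.TemporaryDirectory() as tmp:
        keychain = Path(tmp, "Dropbox", "1Password.agilekeychain")
        keychain.mkdir(parents=True)
        page = keychain / "1Password.html"
        page.write_text("<html>constructed trusted copy</html>")
        baseline = Path(tmp, "baseline.json")  # hypothetical local path
        record_baseline(keychain, baseline)
        print(verify(keychain, baseline))
        page.write_text("<html>constructed altered copy</html>")
        print(verify(keychain, baseline))
```

A "modified" result after a legitimate 1Password update means the baseline needs re-recording from a trusted install. The check covers only the locally synced copy; it cannot vouch for a page loaded from dropbox.com on someone else's computer.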

  • svondutch
    1Password Alumni
    edited November 2014

    What @jpgoldberg‌ says.

    A couple more things:

    1. We're phasing out 1PasswordAnywhere. opvault (our future database format) does not include 1PasswordAnywhere.
    2. The NSA has access to your Dropbox. Are you worried about the government hacking into your accounts? Do not use 1PasswordAnywhere.

    Thanks!

  • svondutch
    1Password Alumni
    edited November 2014

    Your 1Password data is safe in Dropbox (even from the prying eyes of the NSA), provided you...

    1. have a strong master password, and
    2. are not using 1PasswordAnywhere
  • reck
    Community Member

    I've only just noticed I can select the format of the vault when creating them. My vaults are currently using the older .agilekeychain which must have been the default when I created them.

    Would you mind explaining a bit more about the vault formats?

    1. What are the benefits of the new format (.opvault) over the .agilekeychain format?
    2. How do I change my vaults using the older format into the new format?
    3. Why is .agilekeychain still around?
  • svondutch
    1Password Alumni

    What are the benefits of the new format (.opvault) over the .agilekeychain format?

    opvault is more secure because everything is encrypted (including item titles).

    How do I change my vaults using the older format into the new format?

    You cannot convert your agilekeychain to the new format (yet).

    Why is .agilekeychain still around?

    Because not every platform supports opvault (yet). We're waiting for Android to catch up.

  • reck
    Community Member

    Thank you, direct and to the point.

  • jpgoldberg
    1Password Alumni

    There are times when it is very important to distinguish among various forms of access. All of the issues involving 1PasswordAnywhere require the attacker to be able to change your data either on Dropbox or in transit. If the attacker can only read the data, then all is well.

    So when @svondutch‌ says,

    The NSA has access to your Dropbox. Are you worried about the government hacking into your accounts? Do not use 1PasswordAnywhere.

    we should keep that distinction between read access and write access in mind. It is clear that the NSA and FBI have easy read access. So far there are no indications that they have write access. (I would not be surprised if they do have that capacity, but if it were frequently used it substantially raises the possibility of detection.)

    Individuals have to make their own choices about what threats they are concerned about, but I do want to make it clear what sorts of attacks exist against "crypto delivered over the web" as is the case with 1PasswordAnywhere.

  • svondutch
    1Password Alumni
    edited November 2014

    @goldberg Edward Snowden has not told us whether the NSA has read access or read-write access. If you want to err on the safe side, then you should assume they have both.

  • jpgoldberg
    1Password Alumni

    PRISM is all about (easy) read access. So write access would have to be from a program we have heard nothing of. I'm not saying that they don't have write access, but it would be something "new" if this were something routinely available to them.

    I certainly assume that US LEAs can get write access in individual cases. Just as they can install "implants" and such into your own hardware.

  • reck
    Community Member

    Edward Snowden has certainly rattled a few cages with this. I now just assume anything I put in the cloud, including my Gmail, can be read by government departments if they so wish. I don't see any way around this unless you start using something like TrueCrypt to encrypt your data, but there's even suggestion that that is now compromised due to the sudden closure by the devs.

  • raahh
    Community Member
    edited November 2014

    woah. I hadn't checked the forum for the past week. This turned complicated pretty fast ... :D

    So having a very strong Dropbox password is a must. I don't think I like to use 1PasswordAnywhere...so my option would be?...

    @DBrown, I'm using the .agilekeychain format. Good tip though, I didn't even know there were different formats.

    and yes, using a strong master password :)

    You say the device I use is irrelevant. Even using a PC at an internet cafe? Aren't 'key logger' software a security risk?
    Ideally that's what I would like to do is avoid taking a netbook/tablet with me on my travels and just use internet cafes. But probably not the smartest way to go about this.

    Let's say I take an Android tablet with me, do I then need to purchase another (separate) license?
    Right now I have one Windows license.

    @jpgoldberg. Thank you. Wow! 12 years, that's quite the adventure. Too many places to visit. Let me know if you have a blog of your travels.

    Thanks for the input. It sounds like there are quite a few things to consider if I'm going to use 1PasswordAnywhere.

  • DBrown
    1Password Alumni
    edited November 2014

    The alternative to using 1PasswordAnywhere (that is, to viewing your 1Password data through a web browser at your private dropbox.com web site) is to install 1Password on your mobile device. I believe you get the Android version in the Google Play Store for free, with an option to "in-app purchase" various pro features.

  • raahh
    Community Member

    Let's say I install the 1Password Android app on my phone. Is there any way someone can extract my Dropbox password if the phone is stolen or lost?

  • DBrown
    1Password Alumni
    edited November 2014

    None that I can even imagine, @raahh, but I have no familiarity with Android. I'd recommend asking in the 1Password for Android forum to get the expertise your question deserves.

  • [Deleted User]
    Community Member

    @raahh‌

    aren't 'key logger' software a security risk? Ideally that's what I would like to do is avoid taking a netbook/tablet with me on my travels and just use internet cafes. But probably not the smartest way to go about this.

    I agree, I would never use 1Password in any form on a public computer, or any computer that I don't control. However I think you can still use public computers for logging in to individual accounts, if two step verification is possible and enabled for that account. Of course, then you must use passwords that are easy to remember for those accounts. Using Diceware as suggested seems like a good idea in that case.

    Let's say I install the 1Password Android app on my phone. Is there any way someone can extract my Dropbox password if the phone is stolen or lost?

    Dropbox never stores its password on your phone (or your computer). You enter your Dropbox password during setup, but after that it creates a "security token" that is used for authentication. You can test this by changing your Dropbox password on the Dropbox website: your Dropbox app will continue to work and update your files despite the password change.

    If your phone is stolen or lost, you should instead go to https://www.dropbox.com/account#security and revoke access to that device and/or app.
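
The Diceware suggestion made by jpgoldberg and repeated in the post above trades length for ease of typing. The following is an added example, not part of the original thread and not 1Password's generator: it draws words with a CSPRNG and works out how many words are needed to reach a chosen strength. The 32-word list is constructed for the demo, and the function names are hypothetical.

```python
import math
import secrets

# Constructed 32-word sample list (exactly 5 bits per word) so this runs offline.
# A real Diceware list has 7776 words: five six-sided dice rolls per word.
SAMPLE_WORDS = """amber basil cedar delta ember fjord grove harbor
island jungle kettle lantern meadow nectar orchid pebble
quartz ribbon saddle timber umbra velvet walnut yonder
zephyr anchor breeze copper dagger falcon garnet hollow""".split()


def entropy_bits(list_size: int, n_words: int) -> float:
    """Entropy of n_words drawn uniformly and independently from the list."""
    return n_words * math.log2(list_size)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest word count whose entropy meets or exceeds target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def passphrase(words, target_bits: float = 64.0, sep: str = "-") -> str:
    """Build a passphrase that reaches target_bits for the given word list."""
    unique = sorted(set(words))  # duplicates would overstate the entropy
    if len(unique) < 2:
        raise ValueError("word list needs at least two distinct words")
    count = words_needed(len(unique), target_bits)
    # secrets.choice uses the OS CSPRNG; random.choice must not be used here.
    return sep.join(secrets.choice(unique) for _ in range(count))


if __name__ == "__main__":
    print(passphrase(SAMPLE_WORDS))
    print("words for 64 bits from a 7776-word list:", words_needed(7776, 64))
```

The strength figure holds only when the words are chosen by the generator; picking or reordering words by hand lowers it.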

  • DBrown
    1Password Alumni

    Thanks, @Xe997‌!

  • raahh
    Community Member

    Thank you for your help everyone. I will keep your tips and suggestions in mind.

  • DBrown
    1Password Alumni

    Great! Let us know if you have any other questions.

  • Peter_Pappas
    Community Member

    I have questions:

    Using 1P must mean I am using .agilekeychain. I am also using Dropbox.

    Does this mean the html access risk is automatically there for me regardless?

    I am not using 1PasswordAnywhere and don't know anything about it yet.

    What I have read so far here is 1PasswordAnywhere has a back door that I wasn't aware of. The simple question is, how do I close or secure it?

    Peter

    PS To use the other format do I need to start from scratch, maybe using copy and paste?

  • svondutch
    1Password Alumni

    @Peter_Pappas 1PasswordAnywhere does NOT have a back door. If you're not using 1PasswordAnywhere, then you have nothing to worry about.

  • Peter_Pappas
    Community Member

    Thanks :)

    Not to beat the point to death, what has me concerned (or thinking) is if I am using .agilekeychain as the database, and someone breaks into my Dropbox somehow, are the mechanisms in place to use 1PasswordAnywhere to hack me?

    I guess I should add I don't know is 1PasswordAnyWhere a program that is separate or something you turn on inside 1P.

    Mr Brown, where do I read on this :)

    Peter

  • svondutch
    1Password Alumni

    if I am using .agilekeychain as the database, and someone breaks into my Dropbox somehow, are the mechanisms in place to use 1PasswordAnywhere to hack me

    @Peter_Pappas not until you yourself enter your master password into 1PasswordAnywhere.

    I guess I should add I don't know is 1PasswordAnyWhere a program that is separate or something

    https://guides.agilebits.com/1password-windows/4/en/topic/using-1passwordanywhere

This discussion has been closed.