Why should I buy 1Password?

Daniel_KB
Community Member

Hi,

I've done a lot of reading up about 1Password lately and I am thinking about buying it. Maybe one of you guys can convince me to make the purchase ;)

As of now, I feel like I do not need 1Password for the following reasons:

By using "Secure Password Check" on Kaspersky, I came up with 4 passwords that would take 100,000+ centuries to crack by brute force, and yes, I have them all memorized no problem.

Not being able to memorize a bunch of different passwords would be the reason for me to buy 1Password, correct? The only extra security I would then be getting from my purchase would be the "Fill and Go" feature, but how much security is that really adding? And what if I just stay logged into my social media and other sites all the time? Then I wouldn't even need the "Fill and Go" feature. Is that dangerous or unsafe, to stay logged in?

I have a MacBook laptop running Mac OS X Mavericks and an Android phone. I understand that 1Password is currently in beta on this "Fill and Go" feature with Android.

Thoughts? Why would buying 1Password make my computer and Android device safer?

Comments

  • littlebobbytables
    1Password Alumni

    Hi @Daniel_KB

    I'm going to make the argument for a password manager in general.

    Computer security and the attempts to bypass it evolve over time. At one point the focus was on ensuring your computer was free of viruses and malware that would try to sniff out passwords as you used the machine. A much more profitable vector these days is to compromise a server in the hopes of discovering login credentials for thousands of users. We assume every site we register with takes good security measures but what the news tells us is sometimes they're incredibly lax with our data.

    Now what does it matter if somebody breaches something like your favourite news site where you log in just to get a personalised front page, Slashdot for example? It's annoying, but what have they gained access to?

    More often than not it isn't that account they care about, it's the fact that people faced with remembering a geometrically growing number of passwords are forced to reuse them if they rely on their own memory. So they can take your login details for that unimportant site and try them at all the sites they'd really like to gain access to. A password manager, any password manager, allows you to create individual passwords so that a single site being compromised doesn't mean a session of panicked password changes because one password potentially allowed them access to so many places.

    The core strength of a password manager is in having it remember hundreds of unique and truly hideous passwords. As strong as your passwords are, are they as strong as, for example, c*2Vg-!tDA71E/8l/cr,n(@eZIUz@P? Quite frankly I curse when I'm forced to type any of my passwords out because they're so bloody awful even typing is a pain, and each site is getting something unique like that.

    For me that's the key selling point. Even if I didn't have access to functionality such as fill and go I'd still consider a password manager invaluable and in fact I did as 1Password 3 couldn't work with the Opera browser.

    Why 1Password over other password managers? This comes down to preference. I wanted a password manager where I'm in control of my data, so no server-stored approaches, and from a reputable company, as you have to trust their program. Being that I'm a Mac user, I don't see why I shouldn't have something that looks nice while still achieving its core duties (argue all you like, your average Linux program is not pretty), and I wanted something available on the platforms I care about, which are OS X and iOS. I've been a fan of 1Password ever since I was a customer using 1Password 3, and when the time came along to upgrade to 1Password 4 I happily paid.

    I've not answered all of your questions but I'd hope I've given you at least one strong reason why any password manager is a very good idea.

  • Daniel_KB
    Community Member

    You pretty much just wrote out what 1Password does, which I am fully aware of. As I wrote in my initial post, "I have done a lot of reading up about 1Password," so yes I know it generates a long, difficult password for each and every site you have an account for.

    Is my password as strong as the one you posted? Probably not. But like I also said in my post, my 4 master passwords would all take 100,000+ centuries to crack by a brute force attack. So maybe that password takes longer to crack, but who cares because it makes no difference.

    I am also not concerned that "one password potentially allowed them access to so many places." This is the purpose of me compartmentalizing my 4 master passwords in a way that if one got hacked, they would not be able to go to sites like Amazon, Facebook, Twitter, my email account, or whatever other common website with that same password.

    I actually had only 2 questions and you answered neither of them. One of them being - 1.) What added security am I getting from the Fill and Go feature and 2.) Is it dangerous to stay logged into websites and if so why?

    Put simply, if I have these 4 Master Passwords that I can remember, what reason do I have to buy 1Password and why?

    Anyone else?

  • Plato
    Community Member

    In a nutshell...

    1) I do not believe that you can memorize passwords that "would all take 100,000+ centuries to crack by a brute force attack."

    2) The bad guys are not going to use brute force. Instead, they will use some sophistication.

    3) I do not believe this statement at all: "This is the purpose of me compartmentalizing my 4 master passwords in a way that if one got hacked, they would not be able to go to sites like Amazon, Facebook, Twitter, my email account, or whatever other common website with that same password."

    Of course, you're welcome to believe whatever you wish.

  • Daniel_KB
    Community Member

    Plato

    1.) You probably don't even know what Kaspersky is, but yes, they are a very reliable source and according to their password checker it would take that long.

    2.) If they are using some sophistication other than brute force, then is 1Password doing something to prevent that?

    3.) Yes, that's why I would create 4 different passwords. 1 of them for the less common, unimportant sites. 1 for banking, 2 for email accounts, 1 personal, 1 for other stuff.

  • pomme4moi
    Community Member

    My opinion on Daniel's original two questions, plus one observation:

    1. What added security am I getting from the Fill And Go feature? This feature provides additional protection against phishing attacks by helping to guarantee that you are signing on to legitimate websites. Other than that, this feature is simply a productivity aid. You have to decide whether that offers value to you.

    2. Is it dangerous to stay logged into websites, and if so why? If you practice good computer security (e.g., lock your computer so co-workers cannot access it when you step away, have a good password on your smartphone with a short timeout period), I would say it is not dangerous to stay logged into websites.

    My observation: As Daniel says, many products (Kaspersky, 1Password, LastPass, Dashlane, OneSafe) have good generators that create strong passwords. But a lot of hacking attacks do not rely on password-cracking. The online company that you do business with (a bank, a store, a forum) has to store your password on their servers so that they can verify your identity when you next sign onto their website. You would think that companies store their customers' passwords in a secure manner, but many do not. If a bad guy obtains access to the company servers, they now have your password. If a bad guy acquires one of Daniel's 4 master passwords in this manner, the bad guy now has access to the other websites where Daniel uses that same password. If Daniel can live with that, then OK.
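The server-side storage point in the observation above, as an added worked example (editor's code, not pomme4moi's and not anything from 1Password): one site keeps passwords in plaintext, another keeps a salted PBKDF2 hash, and a copy of each site's user table is examined to see what it hands an attacker. The sites, accounts and passwords are constructed for the demo; the iteration count and the "forum reuses the bank password" scenario are assumptions chosen to mirror the thread.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. Assumption: a real deployment tunes this
# to its hardware; it is kept modest here so the example runs quickly.
ITERATIONS = 100_000


def store_plaintext(password: str) -> dict:
    """The lax practice described above: the password itself is kept."""
    return {"scheme": "plaintext", "secret": password}


def store_hashed(password: str, salt=None) -> dict:
    """What a careful site keeps: a salted, slow hash, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"scheme": "pbkdf2-sha256", "salt": salt.hex(),
            "iterations": ITERATIONS, "hash": digest.hex()}


def verify(record: dict, attempt: str) -> bool:
    """Login check for either record type, using a constant-time comparison."""
    if record["scheme"] == "plaintext":
        return hmac.compare_digest(record["secret"].encode("utf-8"),
                                   attempt.encode("utf-8"))
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def leaked_password(record: dict):
    """What someone who copies the server's user table reads off immediately.
    A plaintext record hands over the password; a hashed record only hands
    over something that still has to be guessed at ITERATIONS hashes per try."""
    return record["secret"] if record["scheme"] == "plaintext" else None


def reuse_impact(breached_record: dict, other_site_record: dict) -> bool:
    """True if the password read out of the breached site's table also opens
    the account at the other site, i.e. the same password was used at both."""
    candidate = leaked_password(breached_record)
    return candidate is not None and verify(other_site_record, candidate)


# Constructed demo data, not real accounts or passwords.
FORUM_PASSWORD = "correct horse battery staple"          # the "unimportant sites" password
BANK_PASSWORD_REUSED = FORUM_PASSWORD                    # same password used at the bank
BANK_PASSWORD_UNIQUE = "c*2Vg-!tDA71E/8l/cr,n(@eZIUz@P"  # the kind of thing a manager generates


def demo() -> dict:
    forum = store_plaintext(FORUM_PASSWORD)             # the lax forum
    bank_reused = store_hashed(BANK_PASSWORD_REUSED)    # careful bank, reused password
    bank_unique = store_hashed(BANK_PASSWORD_UNIQUE)    # careful bank, unique password
    return {
        "forum_login_ok": verify(forum, FORUM_PASSWORD),
        "bank_login_ok": verify(bank_unique, BANK_PASSWORD_UNIQUE),
        "forum_breach_reveals": leaked_password(forum),
        "bank_breach_reveals": leaked_password(bank_unique),
        "forum_breach_opens_bank_when_reused": reuse_impact(forum, bank_reused),
        "forum_breach_opens_bank_when_unique": reuse_impact(forum, bank_unique),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The bank's hashing buys nothing against the forum's plaintext leak when the two passwords are the same; that is the whole reason the thread keeps returning to reuse rather than to strength.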

  • Daniel_KB
    Community Member

    Thank you pomme4moi for your response.

    For 1. could you explain a little more to me... I don't fully understand why Fill and Go guarantees that I am signing on to a legitimate website. As I understand it, you save your website login URL in 1Password and it takes you there when you click Login. If I am typing in the same URL to the browser, what is the difference?

    2.) Yeah, as long as my computer and phone are in my hands at all times, it seems that staying logged in would actually be safest, because then you don't have to worry about key loggers when you re-type your password or phishing attacks as you alluded to. If staying logged in does make me more vulnerable to hackers, someone please elaborate.

    I appreciate you adding in your observation about how online companies store passwords on their servers and how that works. Always good to learn something new. I would have hoped that online companies such as banks and stores are more secure in storing our passwords than a website like a forum.

  • But like I also said in my post, my 4 master passwords would all take 100,000+ centuries to crack by a brute force attack.

    Here it sounds like you are using only 4 different passwords across all of your accounts? If that is the case I'd highly recommend reading this article:

    I would have hoped that online companies such as banks and stores are more secure in storing our passwords then a website like a forum.

    You might be surprised. Schwab only allows for 6-8 character passwords and does not allow symbols:

  • Daniel_KB
    Community Member

    bwoodruff

    I definitely find some of these password creation rules and the lack of protection surprising. Good article. If you read my previous comments you'll see that I wouldn't have the issue posed in your first article, because I would have a separate password for banking only; any hack to my other accounts would not provide a re-usable password to access my banking.

  • Ben
    edited December 2014

    I suppose if your bank is the only account you care to protect and you only use one bank [no separate login for credit card? mortgage? retirement account? auto loan?] then you're all set.

    But most of us deal with a whole slew of sites we wouldn't want compromised if any other were and as such need a unique password for each.

    For example: my Apple ID is associated with my credit card information. So it'd be bad if someone could get into that. Likewise for my Amazon account [and any number of other online retailers]. I have a handful of credit cards, and each has a different password. I also have a couple different bank accounts at different banks. And my auto loan is handled under yet another login. Oh! And my login with the IRS... And how about email? Jeeze, that'd be bad... So right there I have at least 10 different logins that I want secure unique passwords for so a compromise of any one doesn't mean a compromise of the rest. Maybe you are able to keep all of those in your head, but I know I certainly can't, so I use 1Password.

  • Daniel_KB
    Community Member

    bwoodruff

    Right. 1Password gives you a way to have a bunch of very strong passwords without remembering them. It encrypts the data very strongly (AES 256) so that the data in which your passwords are stored is safe. I was just wondering if there is any other added security I am getting from it. From the comments so far it seems no.

    Also, it sounds like you may be saving your credit card information on a bunch of websites. That in itself is dangerous because if that site gets compromised then boom they already have your credit card information. Better not to have these websites 'remember' your credit card number and instead take the extra time to enter it in when you need to make a purchase.

  • Drew_AG
    1Password Alumni

    Hi @Daniel_KB,

    Thanks for the feedback! It sounds like you've already made up your mind, but in case you're still looking for information:

    1Password gives you a way to have a bunch of very strong passwords without remembering them. It encrypts the data very strongly (AES 256) so that the data in which your passwords are stored is safe.

    That seems like a good way to summarize the base functionality of 1Password! :) It does a lot more than that of course, although it sounds like you're strictly interested in the security side of the equation. In that case, if you haven't already seen this, I recommend taking a look at this knowledgebase article on the Security Design in 1Password, which goes into more detail about the other numerous security benefits. Perhaps the features there are what you're asking about?

    A security feature in 1Password that I don't believe is mentioned on that page is Watchtower. We have information on how that feature helps with the security of your data here.

    As for password managers in general, here's a link to a great article that offers both a rationale for their use and an overview of how they can help: http://www.troyhunt.com/2011/03/only-secure-password-is-one-you-cant.html

    Our customers use 1Password to safely store a variety of information they want to keep safe, not just unique website passwords. Ultimately, it's up to you to determine if 1Password will be helpful for you, and the best way to do that is our free 30-day trial.

    You've already read a lot about features included with 1Password. If you have any questions about specific features, please let us know. Thanks!

  • Also, it sounds like you may be saving your credit card information on a bunch of websites. That in itself is dangerous because if that site gets compromised then boom they already have your credit card information. Better not to have these websites 'remember' your credit card number and instead take the extra time to enter it in when you need to make a purchase.

    I don't necessarily disagree, but not all retailers give you that option or make transparent what information they are storing.

  • Plato
    Community Member
    edited December 2014

    [Note: This post has been edited by @jpgoldberg]

    @Daniel_KB

    In a nutshell...

    1) I do not believe that you can memorize passwords that "would all take 100,000+ centuries to crack by a brute force attack."

    2) The bad guys are not going to use brute force. Instead, they will use some sophistication.

    3) I do not believe this statement at all: "This is the purpose of me compartmentalizing my 4 master passwords in a way that if one got hacked, they would not be able to go to sites like Amazon, Facebook, Twitter, my email account, or whatever other common website with that same password."

    Of course, you're welcome to believe whatever you wish.

  • jpgoldberg
    1Password Alumni

    @Daniel_KB,

    You have to make your own choices. And it sounds like you are fairly determined to stick with the course that you have chosen. And it won't come as a surprise that I disagree with parts of your assessment.

    Password strength meters are unreliable

    I do not know the details of Kaspersky's Secure Password Check, but I do know something about password strength meters in general. Indeed, I'm a bit of a radical among the password analysis community in that I happen to believe that the notion of "password strength" is not incoherent. Most people who study this stuff believe that it isn't even coherent to try to talk about the strength of a password, much less try to calculate it. But despite my heresy about defining strength, I do agree with the expert community that there is no feasible way to calculate the strength of a human-generated password.

    Here is the reason why there is no feasible way to calculate the strength of a human-generated password:

    The strength of a password depends on the system that was used to generate it.

    And what happens when you enter a password into one of those strength meters is that it takes a wild guess at what system you used to create it. Its guess is almost certainly wrong.

    For example, most checking systems, if they see something like "1988" within a password, will just treat it as a string of four random digits, yielding an entropy of 16 bits. But we see it is possibly a birthdate. Adding a birthdate to a password probably only adds three bits or so. Likewise, when something sees a password like "TisztaSegges" it might say to itself, "hey, there is upper and lower case in here, so I should treat this as 12 mixed case letters." What it probably won't notice is that the upper case is only used at the beginning of syllables. So the mixed case is only adding (at most) one bit per syllable. And it probably won't recognize that it is just a misspelling of a word in Hungarian.

    Now perhaps the strength meter you used does check for the specific things I mentioned. I know that zxcvbn does look for numbers that look like dates, but it still gives a whopping 51 bits to "TisztaSegges". And of course I could list more and more things that a strength meter would have to check for.

    One test of the strength of a password generating system

    If your system is strong, then you should be comfortable telling the world what the system is. But if its strength depends on keeping the details of the system secret, then it is weak. For example, if the strength of the AES encryption algorithm depended on keeping the details of the system secret, we would never trust it.

    I am not asking you to reveal your system in public. This is because I doubt that it is as strong as you think it is, and you are still using passwords that were created by your system.

    Password reuse

    If what others have said has not persuaded you of the problems of password reuse, then I don't think I can add much.

    But here is something recently in the news. A blast furnace in a steel mill in Germany was destroyed because at least one person in the company used the same password on the production systems that they used on a system for which it was easier to capture passwords.

    Anyway, I do not expect to persuade you at this point. But I do hope that what I've said here will be among the things you consider as you make your own security choices. Whatever you choose, I wish you the best.
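The "1988" and "TisztaSegges" argument above, as an added worked example (editor's code; it is not jpgoldberg's, not zxcvbn, and not Kaspersky's checker): a class-counting meter's estimate is computed beside an estimate that credits only two pieces of structure a meter could notice, a four-digit year and capitals that merely start word-like runs. The assumptions are mine: a plausible year is treated as one of about 100 values, a capital that starts a lowercase run costs one bit per run, and the "naive" meter is modelled as counting each letter as one of 52 as soon as any capital is present. Both numbers are still upper bounds, because neither knows the generating system (a Hungarian dictionary would cut "TisztaSegges" far further), which is the point being made.

```python
import math
import re

# Constructed samples echoing the discussion; none is a real credential.
SAMPLES = ["Molly1988", "TisztaSegges", "c*2Vg-!tDA71E/8l/cr,n(@eZIUz@P"]

YEAR_RE = re.compile(r"(?:19|20)\d\d")
PLAUSIBLE_YEARS = 100   # assumption: a birth year is one of ~100 likely values
SYMBOL_ALPHABET = 33    # printable ASCII punctuation


def _letter_bits_naive(pw: str) -> float:
    """Letters as a class-counting meter sees them: 52-way once a capital appears."""
    letters = [c for c in pw if c.isalpha()]
    if not letters:
        return 0.0
    per_letter = math.log2(52) if any(c.isupper() for c in letters) else math.log2(26)
    return len(letters) * per_letter


def _other_bits(pw: str) -> float:
    """Digits and symbols, each counted as an independent uniform pick."""
    bits = 0.0
    for c in pw:
        if c.isdigit():
            bits += math.log2(10)
        elif not c.isalpha():
            bits += math.log2(SYMBOL_ALPHABET)
    return bits


def naive_bits(pw: str) -> float:
    """What the modelled meter reports: every character independent."""
    return _letter_bits_naive(pw) + _other_bits(pw)


def structure_aware_bits(pw: str) -> float:
    """Same counting, but crediting only structure a meter could notice."""
    bits = 0.0
    remaining = pw
    # 1. A 4-digit group that reads as a year is one of ~100 values, not 10^4.
    for year in YEAR_RE.findall(remaining):
        bits += math.log2(PLAUSIBLE_YEARS)
        remaining = remaining.replace(year, "", 1)
    # 2. Capitals that only begin letter runs ("TisztaSegges") cost one yes/no
    #    choice per run, not a 52-way choice per letter.
    letters = "".join(c for c in remaining if c.isalpha())
    runs = re.findall(r"[A-Z][a-z]*|[a-z]+", letters)
    if not any(c.isupper() for c in letters):
        bits += len(letters) * math.log2(26)
    elif runs and all(len(r) >= 2 for r in runs):   # every capital starts a lowercase run
        bits += len(letters) * math.log2(26) + len(runs)
    else:                                            # capitals scattered: no structure found
        bits += len(letters) * math.log2(52)
    bits += _other_bits(remaining)
    return bits


def report(pw: str) -> dict:
    """Side-by-side figures plus how far the naive meter overshoots."""
    naive, aware = naive_bits(pw), structure_aware_bits(pw)
    return {"password": pw, "naive_bits": round(naive, 1),
            "structure_aware_bits": round(aware, 1),
            "overestimate_bits": round(naive - aware, 1)}


if __name__ == "__main__":
    for sample in SAMPLES:
        print(report(sample))
```

The randomly generated sample comes out identical under both estimates, since it has no year and no word-like capitalisation to credit; that is the one case where a meter's charset arithmetic is actually justified, because the generating system really was a uniform pick.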

  • Daniel_KB
    Community Member
    edited December 2014

    @Drew_AG & @jpgoldberg

    I definitely have not made up my mind about using 1Password. If I had, I would not be spending my time on this forum. I am trying to learn more about internet security and am playing devil's advocate here too. Maybe one of you two could help answer some of my previous questions?

    1.) How does 1Password help prevent phishing attacks? If I get an email with a link in it, I already know not to click it. I'd just type in the URL into my browser itself. Is this not the same exact thing that 1Password is doing? It's just taking you to the saved Login URL saved in 1Password correct?

    2.) Why not just stay logged into all my websites? Is that unsafe and if so why?

    3.) I see a lot of new features in 1Password 5, but I am running OS X Mavericks and need to wait for a while longer until I upgrade to Yosemite. Apple still provides security updates to Mavericks...does 1Password still provide security updates for 1Password 4 as it does to 5? I could live with fewer features, but I wouldn't want to have less security. Also, does the new 'Fill' feature work in Android with Google Chrome, or is it still only for 1Password's browser in Android? It seems that this feature is inconsistent in Android by what I've read from the user comments in the Google Play Store. I have a Nexus 5 phone and would like to have the same security and convenience as I would on my MacBook Pro (security is the only thing I really care about though).

    4.) Lately I have read about the many various ways hackers hack (e.g. - Fake wireless access point, cookie theft - even from SSL encryption, bait n switch, file name tricks, etc.). With all of the different ways out there to be hacked, how much safer does 1Password REALLY make me on the internet, when it is only helping prevent 1 of those methods - a brute force attack. (Again, playing devil's advocate here, would love to get your opinions on this)

    Thank you both for your input, answers, and opinions. That's why I came here in the first place. Drew_AG I like that Watchtower feature, that definitely counts as some added security.

    jpgoldberg - There's no writing in that steel mill article that says password re-use was the cause for the hack, but anyways, I 100% understand the concept that if I re-use a password, then any other website I use with that same password is in danger of being compromised as well. No need for any further elaboration on this.

  • littlebobbytables
    1Password Alumni

    @Daniel_KB

    1. If you're being extremely careful then 1Password won't offer any additional protection from phishing. For users who might be misled though the fact that 1Password won't offer a particular Login item when they think they're visiting the right page would hopefully be an indicator.
    2. Others may have a different opinion. I just don't like keeping cookies beyond a single session. If you leave your computer unattended I know it is possible to swipe a cookie and use it elsewhere.
    3. Apple may support previous versions of their OS but their own App stores are more limited. Once 1Password 5 was released it cut off all opportunities to issue any updates to 1Password 4 via the Mac App Store. The same goes for the iOS app (I don't know Android well enough). As we still make 1Password 4 available on our own site it remains possible that we issue an update there for our Web Store users.
    4. It's not just about stopping a brute force attack but also limiting the damage if somewhere you use is hacked. Given how many passwords any given site holds they're viewed as a much richer target and sometimes have shocking security. No password manager is attempting to protect you against most of those tricks, the primary goal of the password manager is to stop simple passwords and password reuse.

    Others may want to add their own responses and I haven't responded to any of your Android questions as I simply don't know the OS well enough to do so. The way I view 1Password (and any password manager) is that it is one tool in a person's arsenal and isn't designed to be a one-stop shop for all your security needs.

  • jpgoldberg
    1Password Alumni

    Hi @Daniel_KB

    I'm sorry that I made presumptions about your intentions. My mistake.

    1.) How does 1Password help prevent phishing attacks? If I get an email with a link in it, I already know not to click it.

    If you can be sure that you never land on a phishing site, then 1Password's anti-phishing protections are not relevant for you. Although email is a common way to trick people into landing on such sites, it isn't the only way.

    For example, suppose that an attacker compromises a site which links to a phishing site. Suppose my dog Molly is visiting TreatsRUs.com and there is a link to PayPal to pay for her treats. If TreatsRUs.com has been compromised by Patty (my other dog), then the PayPal link could actually be to a site under Patty's control. If Molly fills in her PayPal password on Patty's site, Patty will now have Molly's PayPal password and can order her own treats at Molly's expense.

    (My dogs don't always get along with each other)

    I'd just type in the URL into my browser itself. Is this not the same exact thing that 1Password is doing? It's just taking you to the saved Login URL saved in 1Password correct?

    1Password is doing more than that. It can be used to take you to a site and fill for you, but it also can fill on sites no matter how you navigated there. And that is where anti-phishing comes in. No matter how you navigated to a site (whether through 1Password, clicking on a link in some spam email, following a link from elsewhere, or typing it in yourself), 1Password will not fill if it detects a mismatch.

    Even if you always type in addresses, there is a chance that you will make a typo and fall victim to a typo squatter.

    But if you are careful, you may never land on a phishing site, and so in that case 1Password's anti-phishing mechanism won't be relevant to you.

    2.) Why not just stay logged into all my websites? Is that unsafe and if so why?

    There is a huge area of debate about the practice in general, but I think that it is worth pointing out that high value sites, such as online banking, will log you out after a time. For low value sites, long term cookie authentication may be sufficiently safe, but it clearly isn't safe (or available) everywhere.

    3.) I see a lot of new features in 1Password 5, but I am running OS X Mavericks and need to wait for a while longer until I upgrade to Yosemite. Apple still provides security updates to Mavericks...does 1Password still provide security updates for 1Password 4 as it does to 5?

    This is a really tricky issue. As @littlebobbytables pointed out, the Mac App Store places some constraints on this, but we can't pass the buck either as there are some (messy) ways we could have done this.

    One thing we've observed (and learned through our own experience) is that when making improvements that depend on a new SDK, trying to keep things also working for the older version leads to serious problems. One of the big contributors to the problems with OpenSSL that we've seen in the past year is a consequence of it "needing" to run on 16-bit Windows.

    That was an extreme example, but we had our own issue when we switched from OpenSSL to CommonCrypto in 1Password for iOS in 2011. We were able to make the transition smoothly because the newish versions of iOS had what we needed in the crypto libraries. But at the last minute we opted to support older iOS versions and ended up ripping out a security feature to keep things running without having to fully resurrect the OpenSSL crypto library.

    Anyway, you can wait until your move to Yosemite, and you have the option to use 1Password 4.

    I used to be annoyed by Apple's policy of trying to force developers to push for latest system only, but the more that I've seen what the alternative leads to, the more I have come to agree with them.

    Also, does the new 'Fill' feature work in android with Google Chrome, or is it still only for 1Password's Browser in android? It seems that this feature is inconsistent in android by what I've read from the user comments in the Google Play Store.

    This actually illustrates part of the point I was making with the previous question. The new Android fill feature is restricted to Lollipop only. It cannot be done securely prior to Lollipop.

    4.) Lately I have read about the many various ways hackers hack (e.g. - Fake wireless access point, cookie theft - even from SSL encryption, bait n switch, file name tricks, etc.). With all of the different ways out there to be hacked, how much safer does 1Password REALLY make me on the internet, [...] (Again, playing devil's advocate here, would love to get your opinions on this)

    There are lots of things that 1Password doesn't protect against. And we simply don't have the data to know how the threats that 1Password protects against compare to the things that it doesn't.

    But also note that some of those other things that you mentioned are threats that are mitigated by 1Password. For cookie theft, I refer you back to your question number 2. For the SSL problems, the damage that they do is much more limited if you don't reuse passwords. I'm not sure what you mean by "bait and switch", but perhaps some of our anti-phishing mechanisms provide some defense against those.

    [...] when [1Password] is only helping prevent 1 of those methods - a brute force attack.

    1Password is not just protecting against brute force attacks on passwords. It is providing a tool that makes it much easier to reduce password reuse and many other ways that passwords can be captured. It also makes logging into websites much easier.

    jpgoldberg - There's no writing in that steel mill article that says password re-use was the cause for the hack,

    There was a phishing attack on an employee's network password, and that employee used that same password for managing the production system.

    but anyways, I 100% understand the concept that if I re-use a password, then any other website I use with that same password is in danger of being compromised as well. No need for any further elaboration on this.

    OK. I feel that password reuse is a larger problem than weak passwords. 1Password doesn't make the password reuse problem go away. You still have to do some work, but it enables you to reduce password reuse, and eliminate it for new site registrations.
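The "will not fill if it detects a mismatch" behaviour described above, as an added worked example (editor's code; it is not 1Password's matching logic, whose actual rules are not given in this thread). The policy it implements is an assumption: a saved Login may be filled only when the current page's registrable domain equals the saved one and an HTTPS Login is not being filled into a plain HTTP page. The PayPal Login, the TreatsRUs link and the other landing pages are constructed; the tiny suffix table stands in for the Public Suffix List a real implementation would load.

```python
from urllib.parse import urlsplit

# Stand-in for the Public Suffix List; a real matcher loads the whole list.
# Assumption: these three entries are enough to show why the list matters.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """The part of a hostname one owner controls: 'paypal.com' for
    'www.paypal.com', 'bank.co.uk' for 'login.bank.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def should_fill(saved_url: str, current_url: str) -> bool:
    """Decide whether a Login saved for saved_url may be filled on current_url.
    Hypothetical policy: same registrable domain, and no HTTPS -> HTTP downgrade."""
    saved, current = urlsplit(saved_url), urlsplit(current_url)
    if not saved.hostname or not current.hostname:
        return False
    if saved.scheme == "https" and current.scheme != "https":
        return False
    # urlsplit().hostname already drops any "user:pass@" prefix, so a URL
    # dressed up to look like the saved host is compared by the host the
    # browser really connects to, not by what appears at the start of it.
    return registrable_domain(saved.hostname) == registrable_domain(current.hostname)


def evaluate(saved_url: str, candidates) -> dict:
    """Map each landing page to the fill decision for the saved Login."""
    return {url: should_fill(saved_url, url) for url in candidates}


# Constructed example: Molly's saved PayPal Login and the pages she might land on.
SAVED_LOGIN_URL = "https://www.paypal.com/signin"
LANDING_PAGES = [
    "https://www.paypal.com/signin",                # typed it herself
    "https://paypal.com/myaccount",                 # same site, different host
    "https://www.paypal.com.evil.example/signin",   # link on a compromised TreatsRUs.com
    "https://www.paypa1.com/signin",                # typo squat
    "http://www.paypal.com/signin",                 # downgraded connection
    "https://www.paypal.com@evil.example/signin",   # real host hidden behind userinfo
]

if __name__ == "__main__":
    for url, ok in evaluate(SAVED_LOGIN_URL, LANDING_PAGES).items():
        print(("FILL    " if ok else "REFUSE  ") + url)
```

The decision deliberately ignores how the page was reached, which is what makes it useful against a poisoned link on an otherwise trusted site: the only input is the address the browser is actually at. Two things this toy does not cover, and a real implementation must, are internationalised hostnames (homographs of "paypal" in other scripts) and the full Public Suffix List.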

  • Fairgame
    Community Member

    The ease of changing passwords is another benefit of the 1Password software.

    For example, I recently noticed a little note on a certain website to the effect that the passwords might have been compromised, with a recommendation to change the password immediately.

    Especially on the Mac version, this password change amounts to navigating to the website's password change section and following the password change directions. 1Password takes care of the rest. On the iPad there is a little more "jumping" around to make sure the new password is properly stored, but in either case I usually could change any password in under a minute.

    If I had to come up with a new password on my own, I'm sure I would spend more time just thinking about it :)

  • Megan
    1Password Alumni

    Hi @Fairgame,

    Thanks for sharing your thoughts here! This sure has been a fascinating thread to read, with a lot of great advice. I agree, changing passwords is a lot easier with a password manager on your side: no need to memorize another password, and no need to fuss about creating that password based on your particular system, because 1Password just generates a random jumble for you! :)
