If Agile Bits 1password has a security flaw, is Agile Bits accountable?

paropoly
Community Member

Hi,
I'm trying to work out the accountability of 1Password in the case that there is a security flaw in the application itself. Given that AB offers services such as holding bank details, there is a substantial risk if the application itself has security flaws. Does AB then have the obligation to take financial (or other for identity-sensitive material) responsibility for any compromise? Where can I learn more about this? How would AB support its customers in this situation? Or for example, if I use 1Password for my company security and the application is hacked, what guarantees or obligation does AB then have to me or my company as their customer?

Comments

  • MikeT
    edited September 2015

    Hi @paropoly,

    Thanks for writing in with great questions. I'm glad to hear you want to look at protecting your data with 1Password for your company.

    > Given that AB offers services such as holding bank details, there is a substantial risk if the application itself has security flaws. Does AB then have the obligation to take financial (or other for identity-sensitive material) responsibility for any compromise?

    I just want to make very clear that AgileBits does not hold or store any of your data. 1Password is a local encryption program that stores all the data you enter into 1Password in an encrypted data format that is only stored on your local drive by default; it does not leave the computer. Thus, you still have to provide additional protections to your company on top of 1Password; 1Password is only a small tool in the overall security framework to build for the company. In addition, you can choose to sync 1Password data via local Wi-Fi network or via cloud services that have their own security guidelines.

    As for security, our encryption standard and data formats are available for everyone to investigate; it is available here: https://support.1password.com/opvault-design/

    This allows security researchers to investigate how your data is stored on your local drive.

    If there is a security issue, and we encourage everyone to let us know via support+security@agilebits.com, we will respond immediately and issue updates to fix this. As we do not provide any services or hold your data, in order for the security issue to have a widespread impact, your systems also have to be compromised or your cloud service accounts first before reaching your 1Password data. We do not have obligations nor do we claim that we can protect your data against compromised systems; we can encrypt your data but there is no way to prevent attackers from guessing the master password after they have your data copied or uploaded off your network.

    Also, we protect all of your data the same way. They're all important and the content matters not; we encrypt them all at the highest level possible. You can find more about how we do this: https://support.1password.com/secure-by-design/

    > Where can I learn more about this?

    You can find all of our security and privacy related articles here: https://support.1password.com/security/

    > How would AB support its customers in this situation?

    We will provide assistance with updating 1Password to fix the security issues and in any other ways related to the 1Password product.

  • paropoly
    Community Member

    Thanks Mike for the insights :)

  • Hi @paropoly,

    You're absolutely welcome. Please do shoot us any questions you have and/or if you need assistance; we'd love to help out to make sure 1Password fits exactly what you need it to do.

  • paropoly
    Community Member

    Hey, I was wondering, while we are chatting, is there any USB kind of device for biometric scanning that can work for the master password? I know the newer devices have this functionality, it just seems useful because using the master password can be cumbersome...

  • MikeT
    edited September 2015

    Hi @paropoly,

    Not at the moment, we had something like this in the past but we had to revoke it.

    It might be possible in the future to use 1Password on your mobile devices with fingerprint scanner to unlock 1Password on your computer, but we have to do a thorough risk assessment to make sure this is secure.

    For now, don't make your master password so complicated that you would have frequent issues with it. Instead, make a diceware style of password with a random string of words. Find out more here: https://blog.agilebits.com/2011/06/21/toward-better-master-passwords/

  • paropoly
    Community Member

    Thx Mike

  • paropoly
    Community Member

    Is there a way to create my own categories? E.g., 'Forums' vs 'Pay Sites'? I only see the categories in new item list but there is no way to distinguish between sites that have a credit card associated with them versus say forums.

  • AGAlumB
    1Password Alumni

    @paropoly: No custom categories, but it's certainly a feature we'll consider adding in a future version. However, you can use tags to help with some of that kind of organization in the meantime. Thanks for letting us know you're interested though! :)

This discussion has been closed.