Extra Security for 1Password (because it's target no1 for hacker)
Dear Agile Team,
“If I store all of my passwords in the same place, I’m just asking to be hacked!”
- Intel, Mac OS and several browser got a lot of attention in the last month because of security bugs
for hacker password manager are target No1 on systems
1Password seduces users to trust even their 2-factor (banking) codes into the vault
- I bet a lot of users trust 1Password with their whole life (full banking accounts and so on)
- in times of Crypto Currencies real money will be stored into 1Password
-> Google and other Cloud Provider adding up extra security layer to their accounts (even https://www.yubico.com/ certificates are possible)
1.) Times are changing and guess it's time for Agile to add extra security layer to 1Password!
2.) I am happy about your ideas how to give 1Password extra layer of security (changing default vault folder?) ...
(see this question for professional user, who are okay if things get technical or usage more difficult)
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
Dear Agile Team, “If I store all of my passwords in the same place, I’m just asking to be hacked!” Intel, Mac OS and several browser got a lot of attention in the last month because of security bugs for hacker password manager are target No1 on systems
@theElvis: That isn't really the case. "Hacking" implies that there's a shortcut one can take, but the encryption 1Password uses to protect our data works very differently than CPU microarchitectural features such as speculative execution and parallelization, which the Spectre and Meltdown vulnerabilities are based on. It's really an apples and oranges comparison. Let's not conflate the two. More significantly, if you've updated your OS, you've probably already got mitigations for the vulnerabilities which have been demonstrated — perhaps at the expense of a little performance, but a slower boat that floats is better than a fast one with holes in it.
1Password seduces users to trust even their 2-factor (banking) codes into the vault
We definitely don't do that. We're a family company. ;)
I bet a lot of users trust 1Password with their whole life (full banking accounts and so on) in times of Crypto Currencies real money will be stored into 1Password -> Google and other Cloud Provider adding up extra security layer to their accounts (even https://www.yubico.com/ certificates are possible)
But in all seriousness, we store our most important stuff in 1Password too, so we're very motivated to secure it. The thing is, 1Password's security isn't based on authentication the way your examples are; it's based on encryption. That means that your Master Password is of the utmost importance, and I know that can sound scary. But unlike a lot of things in life, that's something you have control over.
If you're using the standalone 1Password app(s), that's all you have, and frankly it's enough provided you use a long, strong, unique Master Password. But with 1Password.com, the Secret Key adds an additional layer of security (since this 128-bit, randomly-generated string is also used to encrypt the data), since we want to ensure that 1Password.com members' data is secure even if someone is able to steal the encrypted database from us. That way they cannot perform a brute force attack against 1Password.com members' Master Passwords.
1.) Times are changing and guess it's time for Agile to add extra security layer to 1Password!
This doesn't at all follow logically based on your comments above, but we're always working to make 1Password more secure.
2.) I am happy about your ideas how to give 1Password extra layer of security (changing default vault folder?) ... (see this question for professional user, who are okay if things get technical or usage more difficult)
However, we're not going to do the "security theater" thing. Changing the default location of the vault folder is truly "security through obscurity"; someone who has enough access to your machine to get it in the default location can just as easily do so if we try to "hide" it somewhere else. And, more importantly, 1Password does not rely on hope that no one can find it: it's designed to withstand attack even when someone has access to your data. And our 1Password data is end-to-end encrypted, so 1Password doesn't depend on the sync service to protect our data either. 1Password is secure by design, not by chance.
The specific kinds of attacks certainly change over time, but that doesn't change the fundamental truth: our security is only as strong as the weakest link, and that will be us. After all, only you and I can ensure that we use a long, strong, unique Master Password to protect our data, and that we do not give it to anyone else. And if mine isn't as strong as I'd like it to be, I have the power to change that and up my security. You too can up yours. Cheers! :)
0