How secure is 1Password

jimpan
Community Member

I have discovered that there are forensic tools able to crack passwords of 1Password vaults. So I am concerned and curious how secure 1Password is.
https://www.passware.com/kit-forensic/filetypes/

Passware is a forensic tool manufacturer and although it is an expensive product and high end, I see this being cheap if a hacker wants to exploit secure systems like 1Password. It is merely a tool of the trade so to speak.

So today I thought to myself, let me move my vaults from Dropbox over to my local Mac and I will just simply sync via WLAN for my family members.

WLAN works OK, but there is an issue that I did discover.

It appears that the primary vault is always called a primary vault and cannot be renamed. This causes an issue, because when I want to sync my son's vault for example, his iPhone is also called Primary vault. This causes his passwords to be merged into my primary vault rather than creating a new vault on the Mac. This is a bummer because now I have to go through my primary vault and delete his items.

I know that there is a 1Password for family, but want to avoid that because it appears that you also have to be online.

Anyway, if you could provide feedback with regards to:

  1. How secure is 1Password?
  2. How should I address the WLAN if I am going to move away from Dropbox?

Thanks.
Jim



Comments

  • Lars
    1Password Alumni

    Welcome to the forum, @jimpan! Thanks for the questions. As you might imagine, there's no easy and straightforward answer to the question of "how secure is 1Password" -- it very much depends on a number of factors, some of which we can and do control, others are out of our control (like how strong a Master Password you choose). But the overall answer is: very. If you'll notice at the site you mentioned, it refers to "brute-force" as the only option for 1Password, and calls this option "slow." I suppose that's accurate, in the sense that anything that's not quick can be considered slow, but a more accurate term would have probably been "glacial."

    "Brute force" means that they've found no easy shortcuts around the encryption in 1Password or its implementation, and therefore they must resort to trying literally every single combination of characters, one at a time. This is aided greatly by the use of their (apparently proprietary) algorithms to make hundreds of thousands or even millions of guesses per second. But that's in turn slowed by our own use of PBKDF2 to slow guessing attempts. Here's a link to a post I wrote in March regarding how long it takes to crack your Master Password, provided you use a good one.

    I'd recommend our security model page as a great place to learn about how we keep your data safe in 1Password, and if you're wondering specifically about the additional security we use in 1password.com accounts, read about the Secret Key or, if you're into the technical details, the full 1password.com security white paper. Let me know if you have any questions.

This discussion has been closed.
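
The slowdown that PBKDF2 imposes on guessing, as described in the reply above, shown as an added example (not code from 1Password or from the original posts): it times one PBKDF2 derivation on the local machine and converts that into the average brute-force time for a few password shapes. The SHA-256 variant, the iteration count, the attacker speed-up factor and the password shapes are all assumptions chosen for illustration, not 1Password's actual settings.

```python
import hashlib, math, os, time

def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a password drawn uniformly at random."""
    return length * math.log2(alphabet_size)

def measure_kdf_seconds(iterations: int, trials: int = 3) -> float:
    """Best-of-N wall-clock cost of one PBKDF2-HMAC-SHA256 derivation here."""
    salt = os.urandom(16)
    best = float("inf")
    for _ in range(trials):
        start = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"constructed-guess", salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best

def expected_crack_seconds(bits: float, seconds_per_guess: float,
                           parallel: int = 1) -> float:
    """Average case: half the keyspace is tried before the right guess."""
    return (2 ** bits / 2) * seconds_per_guess / parallel

def humanize(seconds: float) -> str:
    units = (("years", 31_557_600), ("days", 86_400),
             ("hours", 3_600), ("minutes", 60))
    for unit, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.2f} seconds"

if __name__ == "__main__":
    ASSUMED_ITERATIONS = 100_000   # assumption, not a vendor setting
    ASSUMED_SPEEDUP = 10_000       # assumption: attacker rig vs. this machine
    shapes = {                     # constructed password shapes
        "8 lowercase letters": keyspace_bits(26, 8),
        "12 mixed printable chars": keyspace_bits(94, 12),
        "4 random words (7776-word list)": keyspace_bits(7776, 4),
        "5 random words (7776-word list)": keyspace_bits(7776, 5),
    }
    for iters in (1, ASSUMED_ITERATIONS):
        cost = measure_kdf_seconds(iters)
        print(f"\n{iters} iteration(s): {cost * 1e3:.3f} ms per guess")
        for name, bits in shapes.items():
            t = expected_crack_seconds(bits, cost, ASSUMED_SPEEDUP)
            print(f"  {name:34s} {bits:5.1f} bits  ~{humanize(t)}")
```

Comparing the two tables shows the two independent levers: the iteration count multiplies the cost of every guess by a constant, while each extra bit of Master Password entropy doubles the number of guesses.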