Bravo @ AgileBits

qwrenly
Community Member

Must say: Thanks and congratulations to the AgileBits team for making 1Password for Families a reality, especially so soon. Following the launch of Teams beta so many of us early adopters took to the forums asking for exactly this! Relieved and thrilled to see they got the pricing just right for our family, so we'll definitely be converted to subscribers going forward. Also very appreciative of the early adopter bonuses you're offering to us all, far more than I was hoping for! Waiting patiently for the tool to convert our Team to Families. Cheers.



Comments

  • Aleen
    1Password Alumni

    Thanks for your words of support, @qwrenly! They're much appreciated :)

  • prime
    Community Member

    This is pretty cool, and more options. My issue is... LastPass...
    LastPass had the vaults taken (still protected) through a hacking. How is 1Password going to make sure this doesn't happen to them? I know LastPass does use 2 step verification also, will 1Password for Families do the same?

  • XIII
    Community Member

    In what incidents were the LastPass vaults stolen?

    I know there were some (possible) breaches, but I don't think the encrypted blobs were taken.

  • prime
    Community Member
    edited March 2016

    http://www.pcworld.com/article/227268/lastpass_ceo_exclusive_interview.html

    http://lifehacker.com/lastpass-hacked-time-to-change-your-master-password-1711463571

    Just some of the links and I think this is the 2nd time it has happened to them.

    I think as long as your master password is long, hard, and can't be cracked, you're ok. Maybe someone on here can explain it better.

  • XIII
    Community Member

    As far as I understand these articles and from direct communication from LastPass (I already was a customer during both incidents) I believe the encrypted blob (containing a user's passwords) was not stolen.

    You are right though that with a strong password one should be safe.

    In the case of LastPass 2FA would not help if the hackers did get the blobs; 2FA is only used to get access to the LastPass service/website. If hackers did get the blobs (which does not seem to be the case), they have them locally and don't need to access the website any longer.

    I'm not sure how the new 1Password Account Key fits into this. It might help to make sure that your blob is encrypted with a strong key. Since AgileBits does not have the key, hackers hacking their website don't have it either and would also have to get that key from your machine or you (phishing?) before getting to your passwords.

  • hawkmoth
    Community Member

    My recollection about setting up Families last week was that there was a graphic showing that the encryption key was synthesized from both the master password and the account key. Both are required to decrypt the data. If you are on a machine that you have added to your Families account, that machine remembers the account key, and you only have to reenter your master password. But if you are on a machine that isn't authorized, you need both. AgileBits doesn't ever know or keep either one.

  • julie-tx
    1Password Alumni

    @hawkmoth -

    What you've described is essentially correct. The Master Unlock Key is based on both the Master Password and the Account Key.

    The Account Key ensures that the Master Unlock Key is based on at least 128 bits of entropy -- random information a remote attacker would have to determine by brute force. This is the primary protection against large-scale remote exploits, such as having our entire database disclosed. User email addresses are stored in our database without encryption, which must be the case since we need to look up a user before we can begin securely communicating. For a targeted attack against a single user's data, either the Master Password or Account Key would have to be determined, assuming the other were acquired by some means.
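
Added example, not part of the thread and not 1Password's actual algorithm: a toy two-secret derivation showing why server-side data alone does not let a weak Master Password be checked offline unless the Account Key is also known. The function names, the PBKDF2/HMAC/XOR construction, the iteration count and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def derive_unlock_key(master_password, account_key, salt, iterations=10_000):
    """Toy derivation (assumed construction): both secrets are required."""
    # Slow, salted stretch of the human-chosen secret.
    stretched = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )
    # Expand the random, device-held secret to the same length.
    expanded = hmac.new(salt, account_key, hashlib.sha256).digest()
    # Combine: knowing only one input reveals nothing about the result.
    return bytes(a ^ b for a, b in zip(stretched, expanded))


def verifier(key):
    """Stand-in for server-held data against which a guess could be checked."""
    return hmac.new(key, b"verifier", hashlib.sha256).digest()


def offline_guess(disclosed_verifier, salt, candidates, account_key):
    """Return the candidate that reproduces the verifier, or None."""
    for password in candidates:
        key = derive_unlock_key(password, account_key, salt)
        if hmac.compare_digest(verifier(key), disclosed_verifier):
            return password
    return None


# Constructed sample data (not real credentials).
SALT = bytes(16)
ACCOUNT_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # 128 bits
WEAK_PASSWORD = "sunshine1"
WORDLIST = ["password", "letmein", "sunshine1"]
DISCLOSED = verifier(derive_unlock_key(WEAK_PASSWORD, ACCOUNT_KEY, SALT))


def demo():
    # Database disclosed, Account Key unknown: a wrong 128-bit value is used,
    # so even the correct password in the list does not verify.
    without_key = offline_guess(DISCLOSED, SALT, WORDLIST, secrets.token_bytes(16))
    # Targeted case from the post: the Account Key was acquired some other way,
    # so only the Master Password's strength remains.
    with_key = offline_guess(DISCLOSED, SALT, WORDLIST, ACCOUNT_KEY)
    return without_key, with_key


if __name__ == "__main__":
    print(demo())
```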

This discussion has been closed.