To protect your privacy: email us with billing or account questions instead of posting here.

Is a breach like LastPass' possible with 1Password?

Options
Mork
Mork
Community Member
edited March 2023 in Memberships

I believe that 1Password is much more secure than the multiple breaches reported (most recently yesterday) with LastPass. However, I wanted to confirm that nothing like what happened with LastPass is possible with 1Password due to your enhanced security. I'm not looking for a link to your security whitepaper, just a high level check. Thanks.

1Password Version: latest
Extension Version: Not Provided
OS Version: 13.2.1
Browser:_ Not Provided

Comments

  • Dave_1P
    Dave_1P
    Options

    Hello @Mork! 👋

    Thank you for the question! Can you clarify which specific breach you're referring to? That would help me to better understand and explain how 1Password guards against that specific sort of threat. 1Password's architecture and security systems are designed to protect against a wide variety of threats.

    As a start, 1Password's unique Secret Key architecture sets it apart from others in the password manager space. An attacker would need both your account password and your Secret Key to decrypt and access your account. Without both your account password and Secret Key, even if an attacker was to breach our other defences, they would only see encrypted gibberish.

    We also undertake regular intensive security audits to make sure that our security systems and design are secure: Security audits of 1Password

    Let me know if there's a specific attack surface that you're concerned about and I can speak more to that. 🙂

    -Dave

  • Mork
    Mork
    Community Member
    Options

    Appreciate your reply.

    The breach in question is the one that's been in the news over and over: lastpass.

    Here are a couple links:

    https://www.wired.com/story/lastpass-breach-vaults-password-managers/
    and
    https://www.theverge.com/2023/2/28/23618353/lastpass-security-breach-disclosure-password-vault-encryption-update

    Scary stuff.

    Thanks

  • Dave_1P
    Dave_1P
    Options

    @Mork

    Thank you for the clarification. 1Password is designed to protect the privacy and security of your data even if we are breached. While 1Password has never been breached we've prepared for that worst case scenario so that 1Password ensures that your data remains secure.

    All of your vault information is end-to-end encrypted and the heart of our system is the Secret Key and account password which together are used to decrypt your data. 1Password's dual-key encryption is unique whereas many other password managers just use a single user-chosen password to protect user's vaults. Even if attackers did manage to bypass our various security and intrusion detection systems and steal a user's encrypted 1Password vault from our servers that encrypted vault would be gibberish and unreadable without that user's account password and Secret Key.

    In other words: even if we are breached, our design ensures that your data is protected, encrypted, and unreadable to an attacker.

    We also encrypt metadata. Things like vault names and website URLs are all secured using the same end-to-end encryption that protects your passwords. If anyone were to obtain your encrypted vault they would have no idea about what you're storing inside of that vault.

    Our Chief Technology Officer has a great blog on the subject here: How 1Password Keeps Your Data Safe, Even In the Event of a Breach

    I hope that helps.

    -Dave

  • Mork
    Mork
    Community Member
    Options

    Thanks Dave!

    With all the latest issues with last pass I just wanted to ask.

    I noticed that when logging into the 1P website, you have to enter all the credentials. I'm assuming you don't actually transmit all those.

    Thanks for your terrific reply.

  • Dave_1P
    Dave_1P
    Options

    @Mork

    Good question! When logging into 1Password.com (or the apps), your account password and Secret Key never leave your device and they are never sent to us. Instead, we use the SRP handshake protocol (SRP) to authenticate your account without ever sending your account password or Secret Key over the internet. You can read more about SRP here: How Secure Remote Password protects your 1Password account

    Let me know if you have any other questions. 🙂

    -Dave

  • Mork
    Mork
    Community Member
    Options

    Sounds good to me! :)

    Thanks Dave.

  • Dave_1P
    Dave_1P
    Options

    It's my pleasure. 😊

    -Dave

  • crua9
    crua9
    Community Member
    Options

    @Dave_1P

    But what about brute force?

    Lets assume a hacker gets the files on the cloud and copies it so now it's an offline attack from there out. Can't the hacker brute force their way in?
    How does the secret key protect against this any more than something like bitwarden's system? Where they have a 0 knowledge system.

    Would it take longer? Does the secret key make it impossible?

    Lets assume this happened to 1password. What is the next steps? What would 1password do to make sure the users are protected to the best of your companies ability?

    Thanks for answering questions.

  • Mork
    Mork
    Community Member
    Options

    There is also always quantum computing which threatens to render current encryption obsolete. I'm sure 1P is already working on that front to harden encryption in the quantum computing era.

  • Dave_1P
    Dave_1P
    Options

    @crua9

    The Secret Key, which is mathematically infeasible to crack, protects your data even if 1Password is breached: Secret Key - What Is It And How Does It Protect Users?

    @Mork

    Our Principle Security Architect has previously posted some thoughts regarding Quantum computing here: Is 1P taking the threat from quantum computing serious these days? — 1Password Support Community

    I hope that helps. 🙂

    -Dave

This discussion has been closed.