Okta Breach

I'm more worried about trusting an organisation with my data that lets their employees use a laptop on hotel WiFi to upload files to Okta. Perhaps 1PW can comment on that?

Was the employee mentioned in the report working for Okta or 1Password?

The biggest takeaway isnt the hotel Wifi but the lack of hardware keys for all Okta admins at 1PW. Whether they were on hotel wifi or not having mandatory hardware keys for access to sensitive internal applications should have been in place before.

Also this is an Okta issue not 1PW.

Well, I used to have an account at LastPass and their incident started in a similar way. A tech guy was hacked, no user data touched at this point, months later the hackers used the information gotten in this incident to retrieve user vaults that are now out there being decrypted as we speak.

So... If your guy was using a hotel wifi without the enforced need for a hardware key and vpn and other measures, how are we sure that on Okta you didn't just lost the keys to the Kingdom like what with LastPass?

Hello all,

over the last couple of days, since I learned about the incident, I've worked my way through the 1Password Security Design Whitepaper, which is also linked in Dave's post above.

Now, I am in no way an IT security professional, merely an interested layman (by trade, I am a physician for Radiology and Nuclear Medicine and I lecture as a Professor for Nuclear Medicine at the LMU in Munich).
But as far as I can gather from the Whitepaper, there are certain design choices in place (two-secret key derivation, secure remote password) that do not leave enough information on 1Password's servers to compromise our password vaults, even in case of a data breach that leads to the theft of the encrypted vaults. If - and here comes the caveat - if everything has been correctly implemented by 1Password as stated in the Whitepaper without any unintentional or unidentified security holes.
And I think this is, where we have to take their word for it.
I tried to read into the external security audition reports that are provided by 1Password (https://support.1password.com/security-assessments/) to glean further information from there. However, they mostly go beyond the scope of what I can understand. Maybe other members of the forum can make more use of them.

So, while I am still concerned about the incident, for now I feel mostly reassured that all my secrets stored in 1Password are still safe.
Nevertheless, I will carefully monitor any activity in my accounts over the next weeks and months, just in case anything unusual happens.

-Sebastian

@eltel

Thank you!

You have a valid point there.
The questions is only: where should we go from here?

In the end, with most solutions that are feasible for laymen that can't or don't want to spend an inordinate amount of time on the subject, it comes down to trusting at least someone.
Even with open source software that I cannot review myself, I have to trust the people who can to find holes in the security defenses and fix them properly. Even though I understand that there is a higher amount of mutual control than in closed source environments.
However, setting many of those solutions up and implementing them in a way that they deliver the same experience as 1Password and comparable password managers with the same ease, seems daunting to me.

That is why I will stick with my current setup and monitor the situation.
Certain, very critical secrets - e.g. my Apple ID - I have protected with additional measures like hardware keys. But I do have to acknowledge that someone with unlimited access to my 1Password vault could wreck irreversible havoc in my life.

Outsourcing identity and access management to Okta means outsorcing parts of the security and credentials management to Okta. I have to admit that I am quite unhappy about 1Password's decision to do that because I would never trust Okta's security model because they are the one's who grant access to the customer's IT systems and they are the one who are targeted by every hacker all over the world. Okta is a young company providing services to companies that don't understand IT security very well. I know this sounds harsh but I really would like to see 1Password to become more self sufficient in this area of expertise.