undefined | Better HN

0 points_pghu9y ago0 comments

I also very very very strongly do not want any hosted service requirement for using 1password. I am very proud user of 1P but a hosted requirement would kill it for me. No matter how much you (the generic 'you') tell me you're super secure, nothing will be as secure as owning my own data and using local Wi-Fi sync to put it on my phone.

0 comments

bad_user9y ago

Would you feel the same about encrypted data stored in Dropbox? IMHO it is better because you have more control and storage is decoupled from UI.

Anyway, I gave up on both 1Password and LastPass. I've been a 1Password user for about 2 years before I switched to KeePass.

To be more specific, for the desktop (OS X, Linux, Windows) I use: https://keeweb.info/

For Android: https://play.google.com/store/apps/details?id=keepass2androi...

And for iOS, though be warned this one is subpar: http://minikeepass.github.io/

All 3 apps are open-source. This is important because open-source will not die for as long as there is demand and more importantly, you own it.

No, I'm NOT against proprietary software, as I said, I gladly paid a premium for 1Password. However their Windows client is basically unmaintained, their new "modern Windows" app is still alpha and doesn't work with Wine and of course, they have no Linux support. Most aggravating is that they are clearly switching to a subscription model, with all of their development effort going towards it lately. No more Everywhere interface for OpVault, no new sync options other than Dropbox and iCloud, etc. In other words I'm tired of bait and switch models and one is in progress here.

wlesieutre9y ago

Seconding this. I generally dislike hosted subscription offerings, especially for a password manager, and even more especially for one that I've already purchased four different licenses to (Mac, Windows, iOS, Android).

AGKyle9y ago

While I understand your concern, and to some extent, sure, you're right that owning your own data does reduce certain attack vectors it's also a trade off that a vast majority of people don't have to worry about either.

But the real important thing to consider is whether the protection you would get from a hosted solution so above and beyond overkill that it matters?

If you're curious why I feel that way, we have written up a white paper on how 1Password Teams (and therefore Families and now Individuals) stores and secures your data.

https://1password.com/files/1Password%20for%20Teams%20White%...

We designed 1Password so that we cannot know anything about your data. We also designed it knowing full well that our servers would be a target. So, we designed it in such a way that if a malicious person were to acquire your data there's more or less nothing they can do to acquire the decrypted data.

What we settled on is having two secrets. Both of which are not known by us. The first is your Master Password, something that you're likely well aware of having used 1Password already. The second part is an Account Key, which is a random 128-bit key generated locally. These two things are never given to us and should never be shared. They are both used for the cryptographic functions in 1Password. Without them both, you can't see the decrypted data.

This is unique in that it actually protects weak master passwords. That's the big deal to worry about if our database of user data is compromised. The first attack is to start running password cracking tools against it to try to find the weak passwords. Except in this case, there are no weak passwords because even if your master password is "a" the attacker still needs your Account Key, which looks something like this:

A3-Z4JZ6V-P9BALK-S6J69-FAXCN-LTDY8-T3QHJ

So, now a password cracker is going to have to guess all those combinations of weak passwords against something much much stronger as well. I wish them luck because the math more or less makes this impossible if a user uses a strong master password as well.

There's some math in the white paper if you're curious about more.

Knowing how it works and how extremely unlikely it is that I am such a target that someone is going to literally spend millions upon millions of dollars trying to crack my account (and still likely get nowhere)... I'm small fish, it just isn't worth it to even try.

Either way, for the sake of learning (I love learning, so I always assume others do as well), I would recommend reading the white paper, if not only to gain some new knowledge that you may not have been exposed to previously. If you have, awesome!

As always, if you have questions let me know!

Kyle

AgileBits

j / k navigate · click thread line to collapse