Hacker News new | ask | show | jobs
by jxpx777 3617 days ago
Disclosure: I work for AgileBits, makers of 1Password.

For desktop browser extensions that are properly using the frameworks, the extension's Javascript runs in its own execution context so the page cannot redefine variables. This protected 1Password when we discovered that a certain page had redefined the global JSON object, which provides parse and stringify functions among other things, to be the number 3, i.e. a numeric constant called JSON. :'D
3 comments
throwanem 3617 days ago
Out of curiosity, does this apply only to Chrome's extension framework, or to Firefox's and Safari's as well?

Context: I'm a new 1Password user who is contemplating use of the extensions for those latter two browsers, and while it seems probable their extension frameworks offer the level of security you describe, I'd like to be certain before pulling the trigger. Thanks!

link
AGKyle 3617 days ago
Disclaimer: I work for AgileBits as well :)

Hi there!

Yes, all 3 of the major browsers (and derivatives of them) offer the same support for a sandboxed execution environment. You can safely use any of them if that's a requirement you have :)

Kyle

AgileBits

link
throwanem 3617 days ago
Neat, thanks!
link
dkopi 3617 days ago
Great point. Exactly the type of comments I come to hacker-news for!
link
favadi 3617 days ago
When you are here, is 1password for team is the future and the classic 1password will become obsolete soon?
link
AGKyle 3617 days ago
Disclaimer: I also work for AgileBits

We really try not to call it "Classic" or anything like that. It's standalone, you're in charge of upgrades, syncing and backups and stuff like that. It's also not designed for sharing (at least to the degree of the Family and Team solutions).

That said, we don't have any immediate plans to remove the standalone products. However, if a vast majority of our users switch to 1Password Family or 1Password Teams (and as of today, an Individual plan!) then it doesn't make a ton of sense to keep the standalone product around. So, it's probably one of those speak with your wallet kind of scenarios.

I'll certainly pass your feedback along, it sounds like you'd like to keep it around.

I hope that helps answer your question :)

Kyle

AgileBits

link
_pghu 3616 days ago
I also very very very strongly do not want any hosted service requirement for using 1password. I am very proud user of 1P but a hosted requirement would kill it for me. No matter how much you (the generic 'you') tell me you're super secure, nothing will be as secure as owning my own data and using local Wi-Fi sync to put it on my phone.
link
bad_user 3616 days ago
Would you feel the same about encrypted data stored in Dropbox? IMHO it is better because you have more control and storage is decoupled from UI.

Anyway, I gave up on both 1Password and LastPass. I've been a 1Password user for about 2 years before I switched to KeePass.

To be more specific, for the desktop (OS X, Linux, Windows) I use: https://keeweb.info/

For Android: https://play.google.com/store/apps/details?id=keepass2androi...

And for iOS, though be warned this one is subpar: http://minikeepass.github.io/

All 3 apps are open-source. This is important because open-source will not die for as long as there is demand and more importantly, you own it.

No, I'm NOT against proprietary software, as I said, I gladly paid a premium for 1Password. However their Windows client is basically unmaintained, their new "modern Windows" app is still alpha and doesn't work with Wine and of course, they have no Linux support. Most aggravating is that they are clearly switching to a subscription model, with all of their development effort going towards it lately. No more Everywhere interface for OpVault, no new sync options other than Dropbox and iCloud, etc. In other words I'm tired of bait and switch models and one is in progress here.

link
wlesieutre 3616 days ago
Seconding this. I generally dislike hosted subscription offerings, especially for a password manager, and even more especially for one that I've already purchased four different licenses to (Mac, Windows, iOS, Android).
link
AGKyle 3616 days ago
While I understand your concern, and to some extent, sure, you're right that owning your own data does reduce certain attack vectors it's also a trade off that a vast majority of people don't have to worry about either.

But the real important thing to consider is whether the protection you would get from a hosted solution so above and beyond overkill that it matters?

If you're curious why I feel that way, we have written up a white paper on how 1Password Teams (and therefore Families and now Individuals) stores and secures your data.

https://1password.com/files/1Password%20for%20Teams%20White%...

We designed 1Password so that we cannot know anything about your data. We also designed it knowing full well that our servers would be a target. So, we designed it in such a way that if a malicious person were to acquire your data there's more or less nothing they can do to acquire the decrypted data.

What we settled on is having two secrets. Both of which are not known by us. The first is your Master Password, something that you're likely well aware of having used 1Password already. The second part is an Account Key, which is a random 128-bit key generated locally. These two things are never given to us and should never be shared. They are both used for the cryptographic functions in 1Password. Without them both, you can't see the decrypted data.

This is unique in that it actually protects weak master passwords. That's the big deal to worry about if our database of user data is compromised. The first attack is to start running password cracking tools against it to try to find the weak passwords. Except in this case, there are no weak passwords because even if your master password is "a" the attacker still needs your Account Key, which looks something like this:

A3-Z4JZ6V-P9BALK-S6J69-FAXCN-LTDY8-T3QHJ

So, now a password cracker is going to have to guess all those combinations of weak passwords against something much much stronger as well. I wish them luck because the math more or less makes this impossible if a user uses a strong master password as well.

There's some math in the white paper if you're curious about more.

Knowing how it works and how extremely unlikely it is that I am such a target that someone is going to literally spend millions upon millions of dollars trying to crack my account (and still likely get nowhere)... I'm small fish, it just isn't worth it to even try.

Either way, for the sake of learning (I love learning, so I always assume others do as well), I would recommend reading the white paper, if not only to gain some new knowledge that you may not have been exposed to previously. If you have, awesome!

As always, if you have questions let me know!

Kyle

AgileBits

link
jamie_ca 3616 days ago
Please do consider keeping the standalone apps. Not having my passwords stored on someone else's server (encrypted or not) is why I'm a 1Password user (and likely buying an upgrade license this month to load it on my other windows box). Similarly why I've bought and upgraded Arq to store backups on storage I control.
link
sondr3 3616 days ago
I'm probably being daft but I can't find the Individual Plan on 1Passwords homepage, any idea where I can find out more about it?
link
AGKyle 3616 days ago
Sorry about that, we haven't officially announced it but it is available when you start the sign up process.

https://start.1password.com

It is $2.99/mo when billed annual ($3.99/mo month to month), includes all of the applications as part of the subscription price.

It is otherwise based on the same technology as Family and Teams options. It's basically Families with only 1 user.

link