[dimino]

It absolutely blows my mind that people are okay with giving their passwords (encrypted or not, see this very breach for why that's not always enough) to a 3rd party, but are not okay reusing a password somewhere.

If 1Password ever got owned, the Internet would be severely fucked.

And to stem the potential flood a bit, I realize there are plenty of good counterargument built up over the years to try and combat this general idea, but fundamentally the concept of giving your password to someone else to manage is still a confounding idea, regardless of whatever points those arguments make.

[macintux]

> It absolutely blows my mind that people are okay with giving their passwords (encrypted or not, see this very breach for why that's not always enough) to a 3rd party

That sounds more like LastPass than 1Password, although I haven't looked at the new subscription offering.

I don't give my passwords to 1Password.

[chrisfosterelli]

You don't give your passwords to LastPass either, you give them encrypted random noise they can't do anything with.

[macintux]

Which does not change the parent post's point, that with LastPass you're still giving it to a 3rd party who could leak that information for brute forcing.

[nommm-nommm]

If someone could brute force my LastPass password I'd be impressed.

[dimino]

And who, exactly, encrypts them for you?

Dropbox was also encrypting your passwords, FWIW.

[nommm-nommm]

IIRC encryption and decryption is done on the client side and the server only stores encrypted data.

Dropbox was not encrypting passwords they were hashing them.

If you stored already encrypted files on Dropbox nobody can decrypt those files provided your encryption key is good.

[dimino]

> Dropbox was not encrypting passwords they were hashing them.

Incorrect.

[djcapelis]

That's a really unhelpful comment. Please specify what encryption you think Dropbox is doing on the passwords and what knowledge you have on the topic.

I'm pretty sure you're going to say "they do TLS" and then the person you're talking to can go ahead and explain that the encryption LastPass/1Password does protects an entirely different threat model, but unless you have a conversation here no one is going to be able to communicate a thing.

[nommm-nommm]

How exactly is that incorrect? The article is stating that the passwords are bcrypt and SHA1 hashes.

[tptacek]

That isn't how 1Password works. Passwords are encrypted clientside, in a standalone native application.

[dimino]

Who wrote the standalone native application?

To be more direct, I'm suggesting the standalone native application may not completely correctly implement the encryption algorithms. I have no evidence of this, but the concept still concerns me.

[tptacek]

That's not what you said. You said that if someone owned up 1Password, the whole Internet would be in trouble. But that's like saying that if someone owned up one of the OpenSSH developers, the Internet would be instantly vulnerable. A false statement.

[dimino]

It's a true statement, not a false one. If someone was able to release an intentionally vulnerable version of OpenSSH/1Password, people who updated would be "instantly* (your word) vulnerable.

[jonknee]

My passwords are synced through WiFi on my local network, but thanks for your concern.

[tzakrajs]

Using a strong key and cipher, you should feel safe giving anyone your information.

[this_user]

Keys can still be cracked, and ciphers can be broken. Not giving anyone your information, if you don't have to, is always the preferred option.

[tptacek]

If the construction 1Password standalone uses to encrypt passwords is broken, we have bigger concerns than our passwords.

[nommm-nommm]

No it's not, like with anything it's a trade off.

[heartbreak]

1Password only recently added a service which syncs your vault with them. I use 1Password with a vault that exists only on my encrypted MBP. If my laptop is decrypted and my 1P vault is decrypted then yes I'm screwed. What's the alternative exactly?

[ocdtrekkie]

A great example was the recent Opera browser sync hack. Everyone who uses it has to change ALL of their passwords everywhere. Password managers are a TERRIBLE idea, and it's kinda sad so many security researchers recommend them. Single point of failure is a really basic concept to understand.

Password reuse has been slightly overblown as a concern. Things like your Google, GitHub, TeamViewer, bank, etc. accounts should always be unique. But if someone hacks your password for the Engadget forums or something, does it matter that they can now log in to your Kotaku commenting account? REALLY? People talk about how they have hundreds of accounts and could never remember passwords for all of them, so need a password manager... but in reality, only a few of those accounts actually matter.

And you're better off leaving a piece of paper with passwords on it by your desk than using a password manager. The likelihood of a digital hack of a password manager is infinitely greater than the likelihood of someone breaking into your house to get your passwords (instead of like... just taking your TV).

[pfg]

The majority of cloud-based password managers perform encryption client-side. A server hack would leave the attacker with random garbage. Short of brute-forcing your master password, they're not likely to get anything.

The only real concerns here are weak crypto and backdoors. If your threat model includes backdoors planted by software vendors you trust, not using a password manager won't help you, since someone might as well just backdoor your browser and get your brain-managed passwords as you type them. I'd stay away from webapp-based password managers, as planting a backdoor is typically easier for these.

Weak crypto is a hard problem, so you'd have to do some research and check whether the format your password manager uses has been vetted by the crypto community.

Looking at the vectors that are most commonly used to hack people today, I'm certain that password managers would be a massive improvement compared to the short and re-used passwords the majority of users use today.