[joegahona]

Is 1Password any less vulnerable, architecturally, to a massive hack akin to what happened recently to LastPass? I'm in the same boat as the OP and wary of putting all my stuff somewhere else that will result in a similar breach a few months from now.

[rgrmrts]

I'm not a security expert or cryptographer so take with a grain a salt, but I've been trying to understand what flawed architectural decisions LastPass made, and based on the critiques I've seen by some security/cryptographer folks (on Twitter, mostly) it does seem that 1Password is less vulnerable. It seems the key derivation, number of rounds, and unencrypted metadata (e.g. the website associated with the credential) are factors that made LastPass more vulnerable.

AFAICT, 1Password encrypts all metadata, their key derivation is stronger, and the use more rounds. Their security whitepaper [0] goes into a ton of detail. I'm more comfortable with my choice in 1Password (I previously used LastPass years ago, and need to rotate some old passwords that were still in LastPass).

[0]: https://1passwordstatic.com/files/security/1password-white-p...

[aussiesnack]

Yes, it is. Lastpass is uniquely poor amongst the most commonly used password managers.

https://infosec.exchange/@epixoip/109585049354200263

[smileybarry]

1Password at least has the architectural benefit that your vault key isn't just your passphrase, but also an "account key". (Both are merged to form the actual key) So at the very least it's dramatically harder to crack, compared to running dictionary attacks on passphrases with LastPass. That's one reason I finally switched from 1Password.com + Dropbox to 1Password.com a year ago.

[jpgvm]

Architecturally no. Operationally based on folks I know have (or continue to) worked there in the past suggests they are much less likely to be popped. Something about having higher calibre security folk seems to make major breaches much less common. See here Google and Apple which apart from some social engineering vulns in iCloud have remained mostly untouched for decade+ whilst being the juiciest of juicy targets.

[hk1337]

I don't know if I would say it is based purely on syncing with 1Password.com like you do with LastPass but I would on the fact (AFAIK they still offer these options) you can choose where to sync your vault, 1Password.com, iCloud, Dropbox, FTP, locally between devices. So, from an attacker viewpoint going after 1Password.com wouldn't necessarily get all the 1Password users.

[aussiesnack]

I just don't have the security expertise to make the judgement, and, let's face it, that's true of most of us. Which is of course why you're asking, but you're not guaranteed to get answers from people you know to be any more knowledgeable than you. Somewhere you have to rely on good old human trust.

Finding the info re where to place your trust is tricky. I happen to have been personally recommended 1Password by a genuine security expert who uses it for his family, and that's about the best I can do. I know Agilebits pays for regular 3rd party security audits / pen tests. I guess you could look further into those. I know they're financially sustainable so can afford the expertise they need (which is part of why I think subscription a good model for software like this - I want Agilebits to be on a long-term secure footing). As far as we know publicly, they also have an excellent security record (which LastPass didn't even before the recent breach).

[edit - there's more info here https://support.1password.com/security-assessments/]