by sugarpile 975 days ago
1. Setup to sync via iCloud was very straightforward and 100% fine for "non-tech savvy"
2. Why would it matter if Dropbox was hacked? Your vault password was never sent to Dropbox. It was just a dumb store for an encrypted vault. The calculus changes now that the vault is online and stored by the same party you're sending the password to.
5 comments

> Your vault password was never sent to Dropbox. It was just a dumb store for an encrypted vault. The calculus changes now that the vault is online and stored by the same party you're sending the password to.

You never send your password or account key to 1Password. Each side authenticates the other via cryptographic challenges and you receive the same encrypted database that 1P stores, as a dumb file host. They have a whole whitepaper on the security design of 1Password accounts: https://1passwordstatic.com/files/security/1password-white-p...

Technically, the earlier OPVault format stored on Dropbox/iCloud/locally was less secure due to generating a key just from your password.

> 1. Setup to sync via iCloud was very straightforward and 100% fine for "non-tech savvy"

As someone who did support for 1Password years ago, this is patently false. It was "fine" for tech savvy users, for everyone else it was a big opportunity for problems.

New "issues" came about from the switch to a hosted solution, but data syncing issues, mostly, disappeared.

Also, to confirm the other commenters, your password is never sent to 1Password in any situation where syncing is involved, whether it be Dropbox/iCloud or the hosted solution. And with the hosted solution your account key is also never sent to 1Password. This is also well documented in their Security White Paper.

I think you should read the 1Password security whitepaper before rambling on about things you clearly haven't spent the time and effort to learn about.
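To make concrete what "each side authenticates the other via cryptographic challenges" and "your account key is also never sent" mean in the comments above, here is an added example (not code from the thread, the whitepaper, or 1Password) of a password-authenticated key exchange in the shape of SRP-6a. The server enrolls only a salt and a verifier; during login only the public values A and B cross the wire, and both sides end up with the same session key while the password, the Secret Key, and the private exponents stay on their own side. The group parameters (2^255 - 19 with generator 2), the PBKDF2/HMAC mixing in `two_secret_x`, and all function names are this example's assumptions, loosely modelled on the two-secret derivation the whitepaper describes; real deployments use the standardised RFC 5054 groups and the exact KDF parameters from the whitepaper.

```python
"""Added example: SRP-6a style login where the server never sees the password.

Toy parameters for illustration; not a standardised SRP group.
"""
import hashlib
import hmac
import secrets

# Demo group (assumption): the prime 2^255 - 19 with generator 2.
# Real deployments use the RFC 5054 groups; the SRP algebra below is the same.
N = 2**255 - 19
g = 2
NBYTES = (N.bit_length() + 7) // 8


def to_bytes(x: int) -> bytes:
    return x.to_bytes(NBYTES, "big")


def H(*parts: bytes) -> int:
    """SHA-256 over the concatenated parts, as an integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


# SRP-6a multiplier k = H(N, g); prevents a malicious server from learning x.
k = H(to_bytes(N), to_bytes(g))


def two_secret_x(password: str, secret_key: str, salt: bytes) -> int:
    """Derive the private exponent x from BOTH the password and a device-held
    Secret Key (hypothetical KDF mix, loosely modelled on 1Password's 2SKD)."""
    slow = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    mixed = hmac.new(secret_key.encode(), slow, hashlib.sha256).digest()
    return int.from_bytes(mixed, "big") % N


def enroll(password: str, secret_key: str):
    """Client-side enrollment. The server stores only (salt, verifier);
    neither the password nor the Secret Key is ever transmitted."""
    salt = secrets.token_bytes(16)
    v = pow(g, two_secret_x(password, secret_key, salt), N)
    return salt, v


def client_step1():
    """Client picks ephemeral a and sends A = g^a."""
    a = secrets.randbelow(N - 2) + 1
    return a, pow(g, a, N)


def server_step1(v: int):
    """Server picks ephemeral b and sends B = k*v + g^b."""
    b = secrets.randbelow(N - 2) + 1
    return b, (k * v + pow(g, b, N)) % N


def client_session(password: str, secret_key: str, salt: bytes,
                   a: int, A: int, B: int) -> bytes:
    """Client derives the session key from its own secrets plus B."""
    if B % N == 0:
        raise ValueError("invalid server public value")
    u = H(to_bytes(A), to_bytes(B))
    x = two_secret_x(password, secret_key, salt)
    # (B - k*g^x) == g^b, so S == g^(b*(a + u*x))
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    return hashlib.sha256(to_bytes(S)).digest()


def server_session(v: int, b: int, A: int, B: int) -> bytes:
    """Server derives the session key from the stored verifier plus A."""
    if A % N == 0:
        raise ValueError("invalid client public value")
    u = H(to_bytes(A), to_bytes(B))
    # (A * v^u) == g^(a + u*x), so S == g^(b*(a + u*x)): same value as the client
    S = pow((A * pow(v, u, N)) % N, b, N)
    return hashlib.sha256(to_bytes(S)).digest()


def run_handshake(password: str, secret_key: str, salt: bytes, v: int):
    """Full exchange. Only A and B go over the wire; x, a and b never do."""
    a, A = client_step1()
    b, B = server_step1(v)
    return (client_session(password, secret_key, salt, a, A, B),
            server_session(v, b, A, B))


def keys_match(password: str, secret_key: str, salt: bytes, v: int) -> bool:
    """True only when the client's password AND Secret Key match the verifier."""
    client_key, server_key = run_handshake(password, secret_key, salt, v)
    return hmac.compare_digest(client_key, server_key)


if __name__ == "__main__":
    # Constructed demo credentials.
    salt, v = enroll("correct horse battery staple", "A3-DEMO-SECRET-KEY")
    print("right password + key :", keys_match("correct horse battery staple", "A3-DEMO-SECRET-KEY", salt, v))
    print("wrong password       :", keys_match("wrong password", "A3-DEMO-SECRET-KEY", salt, v))
    print("wrong secret key     :", keys_match("correct horse battery staple", "A3-OTHER-KEY", salt, v))
```

Note what the server holds after `enroll`: a salt and `v = g^x`. A breach of that store lets an attacker attempt offline guessing against the verifier, but because `x` mixes in the Secret Key as well as the password, a guessed password alone does not reproduce `v`. That is the structural difference between this design and a vault whose key is derived from the password only.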
Fine, I'll concede poor wording on my part.

However, in their white paper they specifically have a section "Crypto over HTTPS" which outlines the risks of their new web UI. Yes, the password stays local if no one mucks with the delivered JS; however, 1Password being compromised would allow serving of modified JS.

This is a new vector only present due to their new web vault model + associated web UI features. They state it themselves in the whitepaper: "The authenticity and integrity of the web client depends on the security of the host from which it is delivered. An attacker capable of changing the web client on the server could deliver a malicious client to the user"

1P could be 'compromised' and send a malicious version of their software back before they had the subscription model... I don't see how this involves any more risk.
Was sync to iCloud and Dropbox through a single file? Because there’s no chance to merge databases if they get out of sync. Proper cloud support can handle this.
Your vault password is never sent to 1Password either.