Re: security re: 1Password re: How to Create a Password System You Can Live With

Reader Christopher C writes:

After noting that LastPass had been hacked, I was curious as to whether 1Password (which I have used for years, and see that you do too) had a blog post that mentioned it. They do, and it has a very interesting section about the advantages of optimizing the security of passwords by maximizing randomness - something I hadn’t thought through previously.

MPG: I hadn’t realized how incompetent some password managers are, like LastPass. I worked in security (encryption, Pretty Good Privacy aka PGP) years ago as an engineering manager, so I consider myself competent in evaluating the general security approach of a product*, and it sure looks like 1Password does things right. It had not crossed my mind that some companies would be so incompetent and careless as to not use the secret key approach that 1Password uses. There are a dozen other concerns I have about security, but when a company does a key thing right, it raises my confidence that they got the other things right too.

* I am no cryptologist, but I can understand whether a system design is done right or not, and my professional background gives me a strong base for that too, along with the time spent engineering encryption productions.

1Password: Secret Key: What is it, and how does it protect you?

A unique feature of 1Password’s security is the Secret Key, but its value is often misunderstood by users and security experts alike. Instead of thinking in terms of “is it like a second factor” or “is it like a key file” it’s best to explain it in terms of what it actually does: It protects you if we were to be breached. If we didn’t have the Secret Key built into 1Password, some user data on our servers would be decryptable if the attacker threw enough resources at cracking verifiers. But because the Secret Key makes such cracking futile, the encrypted data that we hold is far less valuable to an attacker. Why try to steal stuff that you can’t crack or decrypt?

Unlike some of our competitors, our service has never been breached. There are many things one could attribute that to, including luck. But I believe that the 1Password Secret Key plays a role. Sure, attackers try, and we do defend against such attempts. That is the nature of running any service.

MPG: let me simplify this down to its essence. Your encrypted stuff on 1Password servers is decryptable only with a radically robust passphrase that consists of your chosen password plus a long string of gibberish ("Secret Key"). And neither of these is ever known to the servers - it stays on your device.