Save you a click: No user data was compromised.
Regardless, I’m glad they are being open about this. I use 1password, so I want to know absolutely anything that could be a threat, especially after the debacle with LastPass.
1password user data is encrypted, right? so even if a hack had allowed a bad actor access to user pw databases, it’s not like they would’ve just scored everyone’s passwords… right?
Exactly. Accounts are locked with both password and encryption key. The latter is not known by 1Password.
To be accurate, they don’t know either. A login key and a decryption key are derived from password and secret key client-side.
I’m not sure about 1password, but with Lastpass, the passwords were encrypted, but not the URLs for each site. Whoever has the lastpass vault knows what sites were associated with each account, and can start targeting accounts which look valuable.
Also, and I don’t mean to scare the people who use 1password, they (LastPass) lied about the extent of the encryption. Many technical details they either omitted or lied about until they HAD to reveal the true extent of the hacks that had occurred. I know, I was a LP user unfortunately. Now comfortable at Bitwarden, but 1password was an option I considered.
Unless they had the encryption key.
but the encryption keys are not stored on the 1password cloud systems
If they have vaults downloaded, then they can rapidly brute force the vault passwords and would like be able to decrypt a lot of them.
1password protects against this by combining the password you choose with a cryptographically random 128bit “secret key”. That one isn’t getting brute forced easily.
https://1passwordstatic.com/files/security/1password-white-paper.pdf
They document their vault security highly and it’s worth reading through.
Good point. It’s been such a long time since I’ve had to use the secret that I forgot it existed.
It’s not as simple as brute forcing the password, it’s also encrypted using a secret key. You essentially have 2 factor encryption on the vaults.
If a user was social engineered, not very tech savy to catch on to it and revealed the master password, you’d only need to guess the encryption key, no?
Yes, but the encryption key is very likely more secure than the users password to begin with.
It wasn’t 1Password that got breached, it was a 3rd party company called Okta, which 1Password was using in some capacity.
The attempted breach was detected and the hackers had only 1 set of Okta credentials from 1 member of the IT team. So they couldn’t actually do much.
It was detected and immediately all the keys were changed so the hacker lost all access to Okta immediately.
No 1Password systems were affected at all.
Hypothetically even if the hackers somehow managed to get a customers vault, they would never be able to decrypt it because it requires 1. The master password AND 2. The very long and complex decryption key, which only the user posseses.
Even 1Password does not posses it so it’s literally impossible for the vault to be hacked.
1Password is still by far THE most secure password manager.
1Password is still by far THE most secure password manager.
Now that is a very confident statement. Any sources to back that up? Maybe even a comparison to other password managers like Bitwarden, LastPass, etc.?
Don’t compare it to last pass, you’ll have an answer very shortly
First password manager coming to mind because of such things.
Nothing is unhackable.Hmm. Why don’t you let everyone know what you know about encryption. Or, let everyone know how much you don’t know about encryption by just stating, “Nothing is unhackable”.
Opsec is a treadmill. Everything is hackable. This is why companies hire penetration testers.
I mean… also, insecure things are eminently hackable and you don’t know until someone has tried. That’s the main reason companies hire penetration testers.
I think my knowledge suffices to say that equal to physical security no security is forever safe. At some point a weak point will be exposed.
And if you can get a hand on encrypted content and live long enough with the right ressources and determination you might be able to crack something.Because afaik it’s all math at some point. Math is logic and logic can be cracked.
Interesting. Currently, I guess if you have hundreds of years to sit at the most advanced computers currently available you too can crack modern encryption…
Please don’t bring up LastPass in this conversation. They aren’t relevant to anything wrt security, and worse yet, they remain extremely opaque with their security protocols.
Yeah definitely not worth doing a comparison to LastPass but doing the comparison to bitwarden and then local only ones like keypass/KeepassXC may be worthwhile
Oh yeah. How secure is a local encrypted password safe that is synced via things like Dropbox/OneDrive/GDrive/Syncthing or Resilio in comparison to something like Bitwarden and 1Password.
Not sure if you’ve read this but it might help get started.
https://1passwordstatic.com/files/security/1password-white-paper.pdf
Considering we’re hearing about a lot of password managers getting hacked, saying you’re the most secure is not really that impressive.
Is it more secure than Bitwarden? (Genuine question)
Care to back up the last statement about last pass being the most secure? I’m having a really hard time seeing lastpass as more secure than a local only password manager like keepass or KeePassXC.
Honestly, this reads like a PR post.
OP said 1password, not LastPass.
Something local with sufficient encryption will always win against a cloud service, until someone gets access to your computer.
deleted by creator
I can guarantee you they are not monitoring 30-message Lemmy posts on something that happened weeks ago for damage control. I’m sorry to say that your personal opinion is not that important.
Fucking Okta. Or as I call it Okra.
Interesting to learn how to open up not just one PC but a whole infrastructure of passwords, tokens etc.
Imagine trusting a 3rd party to keep every single one of your passwords. That literally defeats the purpose of using passwords if you keep them all centralized. You’re supposed to MEMORIZE your passwords. Kindergarten shit.
I have 1400 passwords saved at the moment. You really expect me to memorize all of them?
There’s a tradeoff between security and convenience that has to be dealt with. You’re not supposed to reuse passwords, but most sites/apps require a login. How do you memorize a couple hundred passwords? An offline vault is safer, but also a real hassle to keep synchronized between devices and locations.
I’ve settled on memorizing passwords for financial sites and emails and storing the rest in a password manager. All I can hope is that, should a breach happen and my passwords somehow get decrypted, I’ll retain control over the most critical accounts.