

1Password's 128bit AES. "Safe" against the NSA? - bigiain

So Agilebits say this about the security of 1Password:

"The slightly longer answer is that your data is encrypted using AES, the same state-of-the-art encryption algorithm used as the national standard in the United States. 1Password uses 128-bit keys for encryption, which means that it would take millions of years for a criminal to decrypt your data using a brute force attack." (here: http://help.agilebits.com/1Password3/security.html)

Given the current discussion about the weaselly-ness of Google & Facebook's possibly scripted denials - I can't help but read that and see some obvious mis-direction. It's a "US national standard" that would take "millions of years for a *criminal* to decrypt".

So - if I were paranoid about the NSA - how worried should I be about my 1Password encrypted password file? How worried should I be in the future if, for example, I'd stored my encfs keys in 1Password, then stored both an encfs partition and my 1Password file on Dropbox, should I assume the NSA are reading my encrypted files now, or that they'll be able to read them in 5 or 10 years, or should I feel secure that Agilebits "millions of years" is still within 3 or 4 orders of magnitude of what even the NSA is capable of? (which'd give me well-past-my-lifetime expectations of privacy)
======
jgeorge
Why worry about the security of your passwords when the traffic you view with
those passwords is probably already being logged?

While it wouldn't surprise me that AES is encouraged because there's a
backdoor in it, I'd be less surprised to find out they had the ability to
decrypt SSL on the fly.

If you're paranoid about someone getting your passwords, don't put them in an
online tool.

