Let's say 1Password somehow got breached, and customer vault passwords exfiltrated and posted online. Would Troy post about the breach and pull them into the database, as he has always done in the past? Or would his "partner" gently tap him on the shoulder and ask him to kindly hold off on that, because, hey, they're really sure they plugged that hole good this time; and they already let the affected customers know privately, so, why make a big deal about it?
So, yeah, I think it's quite safe to be confident he wouldn't do that.
The moment 1Password is compromised and Troy "nothing to see here"'s it? People would turn on both products very quickly because they'd find out about the former as private users and when the latter didn't disclose it, it would lose credibility.
Are you asking who tells the general public? Some hacker, or some chain of associates, just like any breach. HIBP only stores breaches that have previously been made public. So for HIBP to "ignore" a breach, the breach has to already be public, so there will be news organizations covering the breach if it's big.
This DB would end up on a darknet auction somewhere, and that's where things get "fun". Now, people can talk about this auction and all the really bad ramifications of both parties hiding it.
Worse yet, I could see someone waiting a month, and then leaking a DB that's fake, encrypting it and dumping it on the Darknet. The goal there is slander. It doesn't have to happen for the damage to be done.
>Let's say 1Password somehow got breached, and customer vault passwords exfiltrated and posted online.
First, 1Pass is not LastPass. Even their cloud service is optional (I don't use it for one), and it still operates end-to-end encrypted through a native client, doesn't it? At least for those clients AgileBits simply doesn't have this information at all so there's nothing to breach. Unless by "breached" you meant "hacked so badly that a copy of the client with malware got signed and made it through app store review." But an infected client is much more easily noticed by massive numbers of people, making secrecy even more pointless than it'd be otherwise (which would still be pointless because such a breach would be obvious instantly if it was put to use).
Second and more importantly, one of the entire fundamental points of password managers isn't merely to not get breached, it's that if they do there's an orderly way to go through and change every single password to something new and random. Yes, it'd be an irritation for a whole vault, and if it happened repeatedly it'd be reason to move to something else, but the only possible way for it to escalate from a minor problem to a huge one would be for notification to be delayed. I don't see how it wouldn't be in AgileBits' direct financial interest to come clean as instantly and rapidly as possible, which would minimize both customer impact and liability. With word out, operators of sensitive services could also know to be on higher alert and/or issue mandatory resets. This last part would apply to LastPass or any other such service too fwiw.
Granted I'd hope such a thing, or even the possibility, would motivate an industry push for standardized password/username interaction APIs. There's no technical reason that cycling every single password you've got shouldn't be at least a mostly automatable operation. It'd be better still if passwords were done away with entirely in favor of certs, but might as well keep improving the current pile of hacks if that's the best we can manage piecemeal I guess.
There was a company which literally handed their database to Troy after a breach so everyone would be on equal footing to the attackers.
I've pointed a few folks to his site and their very first question, every time, is some variation of, "you mean you want me to type my password into this dude's site?"
So haveibeenpwned is basically relying on Troy's reputation alone, which he alludes to in pretty much all of his blog posts about it.
It's hard for me to imagine him not publishing everything he learned about a 1password breach.
And this is why the v2 API design is important.
Instead of sending a password to an external site, you hash the password locally with SHA1, and send in just the first five hex digits. In return you get a list of hash suffixes of known-broken passwords. You get to verify locally whether the password is known, without the password ever being transmitted.
The API is so simple to use that one of our engineers implemented and deployed a HIBP check roundtrip in less than a day. Usually a functional change in authentication path would stay in review for somewhat longer (due to people wanting to make very sure we don't mess it up), but the new API is really straightforward to reason about. It was trivial for reviewers to see that we couldn't leak information by accident.[ß]
ß: Technically it would be possible for Troy and Cloudflare to correlate the number of times a particular blob is requested and the "times found" count in the list of suffixes. But because we reject known-broken passwords, the only real information that gets exposed is the number of times users attempt to choose passwords that may have higher-than-usual incident counts.
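The range-query check described above, as an added Python example that is not code from the original post, from 1Password or from HIBP: the client hashes locally, sends only the 5-hex-char prefix, and compares the 35-char suffix against the returned list on its own machine. The offline stand-in server, its filler entries and the breach counts are constructed for the demo; only `RANGE_URL` and the `SUFFIX:COUNT` line format are the real endpoint's.

```python
import hashlib
import re
from typing import Callable, Dict, Tuple

# Public range endpoint; only the 5-hex-char prefix is ever appended to it.
RANGE_URL = "https://api.pwnedpasswords.com/range/"
PREFIX_LEN = 5
_PREFIX_RE = re.compile(r"^[0-9A-F]{5}$")


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """SHA-1 the password locally and split the hex digest into the prefix
    that goes over the wire and the suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_body(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or len(suffix) != 40 - PREFIX_LEN:
            raise ValueError(f"malformed range line: {line!r}")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in the corpus (0 = not found).
    The only value handed to fetch_range is the 5-hex-char prefix, enforced
    here so a bug elsewhere cannot widen what gets sent."""
    prefix, suffix = sha1_prefix_suffix(password)
    if not _PREFIX_RE.match(prefix):
        raise ValueError("refusing to send anything but a 5-hex-char prefix")
    counts = parse_range_body(fetch_range(prefix))
    # The comparison happens locally; the server never learns our suffix.
    return counts.get(suffix, 0)


def http_fetch_range(prefix: str) -> str:
    """Real transport for breach_count (not used by the offline demo below)."""
    import urllib.request
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def make_fake_range_server(breached: Dict[str, int]) -> Callable[[str], str]:
    """Offline stand-in for the endpoint, built from a CONSTRUCTED list of
    'breached' passwords. Each bucket is padded with deterministic filler
    suffixes so the hit is not the only line, as in the real service."""
    buckets: Dict[str, Dict[str, int]] = {}
    for pw, n in breached.items():
        p, s = sha1_prefix_suffix(pw)
        buckets.setdefault(p, {})[s] = n

    def fetch(prefix: str) -> str:
        assert _PREFIX_RE.match(prefix), "client sent more than a prefix"
        lines = dict(buckets.get(prefix, {}))
        for i in range(3):
            filler = hashlib.sha1(f"filler-{prefix}-{i}".encode()).hexdigest()
            lines.setdefault(filler.upper()[PREFIX_LEN:], i + 1)
        return "\r\n".join(f"{s}:{c}" for s, c in lines.items())

    return fetch


# Constructed sample data: the counts are made up for this demo.
FAKE_FETCH = make_fake_range_server({"password": 3730471, "123456": 23174662})

if __name__ == "__main__":
    for pw in ("password", "123456", "correct horse battery staple 2018"):
        print(pw, "->", breach_count(pw, FAKE_FETCH))
```

The check on the prefix before the call is the property the reviewers in the comment above were able to see at a glance: whatever else goes wrong, the function cannot transmit more than five hex characters. Swapping `FAKE_FETCH` for `http_fetch_range` turns it into the live check.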
Entering your password on this site effectively reduces the strength of your encryption (or whatever you use the password for) to the strength of the SSL encryption used, plus all possible side channel attacks you can mount against browsers and network protocols like DNS, plus the security or insecurity of Troy's own machines, and the guy is already a viable target for dozens of intelligence agencies. Note that a man-in-the-middle attack on this site is almost impossible to detect and there is no way for you to tell whether Troy Hunt's servers and developer machines are compromised or not.
So in a nutshell, it's a big No No. But it makes sense for a company like 1Password to cooperate with him, since these companies are in the business of storing all your passwords "in the cloud" anyway.
Actually I bet my guesstimate is way too low.
Furthermore: if you're using unique random passwords anyway, then there's no sense in checking them against HIBP, and if you're not, then punching them into HIBP is how I try to convince people that they should be.
I'm still baffled that they decided to sunset it.
I for one have moved out of 1Password on the desktop and use other clients. I don't mind paying for software, but companies using dark patterns like hiding purchase options intentionally don't deserve my money.
This is an incredible value to normal humans who are not in the tech field. This password manager will help them proactively discover a stolen password. This is a powerful step forward for normal people who don't have any grasp of how bad the security situation is in the world.
I know this isn't perfect for technicians, but I would recommend this as worthy of subscription for my family members who I love but for whom I am unwilling to provide IT support.
Perhaps, but I have my doubts. I have stopped recommending 1P to non-technical friends & family because none of them can ever figure out how to use it (or remember for long enough to continue doing so). I have persuaded many to try it over the years, but literally only one of them has continued with it. That happened to be my mother (because I'm in frequent contact so can help her when she gets stuck). Everything I've witnessed leads me to believe 1P is primarily a tool for the tech savvy.
I've been using 1Password since nearly the beginning, and am really quite dependent on it now (so much so that I had a hard time coming to terms with an inevitable eventual move to Linux, until the release of 1PasswordX). So I'm an advocate.
But I think the whole computer industry outside of a very few (notably Facebook and Amazon) has a grossly inadequate picture of just how little most people (including most of the so-called 'digital native' generations) know about the many computers in their lives. They don't use computers -- they are trained by a small number of commercial interfaces. It's extremely basic rat-in-maze stuff.
The companies rightly lauded for their design skills targeted at us (this includes Apple and AgileBits) aren't even in this ballpark, and from everything I see and hear from them, they haven't a clue that they're not there.
Can you elaborate on this? I'm curious what they get stuck on; why do they find it any more complex than web browser bookmarks, or email?
- not understanding the distinction between the password stored in 1password vs that on the server, eg thinking that changing the 1password one would change the original, thus locking themselves out ;)
- being completely thrown by 1Password's distinction between password & login entries
- assuming that changing the OS password would change the 1P master password automatically (really)
- the iOS share menu-based version is particularly opaque to almost all of them, and only my mother ever got familiar enough with it to manage it when I'm not around (& this only because of my regular interventions over months)
- not understanding (or noticing) the difference between updating a login entry and creating a new one, and ending up with a mess of contradictory logins
- getting completely thrown by different logins for different subdomains
There have been many more, these are just a sample of what I remember now. At a rough guess I'd say I've introduced 1Password to perhaps 20 non-tech users. Only one has continued. Many people simply lack any mental model whatsoever of how the different faces of software interact, so they get in a terrible muddle.
> why do they find it any more complex than web browser bookmarks, or email?
I don't think any use bookmarks (few people do; not many even use URLs -- the vast majority in my experience use Google to find sites. Every visit!).
Email's a special case. It's been around a very long time, and is used throughout the day in many workplaces, so a much higher level of familiarity has built up. Even here though, it's only the advent of large scale cloud providers (gmail, exchange/outlook/live etc) that has made email truly usable for many. Before gmail in particular, I used to have to help all my friends and family with their email, at least during setup, and often again with things like managing inbox quotas etc (with POP). It is easier now, mainly because the common interfaces hide just about everything, and there are few enough dominant ones such that devices come preconfigured knowing how to connect to them.
> being completely thrown by 1Password's distinction between password & login entries
I had a hard time at first figuring out what the "password" type was for, too.
However their official CLI sadly only supports interactions with the subscription service. If you are using local vaults then there are still open source CLIs for Linux:
https://github.com/latkin/1poshword (disclaimer: my project)
Issues I faced immediately after installing it:
* Entering username/password and choosing the "Save in 1Password" option complains about not being able to reach server.
* Clicking on the extension icon and choosing New Item only shows a spinning wheel.
I'll try again when it's officially released but thanks again.
EDIT: Sent an email to their support detailing the issues.
I think it's basically the ideal place for 1Password to be running. It's hard for malware authors to infect the chromebook with stuff like keyloggers etc. I bought the chromebook for the sole purpose of managing financial transactions -- accessing investment/bank websites etc.
You can sign up here: https://agilemail.createsend.com/h/r/0D6ED375D55C4CF1
Unfortunately the 1Password 7 beta uses some APIs not supported by mono (yet?).
So my entire dev environment is out.
And they've also always supported the local wifi-only solution, where you have to be on the same network, and physically authorize both devices to talk to each other, before they can sync the password database.
If enpass.io works for you, that's great. I'm glad you're happy with it. But this feature isn't unique to enpass.io.
And honestly your passwords aren’t on their servers. An encrypted blob is. Encrypted with a password only you know.
This is actually an important attack vector and AgileBits themselves admitted the possibility. Imagine that a compromised HTTPS root certificate can open the door to a huge man-in-the-middle attack, which is totally within the reach of governments or of well funded crime syndicates.
Also the cloud sync is no longer optional. The standalone version is no longer available anywhere on their website and Google doesn’t help either.
At this point the standalone version is still available only for those in the know, being on life support probably to not piss old timers off. At least they are thinking about us, I’ll grant them that.
It doesn't generate as much marketing buzz on its own as a Lastpass or a 1Password does, but too many people have too much stake in their passwords for them to even consider a less secure solution solely based on marketing.
I'd prefer a CLI based password manager for its flexibility.
My guess is that the lack of browser integration (with extensions) that helps people autofill on specific sites/domains is what keeps it from being recommended as much as LastPass or 1Password.
What it's still missing is the possibility of (almost) concurrent edits on the database, if you sync it to the cloud. Talking about the KeePassXC browser, they are close to a release where multiple users will be able to edit the database without breaking everything.
And 1Password got plenty of attention and reviews, whereas Bitwarden did not.
Granted I’d prefer the open source solution when all other things are equal.
But I cannot trust Bitwarden with my data without hosting it myself and the current server implementation is expensive to host. Bitwarden copies LastPass as a model but I think that’s the wrong model to copy.
As you can read on the KeePassXC site, an audit checks only a limited snapshot of code. You can have flaws in the implementation or in plug-ins, for example in the KeePassHTTP plugin (https://github.com/pfn/keepasshttp/issues/258).
Subscription pricing is pretty optimal for something like 1Password since if there is one product you want to make sure is being actively worked on it is the one with all your passwords. If you previously purchased a license you can continue to do that.
I'm a huge fan of 1Password, and also a fan of paying subscription pricing for apps and dev teams making things I enjoy, but I'd seen the linked doc and parsed it the exact opposite way: "If you don’t want the benefits of a 1Password membership, you can use these third-party and advanced sync options:" --> ~"If you don't want to pay for a subscription, the non-subscription version of 1Password supports the following"
Up until now I've been counting the days until Agilebits finally sunsets the non-subscription plan since I thought the subscription option didn't support the "advanced/third-party" sync options. Will go re-evaluate that now.
If any Agilebits folks are lurking, it may be worth disambiguating that "switching to subscription billing" does not mandate "switching to an Agilebits-hosted vault"
Of course they can change their minds at any moment, but they did enough things right over the years that I have chosen to trust them.
Business-wise, they already have the best of both worlds: a cloud-based option for regular users (which generates steady income), and a standalone option for pro users who want full control (which generates spiky income, and a lot of goodwill).
From a brand perspective, pro users are much more likely to be spreading the word to friends and family (I definitely don't want my mom to be dealing with Dropbox issues, so cloud is just fine for her). From a cost perspective, maintenance of the standalone version is likely minimal, compared to supporting a cloud service safely.
Killing the standalone option would be net negative.
I don't think these statements have any value whatsoever if AgileBits is unwilling to expose this option on its website and make it easy to buy. There is no way to buy the standalone option without spending a lot of time on the website and hunting for it (or asking on the forums). It doesn't have to be (and shouldn't be) so hard, unless AgileBits is not confident about the subscription model or wants to hide something. As a potential customer, this is how I see it.
Despite all that, AgileBits goes way out of its way to not only provide a standalone password manager but keep it within shooting distance of the functionality of the non-standalone product.
But that's not enough for you: if they don't actively advertise and promote the variant of their product that is most expensive for them to provide, unlike, you know, any business on the planet, you're unsatisfied with their support.
I'm totally fine with it. It's a very reasonable business decision to try to steer users towards the cloud option, while still offering the standalone (even if it's a bit buried). If you can't find the standalone subscription with a few more clicks, maybe you really shouldn't be using it in the first place.
Kudos to AgileBits for staying true to their origins. Provided they don't screw up, I'll continue to promote their products to friends and family.
Of course, I don't use 1Password (standalone) because I don't think a company that actively hides the standalone option deserves to get my money. "A few more clicks" is actually not the correct way to describe it. Like you, I will continue to state this dark pattern for as long as AgileBits follows this and warn people about such tactics, which I strongly believe are not good.
As for other popular commercial password manager being subscription based, that's not the topic of discussion in my comment. Such a deflection is not useful for discussion.
It makes some amount of sense, by now they have picked up most of the tech savvy crowd and for the average user hearing a list of sync options is intimidating.
That was the only concern part for me and unless I missed it I couldn't find where it was addressed.
Beyond that this is a great idea!
Pretty good documentation on that: https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-...
Another idea here, stolen from Mozilla's implementation, would be to add in a few noise entries when making a request.
So, if the user types in their password and the hash evaluates to "2e78f...", you would send off the request for that range and also send off requests for a handful of random, other ranges.
In effect, this isn't particularly different from using fewer symbols to denote the range, e.g. asking for "2e78" instead of "2e78f". But that gives you 16 times as many results, whereas with noise entries, you can fine-tune it to give you for example only 5 times as many results (with 4 noise entries, that is).
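The decoy-range idea above, as an added Python example that is not code from the original comment or from any of the projects mentioned: it pads the real 5-hex-char prefix with distinct random decoys, shuffles them with a CSPRNG so ordering does not give the real one away, and compares the cost against the "shorter prefix" alternative the comment mentions. The `hashes_per_bucket` figure used in `anonymity_set_size` is an assumed even spread over the 16^5 buckets, not a measured number, and note that the real endpoint only accepts exactly five characters, so the truncation variant is the hypothetical comparison the comment draws rather than something you can send.

```python
import hashlib
import secrets
from typing import List

PREFIX_LEN = 5
HEX = "0123456789ABCDEF"


def real_prefix(password: str) -> str:
    """The 5-hex-char prefix the client would actually need to query."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()[:PREFIX_LEN]


def random_prefix() -> str:
    """A uniformly random prefix drawn from the same space as real ones, so a
    decoy is not distinguishable from a genuine query by its distribution."""
    return "".join(secrets.choice(HEX) for _ in range(PREFIX_LEN))


def prefixes_with_decoys(prefix: str, n_decoys: int) -> List[str]:
    """Return the real prefix plus n_decoys distinct random prefixes, shuffled.
    An observer of the wire sees n_decoys + 1 equally plausible ranges."""
    chosen = {prefix}
    while len(chosen) < n_decoys + 1:
        chosen.add(random_prefix())
    out = sorted(chosen)  # deterministic start, then a secret shuffle
    for i in range(len(out) - 1, 0, -1):  # Fisher-Yates with secrets.randbelow
        j = secrets.randbelow(i + 1)
        out[i], out[j] = out[j], out[i]
    return out


def buckets_fetched_by_truncation(prefix_len_sent: int) -> int:
    """Sending a k-char prefix would cover every 5-char bucket under it:
    16 ** (5 - k) buckets, i.e. 16x the data per dropped hex digit."""
    if not 1 <= prefix_len_sent <= PREFIX_LEN:
        raise ValueError("prefix length must be between 1 and 5")
    return 16 ** (PREFIX_LEN - prefix_len_sent)


def buckets_fetched_by_decoys(n_decoys: int) -> int:
    """Decoys scale linearly: the real bucket plus one per decoy."""
    if n_decoys < 0:
        raise ValueError("n_decoys must be non-negative")
    return n_decoys + 1


def anonymity_set_size(prefix_len_sent: int, n_decoys: int, hashes_per_bucket: int) -> int:
    """Rough number of candidate hashes an observer must treat as equally
    likely, combining both techniques, under the ASSUMPTION that the corpus
    spreads evenly with hashes_per_bucket entries per 5-char bucket."""
    return (buckets_fetched_by_truncation(prefix_len_sent)
            * buckets_fetched_by_decoys(n_decoys)
            * hashes_per_bucket)


if __name__ == "__main__":
    p = real_prefix("password")
    print("queries on the wire:", prefixes_with_decoys(p, 4))
    print("4-char prefix fetches", buckets_fetched_by_truncation(4), "buckets")
    print("4 decoys fetch", buckets_fetched_by_decoys(4), "buckets")
```

The decoys only help if the requests are unlinkable in every other way: the same timing jitter, the same client behaviour whether or not the bucket contained a hit, and no follow-up traffic that only happens for the real range. Otherwise the observer discards the decoys and is back to a single 5-char bucket.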
Not sure what k-anonymity is but I wouldn’t be surprised if it’s something similar.
Edit: nope, looks like k-anonymity basically lets you search by the first few characters of the sha512 hash, and it responds with all of the hashes that have that as the first few characters, along with the count for each (how many people use that password, likely.)
Doesn't storing the backup codes of 2-factor in your password safe where your first factor resides negate the whole "2 factors" thing?
Personally I write down the backup keys on a piece of physical paper.
Also see my introduction to password managers: https://leclan.ch/password-managers/
Edit to add: There is a dupe detector that prevents duplicate submissions, but I'm not sure what the parameters are (e.g., detection window duration, whether it does title matching). Sometimes when I've submitted dupes, it returns the previous submission rather than creating a new one. Clearly that didn't kick in in this case.
Hopefully that turns into a fruitful partnership!
Same goes for LastPass, as a side note.
- follow you around on encrypted cloud blob
- trusted machines you know you’ll log in from
- 2FA / MFA
- shareable passwords with friends/family
- works in all browsers
- works on mobile app / log in on any PC
- one time password access
- non-password things like door codes, software licenses, etc
- a lot more I’m just not thinking of I’m sure
Additionally, dedicated programs for a problem tend to be more responsive and featureful than when the functionality is tacked on as something non-core in something else. Password managers facilitate sharing within groups and organizations for example in a secure and structured way. For many people that may be one of their most valuable features in fact, right down to the level of families.
I mean, this basic philosophy shows up a lot in computing right? For example, it's an important idea at least at the heart of some of the original Unix style of doing things, where you have lots of independent programs that do something well and then link them for more complex operations rather than everything-and-the-kitchen-sink. The latter has its place sometimes too but there are strengths to the former, or to programming styles that split up larger systems into smaller tasks joined together.
1Password also holds documents and notes; in my state, documents such as car insurance can be legally carried on your phone for traffic stops. I also have my health insurance cards in there for ease of use.
Plus, if you want to use multiple browsers across various operating systems you need your password manager to be browser independent.
I wouldn't rely on this because it turns your phone into a single point of failure (your battery could die or your phone could fail at the wrong time). Similarly, I would never rely on mobile wallets without physical cards as a backup.
I keep everything in 1P. Why carry around a library/health/gym/etc. card when you need the number once a week? 1P. Credit cards. Colour copies of my passport & licence. Backups of SSH keys. Passwords to sparsebundle disk images containing sensitive files. Loyalty program numbers & PINs.
It does so much that Chrome doesn’t. The iOS apps are magnificent. Their sync service is magnificent. I couldn’t live without it.
(^A friend of mine died a few years ago and we had a hell of a time figuring out where his finances were. Shit job. Don’t let that happen to your friends. Label your stuff in a password manager and make sure someone you trust has the key.)
Your family and friends, however, are not. They need advice. They need your advice. And your advice should be that they use 1Password.
* I don't really trust Google too much
* I use passwords for non-web-based services routinely
* I share passwords for some accounts with my wife
* I like to be able to access my passwords anywhere I am
* I store credential-related secrets as well (such as security question answers, which I make up the answer to)
* Non-browser passwords.
* Portable between browsers.
* Much better UX.
* Better password generation.
* Secure notes.
* Probably better security (both in terms of the crypto used, and in terms of what you need to do to view your passwords). Reasonable experts will disagree here.
Chrome is better than nothing. But 1Password (standalone) is better than Chrome.
I'm fairly certain that scenario isn't possible with what any browser has.
I'm also not limited to just passwords.
It could also be added as a benefit for the 1password or other password management application side is that the passwords stored would be usable in all of those browsers whereas Chrome's would be locked in Chrome, Firefox's locked in Firefox, etc.
So the moral of the story, ignoring security in all (external vs browser) cases, if the specific browser is all you use, it is a fine password manager. The moment you go outside of that use case, the values flip quickly.
If you don’t know where it’s been used and with what username, it hasn’t much value.
In any case, you can use his V2 API to check your password without sending the password or even the complete hash.
You can check out my little go script which does this here: https://github.com/mrunkel/checkpass
In the blog post, Troy says the cost of HIBP is more than a few coffees, but I'm not sure if that's per day or per week. Hopefully the latter. Someone in his position wouldn't feel the pinch, as he himself states that "the time commitment" is what concerns him more. Regardless, his effort and time are worth paying for so that more people can benefit from the service. My contention is that AgileBits is not the right entity to partner with to get some money for this service.
He also hasn't yet talked about the long term plans for HIBP, though people have asked him about the "bus factor" currently being 1. He's said he'd write about it soon. If he's going to hand over management of HIBP to AgileBits, that would make it look really weird and remove at least some of the trust that HIBP now commands.
Wish he had put up some fundraising page or an annual fundraiser — given his fame in tech circles, I'm sure that would've gotten more money than necessary to run HIBP and to pay for his time. Wish he had planned to hand over HIBP to a set of individuals (not companies) for long term care. Alas, what a sad move!