• pingveno@kbin.social
      link
      fedilink
      arrow-up
      51
      ·
      1 year ago

      Regardless, I’m glad they are being open about this. I use 1password, so I want to know absolutely anything that could be a threat, especially after the debacle with LastPass.

      • ziggurism@lemmy.world
        link
        fedilink
        English
        arrow-up
        12
        arrow-down
        1
        ·
        1 year ago

        1password user data is encrypted, right? so even if a hack had allowed a bad actor access to user pw databases, it’s not like they would’ve just scored everyone’s passwords… right?

        • Anoxydre [they/them]
          link
          fedilink
          English
          arrow-up
          27
          ·
          1 year ago

          Exactly. Accounts are locked with both password and encryption key. The latter is not known by 1Password.

          • tippl@lemmy.world
            link
            fedilink
            English
            arrow-up
            4
            ·
            1 year ago

            To be accurate, they don’t know either. A login key and a decryption key are derived from password and secret key client-side.

        • bamboo@lemmy.blahaj.zone
          link
          fedilink
          English
          arrow-up
          8
          arrow-down
          1
          ·
          1 year ago

          I’m not sure about 1password, but with Lastpass, the passwords were encrypted, but not the URLs for each site. Whoever has the lastpass vault knows what sites were associated with each account, and can start targeting accounts which look valuable.

          • dasgoat@lemmy.world
            link
            fedilink
            English
            arrow-up
            6
            ·
            edit-2
            1 year ago

            Also, and I don’t mean to scare the people who use 1password, they (LastPass) lied about the extent of the encryption. Many technical details they either omitted or lied about until they HAD to reveal the true extent of the hacks that had occurred. I know, I was a LP user unfortunately. Now comfortable at Bitwarden, but 1password was an option I considered.

        • pulaskiwasright@lemmy.ml
          link
          fedilink
          English
          arrow-up
          6
          arrow-down
          4
          ·
          1 year ago

          If they have vaults downloaded, then they can rapidly brute force the vault passwords and would like be able to decrypt a lot of them.

  • danielfgom@lemmy.world
    link
    fedilink
    English
    arrow-up
    59
    arrow-down
    10
    ·
    1 year ago

    It wasn’t 1Password that got breached, it was a 3rd party company called Okta, which 1Password was using in some capacity.

    The attempted breach was detected and the hackers had only 1 set of Okta credentials from 1 member of the IT team. So they couldn’t actually do much.

    It was detected and immediately all the keys were changed so the hacker lost all access to Okta immediately.

    No 1Password systems were affected at all.

    Hypothetically even if the hackers somehow managed to get a customers vault, they would never be able to decrypt it because it requires 1. The master password AND 2. The very long and complex decryption key, which only the user posseses.

    Even 1Password does not posses it so it’s literally impossible for the vault to be hacked.

    1Password is still by far THE most secure password manager.

    • Appoxo@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      42
      arrow-down
      3
      ·
      1 year ago

      1Password is still by far THE most secure password manager.

      Now that is a very confident statement. Any sources to back that up? Maybe even a comparison to other password managers like Bitwarden, LastPass, etc.?

          • hystericallymad@lemmy.ml
            link
            fedilink
            English
            arrow-up
            1
            arrow-down
            10
            ·
            edit-2
            1 year ago

            Hmm. Why don’t you let everyone know what you know about encryption. Or, let everyone know how much you don’t know about encryption by just stating, “Nothing is unhackable”.

              • Chaotic Entropy@feddit.uk
                link
                fedilink
                English
                arrow-up
                1
                ·
                edit-2
                1 year ago

                I mean… also, insecure things are eminently hackable and you don’t know until someone has tried. That’s the main reason companies hire penetration testers.

            • Appoxo@lemmy.dbzer0.com
              link
              fedilink
              English
              arrow-up
              3
              arrow-down
              1
              ·
              edit-2
              1 year ago

              I think my knowledge suffices to say that equal to physical security no security is forever safe. At some point a weak point will be exposed.
              And if you can get a hand on encrypted content and live long enough with the right ressources and determination you might be able to crack something.

              Because afaik it’s all math at some point. Math is logic and logic can be cracked.

              • hystericallymad@lemmy.ml
                link
                fedilink
                English
                arrow-up
                1
                arrow-down
                2
                ·
                1 year ago

                Interesting. Currently, I guess if you have hundreds of years to sit at the most advanced computers currently available you too can crack modern encryption…

      • ram@bookwormstory.social
        link
        fedilink
        English
        arrow-up
        23
        ·
        1 year ago

        Please don’t bring up LastPass in this conversation. They aren’t relevant to anything wrt security, and worse yet, they remain extremely opaque with their security protocols.

      • douglasg14b@lemmy.world
        link
        fedilink
        English
        arrow-up
        16
        ·
        1 year ago

        Yeah definitely not worth doing a comparison to LastPass but doing the comparison to bitwarden and then local only ones like keypass/KeepassXC may be worthwhile

        • Appoxo@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          7
          arrow-down
          1
          ·
          1 year ago

          Oh yeah. How secure is a local encrypted password safe that is synced via things like Dropbox/OneDrive/GDrive/Syncthing or Resilio in comparison to something like Bitwarden and 1Password.

      • dangblingus@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Considering we’re hearing about a lot of password managers getting hacked, saying you’re the most secure is not really that impressive.

      • danielfgom@lemmy.world
        link
        fedilink
        English
        arrow-up
        13
        arrow-down
        1
        ·
        1 year ago

        In theory yes because Bitwarden only uses your master password to unlock your password collection. If someone were to brute force the password and figure it out, or if bitwarden servers were hacked and the password acquired, they could access all your passwords.

        With 1Password your vault (database with all your passwords) is encrypted on the server. To open it you must provide 2 things:

        1. The master password
        2. The decryption key

        1Password do not have any record of the decryption key. They give it to you as a pdf when you create your account, and only you have it.

        So even if someone cracked your master password, they still cannot decrypt the vault to get your info. They would have to come to your house and try find that pdf with decryption key. Which they don’t do.

        So you are at significantly safer on 1Password

        • GigglyBobble@kbin.social
          link
          fedilink
          arrow-up
          7
          ·
          edit-2
          1 year ago

          I hope they don’t have your master password either. The decryption key sounds like just a longer password or salt with extra steps. What if the generation algo is cracked?

          Also, you can go multi-factor with every password manager I know.

        • wols@lemm.ee
          link
          fedilink
          English
          arrow-up
          3
          ·
          edit-2
          1 year ago

          The main difference is that 1Password requires two pieces of information for decrypting your passwords while Bitwarden requires only one.

          Requiring an additional secret in the form of a decryption key has both upsides and downsides:

          • if someone somehow gets access to your master password, they won’t be able to decrypt your passwords unless they also got access to your secret key (or one of your trusted devices)
          • a weak master password doesn’t automatically make you vulnerable
          • if you lose access to your secret key, your passwords are not recoverable
          • additional effort to properly secure your key

          So whether you want both or only password protection is a trade-off between the additional protection the key offers and the increased complexity of adequately securing it.

          Your proposed scenarios of the master password being brute forced or the servers being hacked and your master password acquired when using Bitwarden are misleading.

          Brute forcing the master password is not feasible, unless it is weak (too short, common, or part of a breach). By default, Bitwarden protects against brute force attacks on the password itself using PBKDF2 with 600k iterations. Brute forcing AES-256 (to get into the vault without finding the master password) is not possible according to current knowledge.

          Your master password cannot be “acquired” if the Bitwarden servers are hacked.
          They store the (encrypted) symmetric key used to decrypt your vault as well as your vault (where all your passwords are stored), AES256-encrypted using said symmetric key.
          This symmetric key is itself AES256-encrypted using your master password (this is a simplification) before being sent to their servers.
          Neither your master password nor the symmetric key used to decrypt your password vault is recoverable from Bitwarden servers by anyone who doesn’t know your master password and by extension neither are the passwords stored in your encrypted vault.

          See https://bitwarden.com/help/bitwarden-security-white-paper/#overview-of-the-master-password-hashing-key-derivation-and-encryption-process for details.

    • hillbicks@feddit.de
      link
      fedilink
      English
      arrow-up
      14
      arrow-down
      2
      ·
      1 year ago

      Care to back up the last statement about last pass being the most secure? I’m having a really hard time seeing lastpass as more secure than a local only password manager like keepass or KeePassXC.

      Honestly, this reads like a PR post.

      • douglasg14b@lemmy.world
        link
        fedilink
        English
        arrow-up
        12
        arrow-down
        2
        ·
        1 year ago

        It really does read like a PR post.

        There’s some bold confident statements in there that are definitely not really accurate from the standpoint of software and system security.

      • setVeryLoud(true);@lemmy.ca
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        1 year ago

        OP said 1password, not LastPass.

        Something local with sufficient encryption will always win against a cloud service, until someone gets access to your computer.

      • StereoTrespasser@lemmy.world
        link
        fedilink
        English
        arrow-up
        7
        ·
        1 year ago

        I can guarantee you they are not monitoring 30-message Lemmy posts on something that happened weeks ago for damage control. I’m sorry to say that your personal opinion is not that important.

  • dangblingus@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    arrow-down
    11
    ·
    1 year ago

    Imagine trusting a 3rd party to keep every single one of your passwords. That literally defeats the purpose of using passwords if you keep them all centralized. You’re supposed to MEMORIZE your passwords. Kindergarten shit.

    • dinckel@lemmy.world
      link
      fedilink
      English
      arrow-up
      8
      ·
      1 year ago

      I have 1400 passwords saved at the moment. You really expect me to memorize all of them?

    • TheHarpyEagle@lemmy.world
      link
      fedilink
      English
      arrow-up
      5
      ·
      1 year ago

      There’s a tradeoff between security and convenience that has to be dealt with. You’re not supposed to reuse passwords, but most sites/apps require a login. How do you memorize a couple hundred passwords? An offline vault is safer, but also a real hassle to keep synchronized between devices and locations.

      I’ve settled on memorizing passwords for financial sites and emails and storing the rest in a password manager. All I can hope is that, should a breach happen and my passwords somehow get decrypted, I’ll retain control over the most critical accounts.