One Strong Reason (Literally!) that 1Password is the Best Choice for a Password Manager for most of us
re: How to Create a Password System You Can Live With
Reader Christopher C writes:
After noting that LastPass had been hacked, I was curious as to whether 1Password (which I have used for years, and see that you do too) had a blog post that mentioned it. They do, and it has a very interesting section about the advantages of optimizing the security of passwords by maximizing randomness — something I hadn’t thought through previously.
MPG: I hadn’t realized how incompetent some password managers are, like LastPass. OMG.
I worked in security (encryption, Pretty Good Privacy aka PGP) years ago as an engineering manager, so I consider myself competent in evaluating the general security approach of a product*, and it sure looks like 1Password does things right.
It had not crossed my mind that some companies would be so incompetent and careless as to not use the secret key approach that 1Password uses. There are a dozen other concerns I have about security, but when a company does a key thing right, it raises my confidence that they got the other things right too. And vice versa.
* I am no cryptologist, but I can understand whether a system design is done right or not, and my professional background gives me a strong base for that too, along with the time spent engineering encryption productions.
1Password: Secret Key: What is it, and how does it protect you?
A unique feature of 1Password’s security is the Secret Key, but its value is often misunderstood by users and security experts alike. Instead of thinking in terms of “is it like a second factor” or “is it like a key file” it’s best to explain it in terms of what it actually does: It protects you if we were to be breached.
...If we didn’t have the Secret Key built into 1Password, some user data on our servers would be decryptable if the attacker threw enough resources at cracking verifiers. But because the Secret Key makes such cracking futile, the encrypted data that we hold is far less valuable to an attacker. Why try to steal stuff that you can’t crack or decrypt?
...Unlike some of our competitors, our service has never been breached. There are many things one could attribute that to, including luck. But I believe that the 1Password Secret Key plays a role. Sure, attackers try, and we do defend against such attempts. That is the nature of running any service...
MPG: let me simplify this down to its essence.
Your encrypted stuff on 1Password servers is decryptable only with a radically robust passphrase that consists of your chosen password plus a long string of gibberish ("Secret Key"). And neither of this is ever know to the servers—it stays on your device.
Since Secret Key resides only on your devices and not their servers, an attacker that compromises the 1Password website could not decrypt your stuff using all the computing power in the universe multipled a trillion trillion times over.
The key to this is that these secrets (your chosen password or the Secret Key) are never transmitted across the internet; they never leave your device. Rather, protocols (PAKE) is able to exchange encrypted messages and this does not require knowing the secrets.