LastPass Publishes More Details about Its Data Breaches
In 2022, password management service LastPass suffered its latest significant breach, this one resulting in the loss of customer vault data (see “LastPass Shares Details of Security Breach,” 24 December 2022). Months later, the company has finally provided significantly more information about the breach, what data was compromised, and how users should respond. The new information is helpful, but it doesn’t make me regret switching to 1Password.
In a carefully worded blog post, LastPass CEO Karim Toubba lays out a more-detailed timeline of two chained incidents, with the first setting the stage for the second. He then points readers to a pair of security bulletins with recommended actions: one for LastPass Free, Premium, and Families users and another for LastPass Business users. Finally, he summarizes what actions LastPass has taken to better secure its systems. I particularly appreciated the extensive list of all the data types accessed, with notes about which fields were encrypted and which were not.
Notably, the company says that it hasn’t heard from the attacker nor seen any indication of the data being used.
There has been no contact or demands made, and there has been no detected credible underground activity indicating that the threat actor is actively engaged in marketing or selling any information obtained during either incident.
If you’re interested in security stuff, the various posts are worth reading, and LastPass has done a much better job of communicating this time, even if it’s overdue. In particular, if you’re still using LastPass, I recommend following the company’s advice to:
- Ensure the strength of your master password
- Increase the number of password iterations
- Turn on or reset multifactor authentication
- Review the Security Dashboard
- Turn on dark web monitoring
LastPass hasn’t yet made the last two options available to LastPass Free users, but the company says it will enable them shortly. Interestingly, LastPass has dramatically increased the number of password iterations. Some long-time users were still set at what is now an absurdly low 5,000, while newer users had 100,000 iterations. The default is now 600,000—that’s a big change.
I wonder what Karim Toubba must be going through. He joined LastPass as CEO in April 2022, and the first breach occurred just months later, in August 2022. The company has likely been in crisis mode ever since, and the extent of the changes (combined with the actual breach, of course!) suggests that its previous security stance was problematic. We hope the adults are now in charge and are taking the right steps to prevent future breaches.
Switching to 1Password from LastPass and Authy
On top of my irritation with LastPass’s interface, functionality, and reliability, the breach was the final straw, so I switched to 1Password and imported my data from LastPass. I chose the approach of exporting data from LastPass and importing it into 1Password because 1Password’s direct import capability doesn’t work if you have multifactor authentication turned on in LastPass. I wasn’t comfortable disabling that, even temporarily.
I’m not quite ready to delete all my data from LastPass, but that’s on my list once I’m confident that 1Password has all the capabilities I want. I realize that some people haven’t been happy with the changes in 1Password 8, but as someone who didn’t particularly use previous versions, I haven’t been perturbed. While not perfect, 1Password has been significantly more elegant than LastPass, which never provided anything resembling a native Mac or iOS experience. That was especially true in the last few weeks I used LastPass, when it felt like the company was making rapid changes in an effort to show users that it was doing something.
I particularly like using my Apple Watch to unlock 1Password on my 2020 27-inch iMac and my watch or Touch ID on my M1 MacBook Air. LastPass introduced app-based multifactor authentication a while back, but it never properly accepted input from its watchOS app, forcing me to pull out my iPhone every time to confirm login in its iOS app. I’ve subsequently reset LastPass’s multifactor authentication to use a normal time-based one-time password (TOTP) that I stored in 1Password, which auto-fills it whenever I log in to LastPass on my Mac—a distinct improvement over tapping a button in LastPass’s iPhone app.
1Password’s support for TOTP has been a big win. I started with authentication apps early, when Google Authenticator was the only game in town. When I learned that its data wouldn’t transfer to a new iPhone (it can now if you can scan a QR code on the old device), I switched to the free Authy ecosystem of apps, which has worked acceptably and syncs across my Macs, iPhone, and iPad. (I tried LastPass Authenticator briefly, but it’s available only for the iPhone and iPad, and I hate turning to my iPhone when logging in on the Mac.)
Authy provides the Authy Desktop app for the Mac, but every time I want to log in to an account requiring two-factor authentication, I have to launch Authy Desktop, search for the website (I have 28 accounts), click a button to copy the code, switch back to my Web browser, and paste the code. I thought about automating the process with Keyboard Maestro, but it would be nothing more than fragile monkey-clicking. The way 1Password auto-fills the TOTP as the next step in the login process has been a huge relief.
(Glenn Fleishman reminds me that you could opt instead to use Apple’s multi-platform support for TOTPs, but on the Mac, it works only within Safari. If you use other Mac browsers or apps, you have to bring up Safari > Preferences > Passwords or the Passwords settings/preference pane, authenticate, search, click, and copy; see his article, “Add Two-Factor Codes to Password Entries in iOS 15, iPadOS 15, and Safari 15,” 7 October 2021. And, of course, then there’s the whole iCloud Keychain vulnerability if your iPhone and passcode were stolen; see “How a Thief with Your iPhone Passcode Can Ruin Your Digital Life,” 26 February 2023.)
Moving my two-factor authentication setup from Authy to 1Password has been fussy and time-consuming. Amazon Web Services was the only service that allowed me to register 1Password as an additional authentication device. For all other accounts, I’ve had to reset two-factor authentication or turn it off and back on. The threat of being completely locked out of an account is scary, so I’m careful to add the new TOTP to both 1Password and Authy (again) before I delete the old account in Authy. While I don’t anticipate using Authy after I get everything set up in 1Password, it feels like a useful backup if storing the TOTP in 1Password alongside the account credentials feels problematic. Remember to record one-time or “scratch” codes if a site offers them when enabling two-factor authentication—they can be a lifeline if you have a TOTP blowout.
Much as with the Wall Street Journal’s coverage of iPhone passcode thefts, I’ve come to see the LastPass breach as an opportunity to rethink my approach to password security. I wasn’t entirely happy with LastPass before the breach but couldn’t muster the enthusiasm for switching. By cleaning up duplicates and other cruft in 1Password organically, as I need to use the associated sites, I can nibble away at a task that would be too enormous to face all at once—I have over 900 logins. I’ll ultimately have a better handle on my passwords than ever before.
But I’ll still be happy if passkey support—see “Why Passkeys Will Be Simpler and More Secure Than Passwords,” 27 June 2022—becomes widespread quickly such that I don’t need all these stinkin’ passwords!
I was shocked to read this given all the criticisms about 1Password 8 moving to Electron.
In addition to using your Watch for 2FA, you please share some additional examples of how 1Password is more “elegant” than LastPass?
1Password is undoubtedly the tool which acccomplishes the tasks of a password manager with least traction for users. Definitely much smoother than others. I’m using Enpass which is crude in comparison.
I can do a search in 1Password and hit Return to display the top hit, or press Command-Return to see all the results. I like the latter for seeing all the duplicates and random logins that I need to clean up.
1Password distinguishes between deleting and archiving. I want to delete all my duplicates, but I prefer to archive logins for sites that have gone under or that I never plan to use again, just so I’m not losing the historical data. I’m funny like that.
I really like 1Password’s Quick Access pop-up interface for finding passwords for apps. In LastPass, I’d have to search my vault in my browser or, more generally, load the associated Web site so I could more quickly find the related password.
1Password has an option to show always show passwords and full credit card numbers. When I’m doing duplicate removal, it’s very handy to be able to see which logins use the same password without having to reveal it manually for each one individually. There’s also an option to toggle revealed fields by holding Option, which might be more generally useful after I finish cleanup.
1Password on the iPhone lets me add a TOTP to recognized sites easily by simply tapping a purple banner and scanning a QR code. No need to even edit the login.
Adam: Right on!!
I have been a 1Password user since version 2.0 in 2009.
I followed the “abandon 1Password” discussion very closely and hung onto version 7 for dear life.
I even purchased and installed several of the suggested alternatives – but either they didn’t have all the functions I needed or didn’t work as well – and I figured I’d try again when I had to.
We have a “family plan” and my grown son went ahead and switched to v8 and reported no problems or concerns.
Then early this month Joe Kissell (who took over the Take Control series from Adam – and has done a truly spectacular job) issued TC of 1Password v6.0.1 – devoted exclusively to version 8.
I dove into the document. To my surprise all the commotion about Electron and no local backups is barely mentioned, much less given front row seating. I wrote Joe directly and asked those questions. His reply was analogous to Adams – there just isn’t any problem. Certainly no functional loss is apparent due to Electron and while he understood some folks had concerns about no local backup, in his opinion, the 1Password backup systems were as good as anything going and not a basis for rejecting the software.
I made the switch – it was easy to do – the software has performed flawlessly since – the speed and function are as good as ever and maybe better.
In retrospect, I think the intensity and repetitiveness of the objections were substantially overblown. I don’t expect anyone who voiced them to acknowledge that now. I do expect to be blasted for my position.
My real concern is that even in a forum as open, balanced, and thoughtful as TidBits – that discussion tolerated little if any dissension.
As regards my experience, technical knowledge, hands-on time. I can only say I bought an Apple ][+ before IBM issued a personal computer and have upgraded thru virtually every generation of Mac since then, including into silicon. I maintained an entire household of computers, did many hands on upgrades and repairs, had multiple on site and off site backups, and never had anyone have a critical data loss.
I will not respond beyond that to the criticism I expect.
I will shake my head and bemoan it – in silence.
Thanks again to Adam for “Sure!”
I’ve tried v8 a couple of times now and I think the Electron thing is overblown. It is a different interface than v7 but mostly it’s just different and there were or still are some minor UI inconsistencies that folks pointed out and my guess is that those will eventually get fixed. There were also comments that it Ian macOS like…which are valid but mostly I don’t use the app anyway but the plug-in. They made a choice to use Electron to have a standard client so they say…but then they wrote t least 1 or 2 clients in native format IIRC…so the standard client thing was a cost and profit related business decision…I don’t necessarily agree with that…but it’s their decision to make.
The loss of what any security professional would consider critical features is a much bigger deal…no backup and restore capabilities with automated backups that the user can restore without their servers is the biggest one. Loss of DropBox or iCloud support is another…but they claim their Secret Key is better than just another password to get access…I disagree, it is just a second password and no better than DropBox being the second password outside of the forced length of the Secret Key.
I’ve evaluated Enpass and BitWarden…and neither is as fully featured as 1PW is…but am yet to decide when/if v7 dies whether to move or not. I already have a subscription anyway but keep my vault on DropBox and use their server for an additional backup and for emergency access by our son…so money isn’t the issue. But I get the feeling that their VC investors who own a considerable amount of the company are driving the train now and they’re interested in ROI…which pushed the company to go after the corporate enterprise market and that will only have detrimental effects on features and support for individual users.
Have they restored the backup and restore to other than their servers yet and if so is it automated? That’s the biggest drawback…I’m sure that they have all sorts of backup options on their end…but as a long time IT security guy having your own is simply common sense and non negotiable. Vault corruption on their server is certainly possible and since everything syncs to all devices…that corruption would overwrite the good data on a phone or laptop…and then the user is screwed unless he can restore his own backup which will repopulate their servers and get synced elsewhere.
I realize their whole Secret Key makes this hard…but just require both passwords to do the restore…it ain’t that hard. I’m sure the local copy is kept in SQL or something similar…but the vast majority of us including me ain’t smart enough database wise to backup and restore outside the app.
Not having a local backup makes 1PW v8 a non starter. I’m still using 1PW v6.
Do you mind explaining why?
Are you worried about hacking, data loss, or losing access? Can’t you just periodically export your vault and store it encrypted as your own manual backup? Then if something happened to 1P, you’d still have your own copy. Your vault doesn’t change that often, so I don’t see the drawback here.
Thanks to the comments here since Adam switched to 1Password, I plan on doing the same.
I chose LastPass as my first password manager because a TidBITS article years ago mentioned Adam preferred it to 1Password because it (at that time) integrated into his browsers better. When Adam recently switched to 1Password, I was hesitant to do so because of all the previous negative comments concerning version 8. But it seems, not having used version 7 or prior, I apparently won’t know what I’m missing. It will certainly be better than LastPass, at this point.
As for local backups, I never trusted LastPass from the start. (To be fair, I didn’t trust any password manager to not malfunction and lose all my passwords.) So I’ve kept a running, current database of all my passwords within an encrypted sparse disk with a unique, complex, long password locking it. (No, not anything in Keychain either. Just in my head.) So now I’m a lot more confident to switch over to 1Password, knowing I’ve got every password safe in my own personal database, regardless.
Which I’ll continue to maintain during my time using 1Password. Until PassKeys finally becomes ubiquitous and passwords will be obsolete.
I have the same issue as David…and it’s a matter of data loss…say something happens which corrupts the database on their servers and that gets synced to all users devices…and because they were hacked or ransomwared or whatever they are down for some unspecified period. Users in this case ar screwed…unless they have their own backup to restore to their device.
Yes…one can export the vault but if the export is like that in v7 and earlier it is somewhat incomplete since attachments don’t get included and it is a manual process. Earlier versions do automatic export of the entire vault to a location of the users choice…and restoration of those backups is trivial. A manual only less than full contents export is obviously inadequate. I’m sure that the company thinks they’ve done a good job in preparing for bad things…but as a long time IT security guy…backups need to be complete and automated to ensure they happen.
However…their forced subscription model with only their servers allowed is designed for profit…not individual user security…and their focus isn’t on you and I any more…it’s on enterprise where the profit is greater.
It is still the best product available…but is crippled compared to v7. They claim it is more secure because of their 30something character Secret Key…and while that is better than say a 20 character DropBox second password…better is the enemy of good enough…and if the Master/DB password takes 10,000 million centuries to crack security is not improved by their Master/Key taking a million million centuries…it’s already good enough.
From the 1Password discussion forum, September 2022:
"1Password 7 can only export “attachments”, not Documents. Are your PDFs in question saved as Documents in 1Password?
1Password 8 can export both, but its export will contain all vaults in an account, and therefore all the files in each of those vaults. There’s no option to select a single vault or selection of items within a vault."
Thanks, that may be a viable workaround for me since otherwise I have no major issues with v8…but still not as food as earlier versions auto backup.
Edit. Actually…I have no idea what the guy in that post on their support forum is talking about since there is no ‘document’ storage in 1PW v7 other than an attachment to another type of record. So the comment being replied to there was strange as the only way to have a pdf in v7 is as an attachment.
Assuming that attachments get properly exported along with everything else…and assuming that the export is encrypted (which in v7 it is not and it’s the same 1pif file so I imagine v8 is the same) then it would sort of work as a manual backup. However…the lack of (a) encryption on the exported/backedup file and (b) the lack of automation so it just happens makes this not really a viable work around other than weekly or monthly as opposed to the current (v7) daily automated encrypted backup copy. I realize their Secret Key may have something to do with this lack…but it’s on them to solve the problem I believe.
From Joe Kissell, “Take Control of 1 Password” ver. 4.1 (which focuses on 1Password 7), p. 98:
“Documents and Attachments
Vaults in 1Password accounts include a Documents category, which is just what it sounds like—when you create a new document (File > New Item > Document on a Mac, or plus button > Document in Windows), you can navigate to a file on your computer and store it in 1Password.”
This is not the same as attaching a file to an item.
Ah…it’s only for the only vaults that Document is a category…doesn’t exist for a standalone vault which is what I’m using and will continue to use due to the complete lack of any local backup/restore capability in v8 (or v7 for online vaults for that matter) and the apparent complete uninterest in the company in providing that capability to users for online vaults. Their attitude on backups seems to be “trust us, we’re smarter than you are”…but any long time (or even short time) IT security guy will tell you that relying on any single entity for your backups is pretty dumb.
I hadn’t looked at online vaults since I don’t use them but see the Document there now that I looked.
Not sure if this answers all your needs, but from the 1Password discussion forum, October 2022:
"Do you happen to use any full-disk backup software like Time Machine on your Mac? If you do then that full-disk backup will also contain a copy of your encrypted 1Password data. If you did need to restore it in the future then you can drag and drop the following folder from the backup to your Mac:
~/Library/Group Containers/2BUA8C4S2C.com.1password/Library/Application Support/1Password/Data
The benefit of a Time Machine backup is that it’s done automatically and is versioned."
EDIT: Citation link https://1password.community/discussion/129532/backup-1password-8-vaults#latest
That’s actually good news…but at least until recently their support people weren’t putting out that info anyplace that I know of. Assuming that the data there is encrypted and only decrypted in RAM…then TM or CCC and my other backup routines will solve the problem of backups. The other issues…subscription, Electron, no DropBox support are less critical…and as I stated in another reply 1PW is still better and more fully featured and user friendly than their competition.
I never used LastPass but have used 1Password for 15 years. If LastPass required their users to store their password data on LastPass servers that were breached, I’m glad I did NOT go to 1Password 8 since they seem to be setting themselves up to be hit like LastPass. I’m staying with 1Password 7 standalone and keeping my data on my own equipment.
I agree 100%
I am curious why everyone seems to be moving to 1Password. I too have been a longtime user of Lastpass, but I did a trial of 1Password and when I saw the cost for a family plan I balked. I’m now trying out Bitwarden, which seems to get high ratings for security, and I like that it’s open source. 1Password seems to be pricing their product higher than before, and it was off-putting to me given the circumstances of having to find an alternative to Lastpass. Has anyone else on this thread tried Bitwarden? I’d be interested in anyone’s experience with it. Thanks.
Rick, that is another reason why I’m not moving from 1Pwd7 to 1Pwd8: their greed! I crunched the numbers and discovered that you will pay MORE over the life of 1Pwd8 via subscription than you would just upgrading a standalone application every 2 - 3 years. IIRC, the subscription cost passed the standalone cost after around 20 months. And that was for just 1 person as I do not need anything else. I guess I’ll eventually have to go back using 3M’s password manager!
BitWarden for me. Can’t be beat for free or even the $10/yr that I pay.
I’ve been using 1Password since 2007, and removed all of my passwords and info from a Pages/Works doc. I’m not sure what the version was then. I have about 400 items in there now. Probably need to do some pruning. I’m not a fan of the passwords being in the cloud. I’ve been using Authy on my iPhone for a few years for a few sites. And, also I use Step Two on my Mac. Looking forward to Passkeys.
Apparently the exploit used to hack the LastPass developer’s laptop was a problem with Plex for which a patch had been released more than two years prior:
Backups are possible with BW but the big drawback of it for me is there are no file attachments…a lot of my PW manager entries have pdfs or images attached like the Driver License and Passport ones have images of the actual documents in addition to the numbers in the various fields. It’s also less elegant than 1PW…and if I didn’t need attachments I would seriously consider it. In addition, secure note entries have a fairly limited character count and no formatting is possible…which again is something I use for a lot of chronological documents that I prefer to have encrypted. I’ve also evaluated Enpass and in the absence of backup capabilities in 1PW v8 would switch to one of them when/if v7 quits working.
As it is though…there is a local copy of the vault on each device and if it turns out to be actually encrypted on disk (which I believe to be the case but haven’t verified yet)…then it does get backed up by TM and for those who want daily incremental backup copies similar to what v6 and v7 do then any of the various sync apps can easily do this for us. Not as elegant as a backup capability within the app…and I don’t understand why it’s not already included therein…but as a work around it’s probably acceptable.
Yep…me too…but if the data is actually encrypted and stored locally in the Library folder as indicated then that will get backed up by TM or CCC or whatever and one can easily schedule a CCC task to do the same daily backup that v6 and v7 do now…it will just happen outside their app. I’m not entirely sure why they don’t just include this capability in the app and have a note in with them to verify that the copy there is indeed encrypted and backup-able by whatever means one desires…will report back if/when I get an answer.
I used last pass premium for years, but got uneasy with the changes in ownership; I switched to 1password, originally v7 and jumped to v8 when it was available. Its been a smooth transition, and while I was hesitant to use it for the 2nd factor auth, it really is so smooth, that I switched from authy to letting 1password handle it (yeah I know its a compromise).
I havent had any issues with v8 being electron; I wouldnt have known if others hadnt kept pointing it out.
Ok, replying to myself since I said I would report back after discussions with the 1PW team.
There is sort of a way to do your own backups of 1PW data that is normally stored at 1password.com…and AFAIK this applies to both v7 and v8 with vaults that are stored there. Local vaults stored on DropBox or wherever continue to be backed up daily by v7 but are not allowed in v8. And their veil of corporate speak that is used to justify some of the lost features between v7 and v8 seems to be just that…doublespeak to justify their business decisions.
As you know 1pasword.com uses both a Master Password and a Secret Key, neither of which is ever sent to the cloud…all local data is encrypted on disk and only decrypted in RAM. Previously, 1PW said that the use of both of those was what required data to be stored online only and not locally…their tech admitted in our conversation that this was not the case. They claim that their dual encryption makes their product more secure than storing locally…but essentially they just use 2 passwords to increase entropy and there’s nothing different about the Secret Key than the name and the length. Arguably…this makes their system more secure at least theoretically from a math standpoint depending on the actual length of your DropBox (for instance) and Master Password and might provide greater entropy. However…this is only true from a theoretical math standpoint…from a practical standpoint if the combination of Master and DropBox provide say 1 million centuries to crack both then if their system provides 2 million centuries that’s insignificant. As a long time IT security guy…I understand that better can often be the enemy of good enough…and personally I don’t really depend on the second password at DropBox to provide additional entropy…yes, it could be cracked and my data stolen but I essentially assume that the encrypted vault blob at DB could be exfiltrated so it’s only the Master Password protecting my data…hence having a long and secure Master Password is valid.
I’ve considered all the ‘defects’ in v8…subscription only, no DropBox, Electron client, and no inherent backup and the only one that actually matters (at least to me) is the backup issue…the others are things I’m willing to live with because to date 1PW has been and remains the best password manager on the market.
So…according to their tech this is how things work.
Encrypted data is maintained on both their server and each of a user’s devices and is only decrypted in RAM. When a change is made in data anyplace…that change is encrypted on device using both the Master Password and Secret Key and then stored to disk. The encrypted blob is then synced to the cloud and thence to the other devices…but the actual encryption and original storage is done locally (this to means that their “it only works online”) is just corporate BS to enforce the use of a subscription…personally I think they could have enforced that and still allowed local/DB/iCloud storage but how they run their business for profit is up to them and I can see some advantages in doing what they’ve done even through I don’t agree with it).
On macOS…the encrypted data is stored locally at ~/Library/Group Containers/2BUA8C4S2C.com.1password/Library/Application Support/1Password/Data…and as such is backed up by Time Machine if one has it running. Since the location is known…it would be trivial to make a backup copy of this folder using CarbonCopyCloner or any of a dozen other backup/sync apps to make backups to a location of the user’s choice including DB or iCloud or wherever…thus providing the organic backup and restore capabilities that any security professional would demand. I asked why…since this was obviously possible…the app didn’t include this and scheduling as a matter of duh, why not…and got no good answer except corporate doublespeak about how their redundant backups and data centers made such a thing unnecessary. I postulated a situation to them involving some bad guy getting into their system with some sort of ransomware that (a) encrypted their already encrypted servers holding them for ransom, which would obviously take the servers offline but in the process the now corrupted blob got synced to all user devices making users have no data. For whatever reason their servers remained offline for some time…and while they admitted that the TM or other backups that some savvy users made could be restored to the users device to get the user back in business…they didn’t have a good answer to the situation I offered except “trust us”.
Frankly…they probably do have sufficiently redundant and offline backups and replicated data that their servers going offline after such a corruption is extremely unlikely…but as a long time Windows sysadmin and IT security guy…being able to bootstrap myself independent of anything they’re doing seems prudent. They did also admit that if I restored that backup…only my Master Password would be required to decrypt the data and not the Secret Key…so it’s not clear how the Secret Key plays into the whole backup/thing…but if one restores the folder above to your macOS computer it then decrypts with your Master Password and you’re back in business. Sync with your other devices would have to wait until their servers were restored though…at which point their blob and your blob would sync and then sync via their server to your other devices.
So…at this point I’m happy that I can do my own backup and restore if it became necessary and while I prefer to keep my vaults on DB, I can live with using their server to sync instead. And…having surveyed the available alternatives to 1PW…even the I think cropped v8 compared to v7 is still better than any of the alternatives. It’s not cheaper than BitWarden and perhaps Enpass either…but neither of them is as fully featured and provides for as many categories of entry as 1PW does. In particular…1PW provides the ability to have Secure Documents and while some of the alternatives do this as well none that I’ve found allow formatting in those secure documents and none of them allow attachments to entries…for instance if you use 1PWs Passport or Driver License categories you put in all the numbers but can also attach a pdf or jpg of your actual passport/license as well.
From a March 11, 2023 article in the Wall Street Journal, another reason to keep using password managers:
I’m jumping in late here. As a PasswordWallet user I’m wondering if there are any advantages to switching to a subscription system like 1Password.
PasswordWallet seems to work ok. It synchs via DropBox though, and that doesn’t always happen automatically. So if there have been changes I sometimes have to force a synch on my current device to make sure I have the latest info.
How does 1Password do its synching?
As I understand, the Secret Key is stored locally and never changes after being created (or synced from another of the user’s devices). Since it is never stored on 1Password’s server, it couldn’t be corrupted in your ransomware senario.
Thus it’s already present (and intact) when you restore the vault so only the Master Password is needed to decrypt the vault.
I’m curious though:
(After all, you need to be able to recover if the Secret Key is corrupted by gamma rays or by any other means.)
It’s stored in the login and iCloud keychains.
PW is good for what it does…but it has some drawbacks. Used to use it myself and wife still does. Sync between devices doesn’t work transparently, the auto fill of web pages is cumbersome, it has limited storage capabilities if you want the pre formatted records for passports or whatever…and a big one is no secure notes which I use heavily. Also…it’s supported by Sanford but he’s essentially a one man shop, has largely moved on into other interests in his life, and has zero interest (I know because I asked him) in adding any of the additional capabilities or solving its issues.
So…for me…it’s just not good enough any more.
1PW OTOH…just works…sync via either DB or iCloud or their servers is automatic and much like macOS just works. And it has the additional features of a more modern app…and it isn’t supported by a one man disinterested shop.
That said…it still has its faults. The company sold a large chunk of itself to some VC people…they claim they’re still ‘in control’…but we know that VC people want ROI. Nothing wrong with that…but it’s obvious that the company’s intended market now is primarily the business market and a lot of the things people don’t like about the new v8 reflect that lower costs and increase revenue and hence profits mindset. However…for most serious geeks…the lack of local backup and restore capability is the biggest deal with v8…the rest of the complaints are annoyances. And with their recent disclosure of where the local copy exists and knowing that it can be backed up and restored eases a lot of concerns.
And all that said…1PW is still far and away the best app in its category despite the drawbacks in v8…I’ve done a bunch of testing of the alternatives and either they have the same issues with backup and restore or they lack critical features that serious IT security geeks want. So…for now, I’m staying with the previous v7 which avoids the v8 issues…and if it ever breaks then I will likely upgrade to v8 unless one of its competitors seriously upgrades their product. I’m actually pretty sure that their redundant data centers and backups and Secret Key and all is actually well thought out and implemented…but as a long time IT security guy…the ability to backup and recover from my end alone is a critical, non negotiable requirement. My password manager is the singularly most vital app and contains my most valuable (to me) data…and the ability to recover it in a worst case scenario with zero help from the company or internet is critical…it’s right up there with being faithful to my spouse and your word is your bond and a deal is a deal to me.
Other people have different opinions…but you asked. I don’t like the subscription option…but have had one for several years despite my primary 1PW vaults being on DB…their server copy which I manually update is part of my backup strategy. The non native macOS client I don’t like but that’s a quibble. The other v8 issues are also quibbles except for the backup and restore thing…and we now know how to handle that.
The Secret Key is essentially just a second password that is used to…for lack of a more sophisticated explanation…double encrypt your data. Nothing wrong with that…but they state that it is so much better than your Master Password and (for instance) your DropBox or iCloud password.
Because of its length…then mathematically they are correct in saying it is more secure, unless your Master or DropBox passwords are of equivalent length…but as a practical matter it isn’t really more secure. The difference between 10,000 centuries to crack and 100,000 centuries is irrelevant since these days the only factor in passwords that matters is length.
The Secret Key is originally calculated when one establishes your subscription account…and I have no idea where it is calculated (their end or yours) but they say they Never know it so I assume on your end….but as I said it’s just a second password which increases the overall entropy and makes the cracking time longer…but once it gets to 10 million trillion centuries (or whatever the number Steve Gibson’s haystacks page calculates…making it 100 million trillion centuries simply doesn’t matter…for the vast majority of us with secure long master passwords th bad guys will simply move on because the cost to crack isn’t worth what they might get out of it.
@PW’s security is just fine…they just add a bunch of marketingspeak to claim how they’re so much better…but while they aren’t lying they are splitting hairs and using technically correct but irrelevant mathematical data to claim they’re ‘better’.
Thanks for all the extra detail!
One reason I’ve stuck with PW is I tried another one once (can’t remember which, maybe Last Password?) and the problem was the cumbersomeness of getting it to work with some sites, especially Japanese sites.
PW on the other hand “just words” all the time.
As we both noted, syncing between devices leaves some to be desired. I usually have to force a sync on the new device. But after that it’s fine.
When you mention secure notes, the entire wallet is secure. So isn’t that enough?
Another reason I’ve stuck with PW is that none of the other ones, including 1 Password, have a feature to import from PW!
Yes… but the Secure Note in 1PW is essentially an RTF file that’s encrypted…for instance one of mine has all the design details and related info about our home network in a formatted text document…this is something that PW won’t do. But the note has details in it that need encrypting so Apple Notes isn’t adequate for that even with their encryption. PW does have a notes field in each record…but it’s limited in size and isn’t formattable for ease of use.
Join the discussion in the TidBITS Discourse forum