Revised update:
I’ve had conversations with AgileBits via their support forum, and there’s been some back and forth, so let me revise my update and consolidate what I’ve learned.
- For existing users on OSX and iOS, local vaults and local sync remain in place. AgileBits states it has no plans to remove them, but will not commit to that functionality long term.
- For users on Windows and Android, local vaults and local sync are not available.
- New users must buy a subscription to 1Password.com, which forces them to create a web vault, master passphrase and so on. Once signed up, OSX and iOS users can jump through some hoops and convert to a local vault. This results in challenges, accidental use of the incorrect vault, and is generally a pain – it’s well hidden, by design.
- As The Register put it, “1Password won’t axe private vaults. It’ll choke ’em to death instead.” That pretty well sums it up.
I understand that the company needs a more sustainable revenue model, and a subscription option is the way to go. Adobe and Microsoft are right there too. But the insistence on linking subscription to cloud vaults just makes no sense. We in the security industry are often painted as acting as if we are ‘smarter than the users’, and this is a prime example of it. While cloud vaults may make sense for the majority of users, it is by no means appropriate for everyone.
Our job as security professionals is not to say yes or no to a solution, it’s to present options, risks, and yes, recommendations, but then let each user make their own decision. Once they decide, then we tell them how to be safe given their own constraints and preferences. We do not own the risk, users do.
Until and unless AgileBits allows users to download the software, purchase a subscription, and use local vaults and local syncing without any cloud involvement, across all four major platforms, I can no longer recommend 1Password for new users. Again, let me be clear – I’m happy to move to a subscription model, but artificially linking that to a cloud service is an unacceptable downgrade in the security of the solution.
I welcome suggestions in the comments for alternative products that provide this important capability.
Original post follows:
Go to any talk or read almost any blog post on ‘keeping safe online’ and you’ll see a recommendation to use a password manager. They mitigate the impact of any individual site being breached and substantially upgrade defenses against password guessing. But they also consolidate all your passwords into a single place, which raises risk in a different way. When using one, you’re betting that the tradeoff is worth it (and it generally is). Security is all about making those tradeoffs – there’s no one-size-fits-all solution for any security risk.
Which brings me to AgileBits, 1Password and the tradeoff they’ve decided to make for us. 1Password has long been a favorite of security professionals because of its reliable functionality, ease of use, solid crypto, and comprehensive set of features that address many different threat models. Now one of those key features is on the chopping block – as part of their move to a subscription model, they’re also forcing folks to their cloud service, and they will make no statements of continued support for local syncing. For anyone who manages risk for a living, it means we have to assume that it will die from neglect and start looking for alternatives.
Unfortunately, they are providing overly simplistic responses when objections are raised, and like many things in security, the nuances are important, so let me try to clear up a few things.
First, they’ve chosen to confuse two completely separate issues – the move to a subscription model (a business decision) and the move to a cloud-only syncing solution (a technical decision). They need not be linked. Adobe and Microsoft have both shown that a company can successfully move to a subscription model for locally installed software – neither requires the use of their cloud service. And while Apple is intentionally making it more and more difficult to stay local, even there you still can. So let’s set aside subscriptions as irrelevant to the discussion.
The design of the new cloud based system appears robust, and they’ve had audits done on the code and service. Good so far. Then they state “We are advocating memberships since we feel it’s the best way to use 1Password.” Fair enough, and for a class of users, probably the majority, the threat model tilts towards convenience being a key feature. I know folks like that myself, and recommend that they use Dropbox or 1Password’s cloud service – but also tell them to use two factor everywhere they can, and be prepared to go change every single password if there’s a breach (more on that in a moment). For them, the tradeoff is worth it because the alternative is to not use a password vault at all.
But that statement is based on an overly simplistic view of the user base and its threat models. The truth is far more nuanced, and for a substantial minority of users it’s not a good option. These include folks who are prohibited by corporate policy from using non-contracted third-party cloud services (extremely widespread), and individuals willing to put up with the minor hassle of local syncing to reduce their risk. Having all the vaults in a single place makes them a tempting target for attack, breach and disclosure. Unfortunately, AgileBits asserts in forum posts that compromised vaults are “useless” to an attacker. That’s grossly oversimplified, and I quickly came up with three ways they aren’t useless:
- First, they are immediately useful as a business-level attack against Agilebits, as losing the vaults would be a material event to the company, undermining trust even if not compromised. If public trust is lost, and Agilebits goes out of business, or if a substantial portion of users leave for a less secure (or no) solution, then that’s a net gain for the bad guys.
- Second, for users who’ve chosen a weak master passphrase, stolen vaults have real utility for offline decryption attacks driven by lists of common passwords. Granted, the computational defenses (key stretching) AgileBits has put in place make each guess more expensive, but attacks only get better with time. Most likely, especially if vaults are linked to specific individuals, is a targeted attack that guesses a weak passphrase from social media and other research.
- Last, for those with robust passphrases (which I suspect is a minority of users), stolen vaults are likely safe until and unless a defect in the implementation of the crypto is discovered. While the math may be secure (a whole separate topic), that crypto is implemented by humans writing code. As with any and every software package*, there are defects in the code. Some of those may impact security. Full Stop. So all an attacker has to do is sit and wait – and if/when a vulnerability is found in the code that reduces the attack complexity, every vault and every password is at risk. The chance of that is non-zero, but it’d be a black swan, and there’s no real way to quantify those.
The fact that AgileBits cannot decrypt vaults, and never touches master passphrases, is irrelevant to these particular threats. They generally respond to questions about code risks with a whitepaper about crypto risks. Even with auditing, implementation defects remain the major concern in the last bullet, not a fundamental break in the underlying crypto (e.g. quantum cryptanalysis). If that happens, we have far more issues than our password vaults.
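As an added illustration of the second bullet above (example code written for this page, not 1Password’s vault format or AgileBits’ code): a toy vault that stretches the master passphrase with PBKDF2-HMAC-SHA256 and stores a salt, the iteration count and a key verifier. That is exactly the material an attacker holding a stolen vault gets to work on offline, with no rate limiting and no one watching. The wordlist, the “facts” used for the targeted attack and the iteration count are all constructed for the example; the salt and verifier are generated inline.

```python
"""Offline guessing against a stolen password-manager vault (constructed example).

Models the defender side (salt + key stretching + a key verifier) and the
attacker side (common-password list and targeted guessing). This is a
generic model written for illustration, not 1Password's real format.
"""
import hashlib
import hmac
import os
import time
from typing import Iterable, Optional, Tuple

DEFAULT_ITERATIONS = 100_000            # work factor; a constructed value
VERIFIER_LABEL = b"vault-key-verifier"  # domain separation for the verifier MAC


def derive_key(passphrase: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master passphrase into a 256-bit vault key."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               iterations, dklen=32)


def make_vault(passphrase: str, iterations: int = DEFAULT_ITERATIONS) -> dict:
    """Everything a stolen vault hands the attacker: salt, iterations, verifier.

    The verifier lets a client confirm a passphrase without decrypting data;
    it is also exactly the oracle an offline guesser needs.
    """
    salt = os.urandom(16)
    key = derive_key(passphrase, salt, iterations)
    verifier = hmac.new(key, VERIFIER_LABEL, hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def check_passphrase(vault: dict, guess: str) -> bool:
    """One guess: re-derive the key and compare the verifier in constant time."""
    key = derive_key(guess, vault["salt"], vault["iterations"])
    candidate = hmac.new(key, VERIFIER_LABEL, hashlib.sha256).digest()
    return hmac.compare_digest(candidate, vault["verifier"])


def guess_offline(vault: dict, candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Try candidates in order; return (recovered passphrase or None, guesses made)."""
    tried = 0
    for guess in candidates:
        tried += 1
        if check_passphrase(vault, guess):
            return guess, tried
    return None, tried


def targeted_candidates(facts: Iterable[str], years: Iterable[int]) -> Iterable[str]:
    """Candidates built from facts dug up about the target (pet, kid, team, ...)."""
    years = list(years)
    for word in facts:
        for year in years:
            yield f"{word}{year}"
            yield f"{word.capitalize()}{year}"
            yield f"{word}{year}!"
            yield f"{word.capitalize()}{year}!"


def guesses_per_second(iterations: int, samples: int = 5) -> float:
    """Measure this machine's single-core guess rate at a given work factor."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"sample-{i}", salt, iterations)
    return samples / (time.perf_counter() - start)


# Constructed list of common passwords for the example (not a real leak).
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "dragon",
                    "letmein123", "iloveyou", "monkey"]

if __name__ == "__main__":
    weak = make_vault("letmein123")
    print("weak:     %r after %d guesses" % guess_offline(weak, COMMON_PASSWORDS))

    personal = make_vault("Fluffy2014!")
    targeted = targeted_candidates(["fluffy", "doug"], range(2010, 2018))
    print("targeted: %r after %d guesses" % guess_offline(personal, targeted))

    strong = make_vault("no-wordlist-has-this-7Qx")
    print("strong:   %r after %d guesses" % guess_offline(strong, COMMON_PASSWORDS))

    rate = guesses_per_second(DEFAULT_ITERATIONS)
    print(f"~{rate:.1f} guesses/s at {DEFAULT_ITERATIONS} iterations on one core; "
          f"a 10-million-entry list takes ~{10_000_000 / rate / 3600:.0f} h")
```

The stretching buys time per guess, not safety: a faster guesser (GPU, or a future speedup in the primitive) is equivalent to lowering the iteration count, which is what “attacks only get better with time” means in practice. Nothing in this model protects a passphrase that appears in a small targeted list, and the strong passphrase survives only because no list contains it.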
A breach of a password vault is catastrophic. And that’s why security professionals keep them local – a diffuse target is a harder target to economically exploit. If someone wants to go after an individual, an attacker is going to use a keylogger, at which point a password vault doesn’t help and cloud/local makes no difference. But concentrating all the vaults in a single place makes an attack worthwhile.
Agilebits may be making a business decision – that the cost of maintaining local sync isn’t worth keeping those users. That’s their call, but I wonder how many people use 1Password because it was endorsed by security professionals who do so because it does cover multiple threat models. That’s a lot of high-quality free advertising that may be lost.
I wish they would acknowledge that there are diverse use cases and stop painting users with a blunt brush (apologies for the mixed metaphor). For some users, ease of use is a security feature as the alternative is no vault at all. But for others, the tradeoff just isn’t worth it (or even possible under company policy).
If they want to end support for perpetual licenses, fine, I’ll step up day one and sign up for a subscription license. It’s easily worth a few bucks a month to my family. But they really need to stop with the weasel words, admit that there are multiple threat models in play, that cloud only answers one of them, and commit to local syncing long term regardless of the licensing model.
*Footnote: Yes, it’s theoretically possible to formally analyze a set of code and determine that it is complete and correct, but in practice that’s never done. EAL 7 rarely exists in the real world, and never does in consumer-grade products as the cost of validation for each and every configuration of hardware and software is far beyond any reasonable investment.
Ines says
Spot on Doug. Very well written. You’ve managed to capture the issue very clearly.
So who do you recommend now if not 1Password (and I’m quite peeved with them)?
https://discussions.agilebits.com/discussion/81287/installation-without-sync-possible-or-disable-sync
Ines
Doug says
Hi Ines,
At this point I’m evaluating options, including a deeper dive into 1Password’s cryptography. So far, there’s no good alternative solution with robust crypto that’s totally offline, yet syncs between devices. I’m hoping that they get the signup process out of the browser and into the application where it belongs.
Robert Razavi says
I use LastPass, and after reading your post, I got worried about how my data is handled between my device and the Cloud (I remember I had looked into this when choosing the product, but that was a few years ago – before I started paying attention to security due to my job – and things can change quickly).
Turns out, good news, LastPass does not have access to my data. They exclusively encrypt and decrypt on the local device and just send the encrypted “vault” over the Internet. So if they get hacked, or a man-in-the-middle attack is successful, the thieves get nothing of much use.