A few months ago, AgileBits, the makers of 1Password, made some changes to their licensing model, which created a lot of confusion and concern. I wrote about those here: https://douglhotka.com/2017/07/12/1password-and-the-loss-of-local-sync/ and took 1Password off my recommended list. Since then I’ve collected new information, and re-evaluated things. Short answer, it’s back on the list, with a caveat. Read on for details.
First, as I said back then, I’m not addressing the subscription licensing change. That’s the wave of the future, and we all need to get used to renting software. My employer is moving in that direction; Adobe and Microsoft are already there. While subscription licensing and cloud services need not be related, a company has to look at its customer base and make business decisions on where to invest limited resources – a small firm like AgileBits has to focus its spend. So let me walk through the current options in 1Password with my new information, my reflections, and their business drivers in mind.
Most Secure, Least Convenient, Limited Platforms
Local vaults, no cloud service, assuming the use of a strong passphrase. This keeps the encrypted vaults within our own control, at the price of dealing with local network connectivity issues, and simply remembering to do the sync in the first place. We also have to make sure we have a disaster recovery copy offline somewhere, only sync on secure networks, and so forth. Most secure, most control, pretty clunky to use. Only available on macOS and iOS.
I’ve used this since day one, and it is what caused the outcry earlier this year. The announcement made it pretty clear that local vaults are not a strategic future feature. As the Register noted, they aren’t killing them, just letting them die by neglect. New users on Mac and iOS can turn it back on, but it’s awkward, and requires first setting up a cloud vault.
Least Secure, More Convenient
Using a local vault with Dropbox syncing is the least secure option. The sole line of defense is the strength of the master passphrase, and improvements in cryptanalysis, bugs in the implementation, or social engineering attacks can put your entire vault at risk. While syncing is more convenient, the security tradeoffs have always been too great, and I’ve never recommended this. If Agile needs to eliminate one capability, this would be the one I’d pick... well, after the next one.
Just don’t.
Using an in-browser (non-plugin) web client is a risky proposition, and I don’t recommend it. The browser is the most compromised piece of code on your machine. I use a separate browser for critical stuff (banking/healthcare) than I do for general browsing, for example. In the case of accessing your passwords with a browser window, my recommendation is: just don’t – especially on a computer you don’t own and control. And absolutely never on a public computer. That’s like licking the seat in an outhouse.
Secure, Very Convenient – Secure Enough?
This is their new direction – storing vaults in the cloud, accessible by a local client or browser plugin. Frankly, it gave me the willies, and my immediate reaction to their announcement was “heck no”. I know how hard it is to get cloud services right, and it presents a much larger target than local vaults. Their competitors have had multiple breaches, and I expect Agile to have one at some point (to be clear: I expect every cloud service to have one at some point). For passwords, that’s catastrophic if the information can be decrypted.
On the flip side, for the vast majority of the user population, cloud storage, backup and sync is a huge usability factor – it removes a ton of friction to adoption, and for those folks, there’s no question that using 1Password in the cloud is more secure than not using it at all! Those of us willing to put up with the clunky local sync (either for personal or corporate reasons) are a tiny minority. Security is all about tradeoffs – for me, I picked security over usability. For others, it’s the reverse. But is 1Password’s cloud good enough even for us tinfoil aficionados?
I had some friends ask me that question (particularly with their kids), so I took a deep look at the white paper on the security architecture for 1Password’s cloud service (https://1password.com/files/1Password%20for%20Teams%20White%20Paper.pdf ) which goes into pretty gnarly detail. I’ve also had a good email exchange with a couple of folks at AgileBits, including their ‘Chief Defender of the Dark Arts’ (and thanks to them for taking the time).
The crypto design is pretty clever. In addition to a master passphrase, it adds a unique secret key that never leaves the device. That’s very different from the cloud-only/browser-only competition. Since that key is generated by 1Password, they can ensure that it’s robust enough to withstand attack (versus a human-generated master passphrase). I do wish they wouldn’t use the word ‘impossible’ in the white paper, though I agree that this design makes it extremely unlikely (absent major implementation defects or improvements in cryptanalysis) that a brute force or dictionary attack on cloud-stored data could succeed.
This does introduce a risk if a user loses the secret key. It’s critically important that it be kept safe and secure in case of a catastrophic loss of all devices. That’s manageable as it’s only needed when setting up a new device, and a safety deposit box is your friend.
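As an added illustration (not AgileBits’ code and not a transcription of the white paper), here is a simplified two-secret key derivation in Python: the vault key is the XOR of a PBKDF2-stretched passphrase and a key expanded from a device-held 128-bit secret key, so a guess at the passphrase alone cannot be checked against the stored data, and losing the secret key locks you out just as surely as losing the passphrase. The PBKDF2 iteration count, the HKDF-style expansion step and the stored key-check value are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Assumed parameters for this illustration (not 1Password's actual values).
PBKDF2_ITERATIONS = 100_000
KEY_LEN = 32  # bytes


def generate_secret_key() -> bytes:
    """128-bit secret key generated by the app, not by the human."""
    return secrets.token_bytes(16)


def expand_secret_key(secret_key: bytes, salt: bytes) -> bytes:
    """HKDF-style extract-then-expand of the secret key into a full-length key."""
    prk = hmac.new(salt, secret_key, hashlib.sha256).digest()          # extract
    return hmac.new(prk, b"vault-key\x01", hashlib.sha256).digest()    # expand


def derive_vault_key(passphrase: str, secret_key: bytes, salt: bytes) -> bytes:
    """Two-secret derivation: slow KDF over the passphrase XOR the expanded secret key."""
    pw_key = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS, KEY_LEN)
    sk_key = expand_secret_key(secret_key, salt)
    return bytes(a ^ b for a, b in zip(pw_key, sk_key))


def key_check_value(vault_key: bytes) -> bytes:
    """Value stored with the vault so a client can tell whether an unlock produced the right key."""
    return hmac.new(vault_key, b"key-check", hashlib.sha256).digest()


def can_unlock(passphrase: str, secret_key: bytes, salt: bytes, kcv: bytes) -> bool:
    """True only when both secrets are right; a single wrong input yields an unrelated key."""
    candidate = derive_vault_key(passphrase, secret_key, salt)
    return hmac.compare_digest(key_check_value(candidate), kcv)


if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    sk = generate_secret_key()
    passphrase = "funky shark tree airplane panda router"
    kcv = key_check_value(derive_vault_key(passphrase, sk, salt))
    print("correct passphrase + secret key:", can_unlock(passphrase, sk, salt, kcv))
    # Without the device-held secret key, even the correct passphrase verifies nothing.
    print("correct passphrase, no secret key:", can_unlock(passphrase, bytes(16), salt, kcv))
```

Because the stored check value depends on both secrets, an offline guess at the passphrase cannot be confirmed from the cloud-side data alone; the work factor against a stolen vault is dominated by the 128-bit secret key rather than by human memory.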
So in operation, using a client application (which talks to a browser plugin – not the in-browser option I mention above), that’s a pretty secure solution. And it’s probably secure enough, even for a tinfoil fedora guy like me. That is – once it’s set up.
Which brings us to my last real concern. Right now, the only way to create a new account and cloud vault is in-browser. That’s probably the dirtiest, least secure, least trusted piece of code on any machine. If you do the initial setup via a compromised browser, it’s game over. In fact, when I had dinner with my friends to do their initial setup for 1Password for Families, I first did a machine scan using Malwarebytes and found three different adware packages on their Mac (yep, Macs get malware).
I’ve reached out to Agile. They understand the concern, and have expressed an interest/desire to move the signup process out of the browser, but it may be a while before that happens. In the meantime, there’s a workaround, which is to do the setup from a known-clean/safe/secure system. At a minimum, make sure you do a malware scan prior to signing up. For my friends, I created a new OS X virtual machine using VMware Fusion, and did the setup inside it.
So where does this leave us? Right off, there are no good local-sync alternatives out there (I looked). Given that, I’d much rather use theirs than any alternative (including iCloud Keychain, LastPass, KeePassX, and all the rest). Since I fully expect that local sync will go away at some point, I’ll make my family happy and make a slight tradeoff in security for vastly improved usability. I’m going to sign up for the service and have put 1Password back on my recommended list, with a few points to note:
- Choose a robust passphrase that you use nowhere else. Longer is better – 20 characters or more. Using ‘funky shark tree airplane panda router’ is much better than fstapr (the old guidance to use the first letters of each word in a sentence).
- I’m not a fan of unlocking my vault with TouchID, and recommend against using FaceID. I like using different mechanisms as layered security.
- Make VERY sure the machine and browser are clean prior to signing up for the service, using travel mode, or other direct-on-the-web functions. A fresh/clean virtual machine is an excellent option.
- Store the secret key in a secure, offsite location (or locations). Note that your own vault is not an option!
Thanks again to AgileBits’ staff for their help and openness.