This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

1Password v. Excel encryption

Hello. I'm new to Agile and 1Password. I apologize if this is the wrong place to post but I am currently demo'ing the program before purchasing and would like to know the answer to a basic question: aside from the many nice features available in 1Password, is the security any better than an encrypted Microsoft Excel spreadsheet? I ask because my thought was to simply save all of my usernames and passwords in an Excel spreadsheet, encrypt this file when saving it using the built-in encryption (AES 128??), and then sync the file on my Dropbox account. How does this differ from 1Password strictly in terms of the security? I appreciate your honest feedback. Thank you.

Comments

  • khad
    khad Social Choreographer
    edited 2012 12
    Welcome to the forums, Swankadelic! Thanks for asking about this. It is great that you are thinking about these things.



    Offhand, I don't know enough about how Excel's encryption has evolved over time. I only know that it used to be very trivial to crack a password-protected Microsoft Office file. I would hope this has improved, but I'd have to do some digging. What I [i]can[/i] tell you about is how 1Password protects your data.



    One of the main differences between 1Password and other solutions is that at any given moment, only a single piece of data is decrypted. With other solutions such as an encrypted document, if you have opened the file, all of your data is decrypted at once. This provides a much larger vector of attack to an opportunistic ne'er-do-well.



    1Password presents itself to the user as either “locked” or “unlocked.” The impression someone might get from this is that when 1Password is unlocked, all of the information is suddenly decrypted. This, however, is not how 1Password really works. A system like that would suffer from having far too much of your sensitive information decrypted in computer memory or, worse, written to disk. 1Password gets around this problem by [b]only decrypting the particular item you need at any given time[/b] and then forgetting that information when it is no longer needed. So instead of thinking of an unlocked state as a vault with all of your information being open, it is better to think of things differently.



    Imagine, instead of a vault that is locked or unlocked, a room full of locked boxes. Each box requires a key to open it, the same key. When you have entered your master password, that key is available although all of the boxes still remain locked. At various times 1Password will select a box and unlock that particular one. When it is done with the contents of that box, it will lock it again.



    You can read more about this in our "[url="http://help.agilebits.com/1Password3/cloud_storage_security.html"]Security of storing 1Password data in the cloud[/url]" document.



    Another advantage to using 1Password is its integration with browsers via extensions. Encryption is not the only thing that makes 1Password secure.



    1Password offers what an Excel spreadsheet cannot: A great management application on your desktop that also provides [b]true browser integration[/b]. Many applications provide safe storage areas for your data, which is great, but sometimes you want to actually use that data. What happens when you want to use that data when you need it most, in your web browser? Many apps require you to take care of them by manually adding your data to them and manually copying the data to your browser. Not only is this manual work inconvenient, but as soon as “copy and paste” are mentioned, you become vulnerable to keyloggers and phishing attacks. Other tools, which do work in browser, may limit your management of your data to tools within web browsers. 1Password gives you both full browser integration and a powerful and easy-to-use application for managing your data.



    1Password does things differently. It works for you. You can save Logins automatically, fill login forms, and even generate strong passwords, all from within the browser. Since this is all done for you, you are protected from keyloggers and other malware, as well as phishing scams.



    Of course, none of this would matter if your data was not protected with strong encryption. When creating, reading, or manipulating the Agile Keychain, 1Password uses a combination of the [url="http://www.openssl.org/"]OpenSSL library[/url], [url="http://opensource.apple.com/source/CommonCrypto/"]CommonCrypto[/url], or Windows cryptography libraries depending on platform and version for all of its encryption and key generation needs. These libraries are compliant with the [url="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2006.htm"]FIPS 140-1 and FIPS 140-2[/url] Federal Information Processing Standards.



    The core of the encryption is AES (Advanced Encryption Standard) using 128-bit encryption keys and performed in Cipher Block Chaining (CBC) mode along with a randomized Initialization Vector.



    According to the [url="http://www.nist.gov/public_affairs/releases/g01-111.cfm#AES"]National Institute of Standards and Technology[/url]:



    [quote]

    What is the chance that someone could use the “DES Cracker”-like hardware to crack an AES key?



    In the late 1990s, specialized “DES Cracker” machines were built that could recover a DES key after a few hours. In other words, by trying possible key values, the hardware could determine which key was used to encrypt a message.



    Assuming that one could build a machine that could recover a DES key in a second (i.e., try 2[sup]55[/sup] keys per second), it would take that machine approximately 149 thousand billion (149 trillion) years to crack a 128-bit AES key. To put that into perspective, the universe is believed to be fewer than 15 billion years old.

    [/quote]



    You can read more about this in our "[url="http://help.agilebits.com/1Password3/agile_keychain_design.html"]Agile Keychain Design[/url]" document.



    I hope that helps a bit. If you have any further questions or concerns please let me know. :)



    Cheers,
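
The "room full of locked boxes" model and the AES-128-CBC with randomized IV described in the post above, as an added example that is not part of khad's post or AgileBits' code: each item is sealed on its own under one key, and only the requested item is ever decrypted. The function names, the sample secrets and the random demo key are assumptions; how 1Password derives the key from the master password is not described on this page and is not modelled here.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sealItem locks one "box": AES-128-CBC under a fresh random IV, returned as IV || ciphertext.
func sealItem(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // a 16-byte key selects AES-128
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS#7 padding length
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

// openItem unlocks a single box; no other box is read. CBC alone adds no integrity check.
func openItem(key, box []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(box) < 2*aes.BlockSize || len(box)%aes.BlockSize != 0 {
		return nil, errors.New("bad key or malformed box")
	}
	pt := make([]byte, len(box)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, box[:aes.BlockSize]).CryptBlocks(pt, box[aes.BlockSize:])
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > aes.BlockSize || !bytes.HasSuffix(pt, bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-pad], nil
}

func main() {
	key := make([]byte, 16) // constructed demo key (assumption), same key for every box
	rand.Read(key)
	bank, _ := sealItem(key, []byte("constructed-bank-password"))
	mail, _ := sealItem(key, []byte("constructed-mail-password"))
	pt, _ := openItem(key, mail) // only this one box is decrypted
	fmt.Printf("mail -> %s; bank stays encrypted (%d bytes)\n", pt, len(bank))
}
```

Sealing the same plaintext twice gives different bytes because of the random IV, so identical passwords in two items are not visible from the stored data.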