This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

Security: 1PasswordAnywhere

revs
revs Junior Member
A quick couple of questions regarding 1PasswordAnywhere -



I was wondering how secure it was compared to the main 1Password Application?

i.e. if it's on my Flash Drive and I lose it, how worried should I be?

If it's using the same security as the main 1Password application and is super-duper-secure then I won't worry! :)



Also - while I'm asking - how about the bookmarklet? I'm pretty sure I read that wasn't as secure? What is the security risk with it?



Thanks again!

Comments

  • jpgoldberg
    jpgoldberg Agile Customer Care
    Hi revs!



    You ask a couple of great questions.



    [quote name='revs' timestamp='1289381282' post='14837']

    A quick couple of questions regarding 1PasswordAnywhere -



    I was wondering how secure it was compared to the main 1Password Application?

    i.e. if it's on my Flash Drive and I lose it, how worried should I be?

    If it's using the same security as the main 1Password application and is super-duper-secure then I won't worry! :)[/quote]



    1PasswordAnywhere uses the very same data file that 1Password itself uses, and so it has the same super-duper security. You have nothing to worry about.



    [quote]

    Also - while I'm asking - how about the bookmarklet? I'm pretty sure I read that wasn't as secure? What is the security risk with it?[/quote]



    We generally recommend that the bookmarklet be used for less secure items. Your bookmarklet data is also secured with AES-128 (which is what is used for the data in the application itself), but there are two things that make the bookmarklet not quite up to the standards of the other stuff.



    The first is that given that it lives in the browser bookmarks, it is far more accessible to the bad guys. Browser security issues could lead to websites grabbing the (encrypted) data along with all of your other bookmarks.



    The second reason is that although the encryption algorithm is the same as we use elsewhere, the mechanism for getting from your password to the data is different. Your regular 1Password data uses PBKDF2 to get from your master password to your actual decryption key. PBKDF2 means that the processing of your master password is made to be slow. The extra fraction of a second isn't noticeable to a human because you enter your master password just a few times. But it makes it very hard for someone to set up an automated password guessing program (cracker) to try to decrypt your 1Password data. The Login with 1Password bookmarklet does not use PBKDF2, and so it is more feasible for someone to throw a password guessing program at it. So if you do use the bookmarklet for high security items, you should use a very strong access code for it.



    We like to say that your data are protected with the strength of your master password. That is an oversimplification. With PBKDF2, your data are protected [i]more strongly[/i] than your master password! But in the case of the bookmarklet, the strength of your access code really is the strength of the protection.



    You can read about PBKDF2 here: http://en.wikipedia.org/wiki/PBKDF2



    Cheers,



    -j
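The PBKDF2 point above (a slow, salted derivation makes every password guess expensive, while a direct hash gives you only the password's own strength) can be shown with the standard library. The following is an added example, not code from the thread or from 1Password: it derives a 128-bit key both ways and reports the deterministic work per guess and a measured slowdown factor. The iteration count, demo password and fixed salt are constructed values for illustration; real software uses a random per-file salt and tunes the iteration count for its hardware.

```python
import hashlib
import time

# Constructed demo parameters (not the product's real values).
DEMO_ITERATIONS = 25_000          # assumed work factor for the demonstration
KEY_LEN = 16                      # 128-bit key, matching the AES-128 mentioned in the post
DEMO_SALT = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # fixed only for reproducibility
DEMO_PASSWORD = b"correct horse battery staple"


def derive_key_pbkdf2(password: bytes, salt: bytes,
                      iterations: int = DEMO_ITERATIONS, key_len: int = KEY_LEN) -> bytes:
    """Slow, salted derivation: each candidate password costs `iterations` HMAC-SHA256 calls.

    The salt also means a precomputed table for one user is useless against another.
    """
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=key_len)


def derive_key_fast(password: bytes, key_len: int = KEY_LEN) -> bytes:
    """Single unsalted hash: the bookmarklet-style case where the access code's
    strength is the whole story, because checking a guess costs one hash."""
    return hashlib.sha256(password).digest()[:key_len]


def guess_cost_in_hashes(iterations: int, guesses: int) -> int:
    """Deterministic view of the work factor: total hash computations an attacker
    must perform to test `guesses` candidates against a PBKDF2-protected key."""
    return iterations * guesses


def _min_seconds(fn, samples: int = 5) -> float:
    """Best-of-N wall-clock time for one derivation (min is robust to scheduler noise)."""
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        fn()
        best = min(best, time.perf_counter() - start)
    return best


def slowdown_factor(iterations: int = DEMO_ITERATIONS) -> float:
    """How many times longer one PBKDF2 derivation takes than one plain hash.

    This ratio is roughly the factor by which an automated guessing program
    is slowed down for the same password strength.
    """
    slow = _min_seconds(lambda: derive_key_pbkdf2(DEMO_PASSWORD, DEMO_SALT, iterations))
    fast = _min_seconds(lambda: derive_key_fast(DEMO_PASSWORD))
    return slow / max(fast, 1e-9)


if __name__ == "__main__":
    key = derive_key_pbkdf2(DEMO_PASSWORD, DEMO_SALT)
    print("PBKDF2 key (hex):", key.hex())
    print("hashes needed to test 1,000,000 guesses:",
          guess_cost_in_hashes(DEMO_ITERATIONS, 1_000_000))
    print(f"PBKDF2 is ~{slowdown_factor():.0f}x slower per guess than a single SHA-256")
```

Raising the iteration count raises both numbers linearly: the user pays the cost once per unlock, the guesser pays it once per candidate, which is exactly the asymmetry the post describes. The known-answer check in the test (password "password", salt "salt", one iteration) is the standard PBKDF2-HMAC-SHA256 test vector.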
  • revs
    revs Junior Member
    Superb reply, thanks for taking the time to add all the technical details!
  • jpgoldberg
    jpgoldberg Agile Customer Care
    [quote name='revs' timestamp='1289483470' post='14909']

    Superb reply, thanks for taking the time to add all the technical details!

    [/quote]



    You are very welcome, revs. We are proud of the underlying, behind the scenes, security design of 1Password; and so we are especially happy when given the opportunity to show it off a bit.



    If you would like even more detail, please also take a look at http://help.agile.ws/1Password3/agile_keychain_design.html and http://help.agile.ws/1Password3/cloud_storage_security.html



    Cheers,



    -j
  • 1PW anywhere is a useful feature but having used it for the first time I wonder just how secure it is.



    Whilst opening the keychain file in a browser - Safari in my case - requires the master password, once this is done and the page displayed, won't a copy remain in the browser cache? I took the precaution of flushing the cache once I had finished, but it still left me with an uneasy feeling that this could prove a security hole.



    Anybody else feel the same, or is there some mechanism that flushes the cache automatically when quitting 1PW?
  • khad
    khad Social Choreographer
    Welcome to the forums, Tacitus99!



    Thanks for raising this question. It is great that you are thinking about these things. I'll leave it to Jeff to explain in more detail, but your encrypted data is not stored on disk unencrypted at any point when using 1PasswordAnywhere. For all intents and purposes it is exactly as secure as using the main 1Password application.



    That being said, please be aware of keyloggers and even clipboard managers that can and will capture your passwords if they are copied to the clipboard. We recommend using 1PasswordAnywhere only on trusted systems and copying smaller bits of your password out of order. Of course, some advanced keyloggers will also take screenshots.



    Be careful out there. :-)
  • [quote name='khad' timestamp='1296791449' post='20027']

    That being said, please be aware of keyloggers and even clipboard managers that can and will capture your passwords if they are copied to the clipboard. We recommend using 1PasswordAnywhere only on trusted systems and copying smaller bits of your password out of order. Of course, some advanced keyloggers will also take screenshots.

    Be careful out there. :-)

    [/quote]

    Thanks for the reply, Khad. Whilst 1PW anywhere is useful, it's something I would use only when really needed. In this case it was to sign in to a forum using a Mac in one of the University labs. Given that Comp Sci students really, really like to show how they can beat the man, it's not something I would make a habit of and would certainly never use for financial matters :D



    Is it possible to delete all items that are non-critical and then rename the keychain to (say) 1PWReduced.agilekeychain to avoid confusion? I could then create a travelling keychain for use [u]if necessary[/u] whilst away from home.
  • jpgoldberg
    jpgoldberg Agile Customer Care
    Hi Tacitus,



    First thanks for the great question. We do take steps to minimize the amount of time that any sensitive data is kept in memory. As you rightly observe, this is harder to manage using JavaScript in 1PasswordAnywhere than it is within other components that provide more explicit control over memory management. The information would never make it to a browser cache, but it can remain in memory longer than we would ideally like.



    [quote name='Tacitus99' timestamp='1296835525' post='20051']

    Whilst 1PW anywhere is useful, it's something I would use only when really needed. In this case it was to sign in to a forum using a Mac in one of the University labs.[/quote]



    As always individuals need to make their own choices based on their own preferences, priorities, and risk assessment.



    I presume you already do this, but when you do use 1PasswordAnywhere in those situations, you should turn on the private browsing mode of your web-browser. In Safari and Firefox that is called "Private Browsing"; in Chrome it is called "Incognito." When using a shared computer, this is something I would recommend. (When these things were first introduced, people would refer to it as "porn mode". But porn mode isn't just for porn any more!) Also, of course, quit the browser when you are done.



    [quote]

    Given that Comp Sci students really, really like to show how they can beat the man, it's not something I would make a habit of and would certainly never use for financial matters :D

    [/quote]



    Indeed, telling these people that something is well secured isn't seen as a deterrent to attempting to break it, but instead it is seen as an invitation. We design 1Password with these people in mind. We don't want to just protect your data against a casual intruder, but we want to keep your data safe from a skilled, resourceful attacker. This isn't an easy task we've set for ourselves. We are continually looking for the weakest points and working to harden them. As it happens, we have recently been alerted to something very similar to issues that you raise about 1PasswordAnywhere, and are exploring exactly how we can reduce the amount of time sensitive information is stored in computer memory.



    [quote]

    Is it possible to delete all items that are non-critical and then rename the keychain to (say) 1PWReduced.agilekeychain to avoid confusion? I could then create a travelling keychain for use [u]if necessary[/u] whilst away from home.

    [/quote]



    That is a very interesting idea. At the moment 1Password doesn't have a built-in way of handling multiple keychains, but you could export the data you are interested in to a 1pif (1Password Interchange File) and then start with a new data file (hold down the Option key when you launch 1Password) and then import that data into your new data file. You can then rename the data file as needed (but keep the extension .agilekeychain).



    Because the 1pif file contains your data unencrypted, be sure to securely delete it after importing from it.



    Again, thanks for raising this issue here. It does give me the opportunity to talk a bit more publicly about things that we've been looking at internally and how we try to keep up with and stay ahead of security threats.



    Cheers,



    -j
  • Tacitus99
    edited February 2011
    Hi Jeff:



    Thanks for the lengthy reply.



    [quote name='jpgoldberg' timestamp='1296848051' post='20056']

    I presume you already do this, but when you do use 1PasswordAnywhere in those situations, you should turn on the private browsing mode of your web-browser. In Safari and Firefox.....

    [/quote]

    Yes I do turn on private browsing - I also flush the cache prior to closing the browser.



    [quote name='jpgoldberg' timestamp='1296848051' post='20056']

    Indeed, telling these people that something is well secured isn't seen as a deterrent to attempting to break it, but instead it is seen as an invitation. We design 1Password with these people in mind.....

    [/quote]

    Good to know. :)



    [quote name='jpgoldberg' timestamp='1296848051' post='20056']

    That is a very interesting idea. At the moment 1Password doesn't have a built-in way of handling multiple keychains, but you could export the data you are interested in to a 1pif (1Password Interchange File) and then start with a new data file....

    [/quote]

    Thanks for the tip. My idea was to carry a limited keychain for use with 1PW Anywhere if the need ever arose. Normally if I had my laptop with me I would use the full application and log in via the University WiFi network. One advantage of Dropbox sync is that it uses port 443, which will go through the Uni firewall - useful for swapping files between laptop and home.



    [quote name='jpgoldberg' timestamp='1296848051' post='20056']

    Again, thanks for raising this issue here. It does give me the opportunity to talk a bit more publicly about things that we've been looking at internally and how we try to keep up with and stay ahead of security threats.

    [/quote]

    It's good that you are prepared to engage with users. I'm a new user to 1PW and have found it to be the best password app I've used so far. :D



    Enjoy your weekend!
  • jpgoldberg
    jpgoldberg Agile Customer Care
    Hi, Tacitus. Sorry for not getting back to you sooner.



    [quote name='Tacitus99' timestamp='1296853260' post='20060']

    My idea was to carry a limited keychain for use with 1PW Anywhere if the need ever arose.[/quote]



    That is an interesting idea. It's yet another reason for us to get busy working on support for multiple data files.





    [quote]It's good that you are prepared to engage with users.[/quote]



    At the risk of sounding a bit saccharine, we love our users and we love discussing things with you.



    [quote]I'm a new user to 1PW and have found it to be the best password app I've used so far. :D[/quote]



    Thank you very much. Be sure to tell your friends! We don't advertise much and rely on customers like you to spread the word. So I'm going to take this opportunity to mention a few sites that allow comments on 1Password:



    [list]

    [*] MacUpdate: http://macupdate.com/info.php/id/21711

    [*] CNET: http://download.cnet.com/1Password/3000-18501_4-95581.html

    [*] I Use This (Mac): http://osx.iusethis.com/app/1password

    [/list]



    And of course tell your friends on Facebook, Twitter, and maybe even in face-to-face conversations.



    Let me welcome you again to the forums and to 1Password. We've got a great community here and I think you will enjoy it.



    Cheers,



    -j
  • kevinburke
    edited June 2011
    I set up a cronjob to rsync my 1password anywhere folder to a static folder on my website every night. That way I can get on 1password anywhere by visiting my website in a web browser. Is this in general an OK thing to do? Could someone gain access to my passwords (a) if they had root on my server or (b) by brute forcing the password? I don't really share the address with the public and it's not linked to anywhere on the Net. My master password is longer than 12 letters.
  • khad
    khad Social Choreographer
    edited June 2011
    Welcome to the forums, Kevin!



    Thanks for asking about this. I merged your post with what I think is the appropriate thread.



    The short answer is that 1PasswordAnywhere essentially [b]is[/b] your data file. All of the data 1PasswordAnywhere reads comes directly from your data file. For details about the security of your data file, please take a look at the aforelinked [url="http://help.agilebits.com/1Password3/agile_keychain_design.html"]Agile Keychain Design[/url] and [url="http://help.agilebits.com/1Password3/cloud_storage_security.html"]Cloud Storage Security[/url] documents. You might also want to glance at a related thread about [url="http://forum.agile.ws/index.php?/topic/3002-javascript-ok-for-cryptography/"]JavaScript and cryptography[/url].



    Please let me know if you have any additional questions or concerns!



    Cheers,