This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

Security: Has 1Password been publicly tested ?

Hi

I love your philosophy of combining security and usability. I think you have an excellent design, and your approach and implementation are thus far exceptional!

I am curious if 1Password has been tested in earnest, by something like distributed.net or other brute-force attacks, or from academic analysis and attack?

I haven't found anything on the net as yet...

Thanks,

Comments

  • khad
    khad Social Choreographer
    edited January 2012
    Thanks for the kind words and the great question, chaoskcw! It is great that you are thinking about these things.

    Two of the primary design goals for the Agile Keychain format (http://help.agilebits.com/1Password3/agile_keychain_design.html) were:

    1. It must not require a single line of encryption code to be written. Encryption code is tricky and is best left to experts.

    2. All encryption and key generation code must be well reviewed by the professional community. Having a large user base is critical to ensure the code is robust, well tested, and well supported by the community.

    To that end, when creating, reading, or manipulating the Agile Keychain, 1Password uses a combination of the OpenSSL library, CommonCrypto, or Windows cryptography libraries, depending on platform and version, for all of its encryption and key generation needs. These libraries are compliant with the FIPS 140-1 and FIPS 140-2 Federal Information Processing Standards.

    The core of the encryption is AES (Advanced Encryption Standard) using 128-bit encryption keys and performed in Cipher Block Chaining (CBC) mode along with a randomized Initialization Vector.

    In short, we have not sought certification for 1Password itself, as we make frequent updates to it which would all require recertification. 1Password performs no encryption itself but calls native OS X tools, which in turn are Apple's implementation of the Common Data Security Architecture.

    If we can be of further assistance, please let us know. We are always here to help!
  • Thanks for the reply, this is indeed useful.
  • khad
    khad Social Choreographer
    No problem. That is what I am here for. :D

    Cheers,