Deputy editor at Ars Technica Nate Anderson was curious if he could learn to crack passwords in a day. Although there’s definitely a difference between advanced and beginner crackers, openly available software and resources make it easy to get started and do some damage.
After my day-long experiment, I remain unsettled. Password cracking is simply too easy, the tools too sophisticated, the CPUs and GPUs too powerful for me to believe that my own basic attempts at beefing up my passwords are a long-term solution. I’ve resisted password managers in the past over concerns about storing data in the cloud or about the hassle of syncing with other computers or about accessing passwords from a mobile device or because dropping $50 bucks never felt quite worth it—hacks only happen to other people, right?
But until other forms of authentication take root, the humble password will form a primary defense of our personal information. The time has come for me to find a better solution to generating, storing, and handling them.
I use 1Password.
Using a service like 1Password is a terrible idea. They could insert backdoors to it and you won’t know (it’s proprietary software)
If you want real security, either remember all the password you have (and never have just one, by the way), or write them down on a piece of paper you can hide very well somewhere. Don’t trust anyone.
I can’t even believe that they are touting cloud save as a feature by the way. Just promoting that shows that they are willing to grossly breach the security of your passwords. I can’t believe those pricks are making money from this thing. Don’t pay 1Password, Nathan.
[Disclosure: I work for AgileBits, the makers of 1Password]
Y.A., you are correct that we can’t absolutely prove that there is no backdoor. As you point out, we are not open-source, and unless you inspect and compile the code yourself, you can never be sure. But there are plenty of good reasons (even if not absolute proof) that we are good guys. I’d also like to point out that we are not a “service”. You purchase the software from us as a one time purchase, and none of your data or your usage is ever known to us.
Before I get into that, there is also the question of the alternative you recommend. Password reuse is an enormous problem. You might have a great password, but if some site that you use it on doesn’t handle it well (for example doesn’t even encrypt it) then attackers will be able to try that password on all of your sites. That does happen. If you only have a small number of sites and services that you need passwords for, then writing them down on paper is fine. But it is hard to resist the temptation to start reusing passwords for multiple services.
Reasons to have confidence that there is no back door:
1. About 10 people have read access to the source (along with the occasional outsider). That’s a lot of potential whistleblowers. Some of us have a long history of promoting individual privacy and security.
2. We have been extremely open about our security design and our data format. We publish great detail about how we do stuff. See
http://blog.agilebits.com/2013/03/06/you-have-secrets-we-dont-why-our-data-format-is-public/
3. It would be bad business to have a backdoor. Credit card details sell for about 1 USD apiece (if buying in bulk) on the black market. Stolen passwords, even for high value sites, go for about 2 USD. Stealing your data would put us out of business, so even if we were evil, it wouldn’t be in our financial interest to steal your data. (No, I haven’t carefully worked through the math on that one.)
4. We are a Canadian company, but given the way we work we can “relocate” relatively easily. We’ve never had any government pressure on us (of course, you just have to take my word for that). We twice have had law enforcement people write in about 1Password data they couldn’t decrypt. We gave them exactly the same information we have to anyone who has forgotten their Master Password: There is nothing we can do to help you unlock it.
None of those reasons offer proof that there is no back door, and your decision about whether to trust us (both our competence and our intentions) is something that you have to make yourself. I think that what may be underlying your concern, putting all of your very valuable eggs in one basket, is a very legitimate concern. It’s not something to do lightly.
In a later post, you say that our recommendation of Dropbox and iCloud for syncing data undermines our credibility. We do encourage people to synchronize their 1Password data across computers and devices that way. It makes things really easy. But we don’t compel people to. You can opt not to synchronize at all or to synchronize through a somewhat less automated process.
But this also misses a larger point. We know that some people will have their computers and devices stolen, and so we have designed the 1Password data format with that in mind. If it’s unsafe to keep some data in the cloud, then it is unsafe to keep it on your own computer. Nonetheless, we have learned that, rightly or wrongly, some people will not trust anything to the cloud no matter how well encrypted. And so it is possible for those people to synchronize their 1Password data without the use of a third party service.
Anyway, this has gotten far longer than I originally intended. Again, your security choices are your own, but I hope that I’ve added some additional perspective.
-j
--
Jeffrey Goldberg
Chief Defender Against the Dark Arts @ AgileBits
http://agilebits.com
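The argument above (a vault that is safe on your own disk is equally safe synced through a third party, because only ciphertext leaves the device and the key exists only as a function of the Master Password) is illustrated here with added example code; it is not 1Password's format or AgileBits' code. It derives a key with PBKDF2 and uses an HMAC-SHA256 counter-mode keystream as a stand-in for a real cipher so it runs on the standard library alone; iteration count, layout and sample entry are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed parameter for illustration only; real products tune this to hardware.
ITERATIONS = 100_000


def derive_key(master_password: str, salt: bytes) -> bytes:
    """Stretch the Master Password into 64 bytes: 32 for the keystream key,
    32 for the integrity MAC key (encrypt-then-MAC)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS, dklen=64)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, standing in for AES-CTR (illustration only)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def lock_vault(master_password: str, plaintext: bytes) -> bytes:
    """Produce the blob that would sit on disk or be synced: salt, nonce,
    ciphertext, tag. Nothing in it is usable without the Master Password."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    key = derive_key(master_password, salt)
    enc_key, mac_key = key[:32], key[32:]
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def unlock_vault(master_password: str, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the Master Password is wrong or the
    blob was tampered with; both cases fail the constant-time MAC check, which
    is also the only answer the vendor could give a third party holding the blob."""
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    key = derive_key(master_password, salt)
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))


if __name__ == "__main__":
    entry = b"constructed vault entry: example.com / hunter2"  # constructed sample
    blob = lock_vault("correct horse battery", entry)
    print("synced blob leaks secret:", b"hunter2" in blob)  # False
    print("wrong password unlocks:", unlock_vault("guess", blob) is not None)  # False
```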
I’m a 1Password user myself. Thanks for the reasoned and honest response.
I always use LastPass. They only allow one person to have access to your passwords: you. From their website: “No one at LastPass can ever access your sensitive data” https://lastpass.com/whylastpass_technology.php
What do you think of this product? http://www.yubico.com/applications/password-management/consumer/lastpass/
I’ve been using KeePass for years. It’s Open Source and has packages available for every major OS (including Android, iPhone, and Blackberry). You have to take care of syncing data yourself, though.