Password Protection



Click here for your link to Password Protector 1Password

Online security is not something that should ever be taken lightly. We live in a new world of ‘drop your email address in here’ and ‘quick pay’ where bank details are typed in on your screen then shot somewhere else in the world to someone you’ve never met to process.

While there are companies out there specializing in security online, you have to do your bit to make sure that everything on your end is as secure as possible. That’s why I bought and recommend 1Password.

1Password enables me to keep any details I need inside it while needing just one password to access them all! Trying to remember 20 different passwords and account names is just not practical from a memory standpoint, with productivity and security issues to boot.

I’ve found 1Password to be easy to set up, reasonably priced and I can’t even explain how much it’s improved my productivity. Too many times I’ve clicked on that ‘forgot your password’ text and needed another one sent. 1Password has made sure that never happens again.

So visit 1Password and secure your accounts now.


9 thoughts on “Password Protection”

  1. It’s the same as in EVE Online. You cannot trust anyone. It’s not about whether you trust someone or not, but about how big the risk is and whether you are willing to take it.

  2. Thanks for the post, Paul, and thanks for using 1Password! :)

    Ryan, while our Agile Keychain Design document doesn’t directly address the question of whether or not there is a backdoor in 1Password, it does show that we are as open as possible about our data formats, which are fully available for inspection:

    http://help.agile.ws/1Password/agile_keychain_design.html

    However, that is only part of an answer. There are, in fact, two parts to the question. One is about a backdoor which someone at Agile would maliciously put in the code, the other is about a third party supplying you with a modified version of 1Password. For the latter, we use Apple’s codesigning system as well as have our updater verify each download against a digital signature. I can give you more detail about those if you wish, but I suspect that you are more interested to know that we are not the bad guys ourselves.

    The simple truth is that you can never be absolutely certain that there is no backdoor. There isn’t one, but if we would do something so evil as to put in a backdoor, we certainly would be willing to lie about it. So you can’t simply take our word for it. Nonetheless, there are things that I can point to which are strong indicators that there is no backdoor. I know that we at Agile are all good people, but simply stating that does not prove it. Therefore, let me point to reasons that go beyond reliance on our virtue.

    It would be incredibly foolish of us from a business perspective to put in a backdoor. The trust that we have from our customers is our livelihood. There are very sophisticated security researchers out there scrutinizing 1Password for security flaws. If they were to discover a backdoor, our reputation and business would come to an end. Consider the effort that has gone into developing 1Password over the years. Our business is about providing a quality product and support. If we were seeking credit card numbers and online banking credentials, we would be conducting our business differently. These are some great reasons to avoid low-cost password managers from fly-by-night companies who don’t offer a lot of detail about their formats and methods.

    We have never had any government pressure to put in a backdoor. We are a Canadian company, and we have an international staff. If one government were to try to pressure us, we could easily relocate the business to another jurisdiction.

    Lots of people within AgileBits have access to the source code which means that if one of us tried to put in a backdoor, others would spot it. So it would not be possible for just one or two people colluding to do it. At the same time, only a few people have the ability to sign the code that gets distributed, so all changes do get reviewed.

    We can’t be as fully open as an open source project, but within the constraints of our business we try to be as open as possible. With our browser extensions, where more code is written in JavaScript, that source is available for inspection (although parts of it are obfuscated).

    For network operations, you can monitor all network traffic coming from 1Password and its components. You will only find three cases where 1Password opens a network connection.

    1. For WiFi syncing (if you use it) 1Password for Mac will pick up host information over Bonjour and then open up a connection on the local network to 1Password on an iPhone, iPad, or iPod Touch but only when you have set things up for Wi-Fi syncing.

    2. Our updater will check for new updates, fetch them, and verify their signature. You can disable this if you wish (Preferences > Updates > Automatically check for updates).

    3. Thumbnail previews are retrieved when you create a new Login. 1Password will attempt to create a preview of that page (with no form filling). This can also be disabled (Preferences > Logins > Login Previews).

    All of the encryption and security protocols we use are from well known and well reviewed libraries. This means that it would be harder for us to conceal a backdoor as we just aren’t in a position to make subtle changes to the actual encryption algorithms and protocols. Our practice of not “rolling our own” encryption implementation is also an overall security advantage.

    I hope that this goes some way to reassuring you. As I said, we know we are honest, and we want you to know that too. Caution and skepticism are healthy habits, though, especially when it comes to security.

    Rene, your 1Password master password is extremely important. Although we take steps to thwart automated password crackers you should still use a strong, memorable master password. Password cracking tools are becoming more powerful every year, and too much is at stake in your 1Password data. Given the strength of the encryption we use, your master password is likely to be the weakest link in your 1Password security. Don’t be too scared of that. Given how strong everything else is, it would be practically impossible to use and remember a master password that is actually stronger than 1Password’s encryption. :)

    We have a great blog post on creating better master passwords. It’s easier than you might imagine and almost certainly not what you think.

    http://blog.agilebits.com/2011/06/21/toward-better-master-passwords/

    For example, would you believe that “correct horse battery staple” is actually a stronger password than “Tr0ub4dor&3”? You can read more about the math behind it all here:

    http://blog.agilebits.com/2011/08/10/better-master-passwords-the-geek-edition/

    Please let me know if you would like any clarification of any of these points or if there is anything else I can help with. We always love talking about security and are glad when others do too!

    Cheers,


    Khad Young
    Forum Choreographer, AgileBits
    http://agilebits.com/support

      • Carlos, you are quite true on that. Basically, there are many hacking methods. Having a strong password just extends the duration of a brute force technique, which does not technically stop the phishing technique or keylogger technique that you had just mentioned. Those two require the application side (which means the host side) to take certain precautions to prevent this. For instance, implementing PKI authentication to fight against phishing or using an out-of-band communication technique to fight keyloggers. However, at the user side alone, these techniques are not possible because only the host can determine. As a result, the best and only way for an end user to secure his identity is to have a strong password. Unless the host gave the second factor option but the user chooses not to use

  3. You are correct, if someone found out that password they could access your others. However, the program isn’t stored online; it’s stored on your personal computer, so they would also need to be in possession of that. You can also change your main password whenever you like, daily if you choose to for extra security, whereas changing all 20 or 30 or more passwords would be a real hassle. I’ve had great success with it and increased my productivity and speed as a result, so I definitely recommend storing your passwords together where possible and for me, 1Password does this wonderfully.

  4. This sounds really great but what if someone were to find out that one password then they have access to anything and everything you have online right? Or is this one of those things where you have to log on to this site in order to navigate to other sites? Either way if someone got a hold of your password that would end all the security you have. I think more research is needed here.

  5. After having your identity stolen once before you become very leery of doing any type of business on the computer that makes you vulnerable and to me this is one of those things. You have done a great job with your post but before I would trust this I would have to do some more research to see exactly how it works, granted your video helped but I am still not sold.

    • These days, nothing can be called SAFE! Everything can be hacked and stolen. So to be on the safe side so that passwords aren’t cracked or found, use some numbers or signs in your password and never keep dictionary words as your passwords.

    • Selecting a strong password is really important, especially if you’re putting a business online or indulging in activities that involve critical information. In my own opinion though, the problem is not with the weak password. It’s the lack of knowledge of the stuff that actually hacks your password, like phishing links. This is the most common reason for accounts getting hacked. It does make sense because there’s no way that a hacker can guess your password because it’s weak or something like that. If you’re doing business at home then you’re the only one who gets access to your computer, so there’s really no way that your account is going to get hacked even if you have a weak password unless you got into phishing links or online keyloggers. Besides, if you happen to get caught by this type of stuff, then it doesn’t matter how strong your password is. It will still be recorded and your account gets hacked.
