It has come to my attention that people are Wrong On The Internet about password managers. This matters, because almost everybody should be using one. Herewith background, opinions, and a description of my own setup, which is reasonably secure.

What is a password manager? · It’s a piece of software that does the following (although not all of them do all of these):

  1. Store your passwords in a safe way, protected by at least a password, which we call the “master password”.

  2. Make new passwords for you. Here’s an example of a generated password: QzbaLX}wA8Ad8awk. You’re not expected to remember these.

  3. Make it easy to use passwords. One way is to copy one out of the manager and paste it into a password field. Another is to use a browser plugin that auto-fills login forms. On certain combinations of app and mobile device, you can use your fingerprint to open the password manager, which makes everything way faster and easier.

  4. Store other stuff too. I keep various Important Numbers and AWS credentials and recovery phrases and so on in there.

  5. Synchronize between devices. I have two computers and one phone and I need access to my passwords on all of them.

There’s more, but those are the essentials. The effect is that you end up using a different password for every site and app, that they’re all strong, and that you don’t have to remember very much.

My own manager, which I’ve been running for years now, contains 504 items, and I use it a few times a day, every day. Granted, many of the 504 are for sites and apps that no longer exist (like the dead people I can’t bear to erase from my contacts).

How they work · It’s pretty straightforward conceptually. They have a little database with all the stuff in it, and it’s all encrypted using your master password. So even if someone steals the database, you’re probably OK because modern crypto makes it really hard to crack the code.

Where it gets interesting is how these things synchronize between devices, and how they use the network.

Basically, it comes down to this: Can you get access to your passwords over the Web? Lots of password managers allow this, but some don’t. For example, I use the 1Password app, which has no website whatsoever, and has a variety of ways of syncing (iCloud, Dropbox, WiFi, local folder), none of which involve talking to a website with a browser. [There are lots of other password managers, which I’m not going to write about because I don’t use them.]

What’s wrong with a Web site? · The problem is that the site has my encrypted data, and at some point, wants me to type in the password. Thus, in principle, they can peek and see my passwords. And hand them over to the NSA. Or to the criminal gang that abducted the CEO’s children. This makes me unhappy.

In principle, this could be OK. What with modern JavaScript, it’d be perfectly practicable to do all the crypto inside my browser, never send the password (or anything unencrypted) over the wire, and have me sleep soundly at night. Furthermore, since JavaScript is by definition open-source, I could in principle look at the code and satisfy myself that it’s wholesome.

In practice, nope. The JavaScript platform is dynamic to the core and horrifyingly complex even before they start loading massive modern application frameworks on it; any teeny little bug or zero-day exploit at any level of the stack and I’m cooked. Also, the NSA or a crook only has to make the slightest little mod to the code, and take it away a few milliseconds later, and the horse would (silently) be out of the barn.

In the 1Password app’s sync model, however, one assumes they use the pretty-secure HTTPS-based APIs for each of these products, machine to machine, no JavaScript in the loop.

Why we’re talking about this · Because AgileBits, the company behind 1Password, is trying to get people to move over to a Web-based thing; that’s what you find when you go to 1password.com.

There’s a decent summary at cyberscoop and a longer, more personal narrative from Kenn White.

I, like many security-conscious people, am just not gonna use anything where the same party, who’s not me, gets to see my stored data and my password. Sorry. But I love the 1Password apps and I’d really like to go on using them. More on that later.

Let’s get serious · Am I claiming that my app-only approach is 100% safe? No, because security just isn’t binary, ever. Let’s see:

  1. The bad guys could slip a sedative into my coffee at a coffee shop and install a keylogger on my computer, or

  2. install a camera anywhere I work and focus it on my hands, or

  3. phish me with a super-clever website or poisoned USB key, and get the keylogger in that way, or

  4. point a gun at me and ask me to unlock all my devices (then probably pull the trigger), or

  5. send a National Security Letter to AgileBits and force them to put backdoor code in a future 1Password app release that sends the goodies to the enemies.

And anyhow I’m obviously a lame-ass hypocrite because I use the 1Password Chrome plugin to fill in forms for me, and this means I type the master password into a browser. Having said that, I verified that it works when I have the networks turned off, and at the end of the day, the plug-in is no more nor less secure than the app I use all the time.

Is your setup perfect? · Well, I only remember four passwords: for my personal computer, for my work computer, for my AWS account, and the 1Password master. And the AWS password is just an accident of history; I only need 3.

Obviously I change them regularly and use password-less ssh access wherever I can, and lots of places I go have two-factor, via SMS or hardware token (Gemalto, Yubikey) or the Android Authenticator app.

So, on balance I feel pretty secure. One downside is when I’m setting up a new computer or phone. The process of typing in long generated passwords on a mobile “keyboard” is so impractical as to be hilarious.

In effect, my security is about as good as my mobile device’s. Actually a bit better, because the 1Password app needs one more fingerprint-or-password.

You sync through Dropbox, are you crazy?! · After all, Condi Rice is a board member, which has to worry you. But let’s assume the worst: that Dropbox turns turtle for the Feds, or gets totally pwned by bad guys. So, congrats, they have my encrypted password file. It’s not impossible that they might crack it. But it’d probably be easier and cheaper for them to slip a sedative in my coffee, or… (see above).

Why is AgileBits doing this? · For the same reason that Adobe has been pressuring its customers, for years now, to start subscribing to its products, rather than buying each successive version of each app. A subscription business is much nicer to operate than one where you have to go out and re-convince people to re-buy your software.

I understand, and I support AgileBits wanting to become a subscription biz. But I still want to keep my data and password away from their servers. This all seems fine to me. I pay my monthly rent to Adobe and it’s for Lightroom & Photoshop, not for their unexciting server-side offerings.

So AgileBits, why not? Please go ahead and start asking for subscriptions. But don’t ask paranoid people like me to go anywhere near 1Password.com.

AgileBits has addressed the situation in Why We Love 1Password Memberships, but it’s really unsatisfying, totally ignoring the security concerns. And (I guess I shouldn’t be surprised) failing to acknowledge the business advantages for them in making this move.

Am I wrong? · Maybe there’s something I and the others who are all upset about the 1Password move are missing; maybe it’s all just OK and there’s really no significant loss of security. In which case, AgileBits really needs to explain why.



Contributions


From: Jason Heiss (Jul 20 2017, at 12:11)

100% agree. I would happily pay AgileBits a few USD a month for a subscription if they asked. I think that paying a single up-front fee for software gets the incentives all wrong and would encourage anyone selling software to sell it on a subscription model.


From: Anthony Williams (Jul 20 2017, at 12:12)

I agree that web interfaces, and anything where someone has both your private data and your password (at least for the instant when you send it to them through the browser) is a concern. That's why I don't store my private key in keybase.

I used to use LastPass, which has a web interface, but accessing the web interface from a mobile device is a pain, and I started to feel disturbed about them having my passwords.

Now I use Password Store on my Android devices, and QtPass on my desktop machines. They are all essentially the same app, just customized for the platform. They use GPG to encrypt each password separately, so in theory you can use different identities for separate passwords, and a git repo to store them, so you can see your old passwords too. It's not quite as easy to pass round a git repo as a binary file, but it's easy enough to host on your own web space.

Plus, the whole chain is open source, so you can audit it yourself, and create your own build if you like.


From: Aaron Parecki (Jul 20 2017, at 12:21)

I'm with you in that running this stuff in a browser makes me uneasy, although between https and actually trusting Agile Bits, I've launched the 1password web app on a couple of occasions. The vast majority of my use of 1password is their desktop and iOS apps.

The security of their ecosystem is written up in a PDF whitepaper, which is a good read: https://1password.com/teams/white-paper/

tl;dr your master password is never sent to Agile Bits, and they have no way of decrypting the data on their servers.


From: Doug K (Jul 20 2017, at 12:22)

true confessions: I have never yet used a password manager.

This is mostly because I don't trust websites to secure my passwords. Password Safe is what I have been planning to try, for some years now. For the moment I remember about a dozen long passwords which are written down along with the rest of them, on a couple of pieces of paper in approximately safe locations. That also has all the lies I tell in answer to 'security' questions.

I am probably living in a fool's paradise imagining this is secure. As John Gierach says, just don't tell the fool, might as well let him be happy.


From: Sean Bamforth (Jul 20 2017, at 12:49)

I'm generally OK with subscriptions, but the size of the 1Password team so depressed me (I mean, what do all those people actually do?) that it put me off the product.

I can't help but feel that it doesn't take 80 people to manage my passwords, and any company this size is doomed to either fall to its competition, or suffer in some other way that's going to increase the attack surface of my password file.

I'm back with lastpass now, and I'm not 100% happy about that, but the user interface is better and as a company they don't *feel* as mismanaged.

All of which is an extra demonstration of the weird decisions that go into safeguarding this most precious resource.


From: COD (Jul 20 2017, at 12:59)

I use KeePassX for the same reason. Keeps my passwords secure, and I can sync across Mac, Linux, and Android.


From: Miike (Jul 20 2017, at 13:04)

I acknowledge the greater security risks and also want to mention how this shift also provides certain features that would otherwise be very cumbersome.

I use the 1Password for Families product, which wouldn't be straightforward without some kind of cloud-based sync hosted by AgileBits. For the unfamiliar, 1P for Families is basically a 5-user version of AgileBits' 1P for Teams product.

This has let me onboard my dad, who accepted the value props of better passwords AND easier sharing between us. Previously, we'd have to exchange them over phone/email/SMS/WhatsApp, which often resulted in using the same password for many services for simplicity.

I suppose having a shared vault on Dropbox is theoretically possible, but it is far from smooth to set up and opens up the possibility of sync collisions, which is worse.


From: SteveB (Jul 20 2017, at 13:54)

I notice a lot of complaints about password managers in browsers and storing your credential bank in the cloud...

Rightfully so.

At Bluink, our Bluink Key solution stores all your passwords, OTP seeds, and FIDO U2F private keys on your phone in an AES 256 bit encrypted container... Never in a browser or cloud service. You can keep a personal backup wherever you want.

With our Bluink Key USB device, we connect your phone to your machine, and "inject" passwords directly for you. As well as OTP codes for Google Auth. and FIDO U2F.

For personal use, the app is free (iOS and Android), and you can buy the Bluink Key on Amazon or our Bluink.ca site.

Why not try the future of security today?


From: Greg Lloyd (Jul 20 2017, at 14:26)

I'm also a long time 1Password fan. One app + subscription issue: What if you choose not to renew (or 1Password goes away)? I'd accept a policy that says that a subscription app goes read-only (except for master password/admin changes) if the license lapses for any reason.


From: Tyler Kellogg (Jul 20 2017, at 15:00)

Regarding #5 (National Security Letters):

AgileBits is Canadian; are they subject to National Security Letters? I don't believe Canada makes use of this but I am keen to be proven wrong.


From: Evert (Jul 20 2017, at 15:21)

I recently switched to enPass. It's pretty good, and could maybe even be called a 1Password clone.

The reason I switched from 1Password was not because of the subscription service (I was grandfathered into their existing plan), but superior Linux support.

All their desktop applications are free, the mobile apps are cheap and you can use Dropbox to sync.


From: Steve Feinstein (Jul 20 2017, at 15:43)

The assertion that the password is sent to the website for the decryption of your password is not true for the case of the LastPass manager.

LastPass uses javascript on the local browser client after retrieving the encrypted blob from the internet server.

Login is handled by a challenge response scheme where the actual password isn't sent to the server, but the server asks the client to prove who it is by encrypting some data with the password/key and sending that to the server, where it can use the public key to prove that you know the password. Again the password never goes over the wire.


From: Guy Middleton (Jul 20 2017, at 16:30)

I too am a longtime 1Password user, and also unhappy about the move to software subscriptions in general.

We all understand that software companies want a recurring revenue stream, but there are better ways to do it.

I like the approach Picturecode takes for their raw-file converter -- you purchase the software, and can optionally pay a yearly subscription fee for updates.

The new Jetbrains subscription model also works fairly well. After subscribing 12 months, you have a perpetual licence, so effectively the purchase price is the one-year subscription cost.


From: John Cowan (Jul 20 2017, at 18:18)

I keep my passwords and other magic numbers in a plain-text file on a server belonging to a friend I trust, since it's not practical for me to have my own server. When I want something, I ssh to that server. I'm considering moving the data to an encrypted file on AWS.


From: Pat (Jul 20 2017, at 21:06)

The real question, to my mind, is why AgileBits hasn't charged for upgrades. They themselves make the point you do -- that it's hard to convince people to pay for upgrades -- but they haven't even tried.

In 6 major versions, going back more than a decade, only once did they ever charge for an upgrade (3 to 4). The other four upgrades were completely free.

Why not at least try charging a nominal fee, before completely changing both their architecture and business model?


From: gms (Jul 20 2017, at 23:25)

Keepass + Dropbox on all devices


From: Mike MacLeod (Jul 21 2017, at 00:06)

It's important to note that even cloud based password managers are still superior to not using a password manager at all.

And these days, the lines separating 1Password and LastPass are pretty faint, not just because 1Password wants to go subscription but also because LastPass now has native apps for mobile (iOS and Android) and Windows.

When I was in the market for a password manager I actually needed desktop linux support, and 1Password didn't offer that. A browser based password manager will run on any platform that can run a browser, which can be a significant advantage.


From: Pete Forman (Jul 21 2017, at 12:49)

I do the same as COD and gms: KeePass, which works on all my OSs and mobile devices, and cloud (Google Drive at the moment) to sync the encrypted password database.

The main reason I chose KeePass was its availability across all my device platforms. A nice feature is that when you copy to clipboard the contents are purged after a few seconds.


From: Mike Rodriquez (Jul 21 2017, at 16:22)

I switched from 1pass to KeePass a few years back, and after this little episode am not planning on making any changes.


From: Jon H (Jul 21 2017, at 19:47)

How do you go about syncing two PCs and a smartphone with 1Password? The wifi sync is designed for just a single PC to smartphone sync. I've been managing to use a hack where I sync the phone to one PC at a time, but this is not perfect. It takes forever to transfer the data if I switch from syncing on one PC to another on my phone. So long that my phone could interrupt the process by falling asleep. It also clearly loses certain folder data, perhaps because the folders are missing entirely from the smartphone app.


From: ludovic (Jul 22 2017, at 13:05)

I also had some hesitation going with the 1Password hosted/subscription model. I have no problem with the subscription bit, but I do with the hosted bit.

Then I figured that:

1) Part of the "hosting" is really replacing Dropbox syncing with AgileBits syncing. I trust AgileBits more than Dropbox, so that part was easy.

2) AgileBits never has your unencrypted data or master password. As you said, it all happens in the browser using Javascript. So at that point it's a matter of how much you trust the Javascript code vs. how much you trust, say, the Objective-C code running in your 1Password app, and, as you mentioned, the Javascript that's running anyway in your browser to auto-fill forms and auto-open websites.

Of course, the answer is that Javascript in the browser is a lot less trustworthy, but if you don't trust it, just don't go to 1password.com and it will never run. At which point, what you're paying for is effectively just a replacement for Dropbox.


From: ard (Jul 22 2017, at 22:06)

As said, I don't like the web for my password manager.

I do use a rather unknown PW manager, for about 10 yrs now, and feel confident with it. I normally do a copy-paste to put a PW in forms. I update monthly on 2 USB sticks and use that to synchronize my PW manager on my other computers.

I have a question: would keyloggers be able to get your PW if you only copy-paste it? Or will a keylogger only see Ctrl+C and Ctrl+V?

Anybody have a clue?

thanks


From: Tim (but not THE Tim) (Jul 23 2017, at 23:55)

I use Norton Security on my Windows machines at home, and it has worked for me, however their Identity Safe password manager became problematic because they want to store the vault on their site so I can sync among devices - but I don't want to do that.


From: Jont (Jul 24 2017, at 09:27)

To answer some user above: KeePass automatically deletes the copied pwd from memory after x seconds.

I used LastPass but this software had so many dangerous bugs. Went to KeePass with a copy in a zero-knowledge cloud (tresorit.com), very happy.


From: Michael Rourke (Jul 27 2017, at 03:09)

AgileBits could move to a subscription model without moving password storage to the cloud - at least on iOS. So I'm not sure that is the full story.

I totally agree you shouldn't need to store your data on a server run by your password storage service provider. However if you are absolutely sure your key never leaves your device or desktop you could say it doesn't really matter - but this depends on your level of trust with the implementation of the password storage service.

My view is keep it simple. Browser integration has had problems in the past too. Classic convenience/security tradeoff.


July 16, 2017


I am an employee of Amazon.com, but the opinions expressed here are my own, and no other party necessarily agrees with them.

A full disclosure of my professional interests is on the author page.