Is password manager 1Password treating its customers unfairly? Are autonomous cars driving us around the bend? And what is this Net Neutrality thing anyway?
All this and more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Michael Hucks of PC Pitstop.
Show notes:
Please check out the show notes for this episode of the podcast on the Smashing Security webpage.
Smashing Security #033: '1Password, net neutrality, and spatchcock chicken'
Listen on Apple Podcasts | Spotify | Pocket Casts | Other... | RSS
More episodes...
Hosts:
Graham Cluley – @gcluley
Carole Theriault – @caroletheriault
Guest:
Michael Hucks
Thanks to our sponsor:
This episode of Smashing Security is made possible by the generous support of Recorded Future – the real-time threat intelligence company whose patented machine learning technology continuously analyzes technical, open, and dark web sources to give organizations unmatched insight into emerging threats.
Sign up for free daily threat intelligence updates at recordedfuture.com/intel
Thanks to Recorded Future for their support.
Follow the show:
Follow the show on Twitter at @SmashinSecurity, or visit our website for more episodes.
Remember: Subscribe on iTunes or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Local Vaults have been removed from the Windows product which is now subscription only.
For an accurate summary:
http://www.androidpolice.com/2017/07/12/1change-manydeceits-1password-betrayed-users-disappointed-security-experts-moving-license-local-storage-monthly-cloud-subscription/
It's such a shame that 1Password haven't been honest with people.
They have a history of deceit; the Cloudflare leak being the most recent when they pretended no 1Password data had been leaked.
Google engineers called 1Password liars and published some of the leaked data. 1Password changed their tune and said it 'wasn't a security risk'.
With the exception of Windows,
"In short, you can still use your EXISTING private local vault with 1Password. If you're new to 1Password, get in the cloud with everyone else."
And on cloud security,
"The downside to the subscription scheme is that you're trusting 1Password.com with all your passwords. Although they are stored encrypted on its servers, they are accessed through your web browser, so anyone who manages to hack into the service could – potentially, worst-case scenario – screw around with the JavaScript code that's served to browsers to subvert the encryption and decryption process and thus break into a lot of people's vaults."
https://www.theregister.co.uk/2017/07/13/1password_not_killing_onprem_storage/
You can access the encrypted password vault stored on 1Password.com via the client app. No need to use the web interface if you're worried about Javascript webcrypto jiggerypokery.
Yes the client app is nicely designed (and doesn't rely on Javascript) but it still relies upon TLS to transmit your master password.
Because they don't use effective certificate pinning a rogue attacker could get a fake certificate. It raises the bar but such attacks have been demonstrated in practice by non-nation states.
They DO transmit your master password to the server – that's what authorises you to download the encrypted password database. I know in your video you suggested they didn't but (I think) what you meant was they don't transmit the second password using SRP – they call it an Account Key.
1Password 4 for Windows still supports local vaults I believe for those who want to carry on working that way.
But I do wonder how the average person would keep their passwords in sync without using one of the cloud options. (Yes, I know about wi-fi sync – which I *guess* 1Password 4 supports – but I suspect that may be beyond the typical user)
I'm more worried about people not using a ruddy password manager at all, than their issues with 1Password.
I believe you cannot purchase 1Password 4 any more, so that's out of the question for new users.
I don't think it's the cloud storage which has people up in arms; it's 1Password's reluctance to admit they've effectively shuttered the ability to use local vaults in Windows and they're making it MUCH more difficult for Mac users.
They've not been truthful with people – they want people to have a "conversation" (aka 'sales talk) via email before you find out that you can't purchase the standalone Windows licence any more. However you can purchase a standalone Mac licence – after bartering with them via email.
They should give people the option OR be honest and admit they're removing X, Y, Z features. It's their refusal to give clear, honest advice which gets people (myself included) angry. They then come out with crap like "we totally understand that you love 1Password"…
Your average person hypothesis is an interesting one. I'd argue that your average Mac user would find 1Password with iCloud sync the easiest because it's already setup on your Apple devices. No extra logins, account keys required. Just download 1Password, it finds your database in iCloud and you then enter your password. But this is exactly what they've removed; unless you barter with them to get the standalone licence.
Windows users, unless subscription based, are now fully out in the cold. They could have kept the ability to use your own cloud, or, retained the ability to use vaults on a local device; but no, it's gone.
I fully accept that they need to make money through the use of a subscription BUT at least give people the OPTION to keep control of it.
The largest proponents of password managers are people like you and me – we both understand computers but by alienating a large core of their 'expert' audience I can't help feeling they're shooting themselves in the foot. They could sell the benefits of their cloud service but by giving people Hobson's choice they're doing themselves no favours.
As far as net neutrality is concerned, we already in the UK have a multi-speed internet dependent on how much you pay. Whether that is access to cable being limited (let alone a choice of cable providers) or because you have to use a ropey old phone line because you live in rural Wales. The various packages that ISPs offer also don't advertise that fact that your speed is dependent on the contention ratio (ie how many other people are on the same line as you) and that you will need a 'Business' package if you want this to be lower. ISPs also have a 'Fair Usage' policy and can/will throttle your speed/access time if you break it.
That said, we could have nearly unlimited bandwidth for free UK wide including rural areas if the Government had gone ahead with using the National Grid for internet use. This was proven to work, but was suddenly cancelled….. not sure why?! Maybe BT et al know the answer to that??
You need to make a video of a virtual spatchcock-chicken-on-a-chimney barbecue with Carole cooking it and demonstrating the chimney fire enhancer thingy and Graham salivating, drinking beer and eating crisps, anticipating the delicious virtual feast and dishing out safety tips between sips. And you could have as a guest one of the people who barbecue shashlik at the Izmailovo Crafts Fair in Moscow demonstrating the finer points of smoke management.
The best password manager for Android is "Keepass 2 for Android"
Free, open source, available on all platforms. But the app is the safest, because it incorporated a keyboard to autofill user name and password. Also, you can keep it local, or sync to other devices and your own Cloud choice.
https://play.google.com/sto…
For other platforms, check your app store, or look Keepass up online. They have lots of tools to help migrate databases from most other major providers. And they had a thorough review of their code base last year, from an independent commission.