this post was submitted on 26 Oct 2023
257 points (97.4% liked)

Technology

59261 readers
2536 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
all 28 comments
sorted by: hot top controversial new old
[–] KairuByte@lemmy.dbzer0.com 101 points 1 year ago

Save you a click: No user data was compromised.

[–] danielfgom@lemmy.world 48 points 1 year ago (4 children)

It wasn't 1Password that got breached, it was a 3rd party company called Okta, which 1Password was using in some capacity.

The attempted breach was detected and the hackers had only 1 set of Okta credentials from 1 member of the IT team. So they couldn't actually do much.

It was detected and immediately all the keys were changed so the hacker lost all access to Okta immediately.

No 1Password systems were affected at all.

Hypothetically even if the hackers somehow managed to get a customers vault, they would never be able to decrypt it because it requires 1. The master password AND 2. The very long and complex decryption key, which only the user posseses.

Even 1Password does not posses it so it's literally impossible for the vault to be hacked.

1Password is still by far THE most secure password manager.

[–] Appoxo@lemmy.dbzer0.com 39 points 1 year ago (5 children)

1Password is still by far THE most secure password manager.

Now that is a very confident statement. Any sources to back that up? Maybe even a comparison to other password managers like Bitwarden, LastPass, etc.?

[–] Lime66@lemmy.world 28 points 1 year ago (1 children)

Don't compare it to last pass, you'll have an answer very shortly

[–] Appoxo@lemmy.dbzer0.com 4 points 1 year ago (1 children)

First password manager coming to mind because of such things.
Nothing is unhackable.

[–] ram@bookwormstory.social 23 points 1 year ago

Please don't bring up LastPass in this conversation. They aren't relevant to anything wrt security, and worse yet, they remain extremely opaque with their security protocols.

[–] douglasg14b@lemmy.world 13 points 1 year ago (1 children)

Yeah definitely not worth doing a comparison to LastPass but doing the comparison to bitwarden and then local only ones like keypass/KeepassXC may be worthwhile

[–] Appoxo@lemmy.dbzer0.com 6 points 1 year ago

Oh yeah. How secure is a local encrypted password safe that is synced via things like Dropbox/OneDrive/GDrive/Syncthing or Resilio in comparison to something like Bitwarden and 1Password.

[–] qqq@lemmy.world 5 points 1 year ago

Not sure if you've read this but it might help get started.

https://1passwordstatic.com/files/security/1password-white-paper.pdf

[–] dangblingus@lemmy.world 1 points 1 year ago

Considering we're hearing about a lot of password managers getting hacked, saying you're the most secure is not really that impressive.

[–] BowserDelta@lemmy.world 13 points 1 year ago (1 children)

Is it more secure than Bitwarden? (Genuine question)

[–] danielfgom@lemmy.world 12 points 1 year ago (1 children)

In theory yes because Bitwarden only uses your master password to unlock your password collection. If someone were to brute force the password and figure it out, or if bitwarden servers were hacked and the password acquired, they could access all your passwords.

With 1Password your vault (database with all your passwords) is encrypted on the server. To open it you must provide 2 things:

  1. The master password
  2. The decryption key

1Password do not have any record of the decryption key. They give it to you as a pdf when you create your account, and only you have it.

So even if someone cracked your master password, they still cannot decrypt the vault to get your info. They would have to come to your house and try find that pdf with decryption key. Which they don't do.

So you are at significantly safer on 1Password

[–] wols@lemm.ee 3 points 1 year ago* (last edited 1 year ago)

The main difference is that 1Password requires two pieces of information for decrypting your passwords while Bitwarden requires only one.

Requiring an additional secret in the form of a decryption key has both upsides and downsides:

  • if someone somehow gets access to your master password, they won't be able to decrypt your passwords unless they also got access to your secret key (or one of your trusted devices)
  • a weak master password doesn't automatically make you vulnerable
  • if you lose access to your secret key, your passwords are not recoverable
  • additional effort to properly secure your key

So whether you want both or only password protection is a trade-off between the additional protection the key offers and the increased complexity of adequately securing it.

Your proposed scenarios of the master password being brute forced or the servers being hacked and your master password acquired when using Bitwarden are misleading.

Brute forcing the master password is not feasible, unless it is weak (too short, common, or part of a breach). By default, Bitwarden protects against brute force attacks on the password itself using PBKDF2 with 600k iterations. Brute forcing AES-256 (to get into the vault without finding the master password) is not possible according to current knowledge.

Your master password cannot be "acquired" if the Bitwarden servers are hacked.
They store the (encrypted) symmetric key used to decrypt your vault as well as your vault (where all your passwords are stored), AES256-encrypted using said symmetric key.
This symmetric key is itself AES256-encrypted using your master password (this is a simplification) before being sent to their servers.
Neither your master password nor the symmetric key used to decrypt your password vault is recoverable from Bitwarden servers by anyone who doesn't know your master password and by extension neither are the passwords stored in your encrypted vault.

See https://bitwarden.com/help/bitwarden-security-white-paper/#overview-of-the-master-password-hashing-key-derivation-and-encryption-process for details.

[–] hillbicks@feddit.de 12 points 1 year ago (2 children)

Care to back up the last statement about last pass being the most secure? I'm having a really hard time seeing lastpass as more secure than a local only password manager like keepass or KeePassXC.

Honestly, this reads like a PR post.

[–] douglasg14b@lemmy.world 9 points 1 year ago

It really does read like a PR post.

There's some bold confident statements in there that are definitely not really accurate from the standpoint of software and system security.

[–] isVeryLoud@lemmy.ca 2 points 1 year ago* (last edited 1 year ago)

OP said 1password, not LastPass.

Something local with sufficient encryption will always win against a cloud service, until someone gets access to your computer.

[–] scarabic@lemmy.world 4 points 1 year ago

Fucking Okta. Or as I call it Okra.

[–] NeoNachtwaechter@lemmy.world 3 points 1 year ago

Interesting to learn how to open up not just one PC but a whole infrastructure of passwords, tokens etc.