I and my employers, #1Password, have never directly criticized a competitor before. But #LastPass's claim that it would take "millions of years" to crack the data made available from the breach needed to be addressed explicitly.

I also take the opportunity to explain why 1Password's distinct security architecture would keep users safe if we were to be breached.

https://blog.1password.com/not-in-a-million-years/

Not in a million years: It can take far less to crack a LastPass password | 1Password

How 1Password goes above and beyond to protect you in the event of a data breach.

@jpgoldberg so you're saying a six-word diceware password is gonna be fine...

This is a really useful explainer.

How strong should your account password be? Here's what we learned | 1Password

How much effort would a hacker need to put in to crack a 1Password account password? Here’s what we learned after running some community challenges.

@davidmschell @jpgoldberg I live completely in the Apple ecosystem, and the security of the passwords (and everything else) in my iCloud Keychain comes down to the security of my physical devices. Anyone who has physical possession of one of my devices and can unlock it has access to my Apple keychain. Among the things stored in my keychain is my 1Password secret key, so isn’t my 1Password data as secure as my keychain data even if I have a really weak master password? Could you make the argument that your master password really doesn’t have to be that strong at all?

It seems to me that in the past, before fully encrypted drives and secure enclaves and modern hardware security, it might have been more important to have a strong master password. Is it that important now?

@captainslim @davidmschell, if you live entirely within the Appleverse then iCloud Keychain can be a very fine choice. It doesn’t do everything 1Password does, but not everyone needs all of that.

A locked Apple device is very hard to break into even with full physical access.

@jpgoldberg I do use 1Password for all the extra stuff that it does. My point was that 1Password—even with no master password—seems to have the same security as iCloud Keychain, which itself is very secure. So is having a strong 1Password master password important, or is it just belt-and-suspenders in the Appleverse?

@captainslim, that is a tough one. We are able to store the Secret Key more securely on Apple devices than we are on other platforms, but I don't want people to rely on that. So you don't need an unwieldy account password, but do have a unique and reasonable one.

@jpgoldberg It’s interesting to imagine a passwordless mode for 1Password on Apple devices, where the encryption key is stored in iCloud Keychain, protected by OS-enforced biometric or device passcode access. It’d have the same security as iCloud Keychain, requiring physical access to and the ability to unlock a trusted device, with all the extra features of 1Password.