I and my employers, #1Password, have never directly criticized a competitor before. But #LastPass's claim that it would take "millions of years" to crack the data made available from the breach needed to be addressed explicitly.
I also take the opportunity to explain why 1Password's distinct security architecture would keep users safe if we were to be breached.
@jpgoldberg huge respect for what you've built and all the care you've taken to build a great product. I love 1password.
But this blog post is not a good look. Kicking a competitor when they're down for security reasons... Oof.
@ben, we would never do this for a breach or bug. But have you read their announcement?
Sure vendors understate the impact on users of security problems (and researchers overstates it). Human psychology leads to that, so it isn't even insincere.
But their statement goes well beyond that normal tendency.
@ben That is a very real risk.
As you might imagine our marketing people, CEO, and others were very heavily involved in the decision. Yes, it might open the doors for mud slinging in ways that merely confuse the public, as they may not be able to differentiate.
We will see.
@jpgoldberg so you're saying a six-word diceware password is gonna be fine...
This is a really useful explainer.
@davidmschell. absolutely.
@davidmschell @jpgoldberg I live completely in the Apple ecosystem, and the security of the passwords (and everything else) in my iCloud Keychain comes down to the security of my physical devices. Anyone who has physical possession of one of my devices and can unlock it has access to my Apple keychain. Among the things stored in my keychain is my 1Password secret key, so isn’t my 1Password data as secure as my keychain data even if I have a really weak master password? Could you make the argument that your master password really doesn’t have to be that strong at all?
It seems to me that in the past, before fully encrypted drives and secure enclaves and modern hardware security, it might have been more important to have a strong master password. Is it that important now?
@captainslim @davidmschell, if you live entirely within the Appleverse then iCloud Keychain can be a very fine choice. It doesn’t do everything 1Password does, but not everyone needs all of that.
A locked Apple device is very hard to break into even with full physical access.
Blunder by 1Password on this blog post. You stay above the fray when your competitor screws up like this and the entire rest of the internet is rightly piling onto them. If I worked there I’d be putting out content pieces for a month on how awesome their security was in all the ways LastPass’s is crap, but even the CIA couldn’t waterboard me into mentioning the LP breach by name as I’m doing it. https://blog.1password.com/not-in-a-million-years/
@jpgoldberg An additional good article that's worth reading 😉
https://blog.1password.com/bcrypt-is-great-but-is-password-cracking-infeasible/
@Lunatech, we explicitly said that we have to plan for being hacked. That is why we designed the whole Secret Key thing. It is to protect users in the event that we get hacked.
If your synching mechanism provides better privacy and security than ours, that’s great. I do not believe that that would be the case for the overwhelming majority of 1Password users. Security choices must be made among viable alternatives.
@jpgoldberg Also, please keep in mind that you are basing all your estimates on how long it would take to crack passwords based on currently available hardware and currently know algorithms. But already there is talk of quantum computers that will be far faster than today's computers. What may (or may not) may be a true estimate of the time it would take to crack a password vault today might look ridiculous in five, ten, or twenty years. But in any case, people should have the ability to store their passwords locally and not be forced to trust anyone's cloud storage.
There was a time padlocks were considered pretty secure, until criminals discovered how to make lock-picking tools! But they still couldn't pick the padlock they didn't know existed.
@captainslim @jpgoldberg thanks for this.
For some reason I got it in my head that the secret key was an “account number”, and the real secret key was behind the scenes obfuscated from the user, but at no point in the UI does 1P say that so I don’t know where that thought came from lol. Makes sense now that I’ve looked at my account screen again. Cheers.
@rscullen, that is an excellent question and the blog post has been updated/corrected with the answer (in a footnote) that reads.
"In an earlier version I incorrectly said that the your Secret Key “never leaves your device.” There are a number ways your Secret Key can travel from an enrolled 1Password client to a new client, including end-to-end encrypted iCloud Keychain syncing, end-to-end encrypted Android backup, mechanisms under your control such as scanning a QR code from an enrolled 1Password client or you transmitting a setup code through mechanisms of your choosing. The over all point is that it is never transmitted to 1Password controlled systems, and so is never available to us or to someone who might breach us."
Tim Vercruysse
Jeffrey Goldberg
Ben Adida
David M Schell 
Chris Johnson
August Jackson
D. Creemer
kapsiR
Lunatech
Dan Poltawski
Ryan Scullen