1password Is Safe



Learn how 1Password secures your information whether it’s synced with a 1Password account, Dropbox, iCloud, or the WLAN server.

Disclaimer: I work for AgileBits, makers of 1Password. Thanks for asking me to answer this, Marc Bodnick. The short answer is that your data is safe in 1Password. Fundamental design choices were made to protect everything you store in 1Password so you can trust it with your passwords, financial information, and more. 1Password protects you and your information in three different ways.

Protected by the 1Password security model, no matter what


1Password automatically secures your data regardless of how you sync it across devices. These are some of the steps 1Password takes to keep your private information safe, whether it’s stored on just one device or synced to many:

  • Encrypting your data with 256-bit AES. Your 1Password data is kept safe by the industry-standard 256-bit AES encryption algorithm. This makes it all but impossible for someone to decrypt the data you entrust to 1Password.

  • Defending against crackers with PBKDF2. 1Password uses PBKDF2 to make it harder to use a cracking tool, which is designed to learn passwords by making a bunch of guesses in rapid succession, to defeat your Master Password’s security.

  • Keeping your Master Password separate. Your Master Password isn’t stored alongside your 1Password data, or anywhere at all. This is a bit like making sure the key to a safe isn’t kept right next to it: Keeping them separate makes everything more secure.

  • Making your data available even when you’re offline. 1Password stores your data on your devices, so your logins, notes, and other information can be accessed even if you aren’t connected to the Internet. This means you aren’t dependent on access to your sync provider; your data will always be available when you need it.

Syncing your data makes it more secure

Sync is the safest way to make sure that your data is available when you need it. It’s more secure to have 1Password on multiple devices and to keep those devices in sync than it is to share information using texts, emails, or unencrypted files. Sync also makes it easier to recover your data if something happens to a device.

No matter how you sync, 1Password takes precautions to protect your data:

  • Encrypting your data at rest. Your 1Password data is always stored encrypted, so no matter how you choose to sync, your data can’t be read by anyone on the other end.

  • Encrypting your data during transit. Your 1Password data stays encrypted while it’s being uploaded or downloaded, so it’s always protected while it travels between devices.

  • Decrypting your data on your device. Your 1Password data is only ever decrypted on your device, which means you are the only one who can see it.

1Password doesn’t restrict you to just one sync method. You can always choose how you want to sync your data, and if you change your mind after you’ve set up a sync service, you have the flexibility to move everything to a different tool.

1Password account: no-fuss security and convenience

If you have a 1Password account, you benefit from features that provide safety, privacy, and convenience:

  • Secret Key. 1Password creates a private, 128-bit Secret Key to encrypt your data. This key never leaves your devices, and it gives your account another line of defense together with your Master Password.

  • Account recovery. Most websites have a password reset feature which relies on a master key in the possession of the service provider. Your 1Password account has no such key, so it can only be recovered by people you entrust. They alone can help you regain access if you forget your Master Password or lose your Secret Key.

  • Secure Remote Password (SRP). Most websites send your password to a server when you try to sign in, leaving it vulnerable to interception. Your 1Password account uses the SRP protocol to authenticate your login details without sending your Master Password over the Internet, so it can’t be stolen while it’s in transit. Learn more about Secure Remote Password.

  • Web access to your 1Password data. 1Password.com uses the latest browser-based cryptography to provide a secure way to access your data from any modern web browser.

  • Everything is handled for you. You don’t have to make any decisions about how your data is synced or secured. Your 1Password account was designed to offer the most protections with the least complexity of any sync option.

iCloud and Dropbox: Secure and customizable services you can trust

If you decide not to create a 1Password account, you can sync your data using iCloud or Dropbox. The encryption algorithms, secure transmissions, and other protections in 1Password keep your data safe no matter how you sync it.

  • Trusted services. 1Password only uses trusted services to sync data between devices. Dropbox and iCloud are large, well-known, and carefully scrutinized by the many people that rely on them to keep their data safe.

  • Open standards. 1Password syncs with iCloud using AgileCloudSDK, an open source API from the creators of 1Password, and uses the public Dropbox API to sync with Dropbox. By following standards and using open source tools, 1Password lets anyone find out exactly what’s happening when their data is being synced.

  • Additional security features. Both services offer features like two-factor authentication and easy access from any device, which means your data is protected by every tool you’ve decided to sync it with.

WLAN server: For when a sync service isn’t an option

If you can’t sync with a hosted service, whether it’s because of corporate policies or limited Internet availability, you can use the WLAN server over a local wireless network to sync 1Password.

  • Secret codes for adding devices. 1Password generates a secret code when you set up the WLAN server, so only devices in your possession can attempt to connect.

  • Local network availability. Your data never leaves your local wireless network.

Choosing the sync method that’s right for you

You’ve seen how 1Password protects your data regardless of how you choose to sync it across multiple devices. Now that you know your information is safe no matter what, this chart can help you decide which sync option is right for you.

| Feature / Service | 1Password account | iCloud or Dropbox | WLAN server |
| --- | --- | --- | --- |
| Encrypted in transit | ✅ | ✅ | ✅ |
| Encrypted on device | ✅ | ✅ | ✅ |
| Available offline | ✅ | ✅ | ✅ |
| Available on multiple devices | ✅ | ✅ | ✅ |
| Multi-factor authentication available | ✅ | ✅* | |
| Available on the web | ✅ | | |
| Account Recovery | ✅ | | |
| Secure Remote Password | ✅ | | |
| Secret Key | ✅ | | |
| Local network | | | ✅ |

* Multi-factor authentication for iCloud and Dropbox is not provided by 1Password. Learn how to turn on multi-factor authentication for iCloud and Dropbox.


Dale Myers posted a blog entry a few days ago about a problem he’d found in 1Password: while passwords in AgileBits’ vaults were secure, metadata was stored in the clear. And this was intentional, allowing web-based access to the vault to retrieve information without requiring the 1Password app.

Myers wasn’t incorrect and he wasn’t over-sensationalizing the situation. He also provided a recommendation for a solution, one that AgileBits endorsed in its blog entry responding to his post. And he continues to use the product.

Though it’s obvious, neither Myers nor AgileBits explicitly noted one important factor, however: a sniffer first has to gain access to your vault. If you posted it on a website that you set up for only you to use, perhaps someone else would find it, or a security breach at a hosting company might provide a way in.

But if you use Dropbox for syncing, there’s little chance for easy vacuuming up of your data. I have my 1Password vault synced to two Macs and two iOS devices using Dropbox. I have two-factor authentication enabled for Dropbox, and FileVault, Touch ID, and a passcode in use on those computers and mobiles. Someone has to either get access to my Dropbox credentials and second factor, or get access to my devices in an unlocked state to grab my file. (It’s also possible Dropbox would experience a hack that would allow files to be obtained without credentials or physical access, but that would expose vast amounts of information of all kinds, rather than being a targeted effort to obtain a 1Password vault.)

Even if someone should retrieve your entire vault, the information they could get is only useful to learn about you, rather than to break into your accounts. The passwords themselves remain protected in an extremely strong manner that requires a huge amount of computational effort and substantial time to crack.

But even losing metadata makes some people nervous, and rightly so. In the wrong hands, information about what you do—where you have accounts—could be used for identity theft or harassment.


The format Myers objected to, Agile Keychain, was developed in 2008 by AgileBits as a way to allow granular updates of individual password entries without overloading the mobile device processing power that was available when the iPhone 3G was fresh and fancy. The company later developed a newer format, called OPVault, which encrypts nearly everything. Myers raised a good point by noting that Agile Keychain remains in wide use. (OPVault leaves the names of folders and categories unencrypted, as well as timestamp data, but this offers little of utility to crackers compared to URLs and user names.)


As AgileBits noted in its blog entry, it didn’t migrate everyone from the old to the new, because there remained a mix of software releases and devices. Not-that-long-gone versions of 1Password—1Password 3 and older for Mac and 1Password 4 and older for iOS—can’t read OPVault, and the company didn’t want to break compatibility in the interests of security.


(OPVault is always used with iCloud, by the way. If you use iCloud, I generally recommend enabling two-step verification now and two-factor authentication as Apple rolls out its revised system more broadly in the coming months.)

You can imagine how this would have looked to customers, too. “I upgraded on my iPhone, and now my OS X version says I have to upgrade to read my passwords! What are you up to?!” Instead, they erred on the side of looking backward. AgileBits writes that they’re going to step up migration to the new format in upcoming releases across all platforms they support.


However, if you’re concerned about the metadata in your vault becoming accessible to anyone but yourself, you can switch over today with just a few well-documented steps at the company’s website. Just check that all your devices have compatible versions of 1Password.

I went through them and it went off tickety-boo. I made the change in OS X, and then launched 1Password for iOS, where I went to the Sync settings and pointed the app to the new file. Because the entries were identical, just in a different format, it only took a couple of seconds for the sync process to show that it was up to date.


As capability improves and security follows, it will be more and more important that companies keep in mind and disclose to customers the decisions they made for efficiency in the past that are no longer needed. AgileBits didn’t drag its customers painfully to the new format—that’s an Apple move! Apple has no sentiment about the necessity of moving forward with no path back. But now that it’s taken stock with a prod from an outsider, we’ll all reduce our attack profile as a result.

Update: This article was updated to reflect the potential that a Dropbox breach would also allow 1Password data to be obtained, and to note that OPVault doesn’t encrypt folder and category names, nor timestamps.