1Password and cloud security

Posting reviews of software is not something that I do every day. Or every year for that matter. But something unexplainable about the incident foretold in this post made me write it. You have been warned…

I have been on the lookout for a new password manager, especially one with “secure” cloud sync capabilities, and someone recommended 1Password (name withheld to protect the guilty). What peaked my interest was the claim that no one but me would be able to decrypt the data.

This is in stark contrast to most cloud solutions. Let us use DigiPost.no as an example. It is touted as a completely secure way to receive digital documents from the Norwegian government and anyone else willing to pay for sender-access to the system. For instance, several brick and mortar stores in Norway are able to send you receipts and warranty-certificates over the system. But is it secure? Their FAQ claims that it is as safe as your bank. And maybe it is. But my bank does not aggregate data about me from other sources, at least not to my knowledge. Browsing further down the FAQ reveals the following quote: “Et fåtall sikkerhetsklarerte medarbeidere er autorisert til å vedlikeholde og korrigere kundeopplysninger.” Sadly this is in Norwegian only, but it basically says that some employees have the security clearance necessary to view or alter your data to perform “maintenance”. Images of underpaid outsourcing employees from Asia looking to make a quick buck on the side datamining flashed before my inner eye, but even if these people are all highly trustworthy, that is beside the point. The point is that someone other than me and the sender can access these data without me giving them the key. And then it is not really safer than regular email. And if you still believe that your emails, cloud storage and facebook messages are not stored, tagged and analyzed automatically by at least two governments beside your own, please stop reading. You are outside the target demographic and should keep your current post-it-under-the-keyboard password manager.

But I digress. I was supposed to write about password managers, more specifically 1Password from AgileBits.

I registered and downloaded a trial of the subscriptions based “family”-version, as it came so highly recommended by the website and was the only version targeted at end users with internet sync that didn’t include a known NSA-infected third party.

clip_image001

I was surprised to find that there was no stable version of the Windows Application available, only a beta, but I was feeling adventurous and downloaded the desktop version. The Modern/Metro version reports itself as an Alpha version in the Windows Store and was thus left alone.

clip_image002

clip_image003

Next, I attempted to import my existing data. The online help directed me to a community-built perl script and a pdf at https://github.com/AgileBits/onepassword-utilities. I went through the perl script maze and ended up with a 1pif file in the end, which I was to import into the main program. 1pif is some form of intermediate proprietary import/export format. All that remained was importing it into 1password. To my astonishment, there was no import button to be found. Not even the File menu at which the Import button is supposed to be located according to the PDF was available. The app is almost completely left of buttons and menus. I tried inputting data manually, but the fancy modern UI is not exactly user friendly so I gave that up. Inputting 200+ entries manually at the pace the UI allowed was out of the question. There may be a hidden import function there somewhere, but I was unable to find it.

clip_image004

Rummaging around the 1Password website I found the stable 4.x version. This is the one that only supports DropBox sync or similar. It has the aforementioned import button (which worked), but after the data was imported and I tried opening the resulting vault in v6 (beta), the vault was locked and could not be reopened. After a second try with another file I got it going, and I was able to access the data in v6 through some kind of legacy function whose location I forgot to screenshot. I was about to move the data over to the “cloud” part, but I stopped… Glancing at my main monitor, I noticed it was filling up with security warnings complaining about unsafe access to system resources. By 1password v6. See screenshot below. Sadly, it is written in Norwegian, but it is basically a warning against invalid code signing certificates.

clip_image005

I have once before lost data due to poorly managed updates to a password manager, and here I am about to put my trust in beta software? Remembering the non-decryptable data from some years back and the time spent recovering the lost data, I was not feeling safe at all. If the claim that I am the only one with the encryption keys are true, is it then even possible to restore from a backup if a botched software update garbles the data? Are there in fact any backups at all? The documentation talks about a password history, indicating that delete means tag as deleted but keep in database, but says nothing about a restore function as far as I can tell.

There are stable clients for most other platforms though. I realized that most if not all screenshots on the 1Password site are from the Mac version, so I guess they just couldn’t be bothered to build a proper Windows client before they launched V6 for Mac. A stroll down the memory lane of blog.agilebits.com confirmed my suspicions. In May 2016 they launched 1Password 6.3 for Mac. 6.0 was launched in January, with several updates in-between. The most recent post I can find about the stable Windows version is from July 2015, and as far as I can tell it just confirms that the current stable 4.6 version is compatible with Windows 10. Almost a year ago to the day.

I seriously considered reaching out to AgileBits support, but at this point I doubt there is anything they can tell me that will convince me to move my data to 1Password families. The 4.6 product looks a lot better, but I guess it is the old stuff now, as there does not seem to be any development to it. The MD5 signature on the current download as of July 2016 is from February 23. 2016. Neither does it support the kind of sync I was looking for, and if the horrible UI of families v6 is a sign of what is to come, I am out.

I have since moved on to somewhat greener pastures, and I am currently testing another similar product. If that results in another horrible experience, maybe there will be another review…

Update 2017.03.16

In response to comments, I have written another post here: https://lokna.no/?p=2113