Data breaches that compromise personal accounts have become a frequent occurrence. I was an involuntary participant in such an event in October 2013 when Adobe got hacked. Despite the fact that Adobe stored the passwords encrypted, there is no guarantee that the hackers were not able to retrieve the plain text passwords. With specialized computers a brute force attack can crack an eight character password within a few hours. And that assumes the password is random gibberish and not among the most commonly used passwords. As passwords are often reused, a cracked password opens the doors for the hackers to try to access other accounts as well.[1]
To minimize the damage from a security breach everyone should use unique, long (10 or more characters) random gibberish passwords for each account. Something you can't possibly remember. This is where password managers come in.
I have been using 1Password for a few years for just that purpose. It has served me well for a while. Then little annoyances started to set in.
1Password 5 introduced support for the iCloud sync engine. I bought a second copy through Apple’s AppStore just so I could use iCloud to store the password vault. My decision was based —not in a small part— on the enthusiastic embrace of iCloud by AgileBits, the developer of 1Password. Unfortunately, after my purchase I found out that iCloud wasn’t fully supported. Password sharing was only available for vaults stored in Dropbox, and I relied on that feature to share passwords with my wife. In AgileBits’ defense, that is documented on their website, just not as prominently. AgileBits’ iCloud FAQ has no information on it, neither did the blog post mentioned above. I figured there are worse things in life than having an extra license of a piece of software, so I moved on.
A few weeks ago Dale Myers pointed out that 1Password doesn’t encrypt the metadata of passwords stored in the vault. URLs, the names of bank cards etc. are accessible to anyone who has access to the vault. Again, in AgileBits’ defense, that fact had been published on their website. In a blog post AgileBits explains further what led to the data format that contained metadata in plain text. They also pointed out that in late 2012 they released a new file format where all the data is fully encrypted. However, so far they haven’t converted old file formats to the new format.
I felt that AgileBits made it difficult to fully understand what they do to safeguard my data. More importantly, their defaults seem to err on the side of convenience, not security. But I decided to give them one more chance.
The crypto machine underneath 1Password is solid (see e.g., here and here), so I decided to stay with 1Password and convert to the new OPVault file format. I realized that I would lose access to my passwords on an older Mac for which the new file format was not supported. I was willing to live with that in exchange for a fully encrypted vault.
Converting to the new OPVault file format didn’t work well for me. Twice I had to pull data from backup because I got into a state where a large number of passwords got lost. I also have been unable to get my iPhone to sync with the new vault. I call that strike three, after the two other annoyances described earlier. Time to move on! But to where?
You may have noticed that I listen to Security Now, a podcast hosted by Steve Gibson and Leo Laporte. In 2010 Steve described the crypto behind LastPass on his show. (Fast forward to around 50 minutes into the podcast.) I hesitated in the past to use LastPass as I didn’t want to trust all my passwords to one company that provides web access. I was afraid that such a large amount of passwords stored in one place would be a highly attractive target for hackers.
After listening to Steve’s podcast I was less worried. LastPass only stores data after it was encrypted on my device. The encryption key stays with me and is not given to anyone else.[2] Effectively, a breach into their system puts my data at no more risk than a breach into Dropbox (which has happened before), where my 1Password vault is stored. 1Password as well as LastPass gain their security by encrypting the data, not by preventing others from getting access to the data. Thus, the key to data safety rests on a good password. This is probably why I wasn’t able to find any incident of user data being compromised despite two published security breaches at LastPass.
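To make the design described above concrete, here is an added illustration (not LastPass’s or 1Password’s actual code): the vault key is derived from the master password on the device, the server only ever receives a further one-way hash of that key plus ciphertext, so a breach of the server exposes nothing a breach of Dropbox wouldn’t. The PBKDF2 iteration count and the HMAC-SHA256 counter-mode cipher are assumptions chosen so the block runs with the standard library alone.

```python
import hashlib
import hmac
import os

# Constructed illustration of a client-side encrypted vault. The iteration
# count and the HMAC-based stream cipher are assumptions for a stdlib-only
# demo; real products use a vetted cipher such as AES.
ITERATIONS = 100_000


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Encryption key: derived locally from the master password, with the
    account email as salt. This value never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), ITERATIONS)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """What the server stores for authentication: one more one-way hash of
    the vault key, so a login can be verified without learning the key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


def _subkey(vault_key: bytes, label: bytes) -> bytes:
    # Separate keys for confidentiality and integrity, both from the vault key.
    return hmac.new(vault_key, label, "sha256").digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag, the only blob
    that is ever uploaded to the server."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(vault_key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(vault_key, b"mac"), nonce + ct, "sha256").digest()
    return nonce + ct + tag


def decrypt_vault(vault_key: bytes, blob: bytes):
    """Returns the plaintext, or None if the key is wrong or the blob altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(vault_key, b"mac"), nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(_subkey(vault_key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))
```

Because the server holds only the login hash and the blob, it cannot reset a forgotten master password: without the master password neither the vault key nor the plaintext can be recovered.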
I started using LastPass a week ago, and so far I'm pretty happy. The majority of passwords were easily exported from 1Password and imported into LastPass. I again have access to my passwords on my older Mac. Sharing of passwords also is less cumbersome. 1Password required me to constantly switch between vaults as a separate vault holds the shared passwords. The mechanism that fills out fields in the web browser is more powerful as well. From a usability point of view the switch certainly was a good move.
I turned on multifactor authentication using Authy to strengthen the authentication process. That is something I have been using for Dropbox, where my 1Password vault was stored. It was nice to see that LastPass supports a large number of multifactor authentication options,[3] including hardware keys. I wish they would also support FIDO U2F, but since that hasn’t been around for long, I’m hopeful that it might be coming.
If this blog post was helpful and you decide to sign up for LastPass I would appreciate if you could do it through my affiliate link: LastPass
[2] Note that this means that LastPass is not able to reset a password!
[3] An interesting differentiation between encryption-based systems (like 1Password) and systems that have an authentication component (like LastPass) is that the former do not gain any benefit from a second factor. As such, despite many asking for it, 1Password does not offer such a feature.