+- MacResource (https://forums.macresource.com)
+-- Forum: My Category (https://forums.macresource.com/forumdisplay.php?fid=1)
+--- Forum: Tips and Deals (https://forums.macresource.com/forumdisplay.php?fid=3)
+--- Thread: Password Managers vulnerable to severe attacks/hacks (/showthread.php?tid=169164)
Password Managers vulnerable to severe attacks/hacks - pinkoos - 07-14-2014
Interesting Ars article:
http://arstechnica.com/security/2014/07/severe-password-manager-attacks-steal-digital-keys-and-data-en-masse/
LastPass and a few others were named as vulnerable by the researchers. I didn't read the research paper so I don't know if 1Password was vulnerable as well, though I would think Ars would have mentioned it if it was.
I recently switched from LastPass to 1Password when they were having their huge sale and based on the recommendations of many here, particularly Robert M.
Re: Password Managers vulnerable to severe attacks/hacks - N-OS X-tasy! - 07-14-2014
The article specifies that the vulnerability pertains to Web-based password managers. The fact that 1Password is not Web-based, combined with the fact that it is not specifically mentioned in the article, leads me to believe its security has not been compromised by this vulnerability.
Re: Password Managers vulnerable to severe attacks/hacks - Robert M - 07-14-2014
Pinkoos,
Apparently, the topic of the study was web-based password managers like LastPass. 1Password, from my understanding, is not web-based. So, it may not suffer from the vulnerabilities. Then again, that might not be the case if you use the browser extensions. Agilebits should respond to the article to confirm whether or not 1Password suffers from vulnerabilities. This reaffirms one of the reasons why I've never been a fan web-based password managers.
Robert
Re: Password Managers vulnerable to severe attacks/hacks - pinkoos - 07-14-2014
Ah, that's a good point that I had glossed over - yes, I don't think 1Password is web-based. It's local, right?
Re: Password Managers vulnerable to severe attacks/hacks - Robert M - 07-14-2014
Pinkoos,
Yes. I'm 100% positive 1Password is local. But, the 1Password data file can be stored on a cloud service like Dropbox. But, it's encrypted. SO, that's not an issue. I'd be concerned about the browser extensions, though. They could very well be vulnerable. That's why I'd like to see AgileBits respond to the article.
Robert
Re: Password Managers vulnerable to severe attacks/hacks - Black - 07-14-2014
So password managers don't just seem like a bad idea, they actually are a bad idea?
Re: Password Managers vulnerable to severe attacks/hacks - Robert M - 07-14-2014
Black,
No. Most of the companies behind the systems that were compromised already fixed them. One apparently didn't respond to the notification about the vulnerability. That and 1Password and other password managers may not be affected by the problems at all.
Robert
Re: Password Managers vulnerable to severe attacks/hacks - modelamac - 07-14-2014
Black wrote:
So password managers don't just seem like a bad idea, they actually are a bad idea?
Not true. It does not follow that if web-based password managers have a weakness, that all password managers have a weakness.
Re: Password Managers vulnerable to severe attacks/hacks - sekker - 07-14-2014
Black wrote:
So password managers don't just seem like a bad idea, they actually are a bad idea?
I think even vulnerable password managers are better than the way most people work - sticky notes or simple passwords!
At the same time, I use 1password myself.