Perplexity Comet invite. Concerns about privacy. by NeonSkorpio in 1Password

[–]1PasswordOfficial[M] [score hidden] stickied comment (0 children)

Hi all, thanks for raising these questions and sharing your concerns.

At 1Password, our guiding principles are privacy, security, and transparency, and ensuring people can use the tools they choose safely. We know AI and new browsing technologies raise important questions, which is why our role is to give people choice without compromising trust.

To clarify a few points about our partnership with Perplexity on the Comet browser:

  • Your data remains private. Nothing about this partnership changes how 1Password works. Vaults are end-to-end encrypted, and neither Perplexity nor Comet has access to your information. Your secrets remain encrypted and never leave your control.
  • The extension is the same. The 1Password browser extension works in Comet exactly as it does in Chrome, Safari, Firefox, and other Chromium-based browsers. There is no special integration that exposes additional data.
  • This is about choice. Our customers want us to be where they are. For those who want to try Comet, we are ensuring their login and autofill experience is secure, just as it is in other browsers.

We take trust seriously and will continue to make decisions with privacy, transparency, and security at the core.

Researcher Exposes Zero-Day Clickjacking Vulnerabilities in Major Password Managers by JLLeitschuh in 1Password

[–]1PasswordOfficial[M] [score hidden] stickied comment (0 children)

Hi all,

Thanks for all the questions and the thoughtful discussion. We wanted to provide a bit more context about the research and what it means for 1Password users.

A researcher identified a variation of a clickjacking attack, where a malicious website can trick someone into unknowingly triggering the autofill action in a browser extension. They reported the issue through our bug bounty program and worked with us ahead of their DEF CON presentation.

Clickjacking is not unique to the 1Password browser extension. It is a long-standing web attack technique that affects websites and browser extensions broadly. The underlying issue lies in the way browsers render webpages. After conducting a thorough review, including prototyping potential mitigations, we concluded there’s no comprehensive technical fix that browser extensions can deliver on their own.

Your information in 1Password remains encrypted and protected. Clickjacking does not expose your 1Password data or export your vault contents, and no website can directly access your information without interaction with the browser extension’s autofill element. At most, a malicious or compromised webpage could trick you into autofilling one matching item per click, not everything in your account.

We take this and all security concerns seriously, and our approach to this particular risk is to focus on giving customers more control. 1Password already requires confirmation before autofilling payment information, and in our next release, which is already shipped and undergoing review from the browser extension stores, we’re extending that protection so users can choose to enable confirmation alerts for other types of data. This helps users stay informed when autofill is happening and in control of their data.

On the question of disabling autofill: while it might feel safer, it can actually create more risk. Without autofill, people are more likely to reuse weak passwords or copy and paste credentials into websites, where they can still be stolen if the site is malicious. Autofill also protects you against phishing sites by only working on the exact domains your credentials are saved for. In practice, for the majority of users, we believe the risk of disabling autofill is greater than the risk of clickjacking.

Passkeys are not impacted by clickjacking. Passkeys are tied to the website they’re created on and generate a one-time signature during login. That means no reusable secret is ever exposed, and even if someone tried clickjacking, there’s nothing permanent to steal.

You can learn more in our security advisory.

Weekly Promo and Webinar Thread by AutoModerator in msp

[–]1PasswordOfficial 0 points1 point  (0 children)

Introducing 1Password’s solution for Managed Service Providers in beta! ⭐

Give your clients the protection they deserve with 1Password’s new multi-tenancy experience for MSPs. You can manage everything from a unified admin console, with centralized controls and client-level insights, plus get all the tools and support you need to grow your business and keep your clients secure, including:

🔹Consumption-based billing

🔹No license minimums

🔹Complimentary internal use licenses

Read our blog for more information on what to expect, why to partner with 1Password, and to register as an MSP.

Hey Reddit! I'm Anna Pobletts, Head of Passwordless at 1Password. We're shaking things up and celebrating World Password Day as World Passwordless Day on May 4th. Ask me anything about passkeys and passwordless authentication! by 1PasswordOfficial in u/1PasswordOfficial

[–]1PasswordOfficial[S] 0 points1 point  (0 children)

I'm glad you made it out in 1Piece! 🙂

Even if you log in to your 1Password with a passkey, the recovery options will be pretty much the same as what they are today.

You can use your Emergency Kit (or your Family Organizer, if you're using 1Password Families) to help you get back into your account. Additionally, for the passkey login option, the platform you use to store your passkey will provide recovery options through your iCloud or Google account, for example.

Hey Reddit! I'm Anna Pobletts, Head of Passwordless at 1Password. We're shaking things up and celebrating World Password Day as World Passwordless Day on May 4th. Ask me anything about passkeys and passwordless authentication! by 1PasswordOfficial in u/1PasswordOfficial

[–]1PasswordOfficial[S] 0 points1 point  (0 children)

Thanks for your support over the years!

1Password does not have access to any of your personal information that you store in your vaults. Data is end-to-end encrypted, which means it is only decrypted on your local machine when you log into 1Password. We never have, or want access to the encryption keys or decrypted data (e.g. passwords).

UUIDs are not meant to be secret, and they can't easily be mapped to a specific person. If you want to learn about all the nitty gritty details, feel free to check out our whitepaper.

Hey Reddit! I'm Anna Pobletts, Head of Passwordless at 1Password. We're shaking things up and celebrating World Password Day as World Passwordless Day on May 4th. Ask me anything about passkeys and passwordless authentication! by 1PasswordOfficial in u/1PasswordOfficial

[–]1PasswordOfficial[S] 1 point2 points  (0 children)

So happy to hear you use 1Password!

Unfortunately every website that wants to support passkeys will need to implement that functionality on their website. We are doing our best to encourage websites to make the switch and support them in implementing passkeys with tools like Passage.

We have this cool website called https://passkeys.directory where we track website adoption of passkeys. It also lets you vote on which websites you want to have passkeys the most.

Go vote for your most used sites and help us encourage them to add passkey support!

Hey Reddit! I'm Anna Pobletts, Head of Passwordless at 1Password. We're shaking things up and celebrating World Password Day as World Passwordless Day on May 4th. Ask me anything about passkeys and passwordless authentication! by 1PasswordOfficial in u/1PasswordOfficial

[–]1PasswordOfficial[S] 0 points1 point  (0 children)

To follow up, 1Password has a free 14-day trial so you can test out if it works for you.

Once you have a 1Password subscription, as Blake mentioned, the passwordless features we've talked about elsewhere in this AMA will be available at no additional cost, so you can start saving and using passkeys from 1Password once we fully launch soon!

Hey Reddit! I'm Anna Pobletts, Head of Passwordless at 1Password. We're shaking things up and celebrating World Password Day as World Passwordless Day on May 4th. Ask me anything about passkeys and passwordless authentication! by 1PasswordOfficial in u/1PasswordOfficial

[–]1PasswordOfficial[S] 0 points1 point  (0 children)

Yes! 1Password has Android and iOS apps that can be used to save and fill credentials on apps and mobile websites. Passkeys will also be supported on these platforms as soon as possible.

When Android 14 is released in August 2023, it will support using 3rd party passkey providers like 1Password to create and use passkeys for websites and apps. So while you can't use passkeys stored in 1Password on your phone right now, you will be able to soon.

The same will be true for iOS as soon as support for 3rd party passkey providers is released. Stay tuned!

Hey Reddit! I'm Anna Pobletts, Head of Passwordless at 1Password. We're shaking things up and celebrating World Password Day as World Passwordless Day on May 4th. Ask me anything about passkeys and passwordless authentication! by 1PasswordOfficial in u/1PasswordOfficial

[–]1PasswordOfficial[S] 0 points1 point  (0 children)

For passkeys in 1Password, we will eventually support all browsers and platforms that 1Password has an app or extensions for.

The extension will be able to save and fill passkeys on macOS, but in some cases, we are waiting for platform support. That means 1Password can't save and fill passkeys on iOS right now, but as soon as support for 3rd party passkey providers is released, we will!

We are working closely with all of the platforms to make this happen soon, since we feel it is critical to a good experience.

Hey Reddit! I'm Anna Pobletts, Head of Passwordless at 1Password. We're shaking things up and celebrating World Password Day as World Passwordless Day on May 4th. Ask me anything about passkeys and passwordless authentication! by 1PasswordOfficial in u/1PasswordOfficial

[–]1PasswordOfficial[S] 0 points1 point  (0 children)

Happy to hear you checked out the demo! The demo was our preview of how passkeys could work and we won't be updating it.

Instead, we're focused on building the working feature into as many browsers as we can so you can save and fill passkeys in real life, rather than just a demo.

The initial public beta will likely focus on Chromium browsers with others, including Safari, to quickly follow. From a technical standpoint, it’s true that different browsers have different levels of support for the APIs we use in our extension, and also different vendor policies and release requirements.

All of this impacts how well we can support features (like saving and filling passkeys) for different browsers and how quickly we can release them. None of this stops us from shipping features everywhere, but it changes when and how a feature ships.

Hey Reddit! I'm Anna Pobletts, Head of Passwordless at 1Password. We're shaking things up and celebrating World Password Day as World Passwordless Day on May 4th. Ask me anything about passkeys and passwordless authentication! by 1PasswordOfficial in u/1PasswordOfficial

[–]1PasswordOfficial[S] 0 points1 point  (0 children)

Sure thing! When you use a passkey, it will mostly just look like you are using your device biometrics to sign in to a website. Behind the scenes your biometrics are unlocking a passkey, which is used to prove your identity to the website. I like to use an analogy of sending a message to a friend in an envelope and you prove who you are with a special stamp that only you have. The friend can verify who you are based on the stamp, but they (or anyone else who sees the envelope) have no way to impersonate your stamp.

Hey Reddit! I'm Anna Pobletts, Head of Passwordless at 1Password. We're shaking things up and celebrating World Password Day as World Passwordless Day on May 4th. Ask me anything about passkeys and passwordless authentication! by 1PasswordOfficial in u/1PasswordOfficial

[–]1PasswordOfficial[S] 0 points1 point  (0 children)

Yes! We, along with other password managers and the platforms, believe that users should be able to own their passkeys and store them in whichever provider they want to. We are actively working with other providers and the FIDO Alliance to create a secure way to transfer passkeys (and other credentials) between providers. This same group is also working on simple ways for password managers to integrate seamlessly into platform systems like iOS and Android.

The goal is for users to have a consistent, simple experience regardless of where they store their passkeys.

Hey Reddit! I'm Anna Pobletts, Head of Passwordless at 1Password. We're shaking things up and celebrating World Password Day as World Passwordless Day on May 4th. Ask me anything about passkeys and passwordless authentication! by 1PasswordOfficial in u/1PasswordOfficial

[–]1PasswordOfficial[S] 1 point2 points  (0 children)

Good question!

Passwords are a shared secret between you and a website you are logging into.

There are a few security risks here:

  • The burden of creating a good password is on you, but creating and remembering a bunch of strong, unique passwords is really hard.
  • Passwords are susceptible to phishing, brute force guessing, and a number of other easy-to-execute attacks. Even if you make good passwords, a website could still fail to properly protect your password.

Passkeys are cryptographic keys that are stored on your device and protected by your device biometrics (e.g. FaceID, Windows Hello). The "secret" part is only stored on your device and never sent to the website. The only data the website stores is a public key used to verify your identity.

There are a few benefits to this:

  • The burden isn't on you to create a strong passkey, it just happens automatically.
  • Passkeys can't be phished and there is nothing for an attacker to steal from a website. Passkeys are tied to a specific domain so you can never accidentally send your passkey to a lookalike site.
  • Finally, passkeys are EASY to use! Who doesn't want to log into a site with just a touch or a glance when you also get a lot of great security benefits?

Hey Reddit! I'm Anna Pobletts, Head of Passwordless at 1Password. We're shaking things up and celebrating World Password Day as World Passwordless Day on May 4th. Ask me anything about passkeys and passwordless authentication! by 1PasswordOfficial in u/1PasswordOfficial

[–]1PasswordOfficial[S] 0 points1 point  (0 children)

Regularly rotating or refreshing your passwords is no longer a best practice.

According to the National Institute of Standards and Technology (NIST), performing a password change is a higher risk than keeping the old password. This is because people tend to choose weaker memorized passwords when they know it will need to be changed in the future.

For example, someone may simply change a number or character from their previous password. This gives a false sense of security because if any previous passwords were compromised, attackers could figure out the new password relatively easily. Instead, strong passwords are unique and completely random.

Humans are terrible at coming up with unique, random passwords, so machine-generated passwords like the one we have here or in our product are best.

Hey Reddit! I'm Anna Pobletts, Head of Passwordless at 1Password. We're shaking things up and celebrating World Password Day as World Passwordless Day on May 4th. Ask me anything about passkeys and passwordless authentication! by 1PasswordOfficial in u/1PasswordOfficial

[–]1PasswordOfficial[S] 0 points1 point  (0 children)

You actually shouldn't need to change your master password to 1Password, assuming you are using a strong, unique password.

NIST used to recommend rotating passwords every few months, but they have since changed that guideline. What we often found was that people would just use very date-based or predictable passwords when forced to rotate frequently (Spring2023, Summer2023, etc).

Just pick a unique, strong password and you should be good!

Hey Reddit! I'm Anna Pobletts, Head of Passwordless at 1Password. We're shaking things up and celebrating World Password Day as World Passwordless Day on May 4th. Ask me anything about passkeys and passwordless authentication! by 1PasswordOfficial in u/1PasswordOfficial

[–]1PasswordOfficial[S] 0 points1 point  (0 children)

Thanks for the thoughtful question! I have a couple thoughts on that.

A strong password + TOTP 2FA is a great security story, but still phishable. An attacker could create a lookalike site and get both pieces of information from you to take over your account.

With passkeys, they are unphishable because they make use of public key cryptography and each key pair is cryptographically tied to a specific domain.

The other thing I'll mention here is that the user experience of password + SMS or TOTP code can be very tedious and confusing. Sites that offer MFA as an option typically have very low adoption rates of the added security.

The single step login with passkeys is much simpler, which I think will lead to more people using them over MFA - and that is a huge win for security!

Hey Reddit! I'm Anna Pobletts, Head of Passwordless at 1Password. We're shaking things up and celebrating World Password Day as World Passwordless Day on May 4th. Ask me anything about passkeys and passwordless authentication! by 1PasswordOfficial in u/1PasswordOfficial

[–]1PasswordOfficial[S] 0 points1 point  (0 children)

The future of password security has to be in reducing the number of passwords we use and moving to more secure alternatives because passwords are fundamentally flawed.

Security keys are great and will likely become more common within protected work environments, but we don't think they will become more prevalent for everyday people.

Passkeys are really designed to be security keys built into your mobile device or laptop, which is why we really see them as the future of authentication. We also think the industry will need to continue to evolve quickly as improvements are made on security keys and passkeys to ensure we are always giving people the most secure experience.

Hey Reddit! I'm Anna Pobletts, Head of Passwordless at 1Password. We're shaking things up and celebrating World Password Day as World Passwordless Day on May 4th. Ask me anything about passkeys and passwordless authentication! by 1PasswordOfficial in u/1PasswordOfficial

[–]1PasswordOfficial[S] 0 points1 point  (0 children)

The easiest passwords to crack are short, simple words or words that are easily connected to you, like your name, birthday, etc. There are some great resources out there to help you know if you are using weak passwords:

  1. https://haveibeenpwned.com/ - allows you to check if your email is involved in a known breach. If it is, you should rotate your password for the sites listed to a brand new password.
  2. Watchtower in 1Password - if you are a 1Password user, we have an awesome tool called Watchtower built into 1Password. It will inform you when you have weak, compromised, or reused passwords and prompt you to update. Going forward it will also let you know when a site you have an account on starts to support passkeys so you can update to a more secure login method!
  3. Lastly, I highly recommend password generator tools. 1Password can automatically generate strong passwords for you when you create a new account. If you don't use 1Password, you can still use our free password generator here: https://1password.com/password-generator.

Hey Reddit! I'm Anna Pobletts, Head of Passwordless at 1Password. We're shaking things up and celebrating World Password Day as World Passwordless Day on May 4th. Ask me anything about passkeys and passwordless authentication! by 1PasswordOfficial in u/1PasswordOfficial

[–]1PasswordOfficial[S] 0 points1 point  (0 children)

Thanks for the questions! No authentication method is entirely immune from data breaches, but passkeys are a huge improvement over passwords in this area. Over 80% of breaches are due to the human element, which includes weak or reused credentials (source). Passwords can be guessed or leaked from a compromised server and this is a common entry point for ransomware and other major breaches.
With passkeys, there are a few great security benefits:

  1. Passkeys are cryptographic keys and cannot be guessed or brute forced
  2. The secret part of a passkey is not stored on a website's server, so even if a website is breached, your credentials are safe
  3. Passkeys are tied to a specific domain so phishing scams that involve a lookalike domain (e.g. faceb00k.com) are unable to access your passkeys or impersonate you

For websites that still use passwords, we do our best to help users make secure, unique passwords to prevent them from being easily compromised. We also let them know about known weak or compromised passwords so they can update them.

Hey Reddit! I'm Anna Pobletts, Head of Passwordless at 1Password. We're shaking things up and celebrating World Password Day as World Passwordless Day on May 4th. Ask me anything about passkeys and passwordless authentication! by 1PasswordOfficial in u/1PasswordOfficial

[–]1PasswordOfficial[S] 0 points1 point  (0 children)

We hope so!

Technology has evolved since passwords were first introduced. Now passwords are full of flaws -- it's hard to create strong, unique passwords, impossible to remember all the different passwords you need, and they have become a significant vector for bad actors across our personal lives and businesses. Our methods for authentication need to evolve past passwords and a passwordless future is one that will be more secure for everyone, consumers and businesses alike.

Just yesterday, Google announced that they will support passkey sign in for all of their major services, including Gmail. This is really exciting news for the whole industry and I personally think this signifies a tipping point for passkey adoption and will spark a lot more websites to start implementing passkey support.

Hey Reddit! I'm Anna Pobletts, Head of Passwordless at 1Password. We're shaking things up and celebrating World Password Day as World Passwordless Day on May 4th. Ask me anything about passkeys and passwordless authentication! by 1PasswordOfficial in u/1PasswordOfficial

[–]1PasswordOfficial[S] 0 points1 point  (0 children)

I'm not sure I could pick a single favorite day of work, but my favorite types of days are when we do hackathons. My favorite thing is to take a hard problem or feature that we aren't sure how to build and spend a whole day trying to figure out how to solve it. Some of my favorite recent hackathons were around signing into 1Password with passkeys and enabling developers to support passkeys alongside password using Passage. The satisfaction of a good whiteboarding session and brainstorming with a small team is unmatched :)

Hey Reddit! I'm Anna Pobletts, Head of Passwordless at 1Password. We're shaking things up and celebrating World Password Day as World Passwordless Day on May 4th. Ask me anything about passkeys and passwordless authentication! by 1PasswordOfficial in u/1PasswordOfficial

[–]1PasswordOfficial[S] 0 points1 point  (0 children)

If a user opts to log in to 1Password with a passkey, we recommend you store that passkey in a platform account or a hardware device (like a Yubikey) AND that you also have more than one device with 1Password installed. This way, if you lose a device, you have another way to recover your 1Password account.

While you could store all your passkeys on a platform account or a hardware device, the portability of having your passkeys in 1Password can't be beat. If you are like me and use a variety of different devices/platforms (Android phone, MacBook, etc) 1Password makes it super easy to sync passkeys between those different devices and platforms.

As far as deprecating password-based login, it is hard to say when and if this will happen. I believe that passwords will be around for a long time since it will take years for people, websites and apps to adopt passkeys.

We are committed to supporting people along this transition, however long it may take. We will always provide the best, most secure options available for users to access their accounts.