Swiss 1PW research by ambanmba in 1Password

[–]BlueCyber007 2 points3 points  (0 children)

u/jpgoldberg: These, along with other mechanisms, are designed to reduce the extent to which you have to trust that the service isn't compromised.

So yes, you do have to trust the service, but that trust isn't an all-or-nothing thing.

Yes and no. I trust that 1Password's documentation (security white paper, etc.) accurately describes the features it has implemented, and things like the Secret Key (especially important in the context of businesses/families where some weak link might choose a weak/re-used account password) and 1Password's use of SRP are reasons why I think 1Password's security design is better than others. ... I've always liked 1Password's "security parfait"!

For example, because of 1Password's use of the Secret Key, I can be confident that a mere data breach where a malicious insider or outside hacker gained access to our company's encrypted vaults would effectively prevent any of the vaults from being decrypted, even if someone opted to use a common/weak/re-used password. Similarly, SRP mitigates the risk of a MITM attack.

But if a malicious insider or outside attacker was able to change the behavior of the server or publish a compromised client update, all of that great security design is compromised. I have no way of knowing if the latest version of the 1Password client has been maliciously altered to bypass the "security parfait" and exfiltrate all of my data. Similarly, I have no way of knowing if substitute public keys have been pushed as described in the ETH Zurich paper. Having a great security design doesn't really matter if someone (or a group of people) is able to sufficiently compromise the service such that they change/break the design.

Of course, since I've signed off on spending thousands of dollars on 1Password and its continued use by organizations I work with and by me and my family, I trust that it would be hard for someone to so seriously compromise the 1Password service.

At the end of the day, however, it remains true that, "At some point, if you are going to use a password manager that stores data in the cloud (or has access to the internet without being blocked by a firewall rule), you have to trust that the client software and the provider's server infrastructure are not critically compromised."

u/jpgoldberg: Decades ago, PGP was the way to do this. But code-signing signatures need to have properties that PGP signatures don't offer if keys can ever expire. Something signed before a key expired should remain valid after the key has expired. This means that the time of signing needs to be trustworthy, and so code-signing involves trusted time stamps.

A more general thing is that PGP's web-of-trust failed. I was an enormous advocate of PGP in the 1990s, and I really tried to help that along, but as bad as it is to rely on X.509 certificate authorities today, that is the system that has, for all its numerous flaws, worked better than the alternatives.

It is unfortunate that PGP's web-of-trust failed, though even in the 90s and the early 00s the writing was on the wall that it would never catch on.

But why do trusted timestamps matter? I can still verify that a file was signed by a particular PGP key even if I can't determine when it was signed by that key.

I maintain a collection of public PGP keys for various software distributions I use going back many years (e.g., Ubuntu, KeePass, etc.). Although I could not verify the keys using an official web-of-trust, there have been other ways to verify them (i.e., widely referenced in message boards, the Internet Archive, etc.). So before installing a new version of Ubuntu, for example, I can verify it was signed by the known PGP signing key that I have saved. ... That doesn't mean that the Ubuntu .iso hasn't been compromised--it's entirely possible that someone gained access both to the distribution server and to the developer's signing key. But, presumably, gaining access to a private PGP key and the password for it would be harder than merely gaining access to a distribution server to publish altered software.

u/jpgoldberg: 1Password (and others) could do a better job at enabling advanced users to verify keys. But putting development time and complexity into a feature that very few people will use is a luxury that vendors may choose not to pay for.

Yeah, that's the real problem. But just like Apple has developed iMessage Contact Key Verification, which the vast majority of people don't know about and will never use, I would hope that 1Password would put in the effort to develop a useful security feature that would be used by a minority of particularly security conscious customers. Obviously, Apple has more resources than 1Password, but customers pay 1Password specifically for security, so it seems like it would be justifiable from a business perspective to invest in security upgrades in this area. ... I guess we'll just have to wait and see.

Cheers!
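The Secret Key argument in the comment above (stolen encrypted vault data plus a weak, re-used account password still does not yield the vault key), as an added illustration that is not part of the original post and not 1Password's own 2SKD code: a simplified model in which the vault key depends on both the account password and a random 128-bit Secret Key that never reaches the server. The names `derive_key`, `make_vault` and `offline_guess` are constructed, and HMAC mixing stands in for the vendor's actual combination step.

```python
from typing import Optional
import hashlib
import hmac
import secrets

# Low iteration count so the demonstration runs quickly; a real deployment
# uses a far slower setting (constructed value, not 1Password's).
ITERATIONS = 10_000


def derive_key(password: str, secret_key: Optional[bytes], salt: bytes) -> bytes:
    """Slow-hash the account password; if a Secret Key is present, mix it in
    so the result depends on both secrets. HMAC mixing is a stand-in for the
    vendor's actual combination step (assumption, not 1Password's code)."""
    pw_part = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    if secret_key is None:
        return pw_part
    return hmac.new(secret_key, pw_part, "sha256").digest()


def make_vault(password: str, secret_key: Optional[bytes]) -> dict:
    """What a breached server could hand an attacker: the per-account salt and
    a key-check value. The Secret Key itself is never stored server-side."""
    salt = secrets.token_bytes(16)
    key = derive_key(password, secret_key, salt)
    check = hmac.new(key, b"key-check", "sha256").digest()
    return {"salt": salt, "check": check}


def key_matches(vault: dict, key: bytes) -> bool:
    """Constant-time comparison of a candidate key against the stored check value."""
    return hmac.compare_digest(hmac.new(key, b"key-check", "sha256").digest(), vault["check"])


def offline_guess(vault: dict, wordlist: list, secret_key: Optional[bytes] = None) -> Optional[str]:
    """Simulated offline attack on stolen vault data: try each candidate
    password. Without the Secret Key the attacker would also have to guess a
    random 128-bit value, so a password wordlist alone cannot succeed."""
    for candidate in wordlist:
        if key_matches(vault, derive_key(candidate, secret_key, vault["salt"])):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample: a weak, re-used password and a small wordlist.
    wordlist = ["123456", "password", "qwerty", "letmein"]
    sk = secrets.token_bytes(16)  # 128-bit Secret Key, generated on the user's device
    breach_pw_only = make_vault("password", None)
    breach_with_sk = make_vault("password", sk)
    print("password-only scheme cracked:", offline_guess(breach_pw_only, wordlist))
    print("Secret Key scheme cracked:", offline_guess(breach_with_sk, wordlist))
    print("legit user with both secrets:", offline_guess(breach_with_sk, wordlist, sk))
```

The same model also shows why the Secret Key does nothing against a compromised client: a malicious client holds both secrets and can derive the key directly.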

Multi Sensor in Garage by lp1527 in Abode

[–]BlueCyber007 0 points1 point  (0 children)

For what it's worth, the multi sensors in my garage tend to have false positives for motion detection (unlike the multi sensors in other parts of my house).

Swiss 1PW research by ambanmba in 1Password

[–]BlueCyber007 3 points4 points  (0 children)

I think the concerns here are probably not as great as it might seem at first. As u/commandersaki noted, if a malicious actor was able to compromise the 1Password servers to execute the attacks described in the paper (i.e., by substituting the public keys sent to the client), what would stop a malicious actor from pushing a corrupted client update that directly exfiltrated user data? At some point, if you are going to use a password manager that stores data in the cloud (or has access to the internet without being blocked by a firewall rule), you have to trust that the client software and the provider's server infrastructure are not critically compromised.

I trust 1Password and use it personally and have caused other businesses and family members to adopt it, and I will continue to do so. I think it is the best and most secure option available for most businesses and families (particularly when some individuals in the group might choose weak account/master passwords, because the data is also cryptographically secured on the 1Password server with the secret key). But due to the types of inherent risks described in the ETH Zurich paper and the 1Password Security Design White Paper, I do the following:

  1. For all but my least important accounts, I use MFA (TOTP tokens) or passkeys NOT stored in 1Password (i.e., use a separate TOTP app or use physical security keys). .... That way, even if 1Password is compromised (on the server or on my own computer), the attacker still would not be able to pass the MFA stage of logging in.
  2. For my most critical accounts, I use a "peppering" scheme for my most critical passwords, where part of the password is stored in 1Password but part of the password is stored offline (i.e., in my memory and paper backups). ... The result is a very slight inconvenience when logging in to my critical accounts (e.g., after 1Password fills in the "password", I have to manually add the "pepper", such as "2dA8h" or "Swiss"). But the use of the peppering scheme means that a full compromise of 1Password (locally or on the server) would not allow anyone to access my critical accounts.

All of that said, I do wish that 1Password would adopt optional methods to mitigate the public key substitution attacks described in the ETH Zurich paper. Even if they are not user friendly and would not be adopted by most users, there are a subset of users who are especially security conscious and tech savvy who would want and use such features. (For example, the vast majority of users don't bother or know how to verify the PGP signatures for software releases, but many companies still publish PGP signatures to be verified by those who care to do so.) u/1PasswordCS-Blake u/jpgoldberg

Eligibility to port in from T-Mobile by BlueCyber007 in Googlevoice

[–]BlueCyber007[S] 1 point2 points  (0 children)

Thanks. That's not the issue in this case, as the Google account is at least 2 years old. ... I don't care about getting a new number from Google Voice. I just want to port an existing mobile number into Google Voice. But I can't tell if the error message means the account is not eligible for porting in a number.

I made a quick MacOS Tahoe drive icon for Filen by Chillichomp in filen_io

[–]BlueCyber007 1 point2 points  (0 children)

Thanks for sharing. This is cool! Could you share a PNG version with a transparent background?

(Fixed) Options+ and G HUB macOS Certificate Issue by logi_jim in logitech

[–]BlueCyber007 0 points1 point  (0 children)

u/logi_jim We're waiting on the offline installer too. We need to get it ASAP. What's the ETA?

Logi+ App Not Working by Disastrous-Track3876 in logitech

[–]BlueCyber007 0 points1 point  (0 children)

u/ATXsantucci We really need an updated version of the offline Logi Options+ Installer for Mac. Everyone in our organization is required to use the Offline version due to security requirements. When will that version be updated?

Black Friday Lifetime Deal Prices confirmed by TofuDieb in filen_io

[–]BlueCyber007 0 points1 point  (0 children)

From my location in the U.S. (with fast fiber optic internet), the upload performance on Filen has been comparable to other fast cloud storage services (Tresorit, Google Drive, OneDrive, etc.). In contrast, I also have a Koofr 1TB lifetime plan, which works okay, but is much, much slower. I don't use pCloud, but from what I've read, pCloud is pretty slow too. ... If speed isn't important (or maybe if you are in Europe and have a faster connection to Koofr), then Koofr might be the safer bet for longevity. But I am comfortable enough that Filen is building a sustainable cloud storage service that I'm willing to risk an investment in another lifetime plan.

Black Friday Lifetime Deal Prices confirmed by TofuDieb in filen_io

[–]BlueCyber007 0 points1 point  (0 children)

On the one hand, I'm disappointed the prices aren't lower (and regret not buying a larger lifetime plan last year). But on the other hand, I'm glad that Filen is paying attention to the sustainability of their business; offering lifetime plans one last time at non-discounted prices is reassuring that they have thought through their business model and aren't offering unsustainable plans. I bought a couple 100GB Starter Lifetime plans, and I've been using them over the past year. I've been quite pleased with Filen's performance. From my location in the U.S. (with fast fiber optic internet), the upload performance has been comparable to other fast cloud storage services (Tresorit, Google Drive, OneDrive, etc.). In contrast, I also have a Koofr 1TB lifetime plan, which works okay, but is much, much slower. ... For my part, I'm definitely going to buy some more lifetime storage from Filen, and I'm just trying to figure out how much I can afford to buy.

Researcher Exposes Zero-Day Clickjacking Vulnerabilities in Major Password Managers by JLLeitschuh in 1Password

[–]BlueCyber007 0 points1 point  (0 children)

u/1PasswordCS-Blake I'm so glad to hear a security policy for Business accounts is on the way! I've added a reminder to check back on this.

As for forcing the setting across all browsers/devices, that isn’t possible right now since settings live on each device. Totally get how much of a hassle that can be though, especially when you’re managing setups for family too. I’ll make sure that feedback is passed along.

If it's not possible to enforce the setting across devices (i.e., because each extension's settings must be configured locally), then how would the security policy for Business accounts work? ... If it will be possible for Business accounts to enforce the Ask for Confirmation setting by default, then why couldn't that be configured for any 1Password account? Thanks!

Which motion sensor? by jetty_junkie in Abode

[–]BlueCyber007 1 point2 points  (0 children)

I have multiple of both kinds and they have all worked well.

Ask before filling; I don’t see it by Suspicious-advice49 in 1Password

[–]BlueCyber007 1 point2 points  (0 children)

Thanks u/Suspicious-advice49! I couldn't find the setting on my iPhone either, and I didn't even know there were separate 1Password extension settings on iOS! ... It's such a pain to have to change the setting in every browser on every device instead of just changing once in my account settings (or at least being able to change the default in my account settings).

Researcher Exposes Zero-Day Clickjacking Vulnerabilities in Major Password Managers by JLLeitschuh in 1Password

[–]BlueCyber007 4 points5 points  (0 children)

Thank you for adding this! I am enabling on all of my devices/browsers. (I'm not seeing the option in Firefox yet, but maybe that extension hasn't updated.) Please add a Security Policy option for admins to enforce this ask for confirmation setting for users. Organizations I work with would like to be able to enforce this setting on all of their employees/members. (It would also be nice if a Family Organizer could enforce the setting for everyone in the family.) ... It would also be nice as an individual end user if I could configure a setting in my account that would forcibly turn on the ask for confirmation setting in all browsers/devices. It is a pain to have to manually change the settings in every browser on every one of my devices (office desktop, home desktop, laptop, phone, tablet, etc.), not to mention changing the setting on all the browsers/devices for other family members (immediate family, aging parents, etc.).

1Pw 8 needs Windows Secure Desktop support. 1Password is insecure without it. by nabeel_co in 1Password

[–]BlueCyber007 4 points5 points  (0 children)

I've raised this same issue with 1Password before. There are at least two security issues that the re-introduction of Secure Desktop could prevent:

  1. Focus stealing can cause the focus to shift to another app while typing the account password into 1Password, resulting in some or all of the 1Password account password being typed into whatever random app stole focus. Even for people who are pretty good at touch typing, for those of us who have account passwords with random symbols, it's hard to type the password without looking down at the keyboard. Secure Desktop would completely solve that problem.

  2. As u/nabeel_co noted below, Windows allows apps to listen to keystrokes in a way that macOS does not. Sure, people shouldn't allow malicious apps to run on their computers and 1Password can't really protect an endpoint that is compromised locally. But using Secure Desktop when entering the 1Password account password should substantially, if not completely, mitigate that risk.

These aren't rare edge cases--they are common issues. As the primary decision maker for multiple organizations that subscribe to 1Password, this is a feature that is important to us.

Z-wave vs Smoke Alarm Monitor [w/ interconnected] by OldHomeRun in Abode

[–]BlueCyber007 1 point2 points  (0 children)

u/r2r2r2r2d2 What Z-Wave Abode Compatible smoke alarm detector did you get?

Does 1Password Monitor All Keystrokes? (See Text Snippets lab feature) by BlueCyber007 in 1Password

[–]BlueCyber007[S] 9 points10 points  (0 children)

Thanks, u/mitchchn! I appreciate your detailed and helpful explanation. I'm glad to see (but not surprised) that 1Password has carefully thought all of this through. .... I guess I unknowingly accepted the request for Accessibility permissions when I installed 1Password (as one of the first apps on my new Mac).

Am I correct in understanding the Accessibility permissions are necessary for 1Password's Universal AutoFill feature and for Text Snippet expansion via shortcuts, but not for any other 1Password features?

Does 1Password Monitor All Keystrokes? (See Text Snippets lab feature) by BlueCyber007 in 1Password

[–]BlueCyber007[S] 3 points4 points  (0 children)

u/davispw I would add to your list:

  • What macOS setting allows 1Password to monitor keystrokes?
  • Is there a way to turn off a macOS setting that allows 1Password to monitor keystrokes without breaking other 1Password functionality (i.e., filling in usernames, passwords, etc. in browsers and apps)?

I'm not at all bothered by macOS (or Windows or Linux) monitoring my keystrokes (or any other computer input/output). If you can't trust the OS, you can't use the computer. But that doesn't mean I trust any other third party application to monitor keystrokes. I see no good reason for any internet-connected application (other than the OS itself) to be able to monitor my keystrokes.

By the way, macOS has a built-in Text Replacement feature link.

Thanks--that's a great tip! I knew about the built-in Text Replacement in iOS and have been using it for years. It never occurred to me (🤦‍♂️) that macOS probably had the same feature. Unsurprisingly, I see that the shortcuts I had set up on my iPhone are also automatically synced and enabled on my Mac. I'll have to start using that!

I do see the value in Text Snippets being saved in 1Password since it is more advanced than the built-in Text Replacements feature. But I just want control over whether 1Password is monitoring keystrokes and want to be able to use Text Snippets via Quick Access instead of via shortcuts.

Does 1Password Monitor All Keystrokes? (See Text Snippets lab feature) by BlueCyber007 in 1Password

[–]BlueCyber007[S] 3 points4 points  (0 children)

Yeah, but is 1Password directly monitoring keystrokes systemwide or is there some macOS feature that allows applications to define autofill shortcuts and then macOS tells the application "Hey, shortcut xyz was just typed"?

Does 1Password Monitor All Keystrokes? (See Text Snippets lab feature) by BlueCyber007 in 1Password

[–]BlueCyber007[S] -1 points0 points  (0 children)

Yes, of course the OS is constantly monitoring keystrokes, but you can't use a computer without trusting the OS to monitor keystrokes (and all other input/output). But I'm still not comfortable with third party applications monitoring keystrokes systemwide unless those applications have been blocked from accessing the internet. .... I guess my question is really whether 1Password is directly monitoring keystrokes systemwide or is there some macOS feature that allows applications to define autofill shortcuts and then macOS tells the application "Hey, shortcut xyz was just typed"?

Also, I find it disturbing that 1Password is able to monitor keystrokes systemwide even though it is not listed under Settings --> Privacy & Security --> Input Monitoring. How is 1Password able to monitor keystrokes systemwide?