Reply To: I can't log in (android)

#7742

Svante
Spectator

Harvey P,

Thanks for your input, it’s much appreciated.

Just for the record, no, we can’t decrypt the passwords stored in the password manager. We don’t know the password, and it’s encrypted using strong XML Encryption on the server. (Yes, in theory if our code is evil, we could – but that applies regardless of online / offline – including LastPass and 1Password. If their programmers are evil, they can get your information from your system. So you have to trust the code and the programmers. The difference is that our code runs on a locked down, single purpose server. Their code runs in the most hostile and dangerous environment known to man – privately managed PCs.)

As for the “if intercepted by hackers, allow decryption” – well, that’s just why we are strengthening the SSL configuration. And, while I know this view is not shared by all, I still would like to ask you what would you trust more:

– Encryption technology that is all pervasive, publicly reviewed both from specifications and from implementation code, and used by essentially all networked devices on the planet – with known weaknesses mitigated by proper and validated configuration.

or

– Encryption technology that is closed source, proprietary, relatively new, never publicly reviewed, and used by relatively few users.

The former describes SSL/TLS, the latter describes the “zero knowledge” schemes used locally by, for example, LastPass and 1Password.

Both services also use SSL/TLS, for example for signing in to your account via the web. LastPass supports the weak algorithm 3DES on their web site, so a downgrade attack could possibly succeed. 1Password has actually gone one step further than we do, and simply drops backwards compatibility for a lot of clients by only supporting TLS 1.2.

1Password is run on Amazon Web Services – which means that anyone with access to that infrastructure can potentially intercept data or plant code there. As you probably know, there have been several well-documented cases of national agencies gaining access to large providers’ infrastructure. We use physically owned servers located in Sweden.

I’m not saying that LastPass or 1Password are bad or insecure services. They are not. However, it’s not a simple equation to determine what is “more secure”. It really depends on both objective and subjective factors when you evaluate it.