Impact of @1password on my @Evernote and @Lastpass usage

Keeping your information secure is an important factor in our daily lives. For a long while, I kept a lot of my important private information hidden inside Evernote. I was never confident in it; I knew it was not a safe solution, but I took the risk.

As time goes by and more and more of my financial and identity information resides in the cloud, I’ve decided to pull the plug and make it at least a little more secure, while still retaining the benefits of the cloud.

Recently I was lucky enough to get a review copy of 1Password and wanted to honestly compare it with LastPass. My honest opinion is that the battle between the two is a close match on the functionality side, but 1Password is in the lead when it comes to design and user experience. Something more important happened, though: 1Password made an impact on my Evernote usage.

Meet Wallet

Even though LastPass has functionality similar to 1Password’s Wallet, it simply doesn’t have the same detail and time invested into it that 1Password’s Wallet does. And then there is another reason. As with any large database, your LastPass data is compromised to a certain degree. It sits in a centralized location, with a hashed password as its layer of protection. Though I am not a security expert, I can safely assume that your usernames sit in the same cloud database as everyone else’s. It’s a centralized database.

So if I were a hacker, all I would need to do is obtain the database; I would then have all the usernames and could attempt brute-force attacks from there. The same goes for Evernote, which is exactly what happened a couple of months ago.

Let’s take it from another angle now. You have 1Password, and your database lives in Dropbox. I am a hacker attacking a large Dropbox database. Once I breach the database, I brute-force your account, but once I am in, instead of having access to your sensitive information, I run into another layer of protection. To get at your sensitive information I have to break the master password of your encrypted 1Password database.

In my mind, this gives me peace of mind that it will be really hard for anyone to hijack my sensitive information. That is why I started storing my credit cards, passports, ID copies and other sensitive information in Wallet instead of LastPass and Evernote.
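To make the "another layer of protection" argument concrete, here is an added illustration (written for this page, not code from 1Password, LastPass or the post’s author) of a vault file that is encrypted on the client before it is synced. It shows what a party holding only the synced copy can read, that every master-password guess costs a full key-derivation run, and that a wrong guess or a tampered file is rejected outright rather than decrypting to garbage. Everything here is an assumption for the demo: PBKDF2-HMAC-SHA256 is used as the slow key-stretching step, HMAC-SHA256 in counter mode stands in for AES because the Python standard library has no block cipher, and the sample vault contents are constructed.

```python
"""Client-side encrypted vault: what a breached storage provider actually holds.

Added illustration, not 1Password's or LastPass's real file format. HMAC-SHA256
in counter mode stands in for AES (the stdlib has no AES); PBKDF2-HMAC-SHA256 is
the slow key derivation that prices each master-password guess.
"""
import hashlib
import hmac
import secrets
import struct
from typing import Optional

KDF_ITERATIONS = 200_000   # deliberately slow: this is the per-guess cost for an attacker
KEY_LEN = 32
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32
HEADER_LEN = 4 + SALT_LEN + NONCE_LEN   # iteration count || salt || nonce


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a vault key; cost scales with `iterations`."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def _subkeys(key: bytes) -> tuple:
    """Separate keys for confidentiality and integrity, both derived from the vault key."""
    enc_key = hmac.new(key, b"vault-enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"vault-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 run in counter mode; a stand-in for AES-CTR, not a production cipher."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt_vault(master_password: str, plaintext: bytes,
                  iterations: int = KDF_ITERATIONS) -> bytes:
    """Produce the blob that gets synced to the cloud: header || ciphertext || tag."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = _subkeys(derive_key(master_password, salt, iterations))
    header = struct.pack(">I", iterations) + salt + nonce
    ciphertext = bytes(p ^ k for p, k in
                       zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    # Encrypt-then-MAC over header and ciphertext so the iteration count cannot be lowered.
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def decrypt_vault(master_password: str, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the password is wrong or the blob was altered."""
    if len(blob) < HEADER_LEN + TAG_LEN:
        return None
    header, ciphertext, tag = blob[:HEADER_LEN], blob[HEADER_LEN:-TAG_LEN], blob[-TAG_LEN:]
    (iterations,) = struct.unpack(">I", header[:4])
    salt = header[4:4 + SALT_LEN]
    nonce = header[4 + SALT_LEN:]
    enc_key, mac_key = _subkeys(derive_key(master_password, salt, iterations))
    expected = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # reject before decrypting: no partial plaintext, only a yes/no answer
    return bytes(c ^ k for c, k in
                 zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def what_storage_holds(blob: bytes) -> dict:
    """Everything a party with only the synced file can read; none of it is plaintext."""
    (iterations,) = struct.unpack(">I", blob[:4])
    return {
        "kdf_iterations": iterations,
        "salt_hex": blob[4:4 + SALT_LEN].hex(),
        "nonce_hex": blob[4 + SALT_LEN:HEADER_LEN].hex(),
        "ciphertext_bytes": len(blob) - HEADER_LEN - TAG_LEN,
    }


if __name__ == "__main__":
    # Constructed sample contents; the card number is the usual test value, the passport a placeholder.
    secret_notes = b"card 4111 1111 1111 1111 exp 01/30\npassport <placeholder>"
    synced = encrypt_vault("correct horse battery staple", secret_notes)
    print("cloud copy exposes:", what_storage_holds(synced))
    print("wrong master password ->", decrypt_vault("password123", synced))
    print("right master password ->",
          decrypt_vault("correct horse battery staple", synced) == secret_notes)
```

The point the post is making shows up in `what_storage_holds`: a breach of the storage provider yields a salt, a nonce and opaque bytes. Each attempt at the master password has to pay the full PBKDF2 cost before the tag can even be checked, which is why a high iteration count and a long master password are what actually stand between a stolen file and its contents.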

So what does it look like now?

Well, now I have another layer of fragmentation of my data, but I believe it was necessary. Perhaps some of my information is scattered across services, but I have the necessary peace of mind in a world where digital information is as important as physical. I don’t have to worry about, or wait for, Evernote introducing two-factor authentication. I can sleep soundly knowing that my data is mathematically impenetrable for the duration of my life.

It also seems I am moving away from LastPass for the majority of my passwords, and slowly but surely making 1Password my only password manager in my main browser. LastPass will certainly keep its place and purpose. I kind of feel bad that I stated LastPass is the more secure password manager, because it seems they are on par. And in the end, I always yearn for a higher-quality user experience.

Comments

  1. Manuel says

    Disclaimer: I’m not affiliated with LastPass and I currently use a setup similar to the one you describe.

    I’ve studied the architecture of LastPass and I think there is a misunderstanding here: the LastPass password database is encrypted client-side, and LastPass goes to great lengths to NOT be able to open and read your password store. So basically you get the same level of protection: an encrypted password store kept in the cloud, with the difference that LastPass is actually a cloud service and storage specialized in managing sensitive data with end-to-end encryption.

    • says

      That was my opinion, and I am in no way a security expert. This way I am also fragmenting my data, so I feel more secure than if I were holding all the eggs in the same basket.

      • Manuel says

        OK, I see where you come from. Let’s just say that I use a similar solution for different reasons.

    • says

      I personally use LastPass, but more because I’ve got so many passwords there that I don’t want to move them.

      One thing I think you’ve not mentioned yet is formatting. Security-strength-wise they may be about the same. The issue with LastPass is that everything is stored in a database for passwords: url, username, password in neat little rows. If someone hacks LastPass and gets the database they can easily script brute-forcing each user and getting all their passwords, account by account.

      With Dropbox, sure, you are in the cloud. But the odds of someone getting your passwords are much lower because it’s so much harder to script. Hack Dropbox -> maybe the account has passwords -> who knows where the file is -> find said file and attempt to hack it (or not; what, maybe .1% of Dropbox users use 1Pass?). That process doesn’t scale beyond a handful of users, and Dropbox would notice if someone tried downloading all their data and block them way too fast to make a dent.

      • Manuel says

        Well, there are several factors to consider. The solution described in the blog post is certainly acceptable, especially if you use a service like Dropbox but with client-side encryption (for example SpiderOak or Wuala).

        But on the other hand that solution is less convenient (no nearly ubiquitous access). I have a similar setup and I can use the cloud service mobile app to download the password file and then open it with a native mobile client, but this is more cumbersome than LastPass.

        Another advantage of LastPass is that you don’t have sync problems. Several times now I have had to modify the password database from different PCs not connected to the internet. Then when I finally managed to sync them a conflict arose, and since the password file is encrypted there is no facility to merge the conflicting versions. In the end I had to remember what I had modified and merge the updates manually. Several times. Since LastPass is built specifically to store passwords and engineered from the ground up, security-wise, for this purpose, it has a nice synergy between cloud storage and clients that gives you advantages over other solutions.

        All the eggs may be in one basket, but on the other hand the LastPass team thought about this problem and also decoupled passwords from users’ identities. This way, if I want your passwords and assuming an average amount of luck, I have to download and brute-force _half_ of the LastPass database. And consider that this platform was built and is managed by security experts.

        My concerns about it are different: the clients are closed-source (even if audited by third parties) and in theory at any time some angry LastPass employee could push an update to the clients that sends the passwords, unencrypted and tied to a specific identity, to some external service. But these concerns are just as valid for 1Password.

        In the end however, as always, it’s a matter of the amount of _trust_ that you are willing to give to someone or something. Overall, I currently consider the LastPass system a sufficiently secure one.

        Disclaimer: in the end I’m playing the devil’s advocate 🙂 In fact, I currently use the same solution that you describe: a password database stored in a general cloud storage service with client-side encryption.