Joined: Mar 05, 2007 Posts: 1058 Location: The green bit between the M40, M4 and M25.
Posted: Fri Nov 22, 2013 9:09 am Post subject:
Paul, where have you been all these years?
You should have a regular spot discussing Internet security and the options available.
Having said that, you probably already have your hands full _________________ Triumph Tbird 1700. And now a Bonnie T100.
Joined: Feb 27, 2006 Posts: 14901 Location: Keynsham
Posted: Fri Nov 22, 2013 8:57 pm Post subject:
OK. I've reached Step 1. I have a good password on my Wi-Fi router - a phrase 48 characters long, garbled by a mis-spelled word, a grammatical error and six uppercase letters. For 1Password, I'd only use it with the misspelling and stick with all lowercase - I think 48 characters should be enough and I think I was rather over-enthusiastic with the other customisations! (And I can never remember which are the uppercase letters - guess what? I of course have it written down on a piece of paper tucked away in a drawer!!)
So, when I want to use 1Password, do I have to type that in every time?
So, having arrived at step 2, do I buy a copy of 1Password for every device? I'm going to abandon the Win laptop and the older MacBook Pro, leaving me with only the desktop iMac, MacBook Pro, iPad and iPhone. Do I buy 4 copies of 1Password, or just one to cover all 4 iOS devices?
When I've done step 2, I'll come back to ask about step 3, which is so far as clear as mud. _________________ Dennis
The fact you've used the password on another device is reason enough to change it completely, especially when the original is a WiFi router... which frequently stores it in plain text.
Don't get too caught up with length; concentrate on entropy (randomness) first. For example, a password of "ihatechoosingpasswords" is longer than "iH8Ch0os1ngP.w0rds" but considerably weaker.
You not only need a mixture of upper & lower case alphanumerics, special chars and numbers, but it must also be long enough (8-12 minimum) to sufficiently slow attempts to break it. Writing it down isn't ideal either.
How often you need to type your 1Password master password depends on your usage. I typically login twice a day... once when I arrive at work and once after lunch. While the machine is active, 1Password keeps you logged in unless you specifically logout (if you leave your desk for example). Logging in to sites throughout the day is simply a case of hitting the CTRL + \ shortcut.
1Password's licenses are on a per user, per platform basis. So if there's only you, and you only use Mac/iOS... you only need to buy 1 license.
Step 3...
1Password will work perfectly well on a single device (single silo). If you work from several devices, the chances are you're going to want to use your 1Password data elsewhere (multi silo). To do so, you can sync your data manually using a USB stick, or automatically using one of the many cloud storage services (Dropbox, Google Drive etc). If you intend to use Dropbox, install that first. During 1Password setup, it'll ask you if you want to use Dropbox to store your data. It takes care of the rest.
When you come to install Dropbox on your other devices, 1Password detects the existence of a 1Password keychain in Dropbox and uses it automatically.
Joined: Apr 04, 2006 Posts: 10118 Location: Bexhill, South Sussex, UK
Posted: Fri Nov 22, 2013 11:51 pm Post subject:
DennisN wrote:
So, when I want to use 1Password, do I have to type that in every time?
Only if you use your ridiculously long password that you have on your router as your master password on your password manager.
I use RoboForm and on that you can choose whether to master-password your passwords. For instance I can log on to PGPSW without entering my master password by the merest click of a button when the logon screen appears, but have to enter my master password when logging on to my bank etc. Once you have logged into RF, it stays logged in for a user-definable time, so you don't have to keep entering the master password.
RoboForm does work on Android devices but not as transparently as on my Windows machines. If you go for RoboForm Anywhere, you can have as many copies of RF as you have devices, and sync them all to your master password repository held on the RF secure server that you need to enter your master password to access. All your passwords are kept and used locally on your device and synced to the master database as and when necessary.
@PaulMoore Any thoughts on the pros and cons of RF v 1Password?
RoboForm isn't bad, but it can't be compared with 1Password (AgileBits should really be paying me to promote them this much!)
1. They actively use the term "military grade encryption" - which makes me cringe. The military spend billions on encryption & enterprise-grade security. The suggestion that a cheap, consumer-grade app affords you similar protection is misleading... not to mention dangerous. The same applies to 1Password too, which is why they do not mention military grade in the marketing literature.
2. Both apps use PBKDF2, a key stretching process which bolsters the security of even short & weak keys. Back in 2000 when PBKDF2 was released, the recommended MINIMUM was 1000 iterations (loops through the process). Moore's law (PCs double their computational power every 2 years) and countless other risks mean that today PBKDF2 needs at least 8,000-10,000 iterations to offer a similar level of protection as 1000 iterations did in the year 2000. 1Password uses 10,000. RoboForm still uses 1000.
3. RoboForm (similar to LastPass in this respect) also claims not to be able to access your data under any circumstances, because they don't store your master password.
Whilst that's true, the authentication process is handled by the same domain where your data resides. That worries me. If they're hacked, or even have a rogue employee, a single snippet of javascript placed on the login page would very easily allow the master password to be intercepted. 1Password wins here too, as you control the storage silos... not a 3rd party. Even if you decide to use Dropbox to store your 1Password keychain, the authentication process is handled offline... massively reducing the risk. Forget comparing 1Password to RoboForm for a moment... encrypted data is at its safest when it's furthest away from the key required to decrypt it. Putting them both in the same location is simply asking for trouble.
4. The "secure" web site isn't as secure as you'd hope. I can't go into specifics, but I wouldn't trust it.
Not exactly a short answer, but it's a difficult topic ;) _________________ 1
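As an added illustration of the PBKDF2 point in item 2 above (example code written for this thread, not taken from the post or from either product): the iteration count is the work factor, so each password guess an attacker makes costs the same number of HMAC rounds the legitimate user pays once. The password and salt below are constructed sample values.

```python
import hashlib
import time

# Constructed sample inputs (not real credentials): a master password and a fixed salt
# so that the derived keys are reproducible.
MASTER_PASSWORD = "correct horse battery staple"
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")


def derive_key(password: str, salt: bytes, iterations: int, length: int = 32) -> bytes:
    """Derive a symmetric key from a master password with PBKDF2-HMAC-SHA256.

    Raising `iterations` from 1,000 to 10,000 makes every derivation, and
    therefore every offline guess, roughly ten times more expensive.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=length)


def time_derivation(iterations: int, runs: int = 5) -> float:
    """Best-of-N wall-clock seconds for one derivation at the given iteration count."""
    best = float("inf")
    for _ in range(runs):
        start = time.perf_counter()
        derive_key(MASTER_PASSWORD, SALT, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def cost_ratio(low: int = 1000, high: int = 10000) -> float:
    """How much slower a single guess becomes when moving from `low` to `high` iterations."""
    return time_derivation(high) / time_derivation(low)


def guessing_time_seconds(candidates: int, seconds_per_guess: float) -> float:
    """Time to exhaust `candidates` guesses (one derivation each) on a single core."""
    return candidates * seconds_per_guess


if __name__ == "__main__":
    for it in (1000, 10000):
        key = derive_key(MASTER_PASSWORD, SALT, it)
        print(f"{it:>6} iterations: key={key.hex()[:16]}...  {time_derivation(it) * 1000:.2f} ms per guess")
    print(f"cost ratio 10,000 vs 1,000 iterations: {cost_ratio():.1f}x")
```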
Joined: Apr 04, 2006 Posts: 10118 Location: Bexhill, South Sussex, UK
Posted: Sun Nov 24, 2013 12:32 pm Post subject:
Thanks for that Paul. Sorry about the delay in responding. Most interesting.
I am having a bit of a problem understanding this
Quote:
1. 1Password wins here too, as you control the storage silos... not a 3rd party.
2. Even if you decide to use Dropbox to store your 1Password keychain, the authentication process is handled offline... massively reducing the risk. Forget comparing 1Password to RoboForm for a moment... encrypted data is at its safest when it's furthest away from the key required to decrypt it. Putting them both in the same location is simply asking for trouble.
1. Presumably 'storage silo' means where your encrypted data is located. In the case of RF, it's on their server, but in the case of 1P it's wherever you want it to be, possibly Dropbox?
2. '1Password keychain'?
Once you have access to the data location, presumably via your master password, where is the actual decryption of the data done? How does that work?
Thanks for your time.
1Password, regardless of where you choose to sync your data (storage silos), always handles decryption offline... i.e. the master key never leaves your PC in any format (plain, encrypted, hashed or otherwise).
It doesn't matter if you run a single silo on your own PC or choose to sync with Dropbox, the data resides on and is processed by your PC/device.
In theory, the encrypted keychain can be stored anywhere quite safely... as it can only be decrypted with the master key.
Reading RoboForm's FAQs...
"your encrypted Passcard will be downloaded in encrypted form to your computer and decryption will be performed on your computer."
They, like LastPass, say that because the process is handled offline (it's actually done in the browser), not even RoboForm/LastPass can access your data. That's true for 1Password, as the entire application resides on your PC, and is therefore covered by local permissions, firewalls etc. With RoboForm Everywhere/LastPass, on the other hand, it's not quite that simple.
Once you're in a browser environment, you're instantly at greater risk. As I mentioned earlier, RoboForm doesn't collect/store the master key because it was designed that way. If it can be designed not to collect it, it can just as easily be re-designed/re-written TO collect it. A single line of javascript injected by a careless developer, a rogue employee or a hacker means the next time you enter your master key, it can be collected and stored elsewhere.
As I mentioned in the article... the key, on its own, is useless. The encrypted data, on its own, is useless. Put the two together and it's as safe as plain text. _________________ 1