It is now over five years that I have started to organize the way I store my sensitive data. From using TrueCrypt for personal documents to programs to help me store my passwords. Actually, in 2007 I have mentioned that I started using info.xhead. And it sure did help me make a start. But, it was unable to grow as a company or stay with the times. I have communicated with the developer a few times, but eventually had to inform him that I was quite disappointed and felt I was forced to find another solution. And a handful of months later I have done so.
After the introduction of the iPhone and getting an iMac in 2009, I decided I would soon need a solution that does a few things, and matches my policy of ‘trust no one’. I believe it was through the MacHeist bundle I got my first Mac license of 1Password, and it seems to be actively developed, meets my requirements and doesn’t store any data of mine on their servers. Time to convert my data over from info.xhead to 1Password.
At the writing of this blog article if you google for info.xhead, you won’t even find their web site anymore. You can find 1Password through AgileBits.com.
My requirements are that the application does not only support the operating systems that I am using, but that at any time I could restore my data – without an Internet connection. And that any data I store stays stored on my system. That there’s no encryption going on where any decryption keys are stored on the server of the owners of the program. And that it works on my mobile devices, as well as have really good support for syncing.
Because during the last five years I have learned that the inability to sync between devices will mean that you lose data. You have out of sync databases, and it’s hard to keep track of what’s what. 1Password syncs over Wi-fi, as well as over Dropbox, and it is made for almost every possible platform out there.
AgileBits mentioned there is a Windows Phone 7 version available too.
The trust no one policy means that I should only trust myself. I am responsible for storing the data, and securing it with a strong and unique master password. Ensuring that I know that only I have access to my encrypted data. I’ve taken the time to make sure I understand how 1Password is storing, sharing (for syncing) and encrypting the data I provide it. And this is important. Steve Gibson introduced me to the ‘TNO’ policy, and he also has a great Security Now! podcast #347 / http://www.grc.com/sn/sn-347.txt where he discussed various password managers and their blatantly embarrassing lack of security. Programs such as LastPass and 1Password basically received Steve’s stamp of approval, which gave me the go-ahead to go full-1Password. I’ve purchased a license for each of my machines and the accompanying iOS apps for my iPhone and iPad.
Through e-mail I’ve been in discussion with the guys from AgileBits and asked them a few questions about their product, it’s security and their care for customer support and privacy:
Q: I believe that my data is stored only locally, using AES-128? Are there any plans to use AES-256?
Yes, that is correct. AgileBits has absolutely no way to decrypt your data without access to your master password or private encryption key. And yes, we currently use AES-128 encryption. We are looking at using AES-256 in the future. (more info)
Q: Can you tell me if all the communication between say (iMac)=>(DropBox)<=(iPad) is transmitted in a secure manner?
Yes, all communication of your 1Password data is encrypted. (more info)
Q: How secure is my data stored on something like DropBox? Someone could gain access to the 1Password file if they have unauthorised access to my DropBox account.
Yes, your 1Password data is encrypted, so that even if you gave someone your data file (which we don’t recommend), they could not access your sensitive information without your master password. The only information that is not encrypted is the title and URL of each item. These are currently kept unencrypted for program efficiency, though we are planning to introduce a fully encrypted data format in the future.
All of this information is great, and together with their blog posts it is clear that their development is on-going and that they understand crypto and customer needs. But that is not all. The apps are simple to use, dynamic and flexible, and look great. The apps are quite affordable, especially considering what data you’re storing. They use browser extensions so it’s hardly any work to generate new accounts or to login to existing sites. And they support a wide variety of devices and operating systems. I also use the app to store credit card details, secure notes, software license details, and other snippets of sensitive data.
Supporting the Apple community in regards to design is something they understand as well. The programs and apps look great, are intuitive to use and easy to search through. They have a unique look, and adapt to various screen sizes very well. Apple releases a Retina display laptop? AgileBits releases 1Password with Retina display support. And not six months later. Just saying.
It really is so much better to have a single app that covers all aspects of managing your passwords, and securely storing your personal data, It also gives you the power to easily access it at any time, on any platform, and having this data with you on go via apps for mobile devices. I really think people are stupid for not investing a little bit of money into an application to take preventive measures against having data stolen, lost, or to simply improve the way they browse online. With a password manager you start using a unique login for each account you create, with a strong and long password. And you do not have to remember any of them. So stop using ‘monkey’ or ‘password’ ok?