> How can one be sure that the passwords are even encrypted, without having seen the program?
We have seen the program. We can have as many binary copies of it as we’d like.
> Audits don’t mean much for various reasons, including the conflict of interest.
[citation needed]
> Agencies such as NSA don’t have to say loudly that they have agreements with such and such companies through PRISM-like programs.
The product uses end-to-end encryption. The database is encrypted locally before being uploaded. They would have to be using bad encryption or stealing your password to get at it. It is understood how 1P works; they have written about it extensively.
But that's the point the OP is making: you have to trust what 1Password is telling you. And they do have a very clear business interest in telling you that it uses best security practices even if they don't.
I'm doubtful that you are able to look at the binaries and extract the inner workings from that.
> But that's the point the OP is making: you have to trust what 1Password is telling you.
Yeah, I have to trust a lot of software authors not to be actively malicious, because I don't have the time to audit literally everything I rely on. I have more reason to trust the authors of 1Password than those of almost any other package I use.
> And they do have a very clear business interest in telling you that it uses best security practices even if they don't.
It's been audited several times, and the authors are well known, respected, and vocal in the infosec community. And you think they have more of a business interest in hiring security professionals and lying about their practices than they do actually building a product that safeguards their users' data as they say it does? A backdoor in a product like that would be the end of their business, professional reputation, and career.
> I'm doubtful that you are able to look at the binaries and extract the inner workings from that.
Me personally? No, but there are absolutely people with that skill set; this sort of thing is perfectly doable. As far as "is this sending all my stuff to China in plaintext" goes, it's not even that hard to evaluate. You could do that without any reverse engineering at all.