Data Protection
All the information you add to 1Password is stored into an encrypted Mac OS X keychain file. The keychain technology is developed by Apple and comes with every copy of Mac OS X.
Apple’s Keychain uses the Triple Data Encryption Standard (TDES) to encrypt the password field of every keychain entry. Although TDES is an older algorithm, it is still cryptographically secure and has withstood many years of attack by cryptographers. From Wikipedia:
As of 2005, the best attack known on 3TDES requires around 2^32 known plaintexts, 2^113 steps, 2^90 single DES encryptions, and 2^88 memory (the paper presents other tradeoffs between time and memory). This is not currently practical. snip… This attack is highly parallelizable and verges on the practical, given billion-dollar budgets and years to mount the attack, though the circumstances in which it would be useful are limited.
Newer algorithms such as AES and Blowfish are technically “harder to crack” than the TDES used by the Apple OS X keychain. However, this does not necessarily mean that AES or Blowfish make you “more secure”. Industry legend Bruce Schneier said it best:
For years, I have said that the easiest way to break a cryptographic product is almost never by breaking the algorithm, that almost invariably there is a programming error that allows you to bypass the mathematics and break the product.
In other words, it is far more likely that your security will be compromised by a programming error than by a criminal taking the time to mount a brute-force attack on the algorithm itself. Apple’s keychain is arguably “more secure” than the database storage used by any other password manager available on the Mac. The rationale for this statement is as follows:
- The Keychain code is open source. This gives the entire security community the ability to review the code and confirm that best security practices are followed. There is no way to validate the implementation of an encryption algorithm (e.g. Blowfish) in a program whose source is closed.
- The Keychain is owned and maintained by Apple. Not only was an entire team dedicated to making the Keychain the best it could be, but you as a user are guaranteed that Apple will maintain the Keychain for the foreseeable future.
- The Keychain code is used by every single Mac user. This widespread usage requires that the Keychain code be robust. It also means it has already been the target of thieves and criminals trying to crack it. This may seem counter-intuitive, but the more people trying to break an encryption algorithm, the more secure you are, because any problems found will be fixed by Apple.
One of the biggest threats to your data is accidental file deletion or hardware failure. The keychain can sync with .Mac, so you always have a backup. 1Password also creates keychain backups automatically to further protect your information.
In addition to the benefits of the keychain, 1Password provides several further protections through its direct browser integration:
- Phishing sites are unable to steal your online account information since 1Password will only provide your account information to sites whose top-level domain matches exactly.
- Keyloggers cannot steal your online account passwords because 1Password never uses the keyboard to type your information nor does it use the clipboard to store information.
- 1Password makes it easy to generate and fill strong passwords. Once you get used to the process, you’ll never be tempted to use a weak password again.
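To illustrate the exact-domain rule in the first bullet, here is an added JavaScript model of the fill decision; it is not 1Password's own code, and the `canonicalHost` and `shouldFill` helpers, the use of the full hostname as the matching key, and every site name below are assumptions constructed for this example.

```javascript
// Added example (not 1Password's code): a defender-side model of the
// "fill only when the domain matches exactly" rule described above.
// Assumption: a saved login is keyed by the hostname of the site it was
// created on; all hostnames below are constructed for illustration.

// Normalise a URL's hostname so comparison is strict but not brittle:
// lowercase (DNS is case-insensitive), no trailing dot, and internationalised
// names in ASCII (punycode) form, which WHATWG URL parsing already gives us.
function canonicalHost(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return null; // unparseable or relative input: never a match
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return null; // only web origins carry saved logins
  }
  return url.hostname.toLowerCase().replace(/\.$/, '');
}

// Decide whether credentials saved for `savedSiteUrl` may be filled on
// `currentPageUrl`. Exact hostname equality is what defeats phishing: a
// look-alike name, or the real name embedded as a subdomain or in the
// path of some other host, is simply a different string.
function shouldFill(savedSiteUrl, currentPageUrl) {
  const saved = canonicalHost(savedSiteUrl);
  const current = canonicalHost(currentPageUrl);
  return saved !== null && current !== null && saved === current;
}

// Constructed cases: each entry is [page being visited, expected decision].
const SAVED_LOGIN_SITE = 'https://accounts.example.com/login';
const CASES = [
  ['https://ACCOUNTS.example.com/session/new', true],       // only letter case differs
  ['https://accounts.example.com.:443/', true],             // trailing dot, default port
  ['https://accounts.example.com.evil.test/login', false],  // real name as a subdomain
  ['https://evil.test/accounts.example.com/login', false],  // real name in the path
  ['https://accounts-example.com/login', false],            // look-alike spelling
  ['https://example.com/login', false],                     // parent domain, still no match
  ['javascript:alert(1)', false],                           // non-web scheme
];

// Returns one boolean per case: true when the decision matched expectation.
function runCases() {
  return CASES.map(([page, expected]) => shouldFill(SAVED_LOGIN_SITE, page) === expected);
}
```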