Let's Go on a Journey. A Roundtrip From 1Password to LastPass and Back to 1Password

Posted on

Password managers are back in the news. This time the news cycle is driven by a breach at LastPass. In 2015 I recommended LastPass and stated why I preferred it over 1Password at that time. However, as time moves on, things change and some products fall behind while others move ahead. As such, I kept watching both password managers’ continued development – or lack thereof. Long story short, in early 2021 I switched back to 1Password. Time to explain why.

LastPass wrote a blog post about the latest breach they suffered. They state that someone gained access to their customer’s vault, account information and metadata. That data is the crown jewel that LastPass was entrusted to keep safe. To their detriment, that post had to be updated three times, going from “No data within the user’s vaults have been compromised” and “there is nothing you need to do, your data is safe” to “yep, they got your data, expect phishing attacks and attacks at accounts that are stored in your LastPass vault”[1]. You might be wondering, as I was, how a company goes from “We’ve implemented AES-256 bit encryption with PBKDF2 SHA-256 and salted hashes to ensure complete security in the cloud.” and “Your data is encrypted and decrypted at the device level. Data stored in your vault is kept secret, even from LastPass.”, —statements I copied from their website— to the admission that the breach did expose a variety of data supposedly stored in encrypted form in the vault. There seems to be a misalignment between their marketing and what the product truly delivers, to put it lightly. The only conclusion one can come up with is that LastPass’ claimed “zero-knowledge security model” turns out to be a “we have lots of knowledge about your data” model as evidenced by the data that was leaked from users’ vaults.

But besides LastPass’ blog, where they disclose security breaches (as required by law), we learned even more from other sources. LastPass’ market success brought scrutiny from security researchers, who in turn discovered many flaws over the last few years. Issues were found in their browser extension. Several people (here and here) pointed out that the user interface side of things is less than stellar. On top of that LastPass suffered 6 security breaches since 2015. Throw in the fact that in 2021 it was found that LastPass added web trackers into their password manager to create a record of sites the user visits, and it became clear that it was time to move away from LastPass.

I was using 1Password up until 2015. At that time my 1Password version was using the Agile Keychain file format to save the data. It had its shortcomings, keeping some metadata unencrypted was one of them. Switching to 1Password’s OPVault was supposed to eliminate many issues; the problem of not encrypting metadata was one of them. However, if one trusted LastPass’ marketing material —a dubious choice in hindsight— that switch seemed to bring those two password managers only into even standing. And as I had some issue switching to the new 1Password vault I decided to move LastPass. LastPass had received praise from Steve Gibson on his Security Now podcast; my decision to move to LastPass seemed reasonable.

Fast forward to today, or Spring 2021 for that matter as that is the date when I switched back to 1Password. Why you might ask? I will tell you: 1Password has considerably improved its product in terms of usability and security. They introduced a secret key to strengthen the master password to the point that the content encrypted by 1Password cannot be cracked if their cloud service gets compromised[2]. That move makes it easier to trust them with data that will be stored on their server. And last but not least, they are using a secure protocol that allows authentication with their servers without sending the password or leaking any secret during the process.

1Password has a vision forward that includes managing passkeys in 1Passord[3]. Passkeys are a technology developed by the FIDO Alliance that promises password-less login. That technology is embraced by Apple, Google, and Microsoft, all but assuring that it will be widely supported.

I would be amiss if I didn’t mention the 1Password developer tools. While I do not need to integrate 1Password into my development environment or sign any commits, I do enjoy the ability to authenticate an ssh connection with a double press on my Apple Watch. It is fun and way quicker than looking up the password to decrypt the ssh-key.

I have been happy with my switch back from LastPass to 1Password. Steve Gibson seems to agree, as he titled his latest podcast Leaving LastPass.

Picture Credits:

  1. I’m paraphrasing their statements here to highlight what in my opinion the blog post is saying between the lines. ↩︎

  2. Jeffrey Goldberg, the 1Password Principal Security Architect had talked about the Secret Key in 2015, but it was not introduced into their products (outside of the beta program) after their 1Password.com service launched in 2016 ↩︎

  3. I hope I am not the only one noticing the irony of needing a password manager when we are supposed to move to password-less logins. ↩︎