1Password Developer Promises No Deliberate Weakness Due To NSA Pressure


FBI director isn't too keen on Apple's security measures.
Photo: 1Password

In light of yesterday’s shocking news that the NSA has deliberately inserted weaknesses into computer security products, the developer of popular password and security app for Mac and iOS, 1Password, has written a fairly telling blog post on their vulnerability to this type of NSA intervention.

Here’s what AgileBits says:

Has 1Password been deliberately weakened?

Have we, AgileBits, ever been asked/compelled/pressured/contacted by any entity asking us to weaken 1Password?

That’s the easy part; anyone could say that. Let’s look a bit deeper.

AgileBits spends quite a bit of time explaining why the above is true. It makes sense, as its entire business model is predicated on the fact that its encryption–and therefore its customers’ data–is safe, even from the NSA.

The blog post explains that AgileBits has developers in Canada, the US, the UK, and the Netherlands. Even if the NSA had bound AgileBits, a Canadian-owned company, with a gag order, it could not bind non-US citizens who live outside of the country. Any orders from other countries would likewise not bind any US citizens living here. The only way to keep the company’s silence, then, would be to coordinate at least four separate NSA-like agencies across all four countries. Possible, but not probable.

Secondly, the system that 1Password works within is totally in the customer’s hands. “Out of the box,” the company writes, “1Password creates a local data file (your “vault”) and sync is disabled. We never have the opportunity to see your Master Password or even your encrypted 1Password data.”

The company never sees how you use 1Password. None of your private browsing data or sensitive financial records pass through the 1Password systems. They don’t even know whether you’re using the software once you’ve bought it. They do offer some data sync, but even that is done locally, according to the web site. “When 1Password 4 for Mac arrives soon,” says the blog, “Wi-Fi sync (currently in testing) will allow you to sync locally, meaning your data never has to leave your local network.” This can, of course, be verified with a program like Little Snitch or any other network analysis tool.
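The check the article mentions (watching whether the app only ever talks to machines on your own network) can also be done from a plain socket listing rather than a firewall GUI. The script below is an added example and is not code from the article or from AgileBits: it parses `lsof -i -n -P` style output and reports every process whose connected peers fall outside loopback, RFC 1918 private or link-local ranges. The sample output, process names, PIDs, addresses and port numbers are constructed for the example; on a real machine you would feed it the actual `lsof -i -n -P` output instead.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `lsof -i -n -P` output (not a real capture); the
# process names, PIDs, addresses and ports are made up for this example.
SAMPLE_LSOF = """\
COMMAND     PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
1Password  4321  alice   12u  IPv4 0x1234567890abcdef      0t0  TCP 192.168.1.20:53212->192.168.1.35:6258 (ESTABLISHED)
1Password  4321  alice   13u  IPv4 0x1234567890abcdf0      0t0  TCP *:6258 (LISTEN)
1Password  4321  alice   14u  IPv6 0x1234567890abcdf1      0t0  TCP [::1]:53300->[::1]:8080 (ESTABLISHED)
Safari     5000  alice   20u  IPv4 0x1234567890abcdf2      0t0  TCP 192.168.1.20:50001->93.184.216.34:443 (ESTABLISHED)
SyncTool   5200  alice   30u  IPv4 0x1234567890abcdf3      0t0  TCP 192.168.1.20:50002->151.101.1.140:443 (ESTABLISHED)
SyncTool   5200  alice   31u  IPv4 0x1234567890abcdf4      0t0  UDP 192.168.1.20:61000->192.168.1.1:53
"""

# Ranges we treat as "the data did not leave the local network": loopback,
# RFC 1918 private ranges, link-local, and their IPv6 equivalents.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]

# NODE is the protocol column; NAME holds "local[->remote] [(STATE)]".
# The header line never matches because PID must be numeric.
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+\S+\s+\S+\s+IPv[46]\s+\S+\s+\S+\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<local>\S+?)(?:->(?P<remote>\S+))?"
    r"(?:\s+\((?P<state>[A-Z_]+)\))?\s*$"
)


def split_endpoint(endpoint):
    """Split 'host:port' or '[v6host]:port' into (host, port); '*' means any."""
    if endpoint.startswith("["):
        host, _, port = endpoint[1:].partition("]:")
    else:
        host, _, port = endpoint.rpartition(":")
    return host, port


def is_local_address(host):
    """True if the host is a wildcard or lies inside a local/private range."""
    if host == "*":
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # A hostname (lsof run without -n) cannot be classified; treat as external.
        return False
    # `addr in net` is False when address and network families differ.
    return any(addr in net for net in LOCAL_NETWORKS)


def parse_lsof(text):
    """Yield (command, pid, proto, local, remote_or_None, state_or_None) per socket."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (m["cmd"], int(m["pid"]), m["proto"], m["local"], m["remote"], m["state"])


def external_connections(text):
    """Map each process name to its remote endpoints outside the local network."""
    result = defaultdict(list)
    for cmd, _pid, _proto, _local, remote, _state in parse_lsof(text):
        if remote is None:
            continue  # listening or unconnected socket: no peer to judge
        host, _port = split_endpoint(remote)
        if not is_local_address(host):
            result[cmd].append(remote)
    return dict(result)


def stays_local(text, command):
    """True if every connected socket of `command` has a peer on the local network."""
    return command not in external_connections(text)


if __name__ == "__main__":
    for cmd, peers in sorted(external_connections(SAMPLE_LSOF).items()):
        print(f"{cmd}: talks to {', '.join(peers)}")
    print("1Password local-only:", stays_local(SAMPLE_LSOF, "1Password"))
```

A single listing is only a snapshot, so the check is worth repeating while a sync actually runs; an app that phones home briefly at launch or on a timer will not show up in a listing taken at another moment. Little Snitch and similar tools log connections continuously for exactly that reason.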

Finally, the company says that its data format is verifiable as well. It has published details of the encryption that 1Password uses, which lets anyone concerned about its relative strength or a deliberate weakness test it themselves.

The post goes on to say that they would most likely follow the precedent set by Lavabit, a company that went public with its own alleged gag orders by shutting itself down. AgileBits (not related) says, “… the very real possibility that we would shut ourselves down (which would be public) rather than sabotage what we do and love should act as some deterrent to those who might wish to compel us to introduce a backdoor.”

The blog post finally states that, to AgileBits’ knowledge, only communication tools have been targeted, and not tools that protect consumer passwords and data locally, like 1Password.

This is a fairly robust set of reasons why AgileBits might be trusted with the encryption of our data. In addition, they didn’t have to step forward and call it out; while this could be the sign of a conspiracy, again, it’s not probable. Ultimately, we all give up a bit of our security by using digital tools, and potentially more if we use products like these.

Other companies that make similar products have not made statements to this effect, as far as we know, and one, LastPass, may have already been breached.

The AgileBits blog post sums it all up by saying:

Even if you don’t find any of the individual reasons listed above to be persuasive, they interact powerfully. In combination, they make it much harder to get a weakness into 1Password without taking on large risks of getting caught and failing. Any attacker, including the NSA, will avoid high risk, high cost attacks if there are safer and easier alternatives. I’m therefore confident that the NSA would rather go around 1Password than through it.

What do you think, Mac users?

  • Gregory Wright

    I think they went public because they are concerned about losing customers to Apple’s new password system that will be part of OS X Mavericks when it is released. As I understand it, syncing Mavericks password data will be done through iCloud. If you are a 1Password customer and are concerned about password security, you are more likely to stay with 1Password, where syncing will be done locally via WiFi, as AgileBits explains it in 1Password 4 for Mac OS X. That’s what I think is going on. Like you said, there was no reason for them to go public with this unless they wish to retain and/or acquire more customers.

    Full disclosure, I am a 1Password user and I will stay with them even when OS X Mavericks is released.

  • SulaymanF

    1Password really is a great app. Even though Apple is going to have iCloud keychain in iOS 7 and OSX Mavericks, 1password is still more secure (and with the Safari plugin, works just as well on desktop and has a good iOS app).

  • SulaymanF

    Hey where’s the link to the actual post?

  • dteare

    Full Disclosure: I’m one of the founders of AgileBits.

    @SulaymanF: Thank you for the kind words! Regarding Jeff’s full post, it can be found on our blog at http://blog.agilebits.com/2013/09/06/1password-and-the-crypto-wars.

    @Gregory: We went public about this as we were receiving a lot of questions from users who were concerned about the recent reports from the Guardian and New York Times. We thought this would be a good time to remind 1Password users that they are in full control of their data and why this is so important.

    –Dave Teare
    AgileBits Founder

  • mguhlin

    What happens with 1Password info as it is transmitted from your computer to the 1Password web site? I ask because if NSA can crack SSL encryption–or to be more clear, it already has the keys so it need not crack–then won’t https traffic to 1Password simply be viewable in plain text to NSA?

    Thank you for future enlightenment,
    Miguel Guhlin
    Around the Corner-mGuhlin.org

  • Kenhagemann

    Maybe they did not ask because they were able to crack without their help–