Security best practices

aegos
Community Member
edited October 2018 in Lounge

I know that 1Password itself is nigh impenetrable. But users make mistakes.

I asked this in https://security.stackexchange.com/questions/194867/what-are-most-dangerous-vulnerabilities-of-users-of-password-management

And I haven't gotten any answers.

What typical dangerous mistakes do users make that I should watch out for and avoid?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Greg
    1Password Alumni

    Hi @aegos,

    Since your post is not related to 1Password for Windows, I moved it to Lounge. I hope you don't mind.

    The first thing that comes to mind, if I think of a mistake you should avoid, is creating a weak Master Password. Since you need to enter your Master Password quite often (and you need to memorise it), the temptation to choose an easy-to-remember Master Password is quite strong. However, a good Master Password is not always hard to remember. That is why we wrote this article:

    How to choose a good Master Password

    Secondly, I would recommend that you not write your Master Password down on a sticky note attached to your monitor. If you have a 1Password account, we recommend printing out your Emergency Kit, writing the Master Password in the space provided, and keeping it somewhere safe and secure. A safe deposit box, for example.

    Additionally, please avoid creating similar passwords for your accounts – create a unique, strong password for each item you store in 1Password. After all, this is one of the reasons why you use a password manager, right? :)

    Let me know if you have other questions, I will be happy to help. Thank you!

    Cheers,
    Greg

  • AGAlumB
    1Password Alumni

    Ultimately this is a very broad topic. The most important thing is to practice skeptical computing, and not behave promiscuously, especially online. So there are some basic rules of thumb we can live by to achieve this:

    • Don't go to shady websites
    • Don't accept things you haven't sought out yourself
    • Nothing is truly free

    Regardless of whether you use 1Password, another security app, or nothing at all, no software can stop you from compromising your own system, and at that point all bets are off. Better safe than sorry. :blush:

  • aegos
    Community Member

    Putting the master password in the same place as my master key seems like a single point of failure. Anyone with those two can just install 1Password on their computer and get all my passwords.

    What do you think?

    Also, are there any actual data breaches of users using 1Password? What was that guy's mistake?

  • aegos
    Community Member

    Also, I can access my 1Password from my Android with my fingerprint. What if I "forget" my master password but can still access 1Password with my fingerprint? Can I reset it, or what? Assume I don't store my master password in 1Password.

    In fact, is it a good idea to store the 1Password master password in 1Password?

    https://security.stackexchange.com/questions/195364/is-it-a-good-idea-to-put-1password-master-password-or-lastpass-in-1password-or

  • aegos
    Community Member

    Are there any cases where someone lost bitcoins because a spybot stole their 1Password account?

  • AGAlumB
    1Password Alumni

    Putting the master password in the same place as my master key seems like a single point of failure. Anyone with those two can just install 1Password on their computer and get all my passwords. What do you think?

    @aegos: I think you can do whatever you want. :) If you don't want to save your account credentials anywhere, that's your prerogative. Just keep in mind that you will not be able to access your 1Password data without them.

    Also are there any actual data breach of users using 1 password?

    Nope. We don't ever have access to 1Password users' data, so an attacker can also not gain access to it through us. It's all encrypted locally on the user's device using the Master Password and Secret Key, and those are never transmitted to us. The security white paper goes into detail on how that works, if you're interested.

    What's that guy's mistake?

    What guy?

    Also, I can access my 1Password from my Android with my fingerprint. What if I "forget" my master password but can still access 1Password with my fingerprint? Can I reset it, or what? Assume I don't store my master password in 1Password.

    The Master Password is needed to decrypt the data and cannot be "reset". You can, however, have another Owner, Organizer, or Admin help you recover your account if you're part of a 1Password Family or Team, so you can create a new Secret Key and Master Password:

    https://support.1password.com/recovery/#begin-recovery

    Otherwise you'll need to either remember it or have it saved somewhere, like the Emergency Kit Greg mentioned already.

    Why the heck not? Someone would not be able to access the data in your account without your Master Password. Having it saved there won't benefit them at all, since they would need to know it to get in anyway.

    Are there any cases where someone lost bitcoins because a spybot stole their 1Password account?

    Pardon? If you mean that someone could have information stolen from them by accessing it on a compromised machine, absolutely. But that has nothing to do with 1Password. Once someone else controls your device, all bets are off.

  • aegos
    Community Member

    Pardon? If you mean that someone could have information stolen from them by accessing it on a compromised machine, absolutely. But that has nothing to do with 1Password. Once someone else controls your device, all bets are off.

    I understand. So that's the Achilles' heel, right? Do you have any actual samples?

    Do you know any way to ensure that no spyware is running on my computer?

    What guy?


    The only confirmed case of a 1Password data breach that I've seen is when someone used the same master password as she used for her unencrypted POP3/HTTP Road Runner email. The same password was also used for her Dropbox account, which was also taken over and is how we presume the attacker obtained the 1Password data.

    from

    https://security.stackexchange.com/questions/45170/how-safe-are-password-managers-like-lastpass?noredirect=1&lq=1

  • jpgoldberg
    1Password Alumni
    edited October 2018

    Hi @aegos,

    Do you know any way to ensure that no spyware is running on my computer?

    As @brenty mentioned no software (including 1Password) can protect you if you are accessing your secrets on a compromised computer. And while there is no (practical) way (for most people) to ensure that a machine is never compromised, there are things that anyone can do which will substantially reduce their risks.

    1. Keep your system and software up to date.
    2. Prefer software from curated stores (Mac App Store, Microsoft Store) or directly from trustworthy vendors.
    3. Avoid "scareware".

    What is nice about the first two is that they are not "all or nothing". You get a meaningful security benefit from keeping just some of your software up to date (though start with the operating system). The more the better, but every bit counts. Most exploits target security bugs that have already been fixed by the vendor. So the more pieces of software you keep up to date, the more you reduce the risk of having your system compromised that way.

    Likewise, you don't have to use app stores for everything to gain the security benefits of using them for some things. Using curated app stores substantially reduces your chances of installing malicious software on your system. It doesn't eliminate it entirely, but it very substantially reduces the risk.

    Fear is the safety killer

    Panicked people make very bad security choices, and so a lot of malware tries to trick people into installing it by scaring them. You visit a web page and start getting pop ups of "Alert: Your computer is infected!", which then encourage you to click on stuff to run more checks or to clean things up. Don't let those things frighten you. They are trying to trick you into installing malware. Stay calm instead of letting yourself be scared into dangerous behavior.

    Risk reduction, not elimination

    The safest way to avoid dying in a car accident is to never ride in a car. And for some people that is a reasonable choice. But for most of us (at least in many parts of the US) that is not a viable option. So we cannot seek to eliminate the risks. But safer roads, safer vehicles, and safer driving habits along with seat belts and airbags dramatically reduce one's risks. The point is to aim to take reasonable steps to reduce your risk instead of driving yourself crazy by trying to entirely eliminate risks.

    Using 1Password is a big thing you can do to reduce your risks, but just as a seatbelt won't help you if a bridge collapses on your car, 1Password cannot help you much if you are running it on an actively compromised computer.

  • AGAlumB
    1Password Alumni

    What guy?
    "The only confirmed case of a 1Password data breach that I've seen is when someone used the same master password as she used for her unencrypted POP3/HTTP Road Runner email. The same password was also used for her Dropbox account, which was also taken over and is how we presume the attacker obtained the 1Password data."
    from https://security.stackexchange.com/questions/45170/how-safe-are-password-managers-like-lastpass?noredirect=1&lq=1

    @aegos: Ah, thanks for clarifying! Indeed, reusing passwords is bad news, because it means that an attacker who obtains your password from one place (say, a website breach) can then have success trying that same password in other places, like to get into a Dropbox account, or even to decrypt a 1Password vault, if the same password is used for those too.

    1Password can help with that though:

    Use Watchtower to find passwords you need to change

    Identifying passwords that need to be changed is the first step to ensuring that a compromise of something you don't really care about doesn't lead to the compromise of something more critical. Cheers! :)
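
Editor's worked example for the reuse point above (not part of the thread, and not Watchtower's or 1Password's code). It runs a reuse check over a constructed vault shaped like the story in this thread, and checks each password against a constructed breach corpus using the k-anonymity range-query pattern (hash locally, send only the first five hex characters of the SHA-1, compare suffixes locally). The "server" is an in-memory set so the script runs offline; the item titles, passwords and the `critical` tag are all made up for the example.

```python
"""Reuse and breach-exposure check over a small constructed vault.

Added example, not Watchtower's or 1Password's code. Reuse is found by
grouping items by password. Breach exposure uses the k-anonymity range
query pattern (hash locally, send only the first 5 hex chars of the SHA-1,
compare suffixes locally); the "server" here is a constructed in-memory
set so the script runs offline.
"""
import hashlib
from collections import defaultdict

# Constructed sample vault modelled on the story in the thread: one password
# reused for email, Dropbox and the vault itself. "critical" is the owner's tag.
VAULT = [
    {"title": "Road Runner email", "password": "Skippy1987", "critical": True},
    {"title": "Dropbox", "password": "Skippy1987", "critical": True},
    {"title": "1Password Master", "password": "Skippy1987", "critical": True},
    {"title": "Recipe forum", "password": "Skippy1987", "critical": False},
    {"title": "Bank", "password": "correct horse battery staple", "critical": True},
    {"title": "Newsletter", "password": "tr0ub4dor&3", "critical": False},
]

# Constructed stand-in for a breach corpus: SHA-1 digests, uppercase hex.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("Skippy1987", "password", "123456", "tr0ub4dor&3")
}


def find_reused(vault):
    """{password: [titles]} for every password shared by two or more items."""
    by_password = defaultdict(list)
    for item in vault:
        by_password[item["password"]].append(item["title"])
    return {pw: titles for pw, titles in by_password.items() if len(titles) > 1}


def risky_reuse(vault):
    """Critical items whose password is shared with any other item: a breach
    of the least important sharer hands the attacker the critical one too."""
    reused = find_reused(vault)
    return sorted(i["title"] for i in vault if i["critical"] and i["password"] in reused)


def range_query(prefix, corpus=BREACHED_SHA1):
    """Simulated server side: given a 5-hex-char prefix, return every matching
    suffix. The server never learns which of them the client cares about."""
    if len(prefix) != 5:
        raise ValueError("prefix must be 5 hex characters")
    return [h[5:] for h in corpus if h.startswith(prefix)]


def is_breached(password, corpus=BREACHED_SHA1):
    """Client side: hash locally, send only the prefix, compare suffixes locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in range_query(digest[:5], corpus)


def report(vault):
    """(title, reason) for every item that should be changed first."""
    reused = find_reused(vault)
    findings = []
    for item in vault:
        reasons = []
        if item["password"] in reused:
            reasons.append("reused across %d items" % len(reused[item["password"]]))
        if is_breached(item["password"]):
            reasons.append("found in breach corpus")
        if reasons:
            findings.append((item["title"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for title, why in report(VAULT):
        print("%-18s %s" % (title, why))
```

The point of the prefix query is that the full hash of a vault password never leaves the client, so the check can be run against an untrusted service without handing it a crackable digest; the reuse grouping is what turns "the recipe forum got breached" into "change the email, Dropbox and vault passwords now".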

  • jpgoldberg
    1Password Alumni

    Oh, that guy!

    I'm the one who wrote that very old Stack Exchange answer half a decade ago. There have been a few other cases like that which have come to our attention. Calling it a "breach" was probably a poor choice of words on my part.

    There have also been cases where someone deliberately shared the 1Password master password with someone and then came to regret doing so later. Again, those really don't count as "breaches".

  • aegos
    Community Member

    I understand. About that case, even if a hacker knows the master password, how can the hacker also know the secret key? Oh, the secret key is in Dropbox with the same master password. And I bet he doesn't have 2FA.

    And that's your only case of a breach? Do you know of anything else?

    One of the things I look for, to judge whether a breach is likely or not, is whether something has ever happened. If something has actually happened, then yes, that's something I need to watch for.

  • AGAlumB
    1Password Alumni

    @aegos: No matter what, we don't have the "keys" to anyone's data, so they cannot be stolen from us. They'd have to get them from you.

    In order for an attacker to get your Master Password, Secret Key, etc. from Dropbox, you'd have to have put them there and given them access to it. That has nothing to do with 1Password.

    Again, since we don't have access to anyone's data or the means to decrypt it, you are the weak link in your own security. That's what you need to watch for.

  • AGAlumB
    1Password Alumni
    edited October 2018

    I understand. About that case, even if a hacker knows the master password, how can the hacker also know the secret key? Oh, the secret key is in Dropbox with the same master password. And I bet he doesn't have 2FA.

    Just a couple quick clarifications here:

    Only 1Password accounts have a Secret Key, and Dropbox is not at all involved with 1Password accounts. So the only way for someone's Secret Key to end up in Dropbox is if they intentionally saved it there. It's not something we recommend doing. Rather, it's best to save your 1Password account Emergency Kit in a secure location, like a safe deposit box, in case you need it in an actual emergency. That way you'll have your account credentials to be able to access your data even if all your devices are lost, stolen, or destroyed.

    Also, that Stack Exchange post was written by Goldberg many years ago. A lot has changed since then. The most secure way to use 1Password today is with a membership. There are many reasons for that (which we're more than happy to talk about! lol), but the main ones are the Secret Key for 2-Key Secret Derivation and Secure Remote Password to ensure your Master Password and Secret Key are never transmitted to our servers. Cheers! :)
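
Editor's worked example for the Secret Key point above (added here, not 1Password's code). It is loosely modelled on the two-secret key derivation idea described in the 1Password security white paper, where the vault key is PBKDF2 over the master password XORed with HKDF over the Secret Key, so that a master password leaked through reuse is not enough on its own. The salt handling, iteration count, key-check value, HKDF `info` strings and the 16-byte Secret Key format are simplified assumptions for this illustration and do not reproduce the real construction.

```python
"""Two-secret key derivation: why a leaked master password alone is not enough.

Added illustration, not 1Password's code. Loosely modelled on the 2SKD idea in
the 1Password security white paper (vault key = PBKDF2(master password) XOR
HKDF(Secret Key)); the salt handling, iteration count, key-check value and the
Secret Key format here are simplified assumptions for this example only.
"""
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000  # assumed for the example; tune per current KDF guidance


def hkdf_sha256(ikm, salt, info, length=32):
    """RFC 5869 HKDF (extract, then expand) with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_vault_key(master_password, secret_key, salt, iterations=ITERATIONS):
    """Slow KDF over the human-chosen password, fast KDF over the high-entropy
    Secret Key, combined by XOR: both inputs are needed to get the key."""
    k_pw = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations)
    k_sk = hkdf_sha256(secret_key, salt, b"example-2skd-secret-key")
    return bytes(a ^ b for a, b in zip(k_pw, k_sk))


def key_check_value(key):
    """Stored beside the ciphertext so a wrong key is detected before use."""
    return hmac.new(key, b"example-vault-key-check", hashlib.sha256).digest()


def new_secret_key():
    """128 random bits. The real Secret Key is also high-entropy and is printed
    on the Emergency Kit; its exact format is not modelled here."""
    return secrets.token_bytes(16)


def enroll(master_password, secret_key):
    """What the client stores: a salt and a key-check value, never the key."""
    salt = os.urandom(16)
    key = derive_vault_key(master_password, secret_key, salt)
    return {"salt": salt, "kcv": key_check_value(key)}


def unlock(record, master_password, secret_key):
    """True only if both secrets reproduce the enrolled key."""
    key = derive_vault_key(master_password, secret_key, record["salt"])
    return hmac.compare_digest(key_check_value(key), record["kcv"])


def attack_with_leaked_password(record, leaked_password, candidate_keys):
    """Attacker who learned the master password (say, from a reused email
    password) but not the Secret Key. Returns the key that works, or None.
    With a 128-bit Secret Key the real candidate space is 2**128."""
    for key in candidate_keys:
        if unlock(record, leaked_password, key):
            return key
    return None


if __name__ == "__main__":
    sk = new_secret_key()
    rec = enroll("Skippy1987", sk)  # the reused password from the thread's story
    print("owner unlocks:", unlock(rec, "Skippy1987", sk))
    print("attacker with password only:",
          attack_with_leaked_password(rec, "Skippy1987", [bytes(16), b"\xff" * 16]))
```

The practical consequence is the one the thread circles around: the Secret Key only helps if the attacker does not also have it, so it belongs on the printed Emergency Kit in a safe place, not in a cloud folder protected by the same reused password.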

  • aegos
    Community Member

    Yes, membership. Why is that more secure? And I think I will upgrade to a membership once the trial expires.

    I count that as a breach. Yes, I understand. It's not 1Password's fault. However, as a customer, I am not interested in "whose fault is it". I am interested in potential actual breaches. Yes, it's most likely the customers' fault. That's what I want to know, so I don't repeat the same mistakes as my customers.

    As of now, the only thing that can penetrate my system is a spybot. I am working on that. My 1Password is also protected by a master password, secret key, and two-factor authentication. If someone had all three and they needed to wait a week, it would be airtight, because there is no way a hacker can get in and I don't "do something" within one week.

  • aegos
    Community Member

    Here is a possible breach I can think of. Someone changes their secret key. It's displayed on their screen. A spybot is there. Someone sets up 2FA. Again, the secret key is displayed on screen. So the attacker can know it. Now, if the secret key and 2FA key are filled in from a "secure" computer that was recently formatted, then things will sort of be safe.

    Sometimes, I type my master password. I thought I was typing it into 1Password, but it turned out the cursor was in a normal field.

    In any case, has anyone had a breach because of anything?

    I once lost bitcoin because a hacker somehow managed to learn my API secret. Granted, that's the weakest link in my security. Anyone knowing the API secret can steal money right away from any cryptocurrency account. Still, it shouldn't have happened at all.

  • AGAlumB
    1Password Alumni

    Here is a possible breach I can think of. Someone changes their secret key. It's displayed on their screen. A spybot is there. Someone sets up 2FA. Again, the secret key is displayed on screen. So the attacker can know it. Now, if the secret key and 2FA key are filled in from a "secure" computer that was recently formatted, then things will sort of be safe.

    @aegos: That's not a "breach" by any definition I've heard. That's just a compromised user device.

    Sometimes, I type my master password. I thought I was typing it into 1Password, but it turned out the cursor was in a normal field.

    Indeed, it's important to be careful where you enter sensitive information. 1Password can protect you from phishing attacks since it can refuse to fill login credentials at a webpage whose URL does not match what you have saved in your Login in 1Password. But it cannot stop you from typing things.

    In any case, has anyone had a breach because of anything? I once lost bitcoin because a hacker somehow managed to learn my API secret. Granted, that's the weakest link in my security. Anyone knowing the API secret can steal money right away from any cryptocurrency account. Still, it shouldn't have happened at all.

    1Password can't stop you from giving your secrets away if your device is compromised. But when you are not actively decrypting and accessing your 1Password data, it's encrypted with keys which only you have/know, provided you don't give those away.

    Yes, membership. Why is that more secure? And I think I will upgrade to a membership once the trial expires.

    I count that as a breach. Yes, I understand. It's not 1Password's fault. However, as a customer, I am not interested in "whose fault is it". I am interested in potential actual breaches. Yes, it's most likely the customers' fault. That's what I want to know, so I don't repeat the same mistakes as my customers.

    I'm not sure anyone would agree with this use of terminology, but I guess it's your prerogative what you call your mistakes. Unfortunately we can't stop you from making them, and giving your secrets away, though. :(

    As of now, the only thing that can penetrate my system is a spybot. I am working on that. My 1Password is also protected by a master password, secret key, and two-factor authentication. If someone had all three and they needed to wait a week, it would be airtight, because there is no way a hacker can get in and I don't "do something" within one week.

    Indeed, two-factor authentication would prevent a replay attack, in a situation where the attacker does not have your TOTP secret or real-time access to your machine to capture a TOTP code when you enter it.
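
Editor's worked example for the replay point in the reply above (added here, not 1Password's code). It implements HOTP and TOTP from RFC 4226 / RFC 6238 with the standard library, using the RFC's published SHA-1 test seed so the outputs can be checked, and then plays out the scenario the thread describes: spyware captures the victim's six-digit code, replays it in the same 30-second step and again five minutes later, and finally an attacker who captured the seed itself (because it was on screen during setup) generates a fresh code. The verifier's rule of never accepting a time step at or below the last accepted one is a common hardening assumed for the example.

```python
"""TOTP (RFC 6238) and why a captured code is useless, but a captured seed is not.

Added example, not 1Password's code. HOTP/TOTP are implemented from the RFCs
with the standard library; the verifier's replay rule (never accept a time step
at or below the last accepted one) is a common hardening, assumed here.
"""
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B test seed for HMAC-SHA1 (ASCII), so outputs can be checked.
SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """Code for the 30-second step containing Unix time `at` (now if None)."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // step, digits)


class TotpVerifier:
    """Server side. Tolerates +/- `skew` steps of clock drift but never accepts a
    step at or below the last one it accepted, so one code is good for one login."""

    def __init__(self, secret, step=30, skew=1, digits=6):
        self.secret, self.step, self.skew, self.digits = secret, step, skew, digits
        self.last_counter = -1

    def verify(self, code, at):
        now = int(at) // self.step
        for counter in range(now - self.skew, now + self.skew + 1):
            if counter <= self.last_counter:
                continue  # replay of an already-used step
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                self.last_counter = counter
                return True
        return False


def replay_scenario(secret=SECRET):
    """Spyware captures the victim's code at login time t0; what can it do with it?"""
    server = TotpVerifier(secret)
    t0 = 1111111111  # a time from the RFC vectors; the 6-digit code here is 050471
    captured = totp(secret, t0)
    return {
        "victim_logs_in": server.verify(captured, t0),
        "replay_same_step": server.verify(captured, t0 + 5),          # same 30 s window
        "replay_five_minutes_later": server.verify(captured, t0 + 300),
        # attacker who captured the *seed* (it was on screen during setup)
        "attacker_with_seed": server.verify(totp(secret, t0 + 300), t0 + 300),
    }


if __name__ == "__main__":
    for name, ok in replay_scenario().items():
        print("%-28s %s" % (name, "accepted" if ok else "rejected"))
```

Two things the scenario makes concrete: the thirty-second window plus the one-use rule is what stops a keylogged code from being replayed, and none of that helps once the seed itself has been captured, which is exactly the "secret key and 2FA key displayed on screen" case raised earlier in the thread.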

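Editor's worked example for the phishing point in the reply above, where 1Password refuses to fill credentials on a page whose URL does not match the saved Login (added here, not 1Password's matching code; its actual rules are not reproduced). The decision compares registrable domains using a tiny constructed stand-in for the Public Suffix List, refuses an HTTPS-to-HTTP downgrade, and refuses punycode labels the saved URL never had (IDN lookalikes). The saved URL, the page URLs and the punycode label are all constructed for the example.

```python
"""Fill-or-refuse decision for a saved Login against the page's URL.

Added example, not 1Password's matching code (its actual rules are not
reproduced). Compares registrable domains using a tiny constructed stand-in
for the Public Suffix List, refuses HTTPS->HTTP downgrades, and refuses
punycode labels that the saved URL never had (IDN homograph lookalikes).
"""
from urllib.parse import urlsplit

# Constructed stand-in; a real implementation needs the full Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "github.io"}


def registrable_domain(host):
    """'accounts.paypal.com' -> 'paypal.com'; 'a.b.co.uk' -> 'b.co.uk'.
    The longest known public suffix wins; unknown suffixes fall back to the host."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def fill_decision(saved_url, page_url):
    """(allowed, reason). Only the decision, never the credentials, leaves here."""
    saved, page = urlsplit(saved_url), urlsplit(page_url)
    if page.scheme not in ("http", "https") or not page.hostname or not saved.hostname:
        return False, "not a web origin"
    if saved.scheme == "https" and page.scheme == "http":
        return False, "saved as https, page is plain http"
    if registrable_domain(page.hostname) != registrable_domain(saved.hostname):
        return False, "domain mismatch: %s vs %s" % (page.hostname, saved.hostname)
    page_puny = any(label.startswith("xn--") for label in page.hostname.split("."))
    saved_puny = any(label.startswith("xn--") for label in saved.hostname.split("."))
    if page_puny and not saved_puny:
        return False, "punycode label not present in saved URL"
    return True, "same registrable domain"


if __name__ == "__main__":
    saved = "https://www.paypal.com/signin"
    for page in (
        "https://www.paypal.com/myaccount",        # same host
        "https://accounts.paypal.com/login",       # sibling subdomain
        "https://www.paypal.com.evil.net/signin",  # prefix lookalike
        "https://www.paypa1.com/signin",           # typo lookalike
        "http://www.paypal.com/signin",            # downgrade
        "https://xn--lgin-0qa.paypal.com/",        # constructed punycode subdomain
    ):
        print("%-42s %s" % (page, fill_decision(saved, page)))
```

This is the check that saves a user who clicks a phishing link: the manager compares origins, which a human skimming an address bar does badly. It does nothing for the case the thread also mentions, typing the master password by hand into the wrong field, because no comparison ever happens there.
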
  • XIII
    Community Member

    I don’t understand the suggested 1 week delay.

    How would that help?

  • AGAlumB
    1Password Alumni

    @XIII: I'm guessing that's something like a "dead man's switch" feature, but I could be mistaken.

This discussion has been closed.