Is anything safe anymore?

More and more hacks seem to be happening. Is anything safe? I am confident that my master password is strong, long, and no one knows it. I made it from scratch, changed it a few times to make it stronger (I re-encrypted my vault too), but it seems scarier out there. I am tempted to use the Wi-Fi sync and drop 1PasswordAnywhere, but I love that "back up" there. I have a decent password for Dropbox and use 2-step verification, but I wonder sometimes if that's good enough.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • brenty

    Team Member

    @prime: With all the mayhem out there it's certainly easy to get rattled, but you're on the right track there: if nobody is going to guess your Master Password (and it isn't weak enough to brute force), no one can access your 1Password data. Dropbox 2SV is there for all the files you store there unencrypted (and I know you do — we all do!)

    The scary thing is that each of us is the weak link in our security when it comes to 1Password. But unless someone holds a gun to my head and says "your Master Password or your life", I ain't givin' it up to nobody. ;)

  • It just seems hackers are finding other ways of getting in lately. But I do wish 1Password had brute force protection.

  • hawkmoth
    edited August 2015

    @prime,

    But I do wish 1Password had brute force protection.

    I'm curious what that would look like to you? Are you wishing for a limited number of tries to log in to 1Password before the application deleted everything? Most likely the brute force attacks won't be directly on the master password anyway, or so I've read somewhere in the materials on the various AgileBits pages. (Sorry, I haven't been able to turn up a direct reference.)

  • I'm not sure, to be honest. I know a lot of things have a "cool down period" after so many attempts have failed. I once locked myself out of my phone for an hour because I put the wrong password in a few times (don't ask, hahaha).

    Maybe an option after 10 tries, it deletes the data. One idea I thought about is after x number of tries, that device is disconnected from the syncing, and the app itself doesn't have any more data on it (maybe show the set up screen at that point?). This idea would only work if the person does sync to another device somehow.

    I like the Dropbox syncing a lot, but seems like clouds are under attack. I'm even rethinking using Crashplan now too.

    Just ideas.

  • brenty

    Team Member

    I'm not sure, to be honest. I know a lot of things have a "cool down period" after so many attempts have failed.

    @prime: A lockout timer/throttling ultimately is only useful in a locked-down environment like iOS. On Windows and OS X, an attacker who has access to 1Password also has direct access to the filesystem and can simply bypass the app altogether and attack the data in the vault itself. Desktop OSes just don't have any restrictions on the number of read/write attempts made on a file, or nothing would work. :angry:

    Maybe an option after 10 tries, it does delete the data.

    If someone has access to your device, they can simply make a copy of the vault and attack it 'offline' (i.e. separate from the app, which then wouldn't be able to delete the vault, or would simply delete the original and not the copy).

    This idea would only work if the person does sync to another device somehow.

    I know there are some who don't sync their data anywhere (Dropbox, iCloud, Wi-Fi, or otherwise), but I think these days this is the exception rather than the rule.

    But while 1Password doesn't have brute force protections in the way you're thinking, this is precisely the function that PBKDF2 serves: it slows down computation significantly by requiring extra computational work for decryption. This is why there's a perceptible delay when unlocking your vault: it actually takes a bit of time to do these calculations, as opposed to being able to unlock instantaneously (which would be possible on current hardware where PBKDF2 is not used — such as full-disk encryption, which we need to be fast). So while it might not be exactly what you were looking for (or expecting), 1Password is already doing this for you without you having to worry about it. :)
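
    The key-stretching effect brenty describes above, as an added illustration that is not part of the original thread and not 1Password's own code: PBKDF2-HMAC-SHA256 turns one password guess into many thousands of HMAC computations, so the same delay you feel at unlock time is multiplied across every guess an offline attacker makes. The salt, iteration count and sample passwords below are constructed for the demo (the thread does not state 1Password's real parameters), and the attack-time estimate is a back-of-envelope model that assumes the attacker's per-guess cost matches this machine's.

```python
import hashlib
import hmac
import time

# Constructed demo parameters; these are NOT 1Password's real settings
# (the thread does not state them). The salt is fixed so runs are reproducible.
DEMO_ITERATIONS = 100_000
DEMO_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")


def derive_key(password: str, salt: bytes, iterations: int, length: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA256 key stretching; the iteration count is the work factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=length)


def verify_password(password: str, salt: bytes, iterations: int, stored_key: bytes) -> bool:
    """Re-derive and compare in constant time so the check itself leaks nothing via timing."""
    candidate = derive_key(password, salt, iterations, len(stored_key))
    return hmac.compare_digest(candidate, stored_key)


def matches_known_vector() -> bool:
    """Self-check against the widely published PBKDF2-HMAC-SHA256 test vector
    (P="password", S="salt", c=1, dkLen=32)."""
    expected = bytes.fromhex("120fb6cffcf8b32c43e7225256c4f837a86548c92ccc35480805987cb70be17b")
    return derive_key("password", b"salt", 1) == expected


def seconds_per_guess(iterations: int, trials: int = 3) -> float:
    """Measure how long one derivation (i.e. one attacker guess) costs on this machine."""
    start = time.perf_counter()
    for _ in range(trials):
        derive_key("not-the-real-password", DEMO_SALT, iterations)
    return (time.perf_counter() - start) / trials


def expected_attack_seconds(entropy_bits: float, secs_per_guess: float, parallel_guessers: int = 1) -> float:
    """Expected time to recover a password of the given entropy: on average the
    attacker must try half the keyspace, split across parallel_guessers workers."""
    return (2 ** entropy_bits / 2) * secs_per_guess / parallel_guessers


if __name__ == "__main__":
    # A stored "vault key" derived from a constructed sample Master Password.
    stored = derive_key("correct horse battery staple", DEMO_SALT, DEMO_ITERATIONS)
    print("self-check vector ok:", matches_known_vector())
    print("right password:", verify_password("correct horse battery staple", DEMO_SALT, DEMO_ITERATIONS, stored))
    print("wrong password:", verify_password("Tr0ub4dor&3", DEMO_SALT, DEMO_ITERATIONS, stored))

    fast = seconds_per_guess(1)
    slow = seconds_per_guess(DEMO_ITERATIONS)
    print(f"one guess at 1 iteration: {fast * 1e6:.1f} us; "
          f"at {DEMO_ITERATIONS} iterations: {slow * 1e3:.1f} ms (~{slow / fast:.0f}x slower)")
    year = 365 * 24 * 3600
    for bits in (40, 60, 80):
        years = expected_attack_seconds(bits, slow, parallel_guessers=1000) / year
        print(f"{bits}-bit password, 1000 parallel guessers at this speed: ~{years:.3g} years")
```

    The point the numbers make is the one in the post: the iteration count does not stop an offline attacker, it only multiplies what every guess costs, which is why a long, unguessable Master Password and a high work factor together are what protect a copied vault.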

  • Thanks for the info. I think I was mad because a close friend got hacked and it nearly put his company out of business. He actually finally woke up and is taking this password stuff seriously and got 1Password for his Mac. I have been telling him about this and I've been helping him out. I will be helping him set up vaults too so only certain people who work there will have access to certain passwords.

  • brenty

    Team Member
    edited August 2015

    Thanks for the info. I think I was mad because a close friend got hacked and it nearly put his company out of business.

    @prime: I don't blame you! It's understandable to feel pessimistic when something like that happens — especially to someone close to you! :angry:

    I will be helping him set up vaults too so only certain people who work there will have access to certain passwords.

    That's awesome! It's good to have a friend like that. Be sure to reach out if you or your friend need any assistance. We're always here to help! :)
