What if my 1Password account is hacked?

In light of the recent OPM attacks, in which 5.6 million federal employees lost their fingerprints to attackers, how can I trust one website to have my passwords, bank accounts, credit cards, and fingerprints? If 1Password ever gets hacked, either now or in the future (should 1Password become vulnerable to a future form of attack), I would lose all of my identity, conveniently stored in one location for the hacker.
If one person discovers my master password, I could lose everything.



Comments

  • danco Senior Member Community Moderator

    Yes, if someone had both your master password and your database (vault) they could get everything. But just one of the two is no use to anyone. The vault is strongly encrypted, and if you set a strong master password it would be impossible to decrypt without the password.

    Beyond that, your concerns are a large part of the reason why 1PW does not store its data outside your computer unless you ask it to. You can (and many of us do) use iCloud or Dropbox as a way of syncing between devices (and also as a kind of backup). But you aren't forced to use either.

    If you only keep your data locally, then an attacker would have to have access to your computer (or local external drives). And if that happens, whether by theft or by hacking into your machine, all bets are off anyway.

  • brenty Team Member (edited October 2015)

    In light of the recent OPM attacks, in which 5.6 million federal employees lost their fingerprints to attackers, how can I trust one website to have my passwords, bank accounts, credit cards, and fingerprints? If 1Password ever gets hacked, either now or in the future (should 1Password become vulnerable to a future form of attack), I would lose all of my identity, conveniently stored in one location for the hacker. If one person discovers my master password, I could lose everything.

    @hungryhuntsman: I think the most significant difference here is that 1Password cannot be "hacked" in the way you describe. AgileBits has neither your data nor the Master Password you use to secure it, so we can't be targeted in order for someone to gain access to it. Your best defense is a long, strong, unique Master Password, so that no one — even with access to your data — will be able to brute force it within your lifetime. And danco makes an excellent point:

    If you only keep your data locally, then an attacker would have to have access to your computer (or local external drives). And if that happens, whether by theft or by hacking into your machine, all bets are off anyway.

    The idea being that, if someone has unrestricted access to your computer (essentially becoming you, thus "owning" the machine), they could easily install malware to collect data as you access it. 1Password stores your data in encrypted form, but it must be decrypted for you to see or use it. And anyone else with the same privileges will be able to do the same.

This discussion has been closed.