Stolen Device Precautions

Quietwalker
Community Member
What to do if your mobile device is stolen/lost
Hello, Forum Moderators
This is a request that you consider some sort of a whitepaper / Q&A / preventive suggestion list, perhaps together with DropBox -- with recommendations as to what to do if your mobile device is stolen or lost. I have located the "Wipe with Mobile Me" forum, but I'm wondering if perhaps some other safeguards could be built in and, even so, a basic list might be on your website - something simple with perhaps "Second, Call your Banks on the telephone and tell them to freeze your accounts!" The other safeguards -- maybe there could be "de-authorize mobile device" within 1P that sends a command to DropBox to lock out the mobile device? That, at least, would maybe allow time for the user to change the passwords that are of paramount importance.

The convenience of 1P is wonderful; thanks for considering this.

Comments

  • khad
    1Password Alumni
    edited November 2010
    Hi Quietwalker,

    Thanks for raising this question. We are really glad you appreciate 1Password! :-)

    With a device passcode lock, all your data is encrypted on the device. 1Password uses its own encryption on top of this which is locked with your good master password (and unlock code on the iPhone and iPod touch). If someone has the computational power to crack all that, you probably have bigger problems than freezing your bank accounts. The government has probably already frozen them. :-D

    In all seriousness, though, by the time you deactivate 1Password in Dropbox you could just as easily have changed your Dropbox password.

    Remote wipe after a failed GPS recovery is probably your best bet if you are truly concerned about your data, but a thief is probably much more likely to wipe your device before you even can in order to sell the hardware and turn a quick profit.

    I really don't want to sound dismissive. Perhaps you could specify exactly what you are concerned about other than having to replace a very expensive piece of hardware. :-)

    Please let me know. Thanks!

    UPDATE: Please also consider reading up on iOS security discussed in a previous thread.
  • jpgoldberg
    1Password Alumni
    Hi, I'm always sorry to hear about a stolen device, but with respect to your 1Password data you have nothing to worry about. In the words of the Hitchhiker's Guide to the Galaxy, "Don't Panic."

    The short answer is that we designed the file formats and protocols used in 1Password anticipating that some people would have their devices and computers stolen.

    There are multiple layers of security, Apple's and ours. Both of these can look deceptively simple, but there is actually a lot more security going on behind the scenes. To better understand those, please do read the documents that Khad referred you to, but with respect to all of your 1Password data you can relax.

    I hope that this is of some help and reassurance.

    Cheers,

    -j
  • Quietwalker
    Community Member
    -j, Chad,

    Please excuse my delay in responding; was traveling. I've read the threads and externals you've referred me to, and my response is.....I still worry, with the intention of NOT having to panic. I'm very old school, grew up with the first PCs in the '70s, and learned security lessons sometimes the hard way -- like the time I felt absolutely stupid when a friend asked me how many people had keys to my server room and the room didn't even have a lock in the door! Another example -- I still carry a scrap of paper in my billfold (the real one, in my pants) that has the 800 numbers of my credit cards and the last 4 digits of the card numbers -- if I lose a card 300 miles back down the road, I want to make that call immediately [assuming, of course, that my cell carrier has coverage there....].

    My point is, as good as your product is [and, I absolutely totally appreciate it!] I don't think individuals should, in the event a portable device is stolen or lost, simply yawn and presume they can just go buy another device, install a replacement 1P license, sync to DropBox, and go down to the beach.

    I suggest that best practices, in the event a mobile device is stolen or misplaced, demand proactive actions by the user in addition -- starting with, as I suggested, a phone call to the human running security at your brokerage house or bank to get the accounts frozen to prevent transfers out. Then calls to the credit card companies to cancel those numbers and have new cards issued. Then, and only then, re-build passwords on all the web sites. Other users certainly might have other thoughts that could be consolidated.

    Your company is in a particularly beneficial position to pass on security recommendations -- to paraphrase a totally overworked phrase, "Trust 1P but remember to do some things yourself, also."

    Best wishes and Happy Holidays.

    QW
  • khad
    1Password Alumni
    edited June 2011
    Hi Quietwalker,

    Welcome back! :-)

    There really isn't anything to worry about or reasons to change any accounts or passwords. The data in 1Password is heavily encrypted, so it is not at all like losing a notebook with pages full of information. All the thief will have is a paperweight with regard to your data. From your perspective it is as though nothing has happened (except being out an expensive device). You have only lost your device — not your data.

    My point is, as good as your product is [and, I absolutely totally appreciate it!] I don't think individuals should, in the event a portable device is stolen or lost, simply yawn and presume they can just go buy another device, install a replacement 1P license, sync to DropBox, and go down to the beach.

    Why not? I love the beach! :-) Seriously, though, I certainly wouldn't yawn at having to drop some hard cash to buy another device, but I am still curious what the real concern is with regard to your data. How would a thief have access to any of it? :huh:

    Being prepared with phone numbers to call in case you lose credit cards is a great idea. That is why we include room for this information in 1Password's credit card templates. I'm ready at a moment's notice to call and cancel if I ever lose a card. I simply look up the card in 1Password and dial the number stored in the entry. The main difference with losing your iPhone is that the credit card is not protected/encrypted in any way. You have actually lost the "data" (i.e. the number on the front of the card and stored unencrypted in its magnetic strip) in addition to the thing itself. Your 1Password data is not in this unenviable position.

    Your company is in a particularly beneficial position to pass on security recommendations -- to paraphrase a totally overworked phrase, "Trust 1P but remember to do some things yourself, also."

    And that is why we recommend using 1Password to store your sensitive information. :-) I'm really not trying to be cheeky. If someone was walking around with all the information that 1Password stores in an insecure, unencrypted format (written on paper, stored as plain text on a device with no passcode, etc.) I would recommend they use 1Password instead. Rather than a crutch, it's the cure to the problem you are discussing.

    Of course, setting 1Password to never auto-lock and not having a device passcode would be akin to carrying around a piece of paper with the information on it, but that is why the default settings in 1Password are set the way they are. ;-) Also, as I mentioned in my previous post, it is imperative to set an iOS device passcode.

    Now that Apple has announced that Find My iPhone is free for all users with a new model iOS device — only one is required to reap the benefits on even your older devices — you can even more easily lock your device remotely (even if you did not have a passcode in place when the device was lost), and remotely wipe the entire contents of the device. This is in addition to GPS location of the device for possible recovery.

    Even if you do nothing, though, your 1Password data is still secure.

    I hope that helps. Best wishes and happy holidays to you as well! I hope you had a great Thanksgiving! :-D
  • Question
    I have bought the program 1Password and I must say I love it with the 'small items'.
    Now I put in the MobileMe password for the program lost my iPhone and must I generate it or not.
    Now I go to a city and 'lost' my iPhone. Fast go to an Internet cafe to delete my data.
    Now I log in and 'shi.....' what's the password. So what is a good thing to do?
    This is not a negative for 1Password; it's only a question so I can get more out of the program.
  • bswins
    edited June 2011
    Hello hgp and welcome to the Forums!

    I'm not sure I totally understand your question, but I'll describe what I believe you are asking and respond to that.

    My interpretation:
    You bought the 1Password program, and you love it!
    You saved your MobileMe password in 1Password.
    You are visiting a city and you lose your iPhone.
    You rush to an Internet Café so you can access the MobileMe website and initiate a data wipe of your iPhone.
    You get to the website, but can't remember the MobileMe password because it's in 1P.
    What do you do now?


    Presuming that I understand your question, or some of it, I'll tell you what I would do in a similar case.

    1st: If you cannot remember your MobileMe password, you can go to the following Apple site to reset it: My Apple ID: Reset your password (not sure if this is a US only address)
    2nd: Once you reset your password, login to MobileMe and initiate the iPhone data wipe. (this presumes your iPhone is turned on and can be found by the Find My iPhone app)

    Since we are discussing a "what if this happens?" scenario, I'd like to offer the following recommendation.

    1st: If you haven't already, download the 30-day free trial of 1Password's desktop application for Mac and/or Windows.
    2nd: Download and install the Dropbox cloud syncing application: Dropbox web site
    3rd: Set up Dropbox syncing between your desktop and your iPhone: Automatic Syncing Using Dropbox (note: once you set up automatic syncing, you can delete the desktop app...you don't have to buy it)
    4th: Now, if you lose your iPhone, you will be able to access your 1Password data from any desktop using 1PasswordAnywhere. This will allow you to avoid having to reset your MobileMe password.
    5th: Next, you can find your password, log in to MobileMe and initiate the iPhone data wipe.

    I want to add that my comments are based on limited information. If you would be willing to provide more details regarding your current setup (Mac or Windows desktop, etc.), I or another member will be happy to offer additional opinions.

    Please let me know if I correctly interpreted your question. I'd want to be sure you receive the answer(s) you need.

    Cheers!

    Brandt

    P.S. In the event that you use iDisk, please note that syncing between 1Password and MobileMe is not recommended: 1P data file sync solutions

    In addition, there are some current limitations using 1PasswordAnywhere: Troubleshooting 1PA issues

    Please let us know more about your situation so the information we provide is accurate and will actually work with your current setup.
  • Your interpretation was correct.
    So thanks for the answer.
    I don't use iDisk but I only want to know what to do in this case or other.
    Now I look for 1PasswordAnywhere, must I install this on a PC or is this an internet issue?
    And I have Dropbox so I know to sync but so far as I know Dropbox has no issue for delete data on remote.
    But I like to find the possibilities.

    Thanks
  • bswins
    edited June 2011
    hgp wrote:

    Your interpretation was correct.
    So thanks for the answer.


    Whew! Glad I understood. You're very welcome!

    I don't use iDisk but I only want to know what to do in this case or other.


    I'm glad you don't use iDisk to sync, as that method is not recommended for 1Password.

    Now I look for 1PasswordAnywhere, must I install this on a PC or is this an internet issue?

    And I have Dropbox so I know to sync but so far as I know Dropbox has no issue for delete data on remote.


    You will need to execute a file named 1Password.html. It is located in your 1Password.agilekeychain.

    Quoting an AgileBits' Administrator:

    The 1Password.html file is actually inside your data file and used for the 1PasswordAnywhere feature. 1Password.agilekeychain is your data file. Technically it is a bundle rather than a single monolithic file. That is why you can find other files inside it.


    Since you use Dropbox, you can access the 1PasswordAnywhere function directly from your Dropbox folder using most browsers on any Mac or PC. The following post shows screen shots highlighting the file's usual location in Dropbox: 1PAnywhere file location

    To my knowledge, Dropbox does not have an option to wipe data from your iPhone. However, using 1PasswordAnywhere, you will be able to access your MobileMe password and the website to initiate the wipe from there.

    Please let me know if you have any further questions.
  • danco
    Volunteer Moderator
    So this suggestion relies on knowing your Dropbox password? Is there any advantage in having to remember that rather than the MobileMe password?

    On a related matter, I am wondering whether or not to set a passcode on my iPad. The advantages of doing so are obvious.

    The disadvantages are that the Undercover theft-prevention can only work if the iPad is on, and I think the same applies to Find My iPhone.

    For a Mac (laptop or desktop) this issue does not arise, as a guest account is available, so that anyone who has the machine can use it without being able to access one's own files.
  • bswins
    edited June 2011
    Hello danco,

    Great question!

    So this suggestion relies on knowing your Dropbox password? Is there any advantage in having to remember that rather than the MobileMe password?

    You are correct. Presuming you've stored your 1Password.agilekeychain in your Dropbox folder, you will need to know your Dropbox password in order to access 1PasswordAnywhere (1PA).

    The advantage/disadvantage is a matter of personal opinion. The answer depends on you, alone.

    I use Dropbox for much more than just syncing my various 1Password platforms. Truthfully, I almost never use 1PA. Primarily, I use Dropbox to sync and share pictures, documents and 1P and Knox backup files.
    So, to me, if I have to decide on whether to remember my MobileMe password vs. my Dropbox password, I would rather remember the one that provides the greatest bang for the buck...or Pound Sterling, Euro, etc.
    By remembering just the Dropbox password, I can still access all my passwords...which includes the password I need to initiate an iOS device wipe.

    In the "lost" iPhone scenario previously mentioned, knowing only your MobileMe password would allow you to access the wipe device function, but you wouldn't have access to any of your 1Password vaults....some of which you may need to call credit card companies, banks, etc. in the event that you "lost" more than your phone (i.e., someone helped you "lose" your wallet/passport/etc.)

    On a related matter, I am wondering whether or not to set a passcode on my iPad. The advantages of doing so are obvious.


    I think you just answered your own question!

    Once again, the issue is up to personal preference. It's up to you to decide on which security options work best for your situation. You've chosen 1Password, so you're already on the right track!
  • khad
    1Password Alumni
    edited June 2011
    I merged this thread with a previous one on the same topic. Please see above for some possibly "new to you" information. :-)

    The disadvantages [of having an iOS device passcode] are that the Undercover theft-prevention can only work if the iPad is on, and I think the same applies to Find My iPhone.

    Find My iPhone not only works while your device is locked, but you can even use it to remotely lock your device even if it did not have a passcode set when you lost it! Nice.

    I can't think of any reason to not have an iOS device passcode, though. I can think of plenty of reasons why you should set an iOS device passcode, however.

    • If you have Mail set up with your email account, anyone who obtains your phone can access practically any account you have by resetting the password and having it sent to your email address. Egads. :S
    • It adds an additional layer of security to your 1Password data. (A thief would need to get past your iOS passcode to even begin to attempt to get into 1Password).
    • All your contact information is available to the thief if your device has no passcode.
    • A thief could easily masquerade as you via text message, email, Facebook, Twitter, or any other app you have configured to use one of your accounts.
    • Depending on how much use Calendar sees, a thief could make a note of when your vacation is marked on the calendar, find your address in Contacts and then more easily rob you while you are out of town.
    • If you have saved any login information for websites in Safari (which we strongly recommend against: use 1Password instead) a thief could access those sites as you. I hope there is not a saved password for your bank. :blink:


    Those are just the ones off the top of my head. There are likely more. I don't use Undercover on my iPhone for these reasons.

    Security is a personal choice, but I also believe in full disclosure and security education. An informed user is the best user. :-)

    For a Mac (laptop or desktop) this issue does not arise, as a guest account is available, so that anyone who has the machine can use it without being able to access one's own files.

    Agreed. The Guest Account feature in Mac OS X is simply perfect for users of Orbicule's Undercover (which I do use on my MacBook). It allows you to password protect (and even FileVault encrypt) your actual account, takes up no additional drive space, and gives thieves a nice playground to have their photo taken, screen captured, and location tracked. :-)

    For better or worse, iOS is essentially a single user OS which means that not having a passcode is like not password protecting your user account on your Mac. As they say in Los Angeles: ¡No bueno!

    I hope that helps. Stay safe out there!

    Cheers,
  • danco
    Volunteer Moderator
    khad wrote:

    Find My iPhone not only works while your device is locked, but you can even use it to remotely lock your device even if it did not have a passcode set when you lost it! Nice.

    I don't use Undercover on my iPhone for these reasons.



    Good to know about Find My iPhone.

    The developer of Undercover says he is working on a way to make it work on a locked iPhone, but it doesn't have that ability at present.

    I have set a passcode on my iPad to use while I am away. Now there are two things to think about.

    1. Is it worth having the passcode on when I am at home. It could get stolen from home, but that isn't too likely.

    2. I'm used to having a password with letters and numbers, but perhaps that is too inconvenient on a virtual keyboard.
  • bswins
    edited June 2011
    1. Is it worth having the passcode on when I am at home. It could get stolen from home, but that isn't too likely.

    Almost every time I say something is unlikely, I increase the odds of it happening exponentially! ;)

    I set Auto-Lock to Never and Passcode Lock>Require Passcode to Immediately. That way, I don't have to worry about constantly unlocking my iPad, but I can lock it up at the touch of a button.

    2. I'm used to having a password with letters and numbers, but perhaps that is too inconvenient on a virtual keyboard.


    I use a password with upper and lower case letters, numbers and symbols. Personally, I do not find it any more inconvenient than typing a phrase with nothing but lower case letters. However, I only have to type it once or twice a day, so perhaps that is why I don't find it annoying.
  • khad
    1Password Alumni
    The developer of Undercover says he is working on a way to make it work on a locked iPhone, but it doesn't have that ability at present.

    Orbicule's Mac software is the bomb! Full stop.

    I can't speak to their iOS app(s), but they are a great company from everything I can tell. I am curious how they would possibly accomplish what you describe, though. I do not believe it is possible at this time. Maybe they know about some secret iOS 5 sauce which I don't yet. :lol:

    I have set a passcode on my iPad to use while I am away. Now there are two things to think about.

    Woohoo! Score one for team security. :-)

    1. Is it worth having the passcode on when I am at home. It could get stolen from home, but that isn't too likely.

    I don't know about you, but even working from home, I am not actually at home that much. Do you ever go to the store? For a walk? Out to dinner? Anything can happen. To me the hassle of turning the passcode on and off during different circumstances is not worth the negligible gains in convenience at the expense of security. Once you have it for more than a few days, your fingers will enter it almost as fast as the "Slide to unlock." It really isn't a hassle.

    2. I'm used to having a password with letters and numbers, but perhaps that is too inconvenient on a virtual keyboard.

    That is where I draw the line, but I know Jeff here advocates using an alphanumeric passcode (Settings > General > Passcode Lock > Simple Passcode > OFF). I suppose I could follow my own advice above and be surprised at how quickly I adjust to entering a longer alphanumeric password. Maybe I will try that now. Oh heck, you just convinced me. :-P

    I don't know if you are old enough to remember actually dialing a telephone. (Who does that anymore? All the numbers are saved in your iPhone!) I used to be able to dial my friends' numbers so fast it scared me. It was because I dialed them a lot. It's a similar thing with the passcode.

    Muscle memory FTW!
  • bswins
    edited June 2011
    I suppose I could follow my own advice above and be surprised at how quickly I adjust to entering a longer alphanumeric password. Maybe I will try that now. Oh heck, you just convinced me. :-P


    Woohoo! Score two for team security!

    I don't know if you are old enough to remember actually dialing a telephone.


    Yes. Yes, I do. Actually, I remember dialing by putting my finger into holes on a dial and pushing down to the left.

    Thanks for that Khad. I just realized how old I really am! ;)
  • jpgoldberg
    1Password Alumni
    If mixed alphanumeric isn't a problem for you, then continue with that, but for an iOS pass code, simple alphabetic should be sufficient.

    This is because even with a jail break, automated software can only try about 4 guesses per second. I did some calculations based on this over in

    http://forum.agile.ws/index.php?/topic/4854-elcomsoft-claims/page__view__findpost__p__27760

    With just six all lower case letters (randomly chosen) it would take on average 15 months to crack. This is done on the iPhone, so the phone can't be used for anything else during that time.

    My main conclusion was that for realistic threats, six random lower case letters is enough on iOS. My overall conclusion was,


    My main advice is to be realistic and not to make things too hard for yourself. It is tempting to say "oh I want a passcode that would take centuries to crack" but you will need to remember this passcode and type it into a small keyboard frequently, so do consider what a thief would be willing to do to get at your data.


    So it's great that some people are able to use more complex passcodes on their phones and iPads. That certainly bumps up the strength a great deal, but for those who end up entering their passcodes frequently, all lower case letters is also a very reasonable choice.

    Cheers,

    -j
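
Added example, not part of the original posts: the arithmetic behind the figures in the post above, using its rate of 4 guesses per second and its assumption that the passcode is chosen at random. The function names and the 12-month target are illustrative assumptions, and the example goes beyond the single six-letter case to compare the other passcode styles discussed in this thread.

```python
"""Added example: average search time for a random iOS passcode when
guessing is limited to a fixed on-device rate."""
import string

GUESSES_PER_SECOND = 4                      # rate quoted in the post above
SECONDS_PER_MONTH = 365.25 * 24 * 3600 / 12

# Character sets for the passcode styles mentioned in the thread.
ALPHABETS = {
    "digits": len(string.digits),                                     # 10
    "lowercase": len(string.ascii_lowercase),                         # 26
    "mixed alphanumeric": len(string.ascii_letters + string.digits),  # 62
}


def keyspace(alphabet_size, length):
    """Number of distinct passcodes of exactly this length."""
    return alphabet_size ** length


def average_seconds(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Expected time to find a uniformly random passcode.

    On average the search covers half the keyspace. This does not hold for
    human-chosen passcodes (dates, words, patterns), which fall much sooner.
    """
    return keyspace(alphabet_size, length) / 2 / rate


def average_months(alphabet_size, length, rate=GUESSES_PER_SECOND):
    return average_seconds(alphabet_size, length, rate) / SECONDS_PER_MONTH


def min_length(alphabet_size, target_months, rate=GUESSES_PER_SECOND):
    """Shortest random passcode whose average search time meets the target."""
    length = 1
    while average_months(alphabet_size, length, rate) < target_months:
        length += 1
    return length


def report(target_months=12):
    """Rows of (style, minimum length, average months at that length)."""
    rows = []
    for name, size in ALPHABETS.items():
        n = min_length(size, target_months)
        rows.append((name, n, round(average_months(size, n), 1)))
    return rows


if __name__ == "__main__":
    # The two cases the thread talks about directly.
    print("4-digit simple passcode: %.0f minutes on average"
          % (average_seconds(10, 4) / 60))
    print("6 random lowercase letters: %.1f months on average"
          % average_months(26, 6))
    # Generalisation: length needed per style for a 12-month average.
    for name, n, months in report():
        print("%-20s length %d -> %.1f months" % (name, n, months))
```
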
  • khad
    1Password Alumni
    edited June 2011
    Jeff, you are way too pedantic for me. :lol:

    I did write "alphanumeric," but only meant not using what Apple calls a "Simple Passcode" (exactly four digits). :-P

    Thank you for following up with those details, though!
  • bswins
    edited June 2011
    As we were recently discussing the Find My iPhone app, some readers may be interested to know that Apple released an update to the app yesterday: Find My iPhone (1.2)

    There were some customer reviews stating that the app was crashing and/or didn't work, but I tested it and had no problems on my iPhone (4.2.8.) or iPad (4.3.3).
This discussion has been closed.