1Password Keychain hackable?

corrales1
corrales1
Community Member

Very interesting (and scary) video about social hacking techniques. At the 5:23 mark, the hacker says that he steals the 1Pass keychain, and gains access. How is this possible? My understanding of the 1Pass keychain is that even if it is stolen, a hacker cannot get into it without having the master password to 1Pass.

https://youtu.be/bjYhmX_OUQQ?t=5m23s

Comments

  • danco
    danco
    Volunteer Moderator

    You somehow managed to post the same question three times and so I have deleted the other two posts.

    Basically, the user let the attacker gain control of his computer, and when that happens all bets are off. The 1PW database itself can be stolen, and (I think it was by using screenshots rather than a keylogger) the attacker also waited until the use entered the password and stole it at that point. This definitely isn't a hack of 1PW itself, any more than someone who stole a safe deposit box and also stole its keys would be showing a weakness in the safe deposit.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @corrales1: The moral of the story is that, just like you, anyone who has your data and Master Password can access your 1Password vault. Be sure to not give out your Master Password, and — this applies not only to 1Password, but in general — do not use a machine which may have been compromised to access sensitive information. be sure to let us know if you have any other questions!

  • corrales1
    corrales1
    Community Member

    Thanks for the feedback, @brenty and @danco! (sorry for posting three times BTW!) I think your answer @danco, best describes how this particular hack can occur -- via screenshot or keylogger.

    So what you are saying is that in order for 1Pass to get hacked, the hacker would have to have both your OS admin pass + 1Pass master password. If, on the other hand, the hacker ONLY has your OS admin pass, but NOT your 1Pass, then 1Pass is safe. Is that correct?

  • danco
    danco
    Volunteer Moderator

    The OS admin password would probably not be needed (except maybe to get the malware onto the computer). But 1PW is safe unless the hacker has your 1PW master password and also the 1PW data.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @corrales1: Keep in mind that you're more likely to be tricked into doing an attacker's work for them (misleading password prompts, installing malware masquerading as a benign app, etc.) And again, there are two things they would need in order to access your vault: a copy of the data and the Master Password used to secure it. So long as you're vigilant and don't install software from unknown sources or allow someone unscrupulous access to your machine, you have nothing to fear. It's easier said than done, but it's within our power. :)

This discussion has been closed.