Feature Request: Purge Data After 10 Attempts When Using Pin

edited September 2016 in Families

One of my devices is an iPad Air that uses 1Password with a four digit Pin code in addition to a complex password. My iPad predates fingerprint recognition. I would like to have the option to instruct 1Password to delete its data from the device after ten unsuccessful attempts. As it is now, it only takes 10,000 brute force trials to hit every Pin combination.

My iPhone uses fingerprint recognition, so that's not an issue.

Granted, my iPad and iPhone are locked. However, if my device is stolen before the lock resets itself, my apps are accessible. Passwords are critical.

mSecure has this delete data after ten unsuccessful attempts feature, regardless of app password complexity. I don't recall if mSecure offers a Pin. I do know, however, that even with a complex password, you can set an option to limit to ten attempts. If you lose your data because of ten unsuccessful attempts, you can always restore your data using your encrypted backup with your password.

I hope you found this suggestion useful.


  • BenBen AWS Team

    Team Member

    Thanks for the feedback! I'll certainly pass the vote for this request along to our development team.

    If you lose your data because of ten unsuccessful attempts, you can always restore your data using your encrypted backup with your password.

    In which case hopefully you've made such a backup:

    1Password backups

    iTunes / iCloud backups have proven unreliable at restoring app data in our experience.


  • Just giving my idea some further thought, here are some additional comments for your consideration.

    Allow the user the option to choose a Pin number, between four and six digits. Further allow the user the option that if there are ten unsuccessful attempts at using the Pin, then the app will revert to requiring the full-blown password (not even a fingerprint will suffice).

    That would satisfy me. The odds of another person randomly guessing a six digit Pin within ten attempts are poor. And, my password is sufficiently strong that I am not worried.

    Thanks for your reply @Ben.

  • BenBen AWS Team

    Team Member

    As no new devices are being produced, and Touch ID enabled devices do not have the option of a PIN, I don't see us going back to implement a lot of changes to the way PINs work. But I could certainly see the ability to enable a "delete after N attempts" feature, perhaps requiring a backup to be made before it could be enabled.

    Certainly all things to consider. Thanks again for the feedback!


  • edited December 2016

    I have a set-up that uses my Wi-Fi for syncing between devices. I'm extremely pleased with 1Password. But I would very much like to have this 10 strikes = out feature, should one of my devices ever get stolen. So at least the data is deleted on that particular device.
    Thanks for considering.

  • brentybrenty

    Team Member

    @halewijn69: It's certainly something we can consider, but it's important to keep in mind that this would be merely a placebo. After all, someone who has access to your data can simply make a copy of it and keep trying without regard to a "10 attempts" rule, which cannot be cryptographically enforced. Rather, we've built 1Password to withstand such attacks, and strengthen your Master Password with PBKDF2 to slow down brute force attempts significantly. Cheers! :)

This discussion has been closed.
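
As an added illustration of the last reply's point about PBKDF2 (not code from the thread or from 1Password), this Python sketch measures the cost of one key derivation and scales it to the keyspaces discussed above, for a copy of the data where no attempt counter applies. The iteration count, the 12-character password and all function names are assumptions made for the example.

```python
import hashlib
import os
import time

ITERATIONS = 100_000  # assumed work factor for illustration, not 1Password's setting


def derive_key(secret: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch a secret into a 32-byte key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations, dklen=32)


def seconds_per_guess(iterations: int = ITERATIONS, samples: int = 3) -> float:
    """Measure one derivation on this machine (best of a few runs)."""
    salt = os.urandom(16)
    best = float("inf")
    for i in range(samples):
        start = time.perf_counter()
        derive_key(f"sample-{i}", salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate secrets of a fixed length."""
    return alphabet_size ** length


def worst_case_seconds(space: int, per_guess: float, parallel: int = 1) -> float:
    """Time to try every candidate when each guess costs one derivation."""
    return space * per_guess / parallel


def report(per_guess: float) -> dict:
    """Worst-case exhaustion time for the secret sizes discussed in the thread."""
    cases = {
        "4-digit PIN": keyspace(10, 4),
        "6-digit PIN": keyspace(10, 6),
        "12-char password": keyspace(94, 12),  # 94 printable ASCII symbols (assumed)
    }
    return {name: worst_case_seconds(n, per_guess) for name, n in cases.items()}


if __name__ == "__main__":
    cost = seconds_per_guess()
    print(f"one PBKDF2 derivation: {cost * 1000:.1f} ms")
    for name, secs in report(cost).items():
        print(f"{name:18s} {secs:.3g} s ({secs / 31_557_600:.3g} years)")
```

The stretching multiplies the cost of every guess by the same factor, so it protects a long Master Password far more than it could ever protect a secret drawn from a 10,000-element space.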