No peek passwords and incorrect password acceptance delays?

skippingrock
Community Member

Hello, there is something with iOS that I've always been concerned with.
That is the habit of showing the character of what you type for a second before masking it out with a •.

This is especially concerning when I'm entering in my 1Password master password.
macOS doesn't have this "feature".

I understand the original reasoning behind this is to allow the user to ensure that they don't thumb the wrong "button", but when I'm entering a password that is as sensitive as this one, I really don't like these characters appearing. Especially in the days of pervasive surveillance and nosy neighbours. Often I use a Bluetooth keyboard and don't need this "reassurance" of seeing my password. (That said, I am wondering how strong the security of the Bluetooth protocol is. Could I be broadcasting my keystrokes to everyone around? But regardless…)

Is there any subroutine in iOS that can be used to prevent this from happening and have the characters masked immediately, as in macOS? Maybe an option to turn this on or off. This iOS feature really seems a detriment to the security of this app.

Along the same subject there is one thing of iOS that I'd like to see in 1Password.
Can we please see a similar iOS practice adopted when a user enters a series of incorrect passwords?

After a few incorrect passwords, iOS, as you know, will give the user an exponentially increasing delay between its acceptance of another password attempt. I really would like to see this in 1Password.

I know that there has been resistance in giving us a self-destruction option, but I really would like to see 1Password on all platforms have the option to resist brute force logins. It really needs to be here. As with iOS, I would like to see an advanced option for the eventual deletion of the vaults on the device, at the very least the deletion of any 1Password account vaults as these could be restored from the cloud once a user regains control of their device or sets up another.

I know that there will be a temptation to post the obligatory XKCD monkey wrench comic, but in another blog a rebuttal position is made. There is a real desire to get this app to the point where we can truthfully say "I can't", rather than "I won't". How we can achieve this I think should be the ultimate goal.

Thx.

Comments

  • Good morning @skippingrock! Thank you for taking the time to write such a thoughtful collection of feedback. I completely appreciate your desire to have the Master Password field not show the last character you typed, but at this time that's just not a possibility.

    As for your other question, I'm going to point you to a blog post by our resident security expert, @jpgoldberg. It does a much better job of explaining how 1Password's data format works to keep you safe: https://blog.agilebits.com/2014/03/10/crackers-report-great-news-for-1password-4/

  • skippingrock
    Community Member

    Thanks @MrRooni, I have in fact read this blog posting before.

    I do appreciate and understand the near impossibility for someone to guess that master password.

    But as I mentioned in my previous post, having a near un-crackable master password and vault still leaves the owner of the data in the "I won't" camp. More specifically, "I won't tell you what my password is and you'll just have to try and guess it." That's when the monkey wrench or imprisonment comes in.

    I want to have the ability to move the answer into the "I can't" camp.
    If the data is no longer there to crack or to coerce out of you then there is little reason to keep you. Now mind you, if by not keeping you it meant that you are no longer kept around for anyone, that's a risk that the holder of the device needs to take. But at least you could leave in whatever manner knowing, and them knowing, that it wasn't that you wouldn't do it for them, but because you couldn't do it for them.

    I point to this article to where I draw this reference:
    https://www.zdziarski.com/blog/?p=6918

  • AGAlumB
    1Password Alumni

    @skippingrock: Indeed. I'm glad Apple has hired him. :)

    You make some really good points yourself, but I hope you'll forgive me for saying that you may be overthinking this to an extent. Just because the answer truly is "I can't" doesn't mean that the jailer with the wrench is going to take your word for it. As far as they're concerned, the real answer is probably still "I won't", and if you're in that position in the first place, odds are that they're determined to get the answers they want one way or another. So unless a destructive option is able to wipe out your data in any location it exists in the world (and it can't really, not reliably), they can simply "encourage" you to get it from somewhere else. And again, the true absence of an offsite/offline backup of any kind doesn't mean they'll believe you, so you're still gonna have a bad time.

    We don't have plans to implement even a basic "self-destruct" feature or slowing down guesses in the 1Password UI because once the attacker has your device we should assume that they can take all the time they want to hammer on the actual data, without having to interact with the app at all. So we use PBKDF2 to slow down brute force attempts on the actual data, since that's more effective.
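An added model (not 1Password's code) of the point made above: an in-app retry delay never sits in the path of an attacker who has copied the vault file, while the PBKDF2 iteration count is paid on every guess. Function names, iteration counts and the candidate list are constructed for illustration.

```python
"""Why a UI lockout does not slow an offline attacker, and why the PBKDF2 work factor does."""
import hashlib
import hmac
import os
import time


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the password with PBKDF2-HMAC-SHA256; `iterations` is the per-guess cost."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def enroll(password: str, iterations: int) -> dict:
    """What ends up in the vault file: salt, iteration count and a key-derived verifier."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations, "verifier": derive_key(password, salt, iterations)}


def verify(candidate: str, record: dict) -> bool:
    """Constant-time comparison of the derived key against the stored verifier."""
    derived = derive_key(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(derived, record["verifier"])


def ui_retry_delay(failed_attempts: int, cap_seconds: int = 3600) -> int:
    """The exponential lockout the thread asks for; it exists only inside the app UI."""
    return min(2 ** failed_attempts, cap_seconds)


def offline_attack(record: dict, candidates: list) -> tuple:
    """Attacker holding a copy of the vault file. ui_retry_delay is never consulted;
    each guess costs exactly one derive_key call. Returns (password_or_None, guesses_made)."""
    for n, candidate in enumerate(candidates, start=1):
        if verify(candidate, record):
            return candidate, n
    return None, len(candidates)


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measure the cost of one PBKDF2 guess on this machine."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for _ in range(samples):
        derive_key("benchmark", salt, iterations)
    return (time.perf_counter() - start) / samples


def years_to_exhaust(keyspace: int, secs_per_guess: float, parallel_guessers: int = 1) -> float:
    """Time to try every password in `keyspace` at the measured per-guess cost."""
    return keyspace * secs_per_guess / parallel_guessers / (365 * 24 * 3600)


if __name__ == "__main__":
    record = enroll("correct horse battery staple", iterations=100_000)
    # Constructed candidate list standing in for a cracking wordlist.
    wordlist = ["password", "123456", "letmein", "correct horse battery staple"]
    print("UI delay after 10 failures:", ui_retry_delay(10), "s (never applied offline)")
    print("offline attack:", offline_attack(record, wordlist))
    for iters in (1, 100_000):
        cost = seconds_per_guess(iters)
        print(f"{iters:>7} iterations: {cost * 1e3:.2f} ms/guess, "
              f"{years_to_exhaust(10**12, cost, 1000):.1f} years for 10^12 guesses on 1000 cores")
```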

  • jpgoldberg
    1Password Alumni

    Hi @skippingrock and @brenty

    I would like to take an example of what Skippingrock said to illustrate a larger point.

    If the data is no longer there to crack or to coerce out of you then there is little reason to keep you.

    I believe that someone who is able to coerce you into revealing a Master Password has the power to retaliate if you destroy the data. Although you might wish to play on a distinction between "I can't" and "I won't", I strongly suspect that if you deliberately took actions to put yourself in the second category, the authorities would find ways to punish you for that.

    What can your adversary do?

    My more general point is that I think that a lot of people asking for these sorts of features are not modeling the threat very well. For the most part, someone who is able to coerce you into unlocking stuff is able to punish you for what they see as non-cooperation.

    Even if you have some legalistic theory that makes you think that you "cooperated" or "complied to the best of your ability", I don't think that that is something that you can realistically depend on. In our heads we can construct adversaries who must play by some very specific rules, but I don't think that the real-world adversaries play by our imagined rules.

    Interesting ideas

    These ideas are interesting and worthwhile to discuss. But when it comes to putting in a feature that might leave someone with no access to their data ever again, we need to make sure that that real risk (losing all your data) is something that is providing a sufficiently large data confidentiality gain.

  • skippingrock
    Community Member

    Hence the next part of my paragraph:

    Now mind you if by not keeping you meant that you are no longer kept around for anyone, that's a risk that the holder of the device needs to take.

    "no longer kept around for anyone" In other words, I'm saying "jailed" or worse.
    I know that this may seem extreme, but for some this risk of losing data might be far preferable to having it fall into the wrong hands.

    I guess what I and others are wanting is some sort of mechanism to either obscure highly sensitive data or to obliterate it altogether.

    I will end this thread with a final question:
    If in a crunch I needed to delete the 1P app and 1P data from my device, and I go into Advanced Settings and select Erase All 1Password Data, what is being done? Is the reference to the data just removed and still possibly recoverable? Or is the data first overwritten with garbage and then deleted?

    What happens to the app and data if someone just deletes the 1Password app from the Home screen?

    I see an Erase iCloud Data, but what of an Erase Dropbox Data?
    If I don't use iCloud to sync, is there even anything stored on iCloud at all?

    I guess deleting beforehand is the only option we are ever going to get.
    I just would like to know what actually happens to the data when you choose the Erase All 1Password Data option. Is it actually erased or is just the reference to the data erased?

  • jpgoldberg
    1Password Alumni

    You are right, @skippingrock. I quoted you very selectively for rhetorical effect. I was trying to emphasize this point that you had already acknowledged, but for anyone else reading this thread. But I know that you were aware of the point. Sorry for that.

    And at the risk of repeating myself, I'm going to repeat myself by saying that we really try to make it hard for you to erase all of your data everywhere. We are judging that the circumstances in which people want their data to disappear from the universe are much smaller than the cases where people might accidentally destroy their data. So where you say,

    but for some this risk of losing data might be far preferable to having it fall into the wrong hands.

    I have to say that that is not where we see the overwhelming portion of 1Password users. Their Master Passwords are what prevents their data from falling into the wrong hands, and we do not offer an additional line of defense against coercion. In the situation for the people that you describe, I would think that a mechanism for destroying the device itself would make more sense. I suppose you could stick to things that aren't as water resistant as the latest models. But now I am going down the road of bizarre speculations.

    I just would like to know what actually happens to the data when you choose the Erase All 1Password Data option. Is it actually erased or is just the reference to the data erased?

    It is the local copy of the data on the particular device you are doing this with. The data will remain on the sync services.

    What happens to the app and data if someone just deletes the 1Password app from the Home screen?

    It is the data on the local device which is removed. The data will remain on sync services.

    Is the reference to the data just removed and still possibly recoverable?

    It is not recoverable, but it (probably) isn't being zeroed either. This has to do with how iOS manages data and data removal. In a case like this, iOS will destroy its own keys for the particular data. Remember that iOS offers its own layer of data encryption. I am not 100% certain of how this is managed in the innards of the iOS file system, but when something in a protected data class is removed, then the keys that allow the app that owns the data to read the data will be destroyed. The cool thing about encryption is that you can destroy information simply by throwing away keys without having to actually overwrite the encrypted data. This is how Apple's Remote Wipe works.

    As you note, there is an Erase iCloud Data because Apple have set up iCloud to enable that, but I do not know exactly how quickly or irrevocably that data is removed. Remember that an entity that is capable of coercing you to reveal your Master Password may be able to coerce Apple into restoring data from their own backups. This, of course, would go for Dropbox or any place else that copies of your encrypted 1Password data live.

    Not everyone has the luxury of multiple Teams and Families, but it is nice

    Now, I should say that I have taken to removing some data from my phone before I cross borders now. In particular, I remove my AgileBits Teams so that if I am forced to decrypt everything on my phone at a border, none of my work related secrets (ranging from my password for this discussion forum to the ssh keys used for logging into our code repository) are on that device. Sure, I don't want my personal stuff being snooped on by governments or anyone, but if someone is going to go after that, I want it isolated to that.

    So I keep my Family account on my phone when re-entering the US, but I remove my other teams before crossing the border. This is hardly fool proof if they want that other information. As I am actually capable of getting back into those Teams, I could presumably be coerced into doing so. But it does mean that if it is only the stuff on my phone that gets searched at the border, then that will be fewer credentials that will have to be blocked and changed after the event.

  • skippingrock
    Community Member

    Thanks for following up with this. I do understand the need to help people not lose their data.
    Vice versa, I do feel that a user should ultimately be able to control the existence or extinction of their data as well.

    This is a bit off this topic, but of a particular mention, there have been a couple of items that got moved into our Family account's Shared vault but never should have. I can delete or hide them, but there is no way to ever remove them except by waiting a year. As mentioned quite a bit elsewhere on this forum, an Admin should be treated as such, an Admin. And to have the ability to permanently delete an item.

    Not everyone has the luxury of multiple Teams and Families, but it is nice

    A thought: I haven't tried this, but is one able to use multiple family member slots for themselves?
    Storing items of one sensitivity in one member account and others of a higher sensitivity in the other? When the need arises, can a user remove their device's access to that one member but keep the other?

    Remember that an entity that is capable of coercing you to reveal your Master Password may be able to coerce Apple into restoring data from their own backups. This, of course, would go for Dropbox or any place else that copies of your encrypted 1Password data live.

    Afraid to ask, but I will… does that include Agilebits as well, or are you and your servers able to sit in the "We can't" camp for this one?

    Thanks for chiming in here @jpgoldberg, I appreciate everyone's input into this topic.
    @skippingrock

  • AGAlumB
    1Password Alumni
    edited May 2017

    Thanks for following up with this. I do understand the need to help people not lose their data.
    Vice versa, I do feel that a user should ultimately be able to control the existence or extinction of their data as well.

    @skippingrock: You totally can. Admittedly, as it does with many things, iOS makes this super easy. Goldberg was right on:

    I am not 100% certain of how this is managed in the innards of the iOS file system, but when something in a protected data class is removed, then the keys that allow the app that owns the data to read the data will be destroyed. The cool thing about encryption is that you can destroy information simply by throwing away keys without having to actually overwrite the encrypted data. This is how Apple's Remote Wipe works.

    Each iOS app has its own private data container, and when you delete it, the keys for it are destroyed as well. Other OSes don't have it streamlined, but there are great secure erase utilities for each. Of course, none of this is guaranteed given that data recovery has advanced as well, but trying to recover deleted data that was encrypted to begin with is infeasible. And when the disk itself is encrypted (as is standard on iOS and many Android, Mac, and Windows devices today), you're talking about secure erasure over multiple levels of encryption.

    This is a bit off this topic, but of a particular mention, there have been a couple of items that got moved into our Family account's Shared vault but never should have. I can delete or hide them, but there is no way to ever remove them except by waiting a year. As mentioned quite a bit elsewhere on this forum, an Admin should be treated as such, an Admin. And to have the ability to permanently delete an item.

    That's a great point. You're right that there isn't currently a "delete forever" option for item history, but it's something we can consider.

    A thought: I haven't tried this, but is one able to use multiple family member slots for themselves?
    Storing items of one sensitivity in one member account and others of a higher sensitivity in the other? When the need arises, can a user remove their device's access to that one member but keep the other?

    I do. I have an extra admin account I don't use, as a backup in case I do something stupid...or die.

    Remember that an entity that is capable of coercing you to reveal your Master Password may be able to coerce Apple into restoring data from their own backups. This, of course, would go for Dropbox or any place else that copies of your encrypted 1Password data live.

    Afraid to ask, but I will… does that include Agilebits as well, or are you and your servers able to sit in the "We can't" camp for this one?

    Never be afraid to ask. In fact, since your Master Password is chosen by you, the Account Key is generated locally on your device at signup, and neither is ever transmitted, AgileBits never has the keys to your data. So it's definitely "I can't" for us, and that's by design. That's the good news. The tough part is that if you could legitimately say "I can't", you'd also lose access to your data. So there isn't really a solution for that.
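An added model (not Apple's or 1Password's implementation) of the key-destruction behaviour jpgoldberg and brenty describe above: the encrypted blocks stay on flash after "Erase All 1Password Data" or deleting the app, and only the key that could decrypt them is discarded. The HMAC-SHA256 counter-mode keystream stands in for AES, and the class-key/file-key names and sample data are constructed assumptions.

```python
"""Crypto-shredding model: deleting a protected-class file destroys its key, not its bytes.
Illustrative only; the HMAC counter-mode keystream is a stand-in for the real file cipher."""
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter) blocks concatenated to `length` bytes."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (the operation is its own inverse). Never reuse a (key, nonce) pair."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


class ProtectedContainer:
    """One app's private data container. The class key is held by the OS and never written to
    `flash`, which holds exactly what a forensic image of the storage would contain."""

    def __init__(self):
        self.class_key = os.urandom(32)
        self.flash = {}  # path -> (key_nonce, wrapped_file_key, data_nonce, ciphertext)

    def write(self, path: str, plaintext: bytes) -> None:
        file_key = os.urandom(32)
        key_nonce, data_nonce = os.urandom(16), os.urandom(16)
        wrapped = stream_xor(self.class_key, key_nonce, file_key)  # file key under the class key
        ciphertext = stream_xor(file_key, data_nonce, plaintext)
        self.flash[path] = (key_nonce, wrapped, data_nonce, ciphertext)

    def read(self, path: str) -> bytes:
        if self.class_key is None:
            raise PermissionError("class key destroyed; ciphertext on flash is unrecoverable")
        key_nonce, wrapped, data_nonce, ciphertext = self.flash[path]
        file_key = stream_xor(self.class_key, key_nonce, wrapped)
        return stream_xor(file_key, data_nonce, ciphertext)

    def erase_container(self) -> int:
        """'Delete the app' / 'Erase All Data': discard the class key and nothing else.
        Returns how many ciphertext bytes are still physically present afterwards."""
        self.class_key = None
        return sum(len(entry[3]) for entry in self.flash.values())


def recover_from_image(flash: dict, path: str, guessed_class_key: bytes) -> bytes:
    """What someone holding the flash image but not the real class key gets back: noise."""
    key_nonce, wrapped, data_nonce, ciphertext = flash[path]
    file_key = stream_xor(guessed_class_key, key_nonce, wrapped)
    return stream_xor(file_key, data_nonce, ciphertext)


if __name__ == "__main__":
    box = ProtectedContainer()
    box.write("vault.db", b"constructed vault item")  # constructed sample data and path
    print(box.read("vault.db"))
    print(box.erase_container(), "encrypted bytes remain on flash, unreadable without the class key")
```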

  • skippingrock
    Community Member
    edited May 2017

    Did I just read something elsewhere about Travel Mode?

    Thank you, thank you!!
    Does it or will it work on the Mac client too?

    … Ah, I see, it is done online.

    When in travel mode, is there no indication that your account is in fact in travel mode?

    I think I would still like to see more granular control of not just vaults but individual items.

    Also why is enabling Travel mode for all members a PRO feature? If we all go on holiday and say we both share a vault, what happens if one person (me) has the vault marked as not safe, but my mom who isn't tech savvy doesn't? I'm assuming that the sensitive vault would be shown on her device even if she put her device in travel mode too?

    As a family organizer, I should be able to have the ability to mandate if a vault is safe for travel or not for all users, not just me. I should also have the ability to put member's profiles in travel mode in case they forget to do it themselves and don't have a network connection where they are located in order to do it themselves.

    Well, there is a flaw in that last comment: if they don't have a net connection, there can't be a signal sent to the device to put it into travel mode. That said, there should also be a way to verify that a device connected to that user account is confirmed in Travel Mode. Basically, when a user activates Travel Mode, and 1P.com pings out to the devices to go into such mode, it would be great if the device could ping back to the website to say, "Yup, I got the message and I'm confirmed in Travel Mode.", or vice versa when exiting Travel Mode.

    Again, another issue: I see that the device is required to be unlocked in order to go into Travel Mode. Will this happen before the unlocking animation is completed, or would a person see these deleting when unlocked? (I'd prefer the former. Even if that means that an unlocking takes a split second longer to check and a few seconds to delete during a stalled unlocking animation… that happens sometimes anyway.)

    If a device is ordered to go into Travel Mode, but a user opens 1Password using the 1Password extension (on Mac) or the 1Password Share sheet button (in iOS Safari) or a 1Password enabled App like Tumblr, will 1Password.com still be able to send the signal to the device to remove the un-travel-worthy vaults? It should if it doesn't.

  • AGAlumB
    1Password Alumni

    Did I just read something elsewhere about Travel Mode?
    Thank you, thank you!!
    Does it or will it work on the Mac client too?

    @skippingrock: Yep! And you're welcome! I'm glad to have this myself. It's not a panacea, but it's saved me a lot of steps already. ;)

    The cool thing about this is it's handled by the server, so the clients don't even require an update. It just works.

    I think I would still like to see more granular control of not just vaults but individual items.

    You can always create a separate vault for your "travel data", but we may add more in the future.

    Also why is enabling Travel mode for all members a PRO feature? If we all go on holiday and say we both share a vault, what happens if one person (me) has the vault marked as not safe, but my mom who isn't tech savvy doesn't? I'm assuming that the sensitive vault would be shown on her device even if she put her device in travel mode too?
    As a family organizer, I should be able to have the ability to mandate if a vault is safe for travel or not for all users, not just me. I should also have the ability to put member's profiles in travel mode in case they forget to do it themselves and don't have a network connection where they are located in order to do it themselves.

    It's a brand new feature, and until now it wasn't possible to enable travel mode at all. So all vaults were effectively "safe for travel". So you're no worse off today. It's certainly something we can consider though. Cheers! :)

  • skippingrock
    Community Member

    You can always create a separate vault for your "travel data", but we may add more in the future.

    But for this to be truly effective one still could benefit from the ability to permanently purge items deleted from Vaults tagged as "Safe for Travel".

  • Thanks skippingrock,

    We'll keep that in mind for future enhancements.

    Cheers,
    Kevin
