"I stole your 1Password keychain"...

bulbuls
Community Member
edited March 2018 in Lounge

I was just watching this video:
https://www.youtube.com/watch?v=F78UdORll-Q

Halfway through, the hacker, who has been hired by the host to hack him, reports that he has stolen the host's 1Password keychain and subsequently has access to all of his passwords, accounts, etc.

Why would a hacker be able to steal and read/decipher a 1Password keychain?

There is a general consensus that security is getting better with 2FA, Touch ID, Face ID, etc., but why do I have the feeling that it's actually getting easier for anyone who really wants our data to simply steal it?

cheers
Gregory

Comments

  • Hi @bulbuls

    Even having access to a person’s 1Password keychain would not be sufficient to access their data. The Master Password for the keychain would be required to decrypt the data. If you’re using a strong Master Password it would be incredibly difficult, possibly bordering on impossible, for someone to access your data. This article is a little bit dated at this point, but the concepts are still relevant:

    AgileBits Blog | Toward Better Master Passwords

    I hope that helps!

    Ben

  • wkleem
    Community Member

    @Ben, I think this video had been posted here previously. The video and article are 2 years old:

    https://splinternews.com/i-dared-two-expert-hackers-to-destroy-my-life-heres-wh-1793854995

  • AGAlumB
    1Password Alumni

    I recall that as well. Social engineering is pretty scary. All the more reason for us to not have the "keys" to 1Password users' data, and to ensure we know as little about our customers as necessary for them to get service from us.

  • prime
    Community Member

    So, I am guessing a key logger was installed on that person's computer. Again, human error, because he clicked on a link he had no idea what it was for.

  • prime
    Community Member

    He said “I stole your 1Password Keychain” he never said anything about the master password, or is he implying that he did have access to the master password?

  • AGAlumB
    1Password Alumni

    @prime: I think a lot of people will take it that way, but it isn't clear if that's what happened. (Though, ironically, that YouTube channel stole that video from Kevin Roose...with no attribution. :unamused: )

    However, since the hack-ee installed malware on his computer, the hack-er would be able to capture information by presenting fake password prompts and seeing what the hack-ee did anyway. So we should just sort of assume that the hack-er would be able to get access to 1Password data, if nothing else, by collecting information as it was accessed, if not by capturing the hack-ee's Master Password at some point.

    That's the beauty — and horror — of social engineering: no technological exploits are needed. It's just manipulating humans to give up information. With 1Password, someone will have to go through you to get access to your data, one way or another. It's yet another case of "great power" with "great responsibility"; both are yours, which can be terrifying, but also liberating.

  • Janis
    Community Member

    Hi everyone!
    I was thinking: what about two-step verification after the master password is typed wrong 3 times, and then the master password needs to be typed again?
    Then we should know that someone is trying to steal...

    Oh yes, only when the PC is connected to the internet and someone tries to hack the master password from a stolen 1Password keychain would two-step verification work...

  • AGAlumB
    1Password Alumni

    @Janis: Indeed, that has two clear problems: you'd have to be online any time you want to access your data, or if it's possible to get around that requirement an attacker could just disconnect the device from the internet before trying.

    That's the bad news. The good news is that 1Password's security isn't dependent on authentication (or it would be subject to social engineering attacks like those described in the video, where the service provider is tricked into giving an attacker access). Instead, we've built 1Password's security on encryption, so that even if someone has the encrypted database they will not be able to decrypt it...unless you give them the "keys" to do so. Cheers! :)

  • Janis
    Community Member

    Thanks for the excellent explanation! ;)
    And a good point is that, if somebody steals a PC or smartphone, then if you have a 1P account membership, you can disable that device from the account and the vault is removed. That is the nr. 1 reason why membership is better than the standalone version.

  • AGAlumB
    1Password Alumni

    Absolutely! And, when in doubt, you can also change your Secret Key and Master Password if you have any reason to believe either is compromised. Better safe than sorry. :)

  • wkleem
    Community Member

    I think a lot of people will take it that way, but it isn't clear if that's what happened. (Though, ironically, that YouTube channel stole that video from Kevin Roose...with no attribution. :unamused: )

    That's the thing about YouTube, emails etc, anyone can share content without attributing back to the source, although the original video site (Fusion) is blocked for my country.

  • AGAlumB
    1Password Alumni

    Very true, and for all the amazing things the internet makes possible... What a mess! :lol:

  • Janis
    Community Member

    I was thinking again... What if the 1Password keychain (vault) is automatically removed if the master password is typed wrong 10 times?
    Like the feature we already have in a membership account, where we can set a vault as safe for travel and then the vault is removed from all devices.
    And that feature could be built into the vault for self-destruction after the master password is typed wrong many times, if somebody stole the vault.
    What do you think about that, 1P team?

  • AGAlumB
    1Password Alumni
    edited March 2018

    @Janis: We've always intentionally not done the "X strikes and you're out" thing, because it won't provide any security against an actual attacker; they'll just make a copy of the data and work on brute forcing that rather than trying to sit there typing into the 1Password app. Very inefficient. So this would really only hurt you as an actual user by nuking your data if you have a bad day and have trouble entering the correct password.

    Travel Mode is very different, as it allows you to easily choose to remove data from your devices beforehand. Not everyone has to use that, but for those who were doing that anyway before Travel Mode, it is so much easier. Cheers! :)
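    An added illustration of the point made in this reply and in the earlier one about encryption rather than authentication (example code written for this thread, not 1Password's own code, KDF parameters or vault format): a "10 strikes and wipe" counter is only state inside the app, while a copy of the encrypted blob taken beforehand still opens with the Master Password alone, so what bounds an offline guesser is the password's entropy multiplied by the KDF cost per guess. The names seal_vault, open_vault, StrikeOutApp and guess_work_seconds, and the iteration count, are all assumptions of this example.

```python
import hashlib
import hmac
import os

# Constructed parameters for this illustration only; not 1Password's real KDF or format.
ITERATIONS = 100_000

def derive_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the Master Password into a 32-byte key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC counter-mode keystream: a stdlib stand-in for a real AEAD cipher."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range(-(-length // 32))]
    return b"".join(blocks)[:length]

def seal_vault(master_password: str, plaintext: bytes) -> dict:
    """Encrypt-then-MAC; the password plus this blob is everything needed to decrypt."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(master_password, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def open_vault(master_password: str, blob: dict):
    """Return the plaintext, or None if the password does not verify against the tag."""
    key = derive_key(master_password, blob["salt"])
    tag = hmac.new(key, blob["nonce"] + blob["ct"], "sha256").digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["ct"], _keystream(key, blob["nonce"], len(blob["ct"]))))

class StrikeOutApp:
    """The proposed 'wipe after N wrong passwords' policy, enforced only as app-side state."""
    def __init__(self, blob: dict, max_strikes: int = 10):
        self.blob, self.max_strikes, self.strikes = blob, max_strikes, 0

    def unlock(self, master_password: str):
        if self.blob is None:
            return None                      # already wiped: even the real owner is locked out
        data = open_vault(master_password, self.blob)
        if data is None:
            self.strikes += 1
            if self.strikes >= self.max_strikes:
                self.blob = None             # only the app's own copy disappears
        return data

def guess_work_seconds(entropy_bits: float, kdf_seconds_per_guess: float) -> float:
    """Expected offline cost of guessing until found: half the password space, one KDF each."""
    return 2 ** (entropy_bits - 1) * kdf_seconds_per_guess
```

    Raising the KDF cost or the password entropy moves the number returned by guess_work_seconds; the strike counter does not appear in that calculation at all.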

  • Janis
    Community Member

    Ok, thanks for the explanation, and I agree with everything you said!

    Cheers you too! :)

  • AGAlumB
    1Password Alumni

    Likewise, thanks for bringing it up! I know it isn't obvious, so I'm sure others have the same questions. :chuffed:
