Regarding security considerations of failed Master Password attempts

SystemSystem

Team Member
This discussion was created from comments split from: I need to reset my Master password but I do not remember the original..

Comments

  • "Just remember that even if you forget your Master Password, you can try to enter it as many times as you want." I understand why (so someone can't DOS the service), but at the same time, would hope that you have rate limiting in place to prevent brute force.

    This thread is exactly why I want to block my family users from accessing 1Password.com via a browser (and forcing the app) - the last thing I want is for an insecure browser password cache to hold the master passphrase.

  • brentybrenty

    Team Member

    @dougl: This thread is not about that. The original poster was asking for help because they've (seemingly) locked themselves out of their data. This is definitely off topic, and not an appropriate venue for trying to make a personal stand like this. Please be more considerate of others on this support forum. I've split you off into a separate discussion.

    I understand why (so someone can't DOS the service), but at the same time, would hope that you have rate limiting in place to prevent brute force.

    Absolutely, but throttling login attempts to the website is completely separate from people being able to access their data, as that can also be done in the apps.

    This thread is exactly why I want to block my family users from accessing 1Password.com via a browser (and forcing the app) - the last thing I want is for an insecure browser password cache to hold the master passphrase.

    Major browsers don't "cache" data entered into password fields. I'm not even aware of any alternative browsers that do. And if they did, it would be be reported and fixed. Mozilla, Google, Microsoft, and Apple know there's too much at stake to allow this. However, if the user tells the browser to save it, that's another story. But you can always disable browser "autofill" features, and we always recommend that for many security and usability reasons. Definitely something to consider, but fortunately there's a solution. :)

  • Fair point :-). Unfortunately the password cache features are either on by default, or all too easy to activate by accident. Perhaps a feature for the mini would be to warn users when they're enabled and offer a web page with instructions on how to migrate the data out of the browser and into 1Password?

  • BenBen AWS Team

    Team Member
    edited May 2018

    I’m not in a position to test on a new install right at the moment, but I’m pretty sure it does do that, and links to this guide:

    Turn off the built-in password manager in your browser

    Ben

  • Very cool - should have known you guys had it covered :-)

  • about the rate limiting, honestly, it's good to have, superb even, but if my password is heat death of the universe length right now, against a very well endowed GPU rig, I am not too too worried about something as sluggish as HTTP banging on a web service even if they singled me out for attention.

  • BenBen AWS Team

    Team Member

    Good point. :)

    Ben

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file