Some Questions before taking a plunge.

kroman
Community Member
edited November 2018 in Lounge

Hey, guys! I have a few questions to ask before signing up for the service.

  • First, where are my passwords stored? Locally or remotely? Both?
  • In what form are they stored? (I hope not raw).
  • Does 1Password ever have access to my raw password inputs?
  • If 1Password servers go down (or you go out of business, heavens forbid), do I get locked out of all my passwords?
  • If someone gains access to my primary email account, would they be able to access my Vaults or account w/out my knowledge?
  • I'm infected with a key-logger. Is my Vault seriously compromised?
  • When generating a new strong password for a site, do you use the clipboard to insert it into the pw field? If so, how secure is my clipboard from interception/substitution?

Thanks a bunch!

P.S.

  • Can I use 1PW from within apps or programs on my PC? How can I use 1PW to access those? Can I even do that?

P.P.S.

  • Say I forgot my Master Password but I kinda remember what it was. Is there a penalty for incorrect login attempts? Can I set up a script to brute-force it? I guess, the real question is, is there a feature to make brute-forcing less attractive but not so that I couldn't ever get locked out if I do more than a few invalid login attempts?


Comments

  • AGAlumB
    1Password Alumni

    @kroman: Thanks for getting in touch. Great questions! :)

    First, where are my passwords stored? Locally or remotely? Both?

    Technically both with 1Password.com accounts, but since the "source of truth" is the encrypted data on the server, the local data is used as a cache so that you can access it offline.

    In what form are they stored? (I hope not raw).

    Encrypted. You can find details in the security white paper: https://1pw.ca/whitepaper

    Does 1Password ever have access to my raw password inputs?

    The app does, absolutely. Otherwise it couldn't understand any of your data to do anything with it. I don't think that's quite what you meant to ask, but precision is important. Suffice to say that only encrypted data is ever transmitted -- it's all encrypted locally on your device -- and the "keys" to decrypt it are never sent to us. I think maybe that's what you were wondering.

    If 1Password servers go down (or you go out of business, heavens forbid), do I get locked out of all my passwords?

    Nope. You'll have a copy of the data on any of your authorized devices, and you can export from there if necessary. But we also have been around for over a decade now, and charge sustainable prices for our products so that we'll continue to be able to work on 1Password for more to come. :)

    If someone gains access to my primary email account, would they be able to access my Vaults or account w/out my knowledge?

    Possibly. To be clear, even with access to your email account, they would need your 1Password.com account credentials to access that. However, if you are part of a 1Password Business/Families plan and they are able to trick another admin on the account into putting it into recovery mode, they could go through that to gain access. That's why we recommend that recovery be initiated only due to an in-person request, since email can be spoofed and hijacked even without direct access to the account.

    I'm infected with a key-logger. Is my Vault seriously compromised?

    Probably not, but you should assume that it is. Don't presume that the attacker is stupid. When someone else has control over your device, they can potentially "see" anything you do, and so when you access your data they'd be able to capture it at that time. If you believe your machine is infected, it's better to not use it at all. 1Password's data will be fully encrypted on disk, and it cannot be decrypted without the correct Master Password. So an attacker would need to either get your password or let you unlock it for them.

    When generating a new strong password for a site, do you use the clipboard to insert it into the pw field? If so, how secure is my clipboard from interception/substitution?

    It's as secure as the device. So in the above scenario, not at all. It's also important to note that the clipboard is, in nearly all cases, accessible to any running software. Even if there is nothing malicious, another app could log it (a lot of people use "clipboard history" software), and that could be stolen or misused down the road. Copy and paste is necessary at times, but you should use the 1Password extension to fill whenever possible, as that not only avoids the clipboard entirely, but also saves you some effort as well.

    Also, be careful about what other browser extensions you install, and the permissions you give them. Many request access to everything you do on every webpage, which would also include anything you do there with 1Password. Shady extensions that offer you something for "nothing" are the devil.

    Thanks a bunch!

    Sure thing! :)

    P.S. Can I use 1PW from within apps or programs on my PC? How can I use 1PW to access those? Can I even do that?

    No. There are no frameworks in the OS or in apps (apart from major web browsers) to allow that. You can, however, use the 1Password for Windows "Type in window" feature (right click the login and select the field) in many kinds of apps.

    P.P.S. Say I forgot my Master Password but I kinda remember what it was. Is there a penalty for incorrect login attempts?

    No.

    Can I set up a script to brute-force it?

    Yes.

    I guess, the real question is, is there a feature to make brute-forcing less attractive but not so that I couldn't ever get locked out if I do more than a few invalid login attempts?

    To be clear, you won't ever be "locked out". The issue a script will run into is throttling, when the server (rightly) thinks it is under attack. The apps themselves will also throttle attempts. For humans, this isn't really a problem though. Sometimes it's good for our memory (and our stress level!) to step away and take a break, so that it might come back. ;)

This discussion has been closed.