Security worries

pol
pol
Community Member

Hi! I was talking to a friend the other day about how great having a password manager is, and he asked me something I didn't know what to reply to, and got me kind of worried.

So I have all my passwords, credit cards, etc; in 1Password. The 1Password file itself with all the passwords is in Dropbox, so I can easily link to it in my cell or my computers.

  1. Now... what if Dropbox had a security leak or something and someone got access to my account? I'm assuming the passwords are encrypted, but may this be an issue?
  2. What if this someone deleted all my files? I hadn't thought of this really until he asked... I mean, I know I have a local copy as well, but if the files are deleted on dropbox, they'll also delete on my computer.

He also mentioned how dangerous it would be if someone stole your phone with all your passwords in it... but this is another topic already. "Just imagine him forcing you to unlock everything"... yeah...

Thanks!


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • littlebobbytables
    littlebobbytables
    1Password Alumni

    Hi @pol,

    I hope you don't mind but I've moved your post. We don't have a really appropriate location for these general kind of queries, it isn't about a specific platform or explicitly about our 1Password accounts so I'm using the Lounge section as a bit of a catch-all.

    Regardless of what method a 1Password user goes with, whether it is a 1Password account, Dropbox or iCloud, the stored data is always encrypted. The strength of your Master Password is what protects it just like its the Master Password that protects the actual copy of 1Password for Mac or 1Password for Windows that you interact with. Anybody obtaining a copy of the encrypted data will be forced to decrypt it before being able to do anything useful with it. So if your Master Password is password you probably shouldn't feel too safe but if its something more complex, maybe a passphrase then things tilt massively in your favour.

    Dropbox and iCloud are only ever used as a sync point, the actual data stored there isn't what the application uses when accessing your vault, its just there to act as a mid-point between copies of 1Password to communicate changes. If the OPVault in Dropbox was deleted, and don't forget that Dropbox allows for file recovery, all that would happen is 1Password would report that sync is broken and that you would need to set it up again. Nothing would stop that copy of 1Password being useable.

    A lost or stolen phone does mean the user needs to start thinking about what was on the device. A strong passcode coupled with security options like locking after 10 failed attempts can help stop most casual opportunists from getting anywhere. Lets say they are more determined though and they're able to access the filesystem. If all they can do is grab a copy of the encrypted SQLite database file then the next hurdle they need to face is decryption. I keep a copy of all of my vaults on my iPhone, my work account is connected to the iPhone and I would be quite surprised if that didn't hold true for everybody that works at 1Password. I'm not worried about what the loss of my device would mean beyond the massive annoyance factor.

    If you have any follow-up questions please do ask and we'll do our best to answer. Just to finish on a lighter note here are two personal favourites of mine; Randall Munroe, truly a god who walks amongst us :lol:

  • pol
    pol
    Community Member

    Thank you very much littlebobbytables, your response was very precise and useful. It definitely sounds safer than one would expect.

    On those comics, well, the security one kind of reflects a real fear of mine when having 1Password on the phone. I mean, I don't really care that much if they got access to that one forum I once registered to do whatever, but my credit card information... Ouch.
    There's nothing we can do about it really, except maybe having 1Password only at home, but that's not really convenient...

    Maybe you could add the feature of "profiles", kind of. You could have a main computer or device, from which you select which categories/profiles or whatever you want to sync with each extra device you link to your OPVault. Would be nice!

    Thanks for the info though!

  • @pol

    On those comics, well, the security one kind of reflects a real fear of mine when having 1Password on the phone. I mean, I don't really care that much if they got access to that one forum I once registered to do whatever, but my credit card information... Ouch.
    There's nothing we can do about it really, except maybe having 1Password only at home, but that's not really convenient...

    Do you carry your credit cards with you? If so it seems you'd be in the same situation, 1Password or not. Fortunately most credit card companies are very good about dealing with theft and fraud. There are a fair number of consumer protections in place to help if your credit card information is stolen.

    Maybe you could add the feature of "profiles", kind of. You could have a main computer or device, from which you select which categories/profiles or whatever you want to sync with each extra device you link to your OPVault. Would be nice!

    If you're going to be in an area where you are particularly concerned you might consider using the Travel Mode feature of 1Password membership:

    Use Travel Mode to remove vaults from your devices when you travel

    I'm not aware of any plans to implement a similar feature beyond that, but we'll certainly continue to listen to feedback on these sorts of situations and see where we can improve.

    Ben

  • pol
    pol
    Community Member
    edited July 2019

    @Ben

    Do you carry your credit cards with you? If so it seems you'd be in the same situation, 1Password or not. Fortunately most credit card companies are very good about dealing with theft and fraud. There are a fair number of consumer protections in place to help if your credit card information is stolen.

    Totally true yes. Actually I guess the average thief will be more aware of this scenario than cards being on 1Password...

    If you're going to be in an area where you are particularly concerned you might consider using the Travel Mode feature of 1Password membership

    Very interesting indeed! It's not exactly what I said, but very close! That can definitely work.

    Thanks for the replies!

  • You're most welcome. Happy to help.

    Ben

This discussion has been closed.