Weakness of 1Password with multiple vaults

Boerny
Community Member
edited September 2019 in iOS

I'd like to discuss a situation which led me to request an enhancement for 1Password.

Lately I was robbed. The thief got an open iPhone with opened 1Password right out of my hand.
Likely a disaster situation. I'm pretty sure nothing bad happened (as so far I don't have evidence for that), but who knows.

However, this led me to the following thinking: the human and the situation are the weakest part of the security chain.
It also led me to: what data to actually store in 1Password? Luckily I'm separating identity information (like recovery questions, recovery separate phone numbers) in a different place (or possible vault?).

BUT: if I would carry two vaults on one device with 1Password, it wouldn't help to just have two different passwords on the vaults.
1Password ALWAYS unlocks all vaults stored on the device with the same MasterPassphrase you use to unlock the app.

So my security enhancement wish: please implement a way to mark certain vaults to require a separate authentication even after 1Password was successfully opened.

Most users likely use 1Password to store – passwords! It's easy to change passwords after a robbery. However, if you store more sensitive information, you might want to protect this further. The current architecture of 1Password unlocks everything with a single password (hence the name, :-) ) and in this case is a disadvantage here. I'd need to run two apps to separate data.

Best, B.


1Password Version: 7
Extension Version: 7
OS Version: macOS, iOS
Sync Type: iCloud, Dropbox, WLAN, …

Comments

  • Lars
    1Password Alumni

    @Boerny - first of all, I am SO sorry to hear you were robbed. That's just an awful, gut-wrenching feeling of violation; I've experienced it. :(

    "The thief got an open iPhone with opened 1Password right out of my hand. Likely a disaster situation."

    That's about as bad as it gets, yes. Assuming your attacker knew what (s)he was doing, they could have added their own fingerprint/face ID scan to your existing one, which would have made their face or fingerprint as good as yours for purposes of unlocking. In such a scenario, you'd have to assume ALL your 1Password data was compromised -- as well as non-1Password stuff which is beyond the scope of what I'm able to assist you with here. But yes, the proper working assumption in such a case is: total loss/disclosure of data. I would strongly recommend you change, as quickly as possible, all of the passwords for any data you have in 1Password -- as well as contacting your bank and credit card companies.

    Regarding your wish, I don't think we'll be making that specific change, since an attacker in possession of your unlocked device could add his/her face/fingerprint and just access things that way, assuming you had biometrics enabled. We're always looking for ways to improve 1Password's security, but making users remember multiple passwords would be likely to cause more problems for more users -- including potentially data loss -- than it solves for those few like you who find themselves in this situation you did recently. The kind of attack you experienced is quite rare indeed -- 1Password's defenses against brute-force attacks on your data are quite robust assuming you used a good Master Password. So in an ordinary theft scenario (you leave your phone in an airport lounge, someone steals your laptop out of a hotel room, etc), either the device is off or at the very least it is not unlocked, and 1Password is not also running and unlocked.

    In terms of 1Password details, we recommend users print out things like their Emergency Kit and save it offline -- such as in a safety deposit box, floor safe, or with a trusted attorney, for emergency situations.

    I'll pass along your idea to the development team, and I hope you can recover quickly and completely from this loss. Stay safe out there.

  • Boerny
    Community Member

    @Lars thanks for your anticipation. But luckily I'm fine and password changes are underway :-) (I find it interesting how long it takes to actually change all that data.)

    However, I really want to talk about the enhancement request and less the robbery. The situation just provides a scenario as what I consider "worst case". It made me start thinking more thoroughly about how and what data I could store in 1Password, now that I need to refresh everything anyway.

    I’m sorry, but there are two things you mentioned, which are not fully correct.

    1) Changing biometric data on iOS, like a fingerprint (TouchID) or Face (FaceID), will actually be detected by 1Password, and 1Password will ask for the MasterPassphrase again. In general changing passcodes or biometrics on iPhone will trigger an alert detection by the OS triggering a fallback to the initial access code for the app. Your company is doing the right thing here! This is safe! A thief CANNOT add his face or a new finger and gain access to all apps protected by Face-ID or Touch-ID. I've tested it, this is not working.

    2) There is actually a real need to have two distinctive separate containers available if you have to. E.g. in my country there is a law, that you are not allowed to store e.g. a password together with the recovery question in the same encryption container. So it has to be separated. In addition I also would just feel more safe if there would be a second layer of protection for even more sensitive data other than simple passcodes.

    For 2) I was under the impression that it's actually possible with 1Password to be safe, but you aren't. The benefit of different protections you implement per vault with different passcodes gets wiped out by unlocking everything (without an option to not do so) with a single "super passcode".

    It's not about that difficulty to remember multiple passphrases to unlock multiple vaults, but more about separating data types and protecting it separately.

    Think about the two common situations today: passcode & access theft vs. identity theft.

    One should NEVER EVER store identity information together with access information in the same data container. However 1Password is encouraging users to do exactly this by providing the appropriate categories with forms asking for that data.

    But what would happen if a thief could gain access to a data entry, where not only the access to an account is stored, but also all the identity information of the user of that account?

    Think about banks! A thief could very easily take over the full account in minutes, if you filled out the full bank template and even added e.g. security questions. Something which wouldn't be possible if you'd separate passcode and identity.

    You could argue now: that's what we expect from users to do anyways, but in today's world with multiple identities per user (multiple bank accounts, critical account with Microsoft, Google, Facebook, Apple, Instagram, Twitter, etc.) it becomes more and more important to also consider (and store somewhere) these data types because we also forget about where we stored what type of identity information.

    Truly it wasn't a need when 1Password was invented (I'm paying for it since V3), but our world changed a bit since then ;-) And this is where I'd like to hint you to take the chance to support us users more in this changed environment by helping us staying secure in this more and more information-distributed world.

    Does it make sense?

  • Boerny
    Community Member

    Oh and I just saw, that LastPass is implementing something in this area. An option to always ask for the Masterpasscode again if you want to access a given data entry in-depth.

  • Lars
    1Password Alumni

    @Boerny - we don't have any plans to add secondary passwords for separate vaults at this point, but I'll certainly pass along your ideas to the development team.

  • 1pwuser31547
    Community Member

    Hi Lars.
    Regarding the above situation, would it be possible to add password-protected/encrypted PDF/Excel/Word documents to the vaults?

    I understand that individual 1PW accounts are allowed 1 GB of storage.

    Are there any adverse security issues generated by saving a separately encrypted file within another encrypted app? (obviously with totally separate and unrelated passwords)
    Thanks

  • Lars
    1Password Alumni

    @1pwuser31547 - nope, that's perfectly fine. There are often multiple layers of encryption when using various services around the web or even locally on your own device, and we (users) are frequently not even aware it's occurring. You'd need to make sure you have the passwords for those pre-encrypted PDFs or other files, as what's uploaded as a Document item if you encrypt it separately will be of no use to you if you don't have the password you used for it; you'll only get the encrypted form in 1Password.

    I should also make sure I point out that 1Password was never intended as any sort of hierarchical online file storage system. That's why there's a 1GB total for personal accounts (1Password Business have higher limits, but it's still nothing like iCloud or Gdrive or Dropbox's capacity): we know you may want/need to attach a few small files such as a photo of your Driver's License or Passport (in case it's stolen, etc), or scans of important documents...but if you're looking for an encrypted online file-storage system that allows you multiple layers of folders, etc, there are already services you can use for that. 1Password is (essentially) an encrypted, specialized database for saving and using sensitive and important information you use frequently, not a multi-GB encrypted digital filing cabinet.

This discussion has been closed.