how secure are my vaults after a data breach?

m_w
m_w
Community Member

I used to have individual vaults that I synced to Dropbox when I first started using 1Password in 2010; since then I have moved to family based vaults. We know that Dropbox had a data breach in 2012 which resulted in email addresses and password being exposed.
Let's assume someone got hold of my 1Password vaults that were then stored in Dropbox. What would they need to access the data? Do they only need to guess the master password? And which master password do you need? I'm asking this question as I'm still able to log into my 1Password client on my iMac or iPhone using the master password from the individual vaults even though I have given the family-based vaults a newer and much stronger master password.


1Password Version: 7.2.5 (70205002)
Extension Version: 7.2.5
OS Version: 10.14.3
Sync Type: Family

Comments

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited March 2019

    @m_w: With a local vault, yes, only the Master Password is needed. Otherwise you would not have been able to decrypt it using only that yourself. So ultimately it will depend on the Master Password you chose and how hard it is to guess that. For reference, last year we ran a contest where it took more than six months for someone to guess a random three-word Wordlist password, and that was with hints and a cash prize at stake. So if you were using something similar to that or better, you could expect that it would take longer than that at least. But 1Password also slows down guessing by automated tools using PBKDF2, so it would be substantially harder with an actual vault, when compared to just running through a list pf passwords.

    Again, all of this applies to the Master Password you setup for that particular vault. It sounds like you still have it hanging around on some of your devices, and that's causing some confusion. A Primary (local) vault is not part of any 1Password membership account, but the app will unlock using the Master Password of the first vault/account you have setup in it.

    With a 1Password membership account, the Secret Key is also needed to decrypt the data. That way if the encrypted database is stolen from us, the attacker cannot even perform a brute force attack against your Master Password. I hope this helps. Be sure to let me know if you have any other questions! :)

This discussion has been closed.