Security question

A quick security question. Does 1Password block access to an account for a period of time after a certain number of failed credential attempts? And, if so, does the user get an e-mail informing them of the attempted access?

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided


  • jpgoldbergjpgoldberg Agile Customer Care

    Team Member
    edited November 2020

    1Password rate limiting

    Does 1Password block access to an account for a period of time after a certain number of failed credential attempts?

    There are three answers

    1. Yes, but not in the way that you are asking for.
    2. No, not in the typical sense (because 1Password login is different)
    3. We do something better and is designed for the way that 1Password works.

    1. Server-side rate limiting

    There is server-side rate limiting, but it is aimed at highly automated attacks that hammer the server. These are configured in terms of requests per second. So it is, in a sense, a "yes" answer to your question in a technical sense, but it really isn't what you are asking about.

    2. Unlocking 1Password and logging in are subtly different

    When you unlock 1Password you aren't necessarily logging in (unless you are doing so in the browser or setting up a new device). It is possible to unlock and use 1Password off-line with no connection to the server. Your Master Password and Secret Key is used to derive a key that is used to decrypt (other keys that are used to decrypt) your data.

    A sophisticated attacker who has access to your local encrypted data isn't going to use the 1Password app to try various Master Passwords. Instead they will make a copy of your local data and run cracking attempts of it that don't go through the app itself. So lockout isn't going to have any effect on a sophisticated attacker. So such limiting for an encryption app (as 1Password is) would really be what is derisively called "security theater." It wouldn't actually defend against anything, but it would make these appear more securie to the user.

    A naive attacker actually typing in Master Password attempts into the 1Password app aren't going to get anywhere unless your Master Password is terrible. Don't have a terrible Master Password.

    We could put in limits in the case where authentication is required, such as for setting up a new device or in the web-client, but the very limited security gain for that isn't worth the confusion that the apparent inconsistency would lead to when we don't have it in the local apps. But an attacker isn't going to guess your Secret Key, and attackers who have your Secret Key would probably have a copy of your local data and would do their attacks off line.

    3. Where we get the effect that you want

    As I've been trying to say (it is a subtle and unfamiliar concept) the kind of limiting that you are asking about doesn't really make sense for something that's security is based on encryption more than on authentication. But there is a way to get. a similar effect and that is slow hashing. When you (or an attacker) enter your Master Password (and Secret Key) the computation needed to derive the keys used to actually unlock or authenticate is deliberately intensive. Your computer might have to do 1/4 second of computation to process those secrets. The steps in the computation can't be skipped.

    A quarter of a second isn't going to be very noticeable to you, but an attacker who has a copy of your encrypted data (or somehow has your Secret Key and is trying to log into the server) is going to automate things to try hundreds of thousands of different Master Password guesses. And that is where this quarter of a second adds up. So there is rate limiting built into the math of the key derivation.

    Do we email on failed login attempts?

    does the user get an e-mail informing them of the attempted access?

    No. We do email when a new device (including browser) is set up, but we do not automatically send email in case of authentication failures. Again, not all attempts to unlock 1Password have an authentication attempt. Our use of slow-hashing client side strongly discourages the kinds of attack you are worried about. This means that pretty much all the emails would be about false positives. In the tiny number of cases where something looked like a serious attack to us, we investigated and reached out to the affected users.

    Again, let me remind you that nobody is going to guess your Secret Key; they would have to steal it from one of your devices. And a serious attacker with access to data from one of your devices isn't going to do an online attack as those are far more expensive and subject to detection. So the kinds of notifications that are very useful for many other services would only help in the case of a user whose Secret Key is stolen, has a really bad Master Password, and has an attacker trying an online attack. So please have a decent and unique Master Password.

  • Great info. Thank you.

  • brentybrenty

    Team Member

    Glad that Goldberg was able to help. We're here if you need us. Cheers! :)

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file