How important are device passwords?

quickbyte
Community Member

After years of paying for 1Password Families, I've finally managed to convince my parents to start using it with me.

They had no problems understanding the need for a strong master password for their 1Password account, given that it's online (secret key being beyond the scope of our conversation), but it will be an uphill battle convincing them why their home computer password shouldn't be our dog's name, or their iPhone PIN shouldn't be something fairly guessable. There aren't a lot of articles out there that explain the threat model for "local-only" passwords.

From a 1Password point of view, are there any technical reasons why a device needs a strong password/code?

The only one I can think of is keylogger-type malware, which, at least for my Apple-ecosystem low-risk-behavior parents, isn't a major concern.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • danco
    Volunteer Moderator

    For a computer, there is always the "evil maid" scenario to consider as well as the possibility of it being stolen in a burglary of the home.

    For a phone, which is presumably taken out of the house, there is the risk of losing it, of a pickpocket, etc.

  • quickbyte
    Community Member

    Acknowledged, but I think the harder story to sell is what happens after that. Assuming the burglar or pickpocket isn’t after you specifically, the argument is “isn’t a simple password enough?”, since it’d prevent casual data theft.

    But assuming I live in a fantasy/paranoid world where I store no information locally and log out of every service at the end of each session. Does 1Password’s model rely at all on the security of the device itself?

  • hawkmoth
    Community Member

    Does 1Password’s model rely at all on the security of the device itself?

    It certainly doesn't. If you have a strong master password, a thief who gets access to the data file itself has no realistic way of gaining access to its contents. If this were not true, you would probably not trust having it all stored in the cloud. There is lots of information on the 1Password web site explaining all of that.

    I'm with your parents on security for a home computer. The odds of anyone targeting me specifically and wanting to break into my computer are small enough that I'm comfortable with a fairly simple password. Not an obvious one, mind you, but one that I can quickly type in when I wake the machine for the first time each day. If I were worried about a machine in an open office, I would feel otherwise.

    I'm also comfortable with a six digit PIN on my mobile phone, but I can easily see the argument for more security there.

  • jmjm
    Community Member

    I'm also comfortable with a six digit PIN on my mobile phone, but I can easily see the argument for more security there.

    You got me thinking as I use a fingerprint or "only" a 4 digit PIN to unlock my Pixel....hmm

  • quickbyte
    Community Member

    Not an obvious one, mind you

    Ah, but therein lies the rub: what's your standard for obvious? Not "password" or "1234", sure, but what about {wife's name} or {home address}?

    There is lots of information on the 1Password web site explaining all of that.

    I should clarify, I'm familiar with the general 1Password security model, but not all the specifics of its implementation. I didn't want to assume that because 1Password doesn't instruct us to use strong device passwords that they were irrelevant.

    And I do find it hard to believe that a compromised device in no way increases the risk to my 1Password data, even if the risk is more academic than practical. But 1Password has always run a really tight ship, and if anyone were capable of designing an entirely foolproof system, it'd be them.

  • Lars
    1Password Alumni

    @quickbyte - excellent questions!

    But 1Password has always run a really tight ship, and if anyone were capable of designing an entirely foolproof system, it'd be them.

    I'm grateful for the trust you place in our product security, but there IS no such thing as a 100% foolproof solution. If there were, everyone would already own it and the game between attackers and defenders would be over for good. However, a lost or stolen device is indeed one of the situations for which 1Password is specifically designed. On your local device, your Master Password is what protects your data. This has been true since the early days of 1Password. Should someone gain unauthorized access to your device, the worst they could do immediately is copy the encrypted 1Password database and remove it to their own device to run automated password cracking software against it. That's why we urge people to choose a good Master Password. If a thief or hacker manages to access your user account, they don't get your 1Password data as well.

    And I do find it hard to believe that a compromised device in no way increases the risk to my 1Password data.

    Your instinct is quite right. Leaving 1Password data aside for a moment, there are numerous reasons not to use an easy-to-guess passcode (or user account password) on your devices. The most important one I can think of off the top of my head has already been mentioned: theft or "evil maid" scenarios. The real underlying threat there is that a weak(er) password for the device makes it that much easier for the thief (or "maid") to access your data. Sure, given enough time, it's increasingly possible that someone truly dedicated and skilled could do so anyway, but why make it easy for them? Most modern devices have some form of remote erase feature (Apple's "Find My Device" feature is one example). If your device passcode is your birthday, or your dog's name or something similar, it increases the likelihood that it will be discovered before you can remotely erase the device. And your 1Password data isn't the only valuable data on your device (or your parents' devices), I'm guessing?

    In the case of a laptop, most users also run only one account on the device, meaning by definition that account has administrator privileges. This means that someone able to unlock a user's account could do all sorts of things to the device in a relatively short time, and not even need to steal the physical device itself -- say, during a trip to the restroom at the coffee shop. If the device can be unlocked, a USB flash drive or SD card could be inserted and data copied (including encrypted 1Password data), and unless the user checked the logs, they'd never even know, nor think to take any countermeasures. Or the attacker could insert a USB flash drive and upload malware running as root from an automated script -- and then remotely capture every keystroke or even take screenshots or video. The possibilities are many, for a resourceful and determined attacker. Most of us will never face such a threat because, quite frankly, most of us aren't well-known, rich and/or interesting enough to warrant that kind of energy/attention. But opportunistic attacks carried out by prefab scripts are much more likely to be successful if it's trivial to access a user's account on a device. "Use strong, unique passwords" is good advice everywhere. 1Password can help you remember all the ones for the various dozens or hundreds of websites/accounts you have, but you should remember your Master Password and a short list of others, device passcodes among them.
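The scenario Lars describes, a thief copying the encrypted database and running automated guessing against it, can be modelled in a few lines. The script below is an added example, not code from the thread or from 1Password, and it does not use 1Password's real vault format, key derivation or parameters: PBKDF2-HMAC-SHA256 from the Python standard library stands in for the KDF, the iteration count is an assumed value, and the vault is reduced to a salt plus an HMAC verifier. What it shows is the point of the post: nothing the attacker copies depends on the device login password, so the only lever left is the Master Password, and every guess costs a full key derivation.

```python
"""Model of the offline-cracking scenario from the thread.

Assumptions (illustrative, NOT 1Password's real format or parameters):
  - PBKDF2-HMAC-SHA256 stands in for the real key-derivation function.
  - The copied "vault" holds a random salt, the iteration count and an HMAC
    verifier of the derived key; real products wrap a random data key instead.
  - KDF_ITERATIONS is an assumed work factor chosen for this demo.
"""
import hashlib
import hmac
import math
import os
import time

KDF_ITERATIONS = 100_000  # assumed work factor for this model


def derive_key(master_password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Stretch the Master Password into a 256-bit key. Same inputs -> same key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def create_vault(master_password: str) -> dict:
    """Everything a thief gets by copying the file off the device.
    Note that the device login password or PIN plays no part in it."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt)
    verifier = hmac.new(key, b"vault-verifier", "sha256").digest()
    return {"salt": salt, "iterations": KDF_ITERATIONS, "verifier": verifier}


def unlock(vault: dict, candidate: str) -> bool:
    """The only check available to the attacker: derive, then compare in constant time."""
    key = derive_key(candidate, vault["salt"], vault["iterations"])
    probe = hmac.new(key, b"vault-verifier", "sha256").digest()
    return hmac.compare_digest(probe, vault["verifier"])


def guesses_per_second(vault: dict, samples: int = 5) -> float:
    """Benchmark how fast one CPU core can test guesses against this vault."""
    start = time.perf_counter()
    for i in range(samples):
        unlock(vault, f"benchmark-guess-{i}")
    return samples / (time.perf_counter() - start)


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a password chosen uniformly at random over the charset."""
    return length * math.log2(charset_size)


def expected_crack_seconds(bits: float, rate: float) -> float:
    """Expected time to find a uniformly random secret of `bits` entropy:
    on average half the keyspace must be tried at `rate` guesses per second."""
    return (2 ** bits / 2) / rate


def years(seconds: float) -> float:
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    vault = create_vault("correct horse battery staple")  # constructed demo password
    assert unlock(vault, "correct horse battery staple")
    assert not unlock(vault, "Spot")  # the dog's name from the thread

    rate = guesses_per_second(vault)
    print(f"one core: ~{rate:,.0f} guesses/s at {vault['iterations']} iterations")
    # Compare device-passcode-style secrets with a real Master Password.
    for label, bits in [
        ("4-digit PIN", entropy_bits(10, 4)),
        ("dog's name from a 10,000-word list", math.log2(10_000)),
        ("4 random Diceware words (7776-word list)", 4 * math.log2(7776)),
        ("12 random printable ASCII characters", entropy_bits(95, 12)),
    ]:
        secs = expected_crack_seconds(bits, rate)
        print(f"{label:42s} {bits:5.1f} bits  ~{years(secs):.2e} years on one core")
```

Run it as a script to see the benchmark on your own machine; the single-core rate it prints is a lower bound on what an attacker with GPUs would achieve, which is exactly why the entropy of the Master Password, not the device password, decides the outcome of the stolen-database case.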

  • williakz
    Community Member

    Very useful thread. Thanks to OP, commenters, and @Lars. Off to harden all my MacBooks, iPads, iPhones, PCs, gateway routers, smart TVs, and other gizmos currently, um, protected by '1234' or 'Spot'...

  • jmjm
    Community Member
    edited January 2021

    On your local device, your Master Password is what protects your data.

    I know I am misunderstanding, but for my phone isn't it my PIN (to access the phone) and my fingerprint (to open 1P) that are protecting my 1Password data (that can be accessed on the phone)?

  • williakz
    Community Member

    Suggest you avoid powering down your phone until you get a response from a 1Password Team Member.

  • Lars
    1Password Alumni

    @jmjm - not really. Your Master Password is still what protects your data, but when you enable biometry (Touch ID or Face ID on iOS devices), you are instructing 1Password to allow you to use either of those methods (built into iOS) to access a secret stored in the iOS keychain which will unlock your 1Password data (assuming the fingerprint provided is the correct one). You can read more about Touch ID security here, and Face ID security here. While there are certainly trade-offs to enabling either one, for most people, the benefits outweigh the risks considerably.

  • jmjm
    Community Member
    edited January 2021

    @Lars thanks for taking the time to reply. (FWIW I was referring to an Android phone).

  • Lars
    1Password Alumni

    @jmjm - ah, well in that case, you'd be wanting this page from our support site. ;)

This discussion has been closed.