iCloud Keychain sync secret key security

georgysavva
Community Member

Hi. I use 1Password on my Mac and iPhone. I know that 1Password stores my account information, including the secret key, in the Apple keychain. I am totally fine with storing that information in the device's local Keychain, but I, like the majority of Apple users, have iCloud Keychain sync turned on. It means that my 1Password account information will be stored online on Apple servers. I know that Apple encrypts data on the device and data never leaves the devices unencrypted. The question is, what do they use as the key to encrypt the data?
I totally trust 1Password because data on your servers is protected with encryption using the secret key, so brute force isn't possible.
But from the Apple documentation that I was able to find and other third-party articles, I've come to the conclusion that the key they use to encrypt iCloud Keychain data is derived only from the device passcode, so in case their servers were compromised it's easy to brute-force the data. Please correct me if I am wrong.

If my conclusion is correct, it means that the 1Password secret key, which holds a lot of entropy to protect the data from the online threat, is itself stored online and is protected with significantly less entropy (the device passcode).



Comments

  • ag_ana
    1Password Alumni

    Hi @georgysavva!

    I have passed your question directly to our security team :+1: We will post back here as soon as we have an update :)

  • Lars
    1Password Alumni

    Welcome to the 1Password Support Community, @georgysavva! Thanks for the question. Lars from the Security team here. You're correct that we do use iCloud Keychain to facilitate the setting up of 1Password accounts between Apple devices. I won't comment upon the security Apple employs to defend its users' iCloud data against breach by attackers, other than to observe that breaches of iCloud data are not common sights in the tech press and that Apple has a very definite interest in protecting their users' privacy, especially given how deeply intertwined their hardware and software are.

    As an Apple device user myself, if I were worried that the security Apple applied to iCloud was somehow substandard or not reliable, 1Password would actually be among the least of my concerns, as a potential breach of iCloud would disclose things like all my Contacts, email history if I was using an @icloud.com email address, photos, and more. We consider iCloud keychain certainly robust enough for the purpose you've mentioned, but for anyone who's worried about potential breach of their data held by Apple, there are mitigating steps you can consider taking:

    1. Use a strong alphanumeric device passcode, not the default six-digit one. It will take you longer to enter each time you unlock the device, but you will indeed have greater protection.
    2. Disable biometry. Touch ID and Face ID are marvels of technology and wonderful conveniences, but for the most secure device, use a lengthy alphanumeric passcode without enabling biometry.
    3. Do not set up iCloud (and iCloud keychain) at all on your device. This will result in individual datasets on every device, without sync, but you will avoid the potential of someone compromising iCloud.

    If some of those steps seem cumbersome to you, and you're wondering whether it would be worth your effort for the security gain, I'd offer this: the Secret Key protects your data on OUR servers. On your own device, the Secret Key is stored locally (so you don't have to remember/enter it each time), so if a device of yours is lost or stolen, it is your Master Password that protects you. That's why we consistently urge 1Password users to choose a good Master Password that cannot be easily guessed and isn't shared with anyone or used for any other sites/services.

    If an attacker managed to breach iCloud and acquire your Secret Key, they would still need a copy of your encrypted data itself, as well as your Master Password in order to decrypt it. If you've used a good Master Password that you don't share with others or re-use on other sites, then any attempt to crack encrypted 1Password data stolen from our servers would be no more likely than data stolen from your own device (not likely at all). You can additionally enable 2FA on your account to make such a possibility even more remote.
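The threat model Lars lays out above (Secret Key protects data on the server, Master Password protects the device, and a leaked Secret Key alone is not enough) can be shown with a small constructed model. This is an added illustration, not 1Password's real key-derivation scheme or code: it combines a slow password hash with a key derived from a 128-bit Secret Key, and then runs an offline dictionary attack from the three attacker positions the thread discusses. Salt, Secret Key, wordlist and passwords are all constructed sample values.

```python
import hashlib
import hmac

# Simplified model (constructed for illustration, NOT 1Password's actual derivation):
# vault key = PBKDF2(Master Password) XOR HMAC(Secret Key). Both inputs are needed.
ITERATIONS = 10_000  # deliberately low so the demo runs quickly


def derive_vault_key(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Mix a slow password hash with a key derived from the high-entropy Secret Key."""
    pw_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)
    sk_key = hmac.new(salt, secret_key, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pw_key, sk_key))


def make_verifier(vault_key: bytes) -> bytes:
    """Stand-in for the encrypted vault: a tag that reveals whether a candidate key is right."""
    return hmac.new(vault_key, b"vault-check", hashlib.sha256).digest()


def offline_guess(candidates, secret_key: bytes, salt: bytes, verifier: bytes):
    """Attacker holding the server-side data plus whatever Secret Key they believe is correct."""
    for cand in candidates:
        key = derive_vault_key(cand, secret_key, salt)
        if hmac.compare_digest(make_verifier(key), verifier):
            return cand  # password recovered
    return None  # wordlist exhausted


def run_scenarios():
    salt = b"constructed-salt"
    real_secret_key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed 128-bit key
    wrong_secret_key = b"\x00" * 16  # attacker without the Secret Key faces 2**128 such guesses
    wordlist = ["password", "letmein", "qwerty123", "correct horse"]
    results = {}
    # Weak Master Password: only the unknown Secret Key stands between the attacker and the vault.
    weak = make_verifier(derive_vault_key("letmein", real_secret_key, salt))
    results["weak_pw_without_sk"] = offline_guess(wordlist, wrong_secret_key, salt, weak)
    results["weak_pw_with_sk"] = offline_guess(wordlist, real_secret_key, salt, weak)
    # Strong Master Password: holds even when the Secret Key has leaked (e.g. from a cloud backup).
    strong = make_verifier(derive_vault_key("Qx!7v-Lm9#Pa4@Tz", real_secret_key, salt))
    results["strong_pw_with_sk"] = offline_guess(wordlist, real_secret_key, salt, strong)
    return results


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario}: {'cracked (' + outcome + ')' if outcome else 'not cracked'}")
```

Only the combination of a leaked Secret Key and a guessable Master Password lets the dictionary attack succeed, which is exactly why the advice above centres on choosing a strong Master Password.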

  • georgysavva
    Community Member

    @Lars Thanks for such a detailed answer! I will use your recommendations to improve the security of my 1Password data.
    Regarding the iCloud Keychain encryption, since I can't completely understand it, I will just disable iCloud sync; it solves my original problem.
    Thanks again!

  • Absolute
    Community Member

    2FA is definitely the way to go! Thanks to 1Password, I've moved over 40 of my accounts to MFA/2FA as it's so much easier than Microsoft Authenticator on my iPhone.

  • :+1: :chuffed: We're happy to hear you're enjoying it.
