Alternate "black-box" vault for safety
I've heard of some security software (in other fields, not password managers directly) which has a safety-in-mind design for 'black-day' occasions.
For example, when a person is under illegal forced pressure to open up his vault (which s/he doesn't want to do, but because of robbery or a forced request has to unlock his/her vault), there is a 'second password' which, once entered, really opens up an account, but the data present in that 'account' is not real/important for that person. So, the person sets up the 'second' data in advance specifically for that occasion, and once that happens, no one can force you any more than that: the account is open and the third party can't prove that you haven't opened the account or haven't entered the password correctly, as your password really opened the account and there is data present. So only you know which password opens which account between the 'real' and 'blackbox' accounts. (I.e. under each item in the main account there might be a checkbox named 'include this entry in blackbox', so we can turn off that checkbox for important items, and thus only retain unimportant website passwords in the 'blackbox' vault.)
I have no hope that you listen to user feature requests at all (from my past year's experience communicating either through emails or here, even simple and important bugs are not being addressed), but as is, for historical purposes, I'm leaving this feature request too.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Comments
-
@ttod Have you looked at the feature of travel mode? This is included with a 1Password.com account.
0 -
@tomatoshadow2 Travel Mode is inherently different - I mean, with 'Travel Mode' it's you who can enable it beforehand and disable it later, so it's obvious that you can do that.
The main thing in my post was to express the case when you don't know/expect it in advance, and suddenly you have to unlock your 1Password under forced pressure (so, as you couldn't expect that in advance, you don't have 'Travel Mode' turned on).
So maybe the solution boils down to the scenario where you enter 'another master password' which automatically activates something like 'Travel Mode' and opens up the unimportant vault (so no one could guess that you entered a different password, and they would think that it is your real account vault).
0 -
@ttod Yes, I understand more now what you're saying. I could see this as a useful feature.
0 -
Hi @ttod:
This is something we've discussed a lot previously. At the end of the day, 1Password cannot protect you from a physical threat to your life. All the encryption in the world can only do so much against an attacker with a wrench. At that point, your defense is how many times you are willing to be hit with the wrench before you turn over the data they're looking for.
With that said, a duress password would only help you in the following situation:
- The attacker is physically coercing you to turn over access to the data
- The attacker does not know what the valid information would look like
- The attacker does not inspect the information or try it and verify it prior to letting you go
As a slightly contrived example, my name is obviously not Wendy Appleseed. If I created a full duress vault full of items that were "Wendy Appleseed" items, an email account, a Facebook account, etc., and I used that duress vault while being coerced to unlock my vault, the attacker would very obviously know that I was trying to pull a fast one on them, and if anything would be more upset with me, not less upset with me.
This applies in a slightly more realistic example too. If an attacker is at the point of coercing you to unlock your data, they likely have a rough sense of what they're trying to get at. If they're attacking you for access to a Twitter account, then they'll likely know the Twitter account username, and as such will immediately know that you've used a duress password when they search for "Twitter" in your 1Password vault.
Jeffrey Goldberg, 1Password's principal security architect, has touched on this as well here: https://1password.community/discussion/comment/79821/#Comment_79821
Let me know if that helps explain things for you!
Jack
0 -
Thanks Jack for the thorough answer, but I think you are not answering the subject with correct examples. (I will also check that referred post now.)
I didn't mean to say (sorry if I said that) that we should be able to create 'fake' items.
Instead, I say that, very much like 'Travel Mode', we should be able to 'protect' several secure notes or several items specifically, which will not be exposed in the second vault.
For example, I have 200 items in my 1P account now. 195 of them are non-crucial ones for me, and I want those 'marked as important' not to be available in the second vault, and no one will find that out. All the other 195 will not be 'Wendy Appleseed' or fake, but will be real accounts of mine.
Hope now you understand my concern.
0 -
Understood, but I think you're focused too heavily on one example Jack provided. It's the same concept either way: "plausible deniability." I'd refer back to Jack's second example:
This applies in a slightly more realistic example too. If an attacker is at the point of coercing you to unlock your data, they likely have a rough sense of what they're trying to get at. If they're attacking you for access to a Twitter account, then they'll likely know the Twitter account username, and as such will immediately know that you've used a duress password when they search for "Twitter" in your 1Password vault.
The argument against employing plausible deniability in a case like this is the continued threat of violence. If someone is willing to threaten you with violence to obtain your valuable items, it isn't reasonable to expect they'll be satisfied with anything less than what they're demanding. I'm afraid I don't see where this would fit into 1Password. If someone threatens you with violence, if you don't hand over your valuable items, handing over other less valuable items seems unlikely to appease them.
Ben
0 -
@ttod As long as you're keeping your devices around you, and have your 1P account login info backed up in a secure place, like your password and Secret Key, you're pretty much set; I would worry a little less. As Jack pointed out, remember we also have to separate the ideas: whether it's a physical threat or something against your 1P account.
0 -
@tomatoshadow2 you are saying "worry a little", etc., but making users feel safe is nowhere near solving the problem that the user faces. Thanks for the good wishes, but it doesn't help.
To really help, I say the only solution to the problem is probably something like what I've proposed (or maybe you can invent something better?). That is not rocket science: just another password which unlocks the same person's account, but with some 'important-marked' accounts excluded from the vault. Is it that hard to understand what I am discussing in this topic? Ah no, please don't say "physical threat vs remote internet threat". 1P shouldn't say that one is less important than the other, while you could (if you wished and expressed a will, which would require slight work from developers) address both threats, and users would be happy. If you want to really know whether my suggested feature is worth implementing or not, please ask any random 10 customers (not just average Joes - sorry for this term - but instead those who are a bit tech-savvy and have some deeper experience in the IT field and security/software engineering than the average Joe), and all of them will probably confirm that the feature is important. There are even cases where we might open our 1P vault on a day-to-day basis with the '2nd' password, where our 'rarely-used' secure private notes will not be visible at all, and only on special days will we enter the main vault, where we store more important info. This feature request is not just for fun; instead it is very important for a bunch of people, but you are not looking at this seriously.
@ben about your reply - sorry, but it just can't stand up to any serious argument.
1) Firstly, the Twitter account (which you gave as an example) is just nonsense. I don't mean hiding Twitter or whatever. We have other things to hide that no one knows about and that the attacker can't even know. That is not hard to guess, but your answers (as always) have been just an endless attempt to justify the existing functionality and reject realistic desires that users have. How the hell would the attacker know that the target has 25 bank accounts, or 4 accounts? Maybe the victim wants to hide the other 21 bank accounts he has? But no, as in other cases, you are not open to understanding the storyline behind the feature requests; instead you give some shallow examples which don't apply to the scenarios.
2) Why do you decide on behalf of users what is best for them? Doesn't a person know better (when an attack happens) whether he should give them what they want or not? If the victim thinks that hiding something will harm him, then he will release it, but if he knows the situation, maybe he doesn't even share the 1Password account, even if the attacker sees that 1P is installed on his PC. So, it just doesn't stand up to any argument: it's the user who decides what to do in that case - share, not share, or even share partially (oh, come on, "the attacker becomes angry and kills the victim?" Funny; if the attacker thinks that the user is hiding something, he will do the same as he was doing before, and will still try to make the victim share the correct password). But it's still the victim who knows what to do in which case, and it's absurd that you decided what is correct in that case.
3) Lastly, it is not always the same case, like someone pointing a gun at your face - there are MANY other scenarios where it would be important to hide specific accounts, and still the 'forcing' party won't be able to find out that you are hiding something. Like above, i.e. if I have 100 personal notes but want to hide 20 notes which no one knows exist.
And lastly, yeah, I mentioned in my first comment that I didn't have any hope that you would implement that, as you have never implemented anything necessary suggested by a user like me (even bugs which I reported in previous topics). Yes, I know that devs always have something to do and they are not just 'free', but to be honest, I am not sure what your devs have been working on at all for so long, if you can't address the basic necessary things and important functionalities.
0 -
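To make the 'second master password' proposal in this thread concrete, here is an added example in Python. It is my own sketch for illustration, not 1Password's code and not anything posted by the thread's participants. The main password unwraps both data keys, the duress password unwraps only the key for entries not marked hidden, and every blob is padded to a fixed capacity and a fixed size. The padding is the part worth seeing: in the unpadded variant (pad=False) an attacker who has been handed the duress password can simply count the blobs it fails to open, and that count is exactly the number of hidden entries, so the deniability collapses at the file level before any of the objections about coercion above even come into play. Everything here is assumed for illustration: the vault layout, the CAPACITY and ENTRY_LEN constants, the scrypt parameters, the HMAC-SHA256 keystream (a stand-in for a real AEAD such as AES-GCM or ChaCha20-Poly1305), and the sample entries in the usage at the bottom.

```python
"""Two-password vault sketch (added illustration, not 1Password's code).

The main password opens every entry; the duress password opens only entries
not marked hidden. Blobs are padded to CAPACITY equal-sized slots so the
number of blobs the duress key cannot open does not reveal how many entries
are hidden. Standard library only; the HMAC-SHA256 keystream is a demo
construction, not a replacement for a real AEAD.
"""
import hashlib
import hmac
import os
import random

CAPACITY = 16    # assumed: fixed number of entry blobs per vault (real + padding)
ENTRY_LEN = 128  # assumed: fixed plaintext size so every entry blob has one length
KEY_LEN = 32
NONCE_LEN = 16
TAG_LEN = 32


def _kdf(password: str, salt: bytes) -> bytes:
    # assumed scrypt parameters; a real product would tune these much higher
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=KEY_LEN)


def _sub(key: bytes, label: bytes) -> bytes:
    """Derive a separate encryption / MAC subkey from one wrapping key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _stream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:length]


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag (demo construction)."""
    nonce = os.urandom(NONCE_LEN)
    ks = _stream(_sub(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key: bytes, blob: bytes):
    """Return the plaintext, or None if the tag does not verify under this key."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None
    ks = _stream(_sub(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def _encode_entry(title: str, secret: str) -> bytes:
    """Length-prefixed title\\0secret, padded with random bytes to ENTRY_LEN."""
    data = title.encode() + b"\0" + secret.encode()   # titles contain no NUL here
    if len(data) > ENTRY_LEN - 2:
        raise ValueError("entry too long for fixed-size blob")
    body = len(data).to_bytes(2, "big") + data
    return body + os.urandom(ENTRY_LEN - len(body))


def create_vault(main_password: str, duress_password: str, entries, pad: bool = True) -> dict:
    """entries: iterable of (title, secret, hidden). pad=False builds the leaky variant."""
    entries = list(entries)
    if len(entries) > CAPACITY:
        raise ValueError("vault capacity exceeded")
    salt = os.urandom(16)
    dk_visible, dk_hidden = os.urandom(KEY_LEN), os.urandom(KEY_LEN)
    key_slots = [
        _seal(_kdf(main_password, salt), dk_visible + dk_hidden),             # main: both keys
        _seal(_kdf(duress_password, salt), dk_visible + os.urandom(KEY_LEN)),  # duress: visible + junk
    ]
    blobs = [_seal(dk_hidden if hidden else dk_visible, _encode_entry(t, s))
             for t, s, hidden in entries]
    if pad:
        # padding blobs are random bytes of the same length as a real blob, so under
        # the duress key they are indistinguishable from hidden entries
        blobs += [os.urandom(NONCE_LEN + ENTRY_LEN + TAG_LEN) for _ in range(CAPACITY - len(blobs))]
    random.SystemRandom().shuffle(key_slots)
    random.SystemRandom().shuffle(blobs)
    return {"salt": salt, "key_slots": key_slots, "blobs": blobs}


def _data_keys(vault: dict, password: str):
    key = _kdf(password, vault["salt"])
    for slot in vault["key_slots"]:
        keys = _open(key, slot)
        if keys is not None:
            return keys[:KEY_LEN], keys[KEY_LEN:]
    raise ValueError("wrong password")


def unlock(vault: dict, password: str):
    """Return [(title, secret)] for every blob this password can open."""
    dks = _data_keys(vault, password)
    out = []
    for blob in vault["blobs"]:
        for dk in dks:
            pt = _open(dk, blob)
            if pt is not None:
                n = int.from_bytes(pt[:2], "big")
                title, secret = pt[2:2 + n].decode().split("\0", 1)
                out.append((title, secret))
                break
    return out


def opaque_blob_count(vault: dict, password: str) -> int:
    """What an attacker holding `password` learns: how many blobs it cannot open."""
    return len(vault["blobs"]) - len(unlock(vault, password))


if __name__ == "__main__":
    # constructed sample entries
    items = [("mail", "pw1", False), ("shop", "pw2", False), ("bank", "pw3", True)]
    padded, leaky = create_vault("main-pw", "duress-pw", items), create_vault("main-pw", "duress-pw", items, pad=False)
    print("duress view:", unlock(padded, "duress-pw"))
    print("opaque blobs, padded:", opaque_blob_count(padded, "duress-pw"))
    print("opaque blobs, unpadded:", opaque_blob_count(leaky, "duress-pw"))
```

The padded vault reports the same opaque-blob count whether it holds zero hidden entries or a dozen, so the file alone cannot show that anything is withheld; the unpadded vault gives the hidden count away directly. Note what this does not address: a sync server's item counts, local caches and indexes, file timestamps that move when only the hidden set changes, and the objection raised earlier in the thread that the attacker may already know which item should be there. Those are outside the file format and no amount of padding fixes them.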
I am not sure on what things your devs are working at all for so long
https://future.1password.com/ may shed some light on that point.
Ben
0 -
Yeah Ben, your answer (as in most previous replies I've got from you) doesn't actually relate to the problem at all.
0 -
I apologize. I'm afraid I don't have the answer that you'd like to have.
Ben
0