Protection of my data against coercion

Fcm1975
Fcm1975
Community Member
in iOS

Hi
I live in Brazil, and I am an avid user of 1Password.
Here we live under the risk of been kidnapped and kept hostage while the criminals make banking transfers that can that some days to conclude due to transferring limitations imposed by the banks. Most of the people are removing financial apps from their smartphones.
Since all my passwords are stored in 1Password, I am afraid, in a situation like this, being forced to unlock 1Password, giving up my Master Password to the thieves, and they have access to all my financial accounts and passwords (including cripto).
Several years ago, I used to pay for an encryption software called Drivecript. Under this situation this software provided a second emergency password that would unlock an alternative vault with fake data or a limited set of all your files.
I would like to know how I can do the same in 1Password, or any other alternative to protect my personal data under a situation like this.
Thanks
Flavio

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

Comments

  • Dave_1P
    Dave_1P
    edited September 2023

    Hello @Fcm1975! 👋

    I'm sorry about your safety situation, that sounds like a very scary thing to have to look out for and consider.

    A long time ago, our security team posted some thoughts about the types of threats 1Password can and cannot protect you against. One of the threats that 1Password doesn't protect against is something that is euphemistically called Rubber-hose cryptanalysis: Rubber-hose cryptanalysis - Wikipedia

    It's important to understand that 1Password cannot protect you from a physical threat to your life. The strongest encryption in the world can't protect you when someone is willing to use violence or blackmail to get to your data. In that scenario your protection is reduced to your own ability and willingness to withstand the violence or blackmail before giving in and giving the attacker your account password.

    But what if you had a hidden vault filled with fake credentials that is unlocked in lieu of your real vault when you use a special fake account password? The trouble with this is that this sort of feature may be nothing more than "security theatre". If an attacker already knows that you have a bank account then you unlocking a fake vault that doesn't contain your bank account's credentials will immediately tell them that the vault that you've unlocked doesn't contain the data that they're looking for. And then they'll threaten you again.

    I know that some security software does include a hidden volume feature but even those services come with a long list of warnings explaining how such as feature isn't a guarantee that your data will stay hidden and they warn that the feature must be setup exactly correctly for it to work as intended and to avoid an attacker from learning that you have a hidden vault/volume.

    That all being said, I have passed along your request for such a feature to our product team. They'll consider if this is something that we can build, in a secure and effective way, in the future.

    -Dave

    ref: 35651937

  • Fcm1975
    Fcm1975
    Community Member

    Thanks very much for you detalied reply @Dave_1P. Really appreciated.

  • Dave_1P
    Dave_1P

    I'm happy to help. 🙂

    -Dave

This discussion has been closed.