To protect your privacy: email us with billing or account questions instead of posting here.

Could that happen to us in 1Password8?

Options
verylongtimeuser
verylongtimeuser
Community Member
edited February 27 in Memberships

The other morning one of my friends who uses Bitwarden got a notice like this:
"We detected several failed attempts to log into your Bitwarden account. Future login attempts for your account will be protected by a captcha."
Could that happen to us in 1Password8?
Are our 1Password8 passwords now kept somewhere other than on our own computers - whatever that might mean?
If so, how are you protecting them against attempts by bad guys attempting to log in?
And how the heck can a secret account be protected merely by a "captcha" which only distinguishes robots from humans, if at all?

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

Comments

  • GreyM1P
    GreyM1P
    Options

    Hi there @verylongtimeuser

    This is certainly an interesting approach. I suspect that when Bitwarden say "Future login attempts for your account will be protected by a captcha" that realistically what that means is that the captcha will prevent multiple automated attempts. By limiting the scale on which someone could make login attempts, that reduces the likelihood of anyone gaining access who shouldn't have it. Captchas are almost always used as a human check – to reduce bot activity, rather than to add additional security per se.

    Are our 1Password8 passwords now kept somewhere other than on our own computers - whatever that might mean?

    No. The only place that your 1Password data is ever unencrypted is on your devices. 1Password.com only stores an encrypted blob of your data and doesn't hold any of the multiple keys necessary to decrypt it.

    If so, how are you protecting them against attempts by bad guys attempting to log in?

    The short answer here is "mathematics". The combination of your Secret Key and account password make it infeasible for an attacker to try and sign in to 1Password and decrypt your data. There's an article on our blog which goes into more detail about how your 1Password account is protected:

    Not in a Million Years – 1Password Blog

    Additionally, our active defences are always on the lookout for multiple login attempts coming from the same place, and would be rate-limited or blocked completely.

    I hope that answers your question fully, but please do let me know if I can be of any further help. :)

    — Grey

  • verylongtimeuser
    verylongtimeuser
    Community Member
    Options

    Thanks very much for your detailed reply and explanation. That's very reassuring.

  • ag_tommy
    ag_tommy
    Options

    On behalf of Grey, you're welcome.