Could that happen to us in 1Password8?
The other morning one of my friends who uses Bitwarden got a notice like this:
"We detected several failed attempts to log into your Bitwarden account. Future login attempts for your account will be protected by a captcha."
Could that happen to us in 1Password8?
Are our 1Password8 passwords now kept somewhere other than on our own computers - whatever that might mean?
If so, how are you protecting them against attempts by bad guys attempting to log in?
And how the heck can a secret account be protected merely by a "captcha" which only distinguishes robots from humans, if at all?
Comments
-
Hi there @verylongtimeuser
This is certainly an interesting approach. I suspect that when Bitwarden say "Future login attempts for your account will be protected by a captcha", realistically what that means is that the captcha will prevent multiple automated attempts. Limiting the scale on which someone could make login attempts reduces the likelihood of anyone gaining access who shouldn't have it. Captchas are almost always used as a human check – to reduce bot activity, rather than to add additional security per se.
Are our 1Password8 passwords now kept somewhere other than on our own computers - whatever that might mean?
No. The only place that your 1Password data is ever unencrypted is on your devices. 1Password.com only stores an encrypted blob of your data and doesn't hold any of the multiple keys necessary to decrypt it.
If so, how are you protecting them against attempts by bad guys attempting to log in?
The short answer here is "mathematics". The combination of your Secret Key and account password makes it infeasible for an attacker to try and sign in to 1Password and decrypt your data. There's an article on our blog which goes into more detail about how your 1Password account is protected:
☞ Not in a Million Years – 1Password Blog
Additionally, our active defences are always on the lookout for multiple login attempts coming from the same place, which would be rate-limited or blocked completely.
I hope that answers your question fully, but please do let me know if I can be of any further help. :)
— Grey
0 -
Thanks very much for your detailed reply and explanation. That's very reassuring.
0 -
On behalf of Grey, you're welcome.
0
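As an added illustration of the answer above about the Secret Key and account password (not 1Password's code, and not part of the original thread): a simplified Python sketch of deriving one key from two secrets, so that a correct password guess without the device-held Secret Key still yields the wrong key. The iteration count, labels, sample values and the HMAC key check that stands in for decrypting the stored blob are all assumptions.

```python
import hashlib
import hmac

ITERATIONS = 100_000  # assumed work factor for this sketch

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand using HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_unlock_key(password: str, secret_key: bytes, salt: bytes, account_id: bytes) -> bytes:
    # Slow, salted stretch of the human-chosen (low-entropy) password.
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # The high-entropy secret that never leaves the user's devices.
    device_part = hkdf_sha256(secret_key, account_id, b"sketch-two-secret-kdf")
    # XOR the two 32-byte values: both inputs are needed to reach the key.
    return bytes(a ^ b for a, b in zip(stretched, device_part))

def key_check(key: bytes) -> bytes:
    """Tag that tells a right key from a wrong one (stands in for decrypting the blob)."""
    return hmac.new(key, b"key-check", hashlib.sha256).digest()

def guess_succeeds(password: str, secret_key: bytes, salt: bytes,
                   account_id: bytes, stored_tag: bytes) -> bool:
    candidate = derive_unlock_key(password, secret_key, salt, account_id)
    return hmac.compare_digest(key_check(candidate), stored_tag)

# Constructed sample values, not real account data.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
ACCOUNT_ID = b"EXAMPLE-ACCOUNT"
SECRET_KEY = bytes.fromhex("a3f1c29e5b7d40812c6e9f0d4b8a1735")  # 128 bits, device-only
PASSWORD = "correct horse battery staple"
STORED_TAG = key_check(derive_unlock_key(PASSWORD, SECRET_KEY, SALT, ACCOUNT_ID))

if __name__ == "__main__":
    # An attacker holding only server-side data (salt, account id, tag) who
    # guesses the password correctly still lacks the 128-bit Secret Key.
    print("password + Secret Key:", guess_succeeds(PASSWORD, SECRET_KEY, SALT, ACCOUNT_ID, STORED_TAG))
    print("password only:        ", guess_succeeds(PASSWORD, bytes(16), SALT, ACCOUNT_ID, STORED_TAG))
```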