
Coercion and Express Kidnapping / Plausible Deniability

mradamw
Community Member

Hi all, I'm a trial customer trying to work out how best to use 1Password for providing me with a level of plausible deniability under the $5 wrench attack. Specifically the threat I'm trying to protect against involves express kidnapping while I'm out and about with my phone, as I've been travelling the developed world for quite some time now and am becoming increasingly aware that I may present a good target.

In contrast with official border checks, where travel mode is probably enough, I don't think the current implementation of 1Password lends itself directly to an express kidnapping scenario, but I don't see any of the other password managers out there doing this out of the box either (it's a shame, because I suspect a vendor could simply make the account's master password open the correct vault, or collection of vaults, without the user specifying which vault they are opening!), so it's going to be a case of trying to make the tool fit. I'm well aware of rubber hose cryptanalysis, which is why I'm putting some thought into this.

As best as I can see, the 'collections' feature won't help, and the 'travel mode' feature stops protecting me the moment that I'm forced to provide the master password and they decide to log in using the website (and thereby notice my travel vaults, although it is better than nothing). The use of multiple subscriptions _might_ help me, but I was wondering how best to set things up to reduce risk as far as possible without unnecessary costs or it becoming so complicated that it introduces a bunch of additional risks. Here are the options I'm considering:
1. Two completely separate individual subscriptions, tied to entirely different email addresses, with no link between them. The day-to-day account / vault is tied to a normal everyday email address logged in on my device as usual, which the kidnapper would no doubt force me to let them into. The 2nd subscription (using an alternative email account that isn't ever left signed in on my devices) exists to be logged into when I want to access the secret password vault.
   I see risks if this account is accidentally left logged in, and I see a choice of either inconvenience or risk regarding the presence (saving) of the username on my devices (if a kidnapper was able to see it). There is, of course, the question of where to store the secret key for the 2nd account, as if it's at all obvious to a kidnapper that a 2nd account has been used on the device, you can bet they'll be expecting me to log them into it. There's also the thought of where to store the username and password for the alternative email account...
   Furthermore, I will of course need to ensure that all of the apps installed on my phone have genuine logins stored in the everyday vault that I will hand over only under coercion, so as not to tip the attacker off that I'm withholding another password database from them. This everyday vault would need to include banking apps for the credit/debit cards I carry with me, as I doubt anyone would believe I don't have any banking apps in this day and age.

2. A family subscription, with the 'primary' account holder being the alternative email account I don't leave signed in on my devices. The 'primary' account holds the secret vault, and the 'secondary' account is actually my normal day-to-day vault, using my normal day-to-day email address. I assume it would need to be this way around, as I would expect to be able to make the 'primary' account less visible, and it is likely only possible to 'hide' it from the secondary account (?)
   This could be a cheaper solution which will result in having access to the greater feature set of the Family accounts, but I see additional risks in terms of what the 'secondary' account can see when logged in, particularly via web, including that it is a Family account, and even more so if it can see the existence of the 'primary' account. I was wondering if this idea was a workable solution, or whether it was similar to the 'travel mode' feature, in which once they have the master password and the web login to either account, the game is up?

3. Use an entirely alternative solution for the 'secure' password vault, as kidnappers wouldn't expect that. But that does leave risks relating to them noticing the presence of another password manager, and the likely added complexity and inconvenience of having to either set up a believable dummy vault with that and work out a way of storing accessible credentials to another secure vault in a way that doesn't immediately tip kidnappers off that said secure vault exists.

I'd appreciate thoughts on any aspect of the above, but in the case of TL;DR:
What's the best way to use 1Password (including with other products) to provide some protection against express kidnapping, especially on Android mobile?

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided