iOS Brute Force question
I have 1Password 4.1.2 running on my Mac. I have version 4.3.2 running on my iPhone. Up until yesterday, I had Dropbox syncing set up and running between my devices. It is very handy having all of my strong passwords with me on my phone.
That got me thinking as to what would happen if someone got a hold of my phone, or they got into my Dropbox account. Would they be able to get a hold of all of my passwords?
I turned off Dropbox syncing on my iPhone. I then proceeded to force close the app, then re-open it. I deliberately keyed in the wrong password. I continued this several more times until the app told me what my password hint was. I continued keying in the wrong password time after time for several minutes. I am guessing I keyed in the wrong password around 40 times.
I was very surprised that the app kept letting me do this, time after time, after time. It gave me no cooling off period, or warning that it would lock out my account.
Apple introduced a feature with iOS 7 that if the wrong passcode is entered 10 times, it will automatically delete the contents of the phone. I find that entirely useful and very nice. I set that up immediately.
I am wondering why a company like AgileBits that is a pioneer in password management doesn't have this type of security built into their app? I mean, someone who was very determined could try brute forcing passwords forever and the app will continue to run.
I would ask the leadership team to consider adding a feature (opt-in of course) that would at minimum lock out the app for some time, or, better yet, lock the account and/or delete the data files for some time to prevent a brute force attack. I would much rather lose access to all of my passwords than deal with a situation where someone has all of my passwords.
I have since disabled syncing of my passwords to my phone and Dropbox, since it is possible, though highly highly unlikely, for someone to brute force attack my password.
Thanks,
Dave
Comments
Hi Dave ( @NexusUser ),
Thanks so much for taking the time to write such a detailed post about your experience with 1Password. I'd like to draw your attention to Khad's post here: Does 1P LOCKDOWN after a series of wrong master passwords?. He explains things in much better detail than I could. :)
The tl;dr version is that "a lockout is not possible since an attacker would attack the data file directly and completely bypass any lockout built in to the app."
I do hope that this helps to explain the situation, but we'd be happy to help if you have any further questions here!
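As an added illustration of the point made in the reply above (example code written for this page, not 1Password's own code or its real KDF settings), the script below derives a file key with PBKDF2 the way a password manager does and compares the cost of a guess when it must pass through the app's lock screen with the cost when the attacker simply holds the data file: the app-side lockout only ever governs the first path. The iteration count, salt, entropy and throttle values are assumed.

```python
import hashlib
import os
import time

# Assumed, constructed parameters (not 1Password's real KDF settings).
ITERATIONS = 100_000     # assumed PBKDF2 work factor stored with the file
SALT = os.urandom(16)    # constructed salt; a real one sits beside the data

def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Derive the file key from the master password, as the app would.
    Whoever holds the data file can run this same function directly,
    so no unlock counter inside the app is ever consulted."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                               salt, iterations, dklen=32)

def seconds_per_guess(iterations: int, trials: int = 3) -> float:
    """Measure what one offline guess costs on this machine: the KDF
    work factor is the only thing slowing an offline guesser down."""
    start = time.perf_counter()
    for _ in range(trials):
        derive_key("timing-probe-only", SALT, iterations)
    return (time.perf_counter() - start) / trials

def expected_guesses(entropy_bits: float) -> float:
    """Average number of guesses to find a password of the given entropy."""
    return 2.0 ** entropy_bits / 2

def expected_time_online(entropy_bits: float, attempts_per_second: float) -> float:
    """Seconds if every guess had to go through the app's lock screen,
    throttled to attempts_per_second by a lockout or cooling-off period."""
    return expected_guesses(entropy_bits) / attempts_per_second

def expected_time_offline(entropy_bits: float, per_guess_seconds: float,
                          parallel_guessers: int = 1) -> float:
    """Seconds when the attacker holds the data file: only KDF cost and
    hardware matter, because the app's lockout code never runs."""
    return expected_guesses(entropy_bits) * per_guess_seconds / parallel_guessers

if __name__ == "__main__":
    bits = 40                      # assumed entropy of a master password
    cost = seconds_per_guess(ITERATIONS)
    lockout_throttle = 10 / 3600   # assumed: 10 lock-screen attempts per hour
    print(f"KDF cost per guess: {cost:.4f} s")
    print(f"online, throttled : {expected_time_online(bits, lockout_throttle) / 86400:.0f} days")
    print(f"offline, 1 core   : {expected_time_offline(bits, cost) / 86400:.0f} days")
    print(f"offline, 64 cores : {expected_time_offline(bits, cost, 64) / 86400:.0f} days")
```

The useful comparison is between the two offline lines and the master password's entropy: raising the iteration count or choosing a longer master password changes them, while any lockout rule only changes the online line.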