Security Question/Suggestion

xcellentmac
Community Member

I'm a Mac IT professional. I've had a few clients have their Gmail accounts hacked (they didn't have 2-step verification enabled). A few others had their iCloud accounts hacked, but I think they gave out their password to a phishing scheme. In either case, if they had had 1Password syncing using either Google or iCloud, their 1Password database could also be obtained. Of course, their 1Password password encrypts that data. But, if an industrious hacker wanted to, and I have seen industrious hackers get into my clients' online accounts, they could simply write a program/script to repeatedly try to gain entry into 1Password. I suggest some type of lock-out of the program after x number of incorrect password attempts. Which isn't a guarantee either. Because by placing ALL your passwords into ONE basket, so to speak, it makes that basket very valuable to hackers.

Comments

  • randy_va
    Community Member

    xcellentmac -- regarding your comment, _"... if they had had 1Password syncing using either Google or iCloud ..."_

    How do you sync using Google? I thought that 1Password sync was through iCloud, Dropbox or wi-fi.

    I'm not trying to detract from your excellent suggestion, just wondering ... :)

  • hawkmoth
    Community Member

    AgileBits folks have said in the past that limiting the number of entry attempts isn't nearly as good as ensuring that you have a strong master password. It's a conscious design decision not to make such limits. If you do have a sufficiently strong password, there isn't a practical way for a bad actor to break in.

    Here is a blog post discussing some of this.

  • Hi guys,

    @xcellentmac, hawkmoth's post is a good way to start; the blog link includes several articles that explain why we designed it like this.

    A lockout isn't going to help at all; all you need to do is copy the encrypted data over and bypass the software that'd lock you out. It's the same thing with many security apps: if the data is stored separately from the app, you just have to copy the data and write your own app on top of it. The lockout might be good if there is only one way into your data, which means the entire system has to be protected from the ground up. In this case, you'd need to avoid using the cloud service to protect your data if you need this kind of protection.

    We designed our data format to fight against brute-forcing and with the idea that someone could have a copy of your data file. We use password-strengthening protocols to ensure the cracking time is extended by several factors.

    Please let us know if you have any questions, we love this type of discussion and will answer everything you have for us.

  • xcellentmac
    Community Member
    edited October 2014

    Thanks everyone for commenting on this issue. First, sorry about the Google reference, I meant Dropbox. But, in general, I am concerned about any cloud syncing mechanism. If I didn't use the cloud, I suppose someone could steal my machine and obtain the 1Password database, but most hackers don't steal machines. They break into them remotely. But the cloud sync feature is one of the main selling points of 1Password, so I will encourage my clients to use a more robust password, as I do. In the past, they have been hesitant to use long passwords for the iPhone or iPad. Agile's published estimates of password length to time-to-crack are helpful, and I will use that when explaining the necessity of a longer password.

    There must be a way to slow the brute force cracking method. I see that 1Password uses PBKDF2 to encrypt the data. I am not familiar with that method, but I am familiar with PGP public/private key encryption, which even the FBI has been unable to hack when used to encrypt disk data (granted, probably with a good password). I've read the Agile blog about PBKDF2, and it seems a hacker can see if a password guess works with one AES operation of the final block. If you use an encryption method so that you don't know a guess is successful until you process the entire encrypted database one or more times, that would slow each guessing attempt. I know Agile is actively at work refining and researching your next encryption algorithm to stay ahead of increasing processor capabilities.

    Thank you for your fine program.

  • Megan
    1Password Alumni

    Hi @xcellentmac

    I'm glad to hear you've found this discussion helpful! Cloud syncing is certainly a good example of the balance between security and convenience that security software is constantly dealing with. We try to do our best with 1Password to provide options to both keep your data secure and ensure that you have convenient access on all your devices.

    I can certainly understand your clients' hesitancy to use a longer password on iOS devices, but I've found that Diceware passwords (as described in Towards Better Master Passwords) are both easy to remember, and fairly simple to type - even on the smaller iOS screens. Combined with the option to use Touch ID in iOS 8, it's easier than ever to stay secure while keeping your data conveniently accessible.

    As far as your question about slowing the brute-force cracking method, I'll ask our security guru, @jpgoldberg, to pop in here and offer his thoughts. He'll be able to discuss this in a lot more detail than I can. :)
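An added example (not code from the thread or from AgileBits) of the point made in the replies above: once the encrypted data is copied, there is no lockout to bypass, so the only per-guess cost an attacker pays is the password-strengthening step, and a longer Diceware passphrase multiplies that cost. The iteration count, salt length and key length below are constructed parameters, not 1Password's actual values.

```python
import hashlib
import hmac
import math
import os
import time

# Constructed parameters for illustration only; 1Password's real iteration
# count, salt size and key length are not given in this thread.
ITERATIONS = 100_000
SALT_LEN = 16
KEY_LEN = 32
DICEWARE_LIST_SIZE = 7776  # 6^5 words in a standard Diceware list


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch a master password with PBKDF2-HMAC-SHA256: every guess costs this."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=KEY_LEN)


def make_verifier(password: str, iterations: int = ITERATIONS) -> dict:
    """Store only salt, iteration count and derived key, never the password."""
    salt = os.urandom(SALT_LEN)
    return {"salt": salt, "iterations": iterations,
            "key": derive_key(password, salt, iterations)}


def check_password(candidate: str, verifier: dict) -> bool:
    """Offline check of one candidate: a full PBKDF2 run plus a constant-time compare."""
    key = derive_key(candidate, verifier["salt"], verifier["iterations"])
    return hmac.compare_digest(key, verifier["key"])


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measure the cost of one guess on this machine (assumes comparable attacker hardware)."""
    salt = b"\x00" * SALT_LEN
    start = time.perf_counter()
    for _ in range(samples):
        derive_key("timing-probe", salt, iterations)
    return (time.perf_counter() - start) / samples


def diceware_crack_years(words: int, secs_per_guess: float, parallel: int = 1) -> float:
    """Expected years to search half the space of an n-word Diceware passphrase."""
    space = DICEWARE_LIST_SIZE ** words
    return (space / 2) * secs_per_guess / parallel / (365 * 24 * 3600)


if __name__ == "__main__":
    cost = seconds_per_guess(ITERATIONS)
    for n in (3, 4, 5, 6):
        print(f"{n}-word Diceware, {ITERATIONS} iterations: "
              f"{diceware_crack_years(n, cost, parallel=1000):.3g} years on 1000 cores")
```

Raising the iteration count or adding one Diceware word each multiplies the attacker's expected work, which is why the replies favour a stronger master password over an attempt counter.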
