Computer hacked; need to change master password?

rick3465
Community Member
edited January 2015 in 1Password 4 for Windows

I let a phone hacker into my computer with what appeared to be a sharing collaboration tool, then finally realized it was a scam and stopped before any other programs were downloaded, at least visibly. (Ran scans afterward for malware, etc.) They had access to my computer for 5 - 10 minutes. It is possible, though unlikely, that they copied my 1Password file and could crack the password. I read it would be of little use to just change the master password because the underlying encryption would still be the same. I am not concerned about transferring the passwords; I don't mind starting from scratch. But if I want a brand new file, erase all data in 1Password, and start from scratch with new underlying encryption, so that my old master password would be useless, how would I proceed? Basically I want to just start from scratch with 1Password and securely erase anything from the past.
I will re-enter the passwords from scratch, as opposed to the copy-to-text options mentioned in one of the threads.

Comments

  • DBrown
    1Password Alumni
    edited January 2015

    AgileBits doesn't store your data or your master password anywhere except on your PC's local drive. If the hacker has copied the .agilekeychain folder to another location, he has it—there's no way to erase his copy—but it's strongly encrypted: unless he also knows your master password, or you've used a simple master password that's easy to guess, your data is safe.

    That said, there's no harm in taking the following steps:

    1. For each Login item in your 1Password vault, change the password at the corresponding site.

    2. If you believe the hacker also knows your master password, or if you believe your master password could be guessed easily, change it.

    Again, these are safety precautions to protect your online accounts in the event the hacker is able to unlock his copy of your 1Password vault. The likelihood of that depends almost entirely on the strength of the master password you were using at the time he made a copy of the vault.

  • RichardPayne
    Community Member

    The likelihood of that depends almost entirely on the strength of the master password you were using at the time he made a copy of the vault.

    Almost being the key word. If 1Password was unlocked at the time and if the attacker had enough access then a memory dump and analysis might reveal the encryption keys. Due to the way 1Password works, those keys are not changed when you change your master password. The attacker would still be able to access your current logins if they could gain access to your current vault (enable Dropbox 2 factor auth to help prevent that: https://www.dropbox.com/en/help/363).

    The only way to be completely sure is to Export all of your logins (from the file menu) then create a new vault (which generates new encryption keys) and re-import all of your logins to the new vault. Remember to securely erase the csv or 1pif files you exported once the import is complete and you're happy that all of the data is in the new vault correctly.

  • rick3465
    Community Member

    Thanks, I would like to create the new vault suggested, but don't see the word "vault" anywhere in the software interface. Can you provide instructions for creating a new vault?

  • rick3465
    Community Member

    Also, when you say "if the attacker had enough access then a memory dump and analysis might reveal the encryption keys", I am not sure of your meaning. Do you mean that this memory dump is not the agilekeychain folder? Along these lines, I notice that when I unlock the 1Password extension in Chrome and close out of Chrome without locking the 1Password extension, and then re-enter Chrome, often the 1Password extension is still unlocked. I am not sure if this is time sensitive and it relocks itself after a certain period (would be good to know), but, regardless, it is indeed possible that the 1Password extension was unlocked during the hack and that I used Chrome during the hack (following the hacker's instructions to look something up as he was trying to convince me of his legitimacy). So the memory dump you mention is something other than the keychain, having to do with 1Password being unlocked?

  • rick3465
    Community Member

    To DBrown - You did not respond to the question about underlying encryption, and how a new master password may not give protection to the same vault if someone obtained the master key. As a "team member" are you working directly for AgileBits, and can you please go into this further? Another team member mentioned this in another post and Mr Payne was nice enough to share his knowledge about it. I would simply like to start from scratch with 1Password in such a way that my old master key and keychain would be worthless to a hacker. I don't need to copy over data. Do I simply start a new "vault" with its own master? Can you tell me how to do that? Will this be completely independent of the old keychain and underlying encryption?

    By the way, are there any existing telephone support numbers for 1Password? Thanks

  • DBrown
    1Password Alumni

    I would like to create the new vault suggested, but don't see the word "vault" anywhere in the software interface. Can you provide instructions for creating a new vault?

    On the File menu, you'll find a New 1Password Vault command. You can read all about it in the Creating a new vault article in the 1Password 4 for Windows user's guide.

    In 1Password for Windows, each vault is independent and must be unlocked with its own master password.

    I notice that when i unlock the 1password extension in Chrome and close out of Chrome without locking the 1password extension, and then reenter Chrome, often the 1 password extension is still unlocked. I am not sure if this is time sensitive and it relocks itself after a certain period (would be good to know)...

    You can read all about auto-lock settings in the Security tab article in the user's guide. Note that certain settings on the General and Browsers tabs also affect lock/unlock behavior. This short article in the 1Password 4 for Windows knowledgebase contains related information, as well.

    You did not respond to the question about underlying encryption, and how a new master password may not give protection to the same vault if someone obtained the master key.

    Sorry, @rick3465‌—I saw that you mentioned that point ("I read It would be of little use to just change the master password because the underlying encryption would still be the same.") but had no idea that it was a question. @RichardPayne‌ has confirmed what you read in his helpful reply, above.

    ...are there any existing telephone support numbers for 1Password?

    We do not routinely offer telephone support. If private support is required, for some reason, please send e-mail to support+windows@agilebits.com. If it's related to this discussion, please include the URL of this forum thread in your message. Thanks!

  • RichardPayne
    Community Member

    Do you mean that this memory dump is not the agilekeychain folder?

    No. When you unlock 1Password it uses your master password to generate an encryption key. This key is used to decrypt another key called the master key. This master key is the thing that encrypts everything else in the vault. While your vault is unlocked, the master key is decrypted in memory. If the attacker managed to dump your RAM contents then they could have your master key. Not having your master password is irrelevant if they have the master key.

  • rick3465
    Community Member
    edited January 2015

    To DBrown, thanks for your answer. I am running version 1.0.9.342. Under the File menu there is no New 1Password Vault command; there IS a New 1Password Data Folder command. Are a vault and a data folder the same thing? Is New 1Password Data Folder the way to start from scratch? (Why use the word vault? Was that an older version's command?)

    Please forgive my desire for absolute clarity as password hacking is, as you know, a serious matter. Mr Brown you mention that Mr Payne confirmed what I read, and I greatly appreciate Mr Payne's generous help. However, since you are an actual employee of Agilebits I would like to get confirmation of some points from you.

    1. You have the word Team Member next to your name. Does team member mean, indeed, that you are an employee of AgileBits? Just want to know I have a qualified technical person answering.

    2. Is it true that if someone obtains your master password, then changing your master password in the same "data folder" is not completely secure, since the underlying encryption doesn't change in that data folder?

    3. If I simply start a new data folder (is that the same as a vault?) with a new master password, is the underlying encryption different from the old folder, and therefore completely secure from any hacker who may have stolen the old keychain and cracked the old master password?

    Don't mean to be a pain here, Mr Brown, just seeking some clarity on some points.

    Thanks for your time.

  • DBrown
    1Password Alumni

    Thanks for mentioning that you're using the old version of 1Password for Windows, @rick3465‌. If you purchased your 1Password for Windows license in 2014 or even 2013, the upgrade to the current version is FREE! (If you purchased the license in 2012 or earlier, your existing license key will get you a nice discount in our online store.) Please consider the benefits of upgrading to the current, supported version of 1Password!

    1. The AgileBits Team Member icon in a forum reply means that the person writing the reply is speaking on behalf of AgileBits. The specific nature of our relationship is irrelevant, as well as personal, as I hope you understand.

    2. If someone has a copy of your vault (the .agilekeychain folder), any change you make to your own copy has no effect. This is exactly the same as if a hacker put a copy of a Notepad file or an entire folder from your computer onto a removable drive. You could change your copy on your computer as much as you like, and he'll still have a copy of what it contained when he made the copy.

      That would be different if his copy was still being synced to Dropbox, or if he had access to your Dropbox account, or if he had access to your computer. In that case, any changes either of you made would be synced to your private dropbox.com web site and replicated in every copy associated with the same Dropbox account.

    3. I believe creation of a new vault (a new .agilekeychain folder) would generate a new set of encryption keys.

    I hope that helps, @rick3465‌. Please let me know if you need me to seek additional information on any of these or other points.

    Thanks!

  • rick3465
    Community Member

    Thanks for the heads up about the upgrade, I will do that. In response:

    1. The situation I am trying to clarify is this: if a) someone obtained my agilekeychain folder, b) cracked the master password, or c) as Mr Payne mentioned, was able to extract the underlying encryption by accessing memory while 1Password was open on my computer (which it probably was during the hack, as I usually leave 1Password in Chrome open when I close Chrome), THEN I change my master password on that same vault/folder. IF the hacker then somehow got access back to my computer or Dropbox, since that particular vault/folder has the same underlying encryption regardless of whether I changed the master password or not, is the vault/folder therefore vulnerable to that hacker despite the fact that I changed the master password?

    2. You state that you believe that creation of a new vault would generate a new set of encryption keys. That sounds like the way to go to ensure the hacker cracking the old vault/folder will not be able to get into the new vault. If you are not sure of that, does Agile offer any support option to connect with a technical person who is sure?

    Thanks

  • RichardPayne
    Community Member

    @rick3465

    1. Correct.

    2. Although I am not representing Agilebits, I am sure that this is the case. The keychain design document does not state this explicitly but it does hint at it. The master encryption keys are generated when the vault is created and are then encrypted using a key derived from your master password using the PBKDF2 hashing function. The encrypted master key is then stored in the encryptionKeys.js file in the agilekeychain folder. This design is what allows you to easily change the master password since all it needs to do is encrypt the master key using the new password and write it out to the file. If the items in the vault were encrypted directly using the master password derived key then changing the master password would involve decrypting every single item in the vault and re-encrypting using the new derived key. This would be a slow and risky process.

    Perhaps @svondutch can confirm.
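The key hierarchy Richard describes here and in his earlier reply (master password, PBKDF2-derived key, the wrapped master key in encryptionKeys.js, items encrypted under the master key), as an added Python model that is not 1Password's own code: the HMAC-SHA256 counter-mode cipher standing in for AES, the 25,000-iteration count, the validation tag and the sample item are all assumptions. Running it shows that changing the master password only re-wraps the same master key, that an attacker's earlier copy of the wrapped key still opens with the old password, that a leaked master key reads items with no password at all, and that only a new vault gets a new master key.

```python
import hashlib
import hmac
import os

def keystream_xor(key, nonce, data):
    """Toy HMAC-SHA256 counter-mode cipher: a stand-in for AES, which the stdlib lacks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def derive_kek(master_password, salt):
    """Master password -> key-encryption key via PBKDF2 (iteration count is an assumed value)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 25_000)

def wrap_master_key(master_key, master_password):
    """Model of encryptionKeys.js: master key wrapped under the password-derived key, plus an assumed validation tag."""
    salt = os.urandom(16)
    return {"salt": salt,
            "wrapped": keystream_xor(derive_kek(master_password, salt), salt, master_key),
            "check": hmac.new(master_key, b"validation", hashlib.sha256).digest()}

def create_vault(master_password):
    """A new vault gets a fresh random master key; items are encrypted with that key only."""
    return {"keys": wrap_master_key(os.urandom(32), master_password), "items": {}}

def unlock(vault, master_password):
    """Unwrap the master key, or return None if the master password is wrong."""
    k = vault["keys"]
    cand = keystream_xor(derive_kek(master_password, k["salt"]), k["salt"], k["wrapped"])
    tag = hmac.new(cand, b"validation", hashlib.sha256).digest()
    return cand if hmac.compare_digest(tag, k["check"]) else None

def change_master_password(vault, old_pw, new_pw):
    """Re-wraps the SAME master key under the new password; no item is re-encrypted."""
    master_key = unlock(vault, old_pw)
    if master_key is None:
        raise ValueError("wrong master password")
    vault["keys"] = wrap_master_key(master_key, new_pw)

def add_item(vault, master_key, title, secret):
    """Secret encrypted with the master key; the title stays in clear, as in agilekeychain."""
    nonce = os.urandom(16)
    vault["items"][title] = (nonce, keystream_xor(master_key, nonce, secret.encode()))

def read_item(vault, master_key, title):
    """Whoever holds the master key (e.g. from a RAM dump) reads items with no password at all."""
    nonce, blob = vault["items"][title]
    return keystream_xor(master_key, nonce, blob).decode()
```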

  • [Deleted User]
    Community Member
    edited January 2015

    EDIT: Found this post about encryption keys and agilekeychain, I think that answers your concerns about creating a new vault vs just changing your master password:

    https://discussions.agilebits.com/discussion/comment/135402/#Comment_135402

    Note that if you decide to create a new vault instead of changing your master password, you have to manually import or enter your logins in the new vault.

    Also, keep in mind that not everything is encrypted with the agilekeychain format. Titles and URLs of your logins are written in clear text, so if someone gets a copy of your 1Password.agilekeychain folder they will have that info, even if they don't have your master password or encryption keys. The most sensitive information, like your logins' passwords, are of course encrypted. In 1Password 4 (you have 1Password 1) you can switch to the more secure format opvault which encrypts pretty much everything. As a bonus, they cleaned up the terminology in the newer version. So instead of "data folder" you will see "vault", for example. Now, I'm not from AgileBits either (as you can see) but it's easy to agree with @DBrown when he recommends that you use the latest possible version of 1Password. The program is used to protect sensitive data and it's simply not a good idea to use an unsupported version.

  • DBrown
    1Password Alumni

    Also, if you export to 1PIF for importing into a new vault, remember that 1PIF is not encrypted—your data is stored in plain text—so you don't want to transmit it electronically, and you do want to delete it securely when you're through with it.

  • jpgoldberg
    1Password Alumni

    I'm so sorry to hear about what happened to you, @rick3465.

    You are (almost) entirely correct in your description of the situation with keys and Master Password changes. (The ways in which you are not entirely correct are small pedantic issues that do not matter for what you ought to do.) As others have noted, the easiest way to create a new vault with all of your old data is to export to unencrypted 1PIF, create a new vault, and import from that 1PIF.

    A couple of notes.

    • Make good backups

      We try to make the export and reimport as reliable as we can, but that doesn't mean that it is perfect.

    • Multiple vaults, multiple exports

      Depending on platform, setup and lots of stuff that I'm not sure I can reliably state at this time, you may need to do an export per vault if you use multiple vaults.

    • Treat 1PIFs carefully

      As @DBrown pointed out, the 1PIF files are not encrypted. So you should take care that they get removed securely and do not make it into backups of your computer.

    Please let me know if I can be of any more help.

  • svondutch
    1Password Alumni

    Perhaps @svondutch can confirm.

    @RichardPayne Confirmed.

This discussion has been closed.