Feature Request: defeating advanced keylogger threats

securelee

You need to offer an optional/advanced feature that can break attacks by advanced threats, particularly keylogger malware that can capture your master password. It could be a simple additional verification as suggested below, but ones that use the mouse rather than the keyboard.

Suggestion: add an option to use the mouse to click on a graphic with letters/numbers etc to enter an access code. This could be in addition to the master password or in place of it.

Suggestion: To defeat malware that also captures mouse movements (rare), add an option to use random placement by 1Password of the letters, numbers etc. on the screen. Because this would be different every time by 1Password, this defeats using the mouse movement to know what sequence was selected. To defeat this, screen capture would also be necessary.

The core concept: An advanced threat can defeat any security system, so raise the bar of difficulty so they go elsewhere.

---

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:request a feature

littlebobbytables

Hi @securelee,

1Password for Mac currently makes use of the SecureEventInput field, the same type used by OS X when you're authenticating yourself with the operating system and it disables processes that want to listen to the keyboard events. What this means is if you've reached the stage where this kind of security is being circumvented then your entire computer is hosed.

Does the use of this SecureEventInput field ease your concerns at all?

securelee

That's exactly the situation that I think needs to be addressed: When a low level compromise occurs, can you still protect your data file?

I think it's possible or at least made more difficult.

Users are putting deep reliance on 1Password with ALL of our passwords, why not give them the option to stand up to the most extreme attacks? Would be quite a marketing advantage!

AGAlumB

When a low level compromise occurs, can you still protect your data file?

@securelee: Yes. Your 1Password data is encrypted using your Master Password, which should be long, strong, and unique. Without that, it will take more time than all of us have collectively to guess it and decrypt your data.

But as lil bobby mentioned, once your computer is compromised, it is no longer yours and all bets are off. An attacker won't be able to decrypt your data, but they can simply wait for you to do that for them and collect it then, as they can access anything you can. In this case, you accessing your own data will make it accessible to them as well.

Each of us is the weakest link in our own security. Without a failure on our part, the data stays encrypted — and the computer doesn't get compromised in the first place.

littlebobbytables

Greetings @securelee,

All software has to be able to trust the operating system it runs on. We rely on the OS for the frameworks we use, for managing the processes, managing memory and the list goes on. We can take certain preventative measures for specific attacks such as your bog standard key loggers which we do but still, if you can't trust the OS then the only option is not to launch as we're talking about the code that can do anything, see anything and has total control.