Can 1Password prevent these or other hacking methods?

TakenItEasy
TakenItEasy
Community Member
in iOS

Persistent hackers may overwrite a PW file by sharing a different PW file with the same name from another app making access by the user impossible. They continue to do this until a user tries a method that they can exploit.

How do you protect the PW DB from being overwritten? From what I can see, I doubt that syncing with the iCloud could manage to prevent this since it's copied to the cloud and not the other way. So corrupting the local copy corrupts the cloud copy as well with just a single device.

How do you protect the main PW hash file from being captured for brute force attacks?

Does it support 2nd factor security so that the entire password wouldn't be stored in a single hash file?

Is it a true 2nd factor such as an RSA token or yubi Key, or a pseudo 2nd factor such as SMS texting that's almost always going to be on the same device using a text app in the clear.

I noticed that the main password is stored in the Apple Keychain. Can the user block this?

If not, you should consider distancing yourself from the keychain. It seems like Apple is inviting a large class action suit with a huge flaw in their Apple account security which is also used for their devices.

Thanks and regards,
TakenItEasy

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:Hackers can def PWM by deleting or overwriting by app sharing a file. Can 1P prevent this?

Comments

  • ag_kevin
    ag_kevin
    edited November 2015

    Hi @TakenItEasy ,

    Those are all excellent questions, and I will do my best to answer them and alleviate any concerns you may have. If you require further explanation, do not hesitate to reply. Since this is the iOS forum, my answers will be concerning the iOS version of 1Password.

    Sandboxing in iOS prevents the overwriting of our database by other apps. So it's not actually possible for another app to attempt to save a file overwriting our database. Now, if you "jailbreak" your device, all bets are off. We do not recommend jailbreaking for that reason - it gives apps more capabilities to interact with other apps and their data.

    Even with syncing, we use intermediary files to sync on an item by item basis. It does not simply overwrite the local copy with whatever was in iCloud or on Dropbox. It opens it separately attempts to unlock each item to sync individually, and is all done locally on your device. So, if an attacker gained access to Dropbox or iCloud, they would still need to know your master password to place encrypted items in the keychain file. If they just inserted data encrypted with another master password, it would simply corrupt the file, as your device would not be able to decrypt it with your Master Password when your device next tried to sync.

    Master Password hash: The beauty of 1Password design is that no password hash needs to be stored. Remember that AgileBits does not store your data. Your data is entirely within your control. Your Master Password only lives in memory . So when you enter it to unlock your vault, it only is used to unlock they keys to decrypt the vault. It is never sent over a network, and is never stored on disk, except certain cases when it is stored locally in your device's keychain (more below). I recommend reading this page for more information: https://support.1password.com/private-by-design/

    2 Factor Authentication: remember that your 1Password file is an encrypted file on your device, not a web service. Your password is used to decrypt your database on your device, not to prove your identity to a service. So your password is never sent over the network to any server, so SMS texting and other methods are not applicable here. There's no one to send your SMS, but that's ok, as there's no server to which you need to prove your identity.

    Services such as RSA tokens or Yubikey could be used to strengthen your master password, by essentially using your master password, combined with the token to store a more complex password. Issues can arise if the Yubikey gets lost, damaged, etc. and since there's no online service to help you restore (remember AgileBits does not have your data), you could lose your database. The benefits of this are minimal compared to the added complexity and risk, and compared to choosing a strong Master Password. Those, like other 2FA methods, really shine to protect online services where your password would be sent to an online service. Here is more information on choosing a password: https://blog.agilebits.com/2011/06/21/toward-better-master-passwords/

    There is also more information on how we keep the database file secure: https://support.1password.com/secure-by-design/

    The iOS Keychain. When you activate TouchID or PIN codes (for devices without touch id), your device needs to know your Master Password. It uses the keychain to securely store a hashed version of your Master Password. If you do not want iOS to ever store this data, you can turn off TouchID and/or PIN unlocking.

    I hope I've answered your questions satisfactorily. If you need more information, please let us know and we'll do our best to accommodate you.

    Cheers,
    Kevin

This discussion has been closed.