If someone knows my Master Password, can they steal my Account Key from my computer and gain access?

downunder2016
Community Member
edited August 2016 in Mac

Let's say someone has gained access to my Mac, installed a key logger on my machine, and was able to get my Master Password. Would they be able to steal the encrypted Account Key from my computer and use it on their own machine to get to my 1Password account?

If this was to also happen with the Android app, would it be possible for them to download the encrypted Account Key to their phone and gain access to my 1Password account?



Comments

  • Hi @downunder2016 ,

    To access your account, an attacker needs three things:
    1. The email address used to sign up for the account.
    2. Your Master Password for the account.
    3. The account key.

    If you have a Families or Teams account, they'd also need the domain of your account (e.g. downunder2016family.1password.com).

    OS X does have some protection against key loggers - Secure Input - which prevents rogue apps and utilities from reading password fields. But if an attacker actually gains root access to your machine, the attacker can install a key logger that bypasses Secure Input, and also access your 1Password files, including the account key. The account key does need to be stored on device. If it wasn't, you'd have to enter it each time, and a key logger could grab it there, making it a huge inconvenience and no safer than storing it on device.

    More information on the risks and what to do about them is written in a blog post here. It was written before we offered accounts, but it is still relevant: https://blog.agilebits.com/2014/08/21/watch-what-you-type-1passwords-defenses-against-keystroke-loggers/ - there are some good tips at the bottom of that article to keep your machine safe from such attackers.

    Android, Windows, OS X, iOS, should all be considered in the same fashion - if an attacker can gain enough access to install a working key logger, they can access everything on the machine, including the account key. There is no way around that.

    Now, if you believe a machine of yours has been compromised, the best thing to do is to remove your 1Password account by signing out in the Preferences, go to another machine that is secure, and change your Master Password there. However, if the attacker has already copied files from it (and they may have if they had the opportunity to install a key logger), they may have already gained access to your 1Password data.

    I know all of this sounds a bit scary, but if you keep your computer and phone updated with the latest security fixes, don't install software from untrusted sources, and don't open unknown attachments, the chances of your devices being compromised are very, very low.

    I hope this helps. Please reply if you have any further questions or concerns.

    Cheers,
    Kevin

  • downunder2016
    Community Member

    Thanks Kevin that really clarifies my understanding. I really enjoyed reading the link you provided. Makes a lot of sense.
    I would have loved to use the 1Password for family but I can't trust my wife's computer ;)

  • Pilar
    1Password Alumni

    Hi @downunder2016

    On behalf of Kevin, you're very welcome! I'm sorry you don't feel convinced about the security aspects of 1Password accounts, but we totally understand the feeling and that's why local vaults are still an option. I'd be curious to know why you feel like you can't trust her computer though. Does she have a habit of clicking yes to everything that pops up?

    If there's anything else that you'd like to know just let us know, we're always here for you! :chuffed:

This discussion has been closed.