cant log in to my account -

nancytoelle

I have been unable to access the forgotten username or password feature as none of my email addresses was recognized. I just created a new account to be able to send this to you. HELP please.

---

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:cant log in to my account -

nancytoelle

I am unable to access my 1password account as neither the email nor password I have is working. Please help me get this straightened out as I need to access that account.

Drew_AG

Hi @nancytoelle,

I'm sorry to hear you're running into some trouble with 1Password! We'll do our best to help figure out what's going on here.

It sounds like there might be some confusion about the difference between a 1Password account, a 1Password license, and an account for our support forum. So just to be sure we're on the same page, I wanted to clear that up first:

There are currently two different ways to purchase and use 1Password: Standalone licenses and 1Password accounts. A 1Password account is a new subscription service we started this year. Do you remember signing up for an account on 1Password.com, downloading an Emergency Kit, or receiving an Account Key?

If you didn't sign up for a 1Password subscription/account, then you may have purchased a standalone license from the AgileBits Store or the Mac App Store. That allows you to activate the app on your computers, but it doesn't include an account on 1Password.com.

You said you tried "the forgotten username or password feature", which sounds like you're referring to your account for our support forum. A forum account is completely separate from and unrelated to a 1Password subscription/account. If you clicked the "Forgot your password?" link on the forum sign-in page but never previously signed up for a forum account, that would explain why it didn't recognize your email address. I see that you created your forum account earlier today, and that allows you to post messages here, but that doesn't necessarily mean you also signed up for an account on 1Password.com.

With all that in mind, can you please let us know exactly what you're having trouble with? For example, are you opening the 1Password app on your Mac but can't unlock it with your master password? Or are you trying to sign into an account on 1Password.com? Or something else? The more details you can tell us about what you're trying to do and the steps you're taking to do it, the better. Then we'll have a much better idea of what's going wrong and how we can help. Thanks in advance! :)

nancytoelle

I think I must have just a standalone download on my computer. The reason I was wanting to sign in, is I thought I had to do that to speak to someone in the customer service department. If that's you, I'll ask you my question: yesterday I received an automated notice from my credit union business account that an attempt had been made to login to that account with a valid username and password at 2:40. in the morning. Since I had not made that attempt, I called the credit union who started an investigation. My question for you is, since I've not given that info out to anyone and the password is one of those crazy long computer generated ones that shouldn't be guessable, could it have come from 1Password? Do you have a mechanism to see if anyone else is accessing my account? I appreciate your help. Nancy Toelle

Megan

Hi Nancy ( @nancytoelle ),

My question for you is, since I've not given that info out to anyone and the password is one of those crazy long computer generated ones that shouldn't be guessable, could it have come from 1Password?

I’m so sorry to hear that you’ve been having trouble with one of your accounts. I don’t blame you for being concerned.

Does anyone else have access to your computer? Are you currently syncing your 1Password data to any other computers or devices?

We designed 1Password so that we would have as little knowledge about your data as possible. With standalone vaults, your data will never leave your computer until you decide to sync it. Even with the new 1Password accounts, we’ve designed the architecture carefully so that our knowledge about your data and the activity in your account is at a minimum. For privacy conscious people, this is a very good thing, but it does mean that we have no way to monitor if anyone else is accessing your data.

I’m asking one of our security gurus to join in this conversation, as they’ll be able to provide some better insight here than I can. :)

AGKyle

Hi @nancytoelle

Megan wanted one of us on the security team to chime in and offer some assistance as well.

She's asking the right questions for sure:

1. Does anyone else have access to one of your computers that has the login information available?
2. Have you ever logged in, or recently logged in, from a public location like a coffee shop or other place that uses public wifi?
3. Have you recently attempted to login but found it didn't take your username and password and required you try again?

You have said that you're using a very long password that you appear to have generated in 1Password. Is this password used for any other sites? If so, that's definitely a potential cause of this.

In most cases the cause of this type of thing is something else. 1Password is typically the most secure aspect of your security system and if someone gains access to a site it's for other reasons... like password reuse, phishing, and similar types of issues.

Hopefully we can learn more with the answers to the above questions.

nancytoelle

Kyle, thanks for the response. responding to your questions above: to 1 & 3 the answer is no, I work in a home office and no one has access to my laptop. to #2, the answer is yes, I was at a conference in Florida last month and may have accessed my credit union account during my stay there. When I asked the credit union security people about that possibility, however, they maintained that the username and password are encrypted when they are entered in the sign in to protect against possible theft during login.

Regarding the password, it was unique to that account, not used in any others. I have reached out to 1Password and have not heard back from them, but since the IP address of the attempted login was Finicity, I would like to know how and by whom that login attempt was initiated on 8/24/16 at 2:40am. Could you help me with that?

If you want to chat with me, my redacted. If you want to contact the security person from my credit union, I can give you her contact information. I appreciate your taking this seriously, as it is a source of great concern for me and for my credit union. Thanks, Nancy Toelle

AGKyle

Hi @nancytoelle

FYI: Megan and I are both employees that work at AgileBits, makers of 1Password. You've reached out, we're responding. :)

Your Credit Union is correct, assuming nothing nefarious is happening at the public wifi level. Sites are encrypted with a certificate, that certificate is what you see when you click the "lock" icon in your browser. However, it's possible to replace those in line. So, the router has its own certificate, which it passes on to you, then when you connect to the bank it re-encrypts with the certificate the bank needs. In doing so they could theoretically view what you're sending to your bank and what your bank is sending to you.

This is called a Man in the Middle attack.

You <-->Malicious Network <-->Internet <--> Bank

You just gave an incredibly insightful bit of details there. Finicity is actually a banking solution for developers. For instance, if I were to write a banking app and I wanted you to be able to pull your bank data directly into my app, I could use Finicity to do that. They're a 3rd party service that helps get transaction and banking data out of your account and into a format developers can use...

Do you by chance use any 3rd party banking services? I believe YouNeedABudget actually uses Finicity, and indeed can confirm it in their security docs. So that's one potential possibility. But if you use any apps that help you budget or monitor your banking information, it's possible they are using Finicity.

In that case, these types of logins are expected and were approved by you. Assuming you setup your credit union account with that app/service :)

Does that help by chance?

nancytoelle

Oh my Kyle, I'm so sorry I confused you with Finicity and for getting ahold of the wrong end of the stick! Your info was very helpful and conjures up two, maybe three possibilities. The first is that I am setting up an online store, using, so far, ECWID and Square, so I wonder if either or both are affiliated with Finicity. Square is configured to make deposits to my business account, but that has happened before without a login attempt. The second is that I do online book keeping with Quick Books, but I must manually import info from my credit union accounts, as they are not linked.

Regarding the malicious man in the middle scenario, would that entail me going to a bogus website, such as for my credit union site, and entering my username and password? How would I know if that's happening and how would I guard against it? I'm really alert to phishing attempts and just do not open attachments unless I know and trust the sender. I use Sophos for protection, do you think I could have downloaded malware? I'm highly motivated to figure out exactly what happened. I will recontact Finicity to see if I can get them going to help solve the mystery.

I do love my 1Password .... it would be hopeless to keep all my passwords without it. So thanks for that and for your help. Nancy

AGKyle

@nancytoelle

Yea, if you need information that only Finicity can get you, I'm afraid you've got the wrong team :) It's all okay though.

Square may use Finicity. You would need to ask each of those services to verify. I'd start with that.

If you then need more information from Finicity you can probably get ahold of them here.

The Man in the Middle attack i described would be directly to your bank, but a malicious person could intercept your data. What you're mentioning is a phishing attempt, a site that looks like your bank but isn't.

Your best bet for Man in the Middle type of attacks is to view the certificate. Here's a screenshot from my Safari window while on our forums after clicking the "padlock" icon in the browser bar.

Note that the domain in the URL bar is the same as that which is in the SSL certificate?

In a man in the middle attack this could be different, and more importantly you'd probably notice that the issuer of the certificate is different.

I'm guessing this isn't the case for you though. I believe you'll get your answer by contacting those other services and seeing if they use Finicity :)

The best question to ask yourself is: "Did I enter my bank information into any other applications recently?" where that application is Square or the other services you used. If so, that's probably it and they are likely using Finicity.