General question about MASTER password and password-cracking programs
Besides deterring any person(s) from having access to my 1P vault, exactly WHAT CIRCUMSTANCES of usage expose my MASTER password to password-cracking programs? Is it certain sites? Is it malware?
Been curious about this for a while.
1Password Version: 6.7.1
Extension Version: Not Provided
OS Version:_10.12.5
_Sync Type: Not Provided
Referrer: forum-search:master password
Comments
-
Besides deterring any person(s) from having access to my 1P vault, exactly WHAT CIRCUMSTANCES of usage expose my MASTER password to password-cracking programs? Is it certain sites? Is it malware? Been curious about this for a while.
@tramera: Unfortunately that's not really a question we can answer with specifics. Certainly you should treat any compromise of your system as being hostile. Historically lot of malware was designed as a nuisance or as a way to generate ad revenue, but in recent years hackers have become bolder, more malicious, and increasingly motivated by both money and power. Case in point, malware targeting BitCoin and banks, or corporate and government interests. So while it's unlikely that you and I are high value targets, we have to remember that we can also be vulnerable to attacks meant for others.
So first and foremost, practice good security hygiene by not visiting shady websites, or downloading things from unknown/untrusted sources. Your best bet is to avoid getting infected in the first place.
If you do make a mistake (we all do), there are great free tools out there for offline scanning and removal of malware. These are not perfect, as any security software can only protect you against known threats. But in many situations these will be sufficient.
But when in doubt of the security of a machine, do not access sensitive information on it. I mean not only 1Password, but bank accounts, personal/business information, etc. And this applies not only to a machine you own which may be infected (at that point you no longer own it in the sense that someone else may have control), but also machines where you simply don't know their security status — public computers, or even those of friend and family, may be infected; not everyone is tech savvy and security conscious, and even those who are can make mistakes.
Getting back to the Master Password, the only surefire way to not have it captured is to not enter it. This applies most to a compromised machine. If you do not enter your Master Password to decrypt the data, it is safe, even if an attacker gets it, because they do not have the means to decrypt it. 1Password is secure by design, not by chance; and we've designed it based on the principle that even if the encrypted data falls into the wrong hands it is useless to them without the Master Password, provided it is long, strong, and unique.
And in the case of your machine not being fully compromised, there are measures in place to prevent other apps or websites from capturing your Master Password as you enter it into 1Password. Just always be sure that you only enter your Master Password into 1Password itself, downloaded directly from either the AgileBits website, or Google and Apple's stores.
And as far as "cracking" your Master Password, we slow down attempts to do this mathematically so that an attacker who does get your data will not be able to guess your Master Password within our lifetimes, provided you're using a good one. I hope this helps. Be sure to let me know if you have any other questions! :)
0 -
Wow brenty, how'd you know I'd love such a detailed response? Thank you! My system isn't compromised (as far as I know), but I've really been curious about this question for a while. I happen to love geeking out to make the most of my 1P software...and this pretty much completes my pursuit of understanding. So, thanks again :)
0 -
@tramera: Ah, I was certainly not sure you'd want to read all that, but I prefer to be thorough, especially with such a sensitive and important topic. I had originally planned to write a paragraph or so and see if you had additional questions after that...but I do get a little carried away sometimes. Anyway, I'm delighted that it turned out to be exactly what you were looking for! You're totally welcome, and if you didn't before, I'm sure you know now that we're more than happy to answer any other questions you might have. Cheers! :lol:
0 -
Likewise, thanks for your support! :chuffed: :+1:
0