What is the weakest link?

scottwoz
Community Member

Hi, I'm new to 1PW and so far I'm very impressed. As a natural skeptic, my main concern was putting all my eggs in one basket, though operating on a desktop and after everything I've read thus far gives me hope. I just want to clarify that I'm not 'missing the point' somewhere. Apologies if this has been asked before, but surely, in order to sync between Mac OS and iOS devices, isn't entering your master password on the 1PW website taking a huge risk? Just how secure is the site? My other question is with iPhone and iPad: in order to be more practically accessible, opting to use the numeric code rather than the master password each time it's needed, does that not compromise security also?

Thanks in advance for any advice or information.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Hi @scottwoz,

    Thanks for taking the time to write in.

    Even when logging into 1Password.com your Master Password and Secret Key are not transmitted to us. You can read more about the security design of 1Password here:

    About the 1Password security model

    We also have a fairly detailed technical white paper available here:

    1Password Security Design White Paper

    My other question is with iPhone and iPad: in order to be more practically accessible, opting to use the numeric code rather than the master password each time it's needed, does that not compromise security also?

    Yes, of course. :) Security and convenience are always at odds. You have to decide how you want to balance these. Certainly requiring yourself to type your Master Password every time you launch 1Password is the most secure option, but unless you choose a weak Master Password... not a very convenient one. And of course if you choose a weak Master Password, you're defeating much of the point. :smile:

    Ben

  • scottwoz
    Community Member

    Thanks for your prompt reply, Ben. I'll take a look at those links now. I had no idea entering the MP on the website wasn't transmitted; thanks for clearing that up. I believe I have a strong MP, though I'm no expert. Point taken regarding convenience vs security; can't argue with that at all. A very good point!

  • @scottwoz,

    Let us know if you have any follow-up questions!

    Rudy

  • danco
    Volunteer Moderator

    As regards iPhone and iPad, it does depend on what versions you have.

    First of all, if you have sufficiently new ones you can use Touch ID rather than any kind of code.

    Second, you can use an alphanumeric code rather than just the four-digit numeric one, adding some security.

    Yes, some details are kept in the iOS keychain, and in theory there might be a way of extracting these details.

    As Ben says, there is always a trade-off between security and convenience. I am just providing a different option for users to make the trade-off.

  • Ben
    edited August 2017

    Indeed, on Touch ID enabled devices we would generally recommend taking advantage of Touch ID. For most the trade-off is well worthwhile. The minimal risk is greatly outweighed by the benefit.

    About Touch ID security in 1Password for iOS - 1Password Support

    Ben

  • scottwoz
    Community Member

    Appreciate the comments. Unfortunately, I don't have the finger ID though I take the point about security over convenience and will continue entering the MP - no problems there. I do have one more, possibly stupid question: if entering the MP on the 1PW website is never seen or received by the 1PW team, is there any risk of an external threat reading the keys pressed on the keyboard as the password is entered?

  • AGAlumB
    1Password Alumni

    @scottwoz: If your machine is under someone else's control, then yes, there's a risk of them capturing your keystrokes. There's just no way around that. Definitely practice good security hygiene by not visiting shady sites or installing software from untrusted/unknown sources. If your machine is compromised, whether you use 1Password or not, you'll need to address that before using it to access or enter any sensitive information.

  • scottwoz
    Community Member

    Sure, understand. My machine is only ever used by myself and I never visit shady sites or download anything that I'm unsure of. Of course I'd never log on using another machine in an internet cafe or something. If, for example, I ever travelled to visit my parents and had to use their machine for whatever reason, I'd like to think having my 1PW data backed up onto a USB drive would be the way to go. I guess I'm possibly being paranoid somewhat that there is always that external risk factor. Thanks.

  • AGAlumB
    1Password Alumni

    @scottwoz: I hear you. That wasn't meant as an indictment of your computing habits. I think we all make mistakes from time to time. As far as travel, that's what I've got my phone for. While personally I'd be somewhat comfortable using my parents' computer in a pinch to access my 1Password.com account, I think we need to evaluate these things on a case-by-case basis. Regardless of what I think of my folks, I'd poke around a bit to get a sense of whether anything seems off. And, for example, if I see a bunch of adware toolbars in their browser you can bet I won't bother navigating to 1Password.com. ;)

  • scottwoz
    Community Member

    Indeed. Exactly the same here. What they must install and agree to in their innocence doesn't bear thinking about.

    While I think about it, is it easy to change passwords using the 1PW password generator without having to go through the whole email reset and confirmation debacle? Furthermore, is there a way that 1PW can change passwords automatically on a regular basis? I appreciate that that may be site specific, but are there any known sites that facilitate this?

    Thanks again!

  • AGAlumB
    1Password Alumni

    Indeed. Exactly the same here. What they must install and agree to in their innocence doesn't bear thinking about.

    @scottwoz: Well said. :blush:

    While I think about it, is it easy to change passwords using the 1PW password generator without having to go through the whole email reset and confirmation debacle?

    Changing passwords within 1Password is incredibly easy, as the password generator is right there in the item details when editing. The hard part is navigating websites which often make it pretty difficult to find and/or comprehend their password change forms... :unamused:

    Furthermore, is there a way that 1PW can change passwords automatically on a regular basis? I appreciate that that may be site specific, but are there any known sites that facilitate this? Thanks again!

    No, it isn't possible to have 1Password automatically change passwords on websites; and changing passwords frequently is something we and many security experts advise against. Generally this is because most people will use weak passwords to compensate for the hassle, but with regard to 1Password specifically that doesn't necessarily apply. However, there are only a few cases where a password should be changed:

    1. It is weak or reused
    2. It (or the account) has been compromised

    If you're using 1Password to use strong, unique passwords for each site, #1 is irrelevant, and #2 is, fortunately, not common and won't affect any other accounts when it happens to one in this case. So regularly changing passwords amounts to busywork for 1Password users, and encourages folks who do not use a password manager to use weaker passwords due to the burden. The great thing about 1Password is that if you're already using an awesome, randomly generated password for a site, changing it to another equally awesome, randomly generated password for the sake of changing it is unnecessary because it will not increase your security. So it's only something you need to trouble yourself with if it is compromised. Cheers! :)

  • scottwoz
    Community Member

    Perfect. That makes complete sense. This is the first time in about twenty years that I'm finally willing to let go of relying on my memory, which I have done successfully in all that time. These days though, with the extra work I'm taking on in different fields, combined with the added need for modern security measures, I just can't do it anymore (getting old basically!)

    Thanks for all your help Brenty, very much appreciated.

  • AGAlumB
    1Password Alumni

    Perfect. That makes complete sense. This is the first time in about twenty years that I'm finally willing to let go of relying on my memory, which I have done successfully in all that time.

    @scottwoz: Oh, totally! Honestly, that was the hardest part for me with 1Password, giving up my old habits. haha

    These days though, with the extra work I'm taking on in different fields, combined with the added need for modern security measures, I just can't do it anymore (getting old basically!)

    Indeed, we're not getting any younger. But either way, no matter how sharp we are, there's something to be said for relieving the cognitive load of "managing" all of this stuff in our brains. I'm sure we've got other stuff to occupy our time and mental cycles. hehe

    Thanks for all your help Brenty, very much appreciated.

    You're welcome! It's a pleasure! :chuffed:

  • scottwoz
    Community Member

    8-)

  • AGAlumB
    1Password Alumni

    :sunglasses: :+1:
