How many attempts does 1password permit
How many attempts does 1password permit before it locks you out of trying to sign in to my account?
I haven't seen any reference to this question in the Knowledgebase.
If the answer is it doesn't lock you out, why isn't it set up to do that?
If it locked you out after, say, 5 attempts to enter my master password, then wouldn't that limit any password cracking programs or hacking systems from having much chance to guess my password?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
Great question. The answer is that we don't do this. Instead we use other technologies (such as PBKDF2) to slow down attempts, and also use two-secret key derivation (2SKD) in the form of the Secret Key to protect your data from such attacks:
About your Secret Key - 1Password Support
I hope that helps. Should you have any other questions or concerns, please feel free to ask.
Ben
0 -
I appreciate that the use of other technologies such as PBKDF2 will slow down attempts to crack passwords, but I still don't understand why you (1Password) wouldn't add locking out after repeated attempts as yet another measure to limit attempts to hack into accounts. All the financial institutions use locking out in their security procedures. Any thoughts on this question would be of great interest.
0 -
What sort of attack vector do you envision where such a lock out would be beneficial to 1Password? What does locking out do that isn't already accomplished by something else we already do?
Ben
0 -
Hi @lookingforentropy. That is a good question, but the answer is more subtle.
Lockout of the sort you are asking about and have seen is appropriate for some typical authentication-based systems. Those are systems in which you send a password to a server. But 1Password doesn't work that way, and so its threats and defenses are different. Quite frankly, we aren't worried about attacks in which someone manually tries guessing a Master Password and typing it in. We are worried about more sophisticated attacks and so have built our defenses around those.
Sophisticated attacks will be automated to try to make as many guesses as possible very quickly. An attacker without your Secret Key has no chance of guessing, so as @Ben pointed out, we don't need to worry about that case. So let's consider the case where an attacker has your Secret Key, but does not have other "local" data to guess against.
Each Master Password guess will require hundreds of thousands of computations on the attacker's client before it can even construct something to send to the server. But if an attacker has a specially built computer to perform those computations very quickly, we do have some rate limiting parameters set server side. We adjust the details and I don't want to state the precise settings, but a certain number of auth attempts per second will result in some automated blocking.
Given the nature of our client-side key derivation process along with the actual authentication system we use, the kind of limiting you are asking for would serve no meaningful gain in security while it would put users at risk of being locked out of their data by malicious (or accidental) repeated login attempts.
0 -
Put another way, if someone has access to your 1Password database, they don't need to go through the 1Password app user interface to try to get in (which is where throttling attempts would be useful); rather, they can just perform automated brute force attacks on the data itself, which is why we use PBKDF2 to slow down attempts computationally. It's sort of like having a lock on your front door that freezes up after a few lock picking attempts; a burglar will just go in through the garage...so we want reinforced doors and locks there as well. Cheers! :)
0
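The two answers above make the same point from two directions: an attacker who holds the encrypted data (or anything derivable from it) does not go through the login screen, so the defenses that matter are a slow key-derivation step per guess and a second, high-entropy secret that the attacker must also possess. The following is an added illustration of that reasoning in Python, written for this page; it is not 1Password's code and does not use 1Password's real parameters. The salt, the 100,000 PBKDF2 iterations, the HKDF label, the hex Secret Key format and the XOR combination of the two derived halves are all demo assumptions chosen to show the principle, not the product's construction.

```python
"""Two-secret key derivation (2SKD) demo: why an offline guesser needs both
the password and the Secret Key, and why PBKDF2 makes each guess expensive.
Added example for this discussion; not 1Password's code or parameters."""
import hashlib
import hmac
import secrets
import time

ITERATIONS = 100_000                   # assumed PBKDF2 work factor for the demo
SALT = b"constructed-demo-salt-16byte"  # constructed; real systems use a random per-account salt


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """Minimal HKDF-SHA256 (RFC 5869 extract-then-expand), enough for 32 bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_key(password: str, secret_key: str, salt: bytes = SALT) -> bytes:
    """Combine a (possibly weak) password with a high-entropy Secret Key.

    The PBKDF2 step is the deliberately slow part an attacker pays per guess.
    The Secret Key step is cheap, but its ~128 bits of entropy are what make
    guessing hopeless for anyone who does not hold it. XOR-combining the two
    32-byte outputs is a demo choice, not a statement about any product.
    """
    pw_part = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, 32)
    sk_part = hkdf(secret_key.encode(), salt, b"demo-2skd-secret-key", 32)
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def offline_guess(candidates, target_key: bytes, secret_key_guess: str, salt: bytes = SALT):
    """An attacker's loop against a stolen key (or anything verifiable with it).

    No login screen, no lockout: only the cost of derive_key() per candidate
    limits the rate. Returns the password that reproduces target_key, or None.
    """
    for pw in candidates:
        if hmac.compare_digest(derive_key(pw, secret_key_guess, salt), target_key):
            return pw
    return None


def new_secret_key() -> str:
    """128 random bits rendered as 32 hex characters (demo format)."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    real_pw, real_sk = "Summer2019!", new_secret_key()
    stolen = derive_key(real_pw, real_sk)          # what a data thief could test against
    wordlist = ["123456", "password", "letmein", "Summer2019!", "qwerty"]  # constructed

    t0 = time.perf_counter()
    print("with the Secret Key:   ", offline_guess(wordlist, stolen, real_sk))
    print("without the Secret Key:", offline_guess(wordlist, stolen, "wrong-secret-key"))
    elapsed = time.perf_counter() - t0
    print(f"~{2 * len(wordlist) / elapsed:.1f} guesses/s on this machine at {ITERATIONS} iterations")
```

With the Secret Key in hand, a five-word dictionary finds the weak password immediately; without it, the correct password produces a key that does not match, so the whole wordlist fails. The timing line shows the other half of the argument: raising ITERATIONS lowers the guess rate for the attacker's own hardware, which is a defense that works whether or not a UI lockout exists.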