Keylogger a risk?

skyfranks
Community Member

I have been using a standalone license for 1Password and am now trying out the family version. My concern is, without two factor authentication, if a key logger is on my computer, all of my passwords are at risk, correct? I'm uncomfortable with all of my passwords no longer being local, and having a web browser to log in. I ask because recently, I tried to visit Netflix.com and I must have missed a letter, taking me to some other site that installed something in Chrome even though I hit decline. I couldn't figure out what it was but it unsettled me. Not too long after that, I was hit by the Find My iPhone ransom attack. I wonder if it installed a key logger? Maybe I'm way off base but my question is still the same. On the web, without some kind of two factor, anyone with your password can get access to all of your data? I acknowledge I am missing something, right? Just looking for some help and assurance using the subscription model is safe.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: OS X High Sierra
Sync Type: Not Provided

Comments

  • bundtkate
    edited October 2017

    @skyfranks: While a keylogger is never a good thing, your risk truly doesn't increase with a 1Password account vs. a standalone vault. In both cases, an attacker would need to go after your machine and steal your encrypted data directly from you (or use your machine remotely) in order to unlock your data.

    Let's assume you have a keylogger (and nothing more) for the sake of argument. With a standalone vault, they have your Master Password. This is, indeed, the key to the city, but they don't have your data and they don't have control of your computer. Theoretically, they could install 1Password themselves and sync up with your data assuming they've also captured the password for your sync service, but given both Dropbox and iCloud offer 2FA, they're probably only going to alert you to their subterfuge leading you to take corrective action.

    Now, let's assume you have a 1Password account instead. Again, they have your Master Password, but they don't have your Secret Key. You don't need to type your Secret Key and this is needed to sign in to your 1Password account, whether you're using one of the apps or 1Password.com (which is itself a web app rather than a mere website). Your apps have your Secret Key saved and you may have chosen to allow your browser to cache your Secret Key, but our hypothetical bad guy only knows what you type and since you're an awesome security-conscious 1Password customer, you signed into your apps using your Setup Code and let your browser cache your Secret Key at sign-up, so you've never typed that 128-bit monstrosity and they're out of luck.

    Now, a caveat in both of these cases is that, whether you use a standalone vault or a 1Password account, your Master Password is the primary thing protecting your local database. It takes more than a keylogger alone to capture what's needed to unlock that data, but if a truly dedicated attacker decides to come after you specifically and lifts your Master Password and your encrypted local database, that's a good chunk of the battle. Of course, this generally isn't how "hackers" work. Your computer is worth little to them and folks like us or Dropbox are a much more attractive target. That's why we didn't want to introduce a hosted service until we could implement two-secret key derivation in order to protect your data. This ensures that even if the worst happens and your encrypted blob of data is stolen from our servers, you and only you have the keys to the kingdom (and, again, it requires more than just a keylogger to steal those keys).

    Additionally, it's worth taking a moment to talk about ransomware specifically. Ransomware has been in the news a lot as it's an easy way for bad actors to make a buck without targeting specific people. The bad guys release their malware into the wild and rely on humans, often the weakest link in any security net, to trap themselves in their net. This is an example of a specific case where your 1Password account protects you better than a standalone vault, in my opinion. Ransomware has been known to lock Dropbox files and may be able to lock iCloud as well, but it cannot lock your data on 1Password.com. So if you do fall victim to a ransomware attack and you happen to have a 1Password account, well, that's one less thing you need to worry about. If you refuse to pay, your 1Password data will be waiting for you when you set up your apps again after wiping your device.

    So, yes, a keylogger is a risk and 2FA does provide some additional protection from attacks of this sort, but your Secret Key does an equally good job in most cases and you're at no greater risk from such attacks because of 1Password.com. In fact, the distinct separation between your data on our servers and your computer can even be a benefit in the case of a ransomware attack. You should, of course, always do all you can to keep your computer safe, but should the worst happen 1Password has your back. :chuffed:

  • skyfranks
    Community Member

    I am unsure if my strange encounter with Chrome that day installed a key logger or not but it made me question making this jump. It's just as likely someone gained my data from a shared password on another site. I am trying to make all my passwords unique as I go now, but it is a slow process. Thanks for this explanation.

  • @skyfranks: It's no problem at all and I fully support your paranoia. We have so much of our lives saved on our computers, any little hiccup can be unsettling for sure. A word of advice for the future: give Go & Fill a try when signing into Netflix (or anything else). Select the Login item in mini on your menubar and 1Password will open the proper site and sign you in. This way, you can avoid those sneaky lookalikes and ensure you get to the right place. :chuffed:
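As an added illustration of the two-secret key derivation described in bundtkate's first reply above (this is not 1Password's own code and not part of the thread), the following simplified Python model derives the vault key from both the typed Master Password and a stored 128-bit Secret Key, so a keylogged password alone cannot reproduce it; the PBKDF2 parameters, the HMAC mixing step, the XOR combination and the stored verifier are all assumptions made for the illustration.

```python
# Added illustration of the "two-secret key derivation" idea from the thread.
# This is NOT 1Password's own code: the PBKDF2 parameters, the HMAC step and the
# XOR combination are simplifying assumptions, kept only to show why a keylogged
# Master Password without the never-typed Secret Key does not unlock the data.
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000  # assumed value, not a vendor parameter


def derive_vault_key(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Mix a typed password with a stored 128-bit Secret Key into one vault key."""
    # The typed half is stretched, so offline guessing of the password is slow.
    password_part = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=32
    )
    # The Secret Key half is never typed, so a keylogger never sees it.
    secret_part = hmac.new(secret_key, salt, hashlib.sha256).digest()
    # XOR of the two halves: either half alone reveals nothing about the key.
    return bytes(a ^ b for a, b in zip(password_part, secret_part))


def make_verifier(vault_key: bytes) -> bytes:
    """What gets stored: a keyed check value derived from the key, not the key."""
    return hmac.new(vault_key, b"vault-key-verifier", hashlib.sha256).digest()


def can_unlock(master_password: str, secret_key: bytes, salt: bytes, verifier: bytes) -> bool:
    """Unlock succeeds only when BOTH secrets reproduce the stored verifier."""
    candidate = derive_vault_key(master_password, secret_key, salt)
    return hmac.compare_digest(make_verifier(candidate), verifier)


def keylogger_scenario() -> dict:
    """Model the thread's case: the attacker holds the typed Master Password plus
    the stored data (salt and verifier), but not the Secret Key."""
    salt = secrets.token_bytes(16)
    real_secret_key = secrets.token_bytes(16)          # 128-bit, generated at setup
    master_password = "correct horse battery staple"   # constructed sample password
    verifier = make_verifier(derive_vault_key(master_password, real_secret_key, salt))

    guessed_secret_key = secrets.token_bytes(16)       # one of 2**128 possibilities
    return {
        "owner_unlocks": can_unlock(master_password, real_secret_key, salt, verifier),
        "keylogger_only_unlocks": can_unlock(master_password, guessed_secret_key, salt, verifier),
    }
```

The same construction is why a weak Master Password still matters: the Secret Key only protects the copy of the data stored on the service, while the local database is guarded by the password-stretching half alone.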

This discussion has been closed.