Discussion: Do you keep your email password in 1P? Do you keep your TOTP in 1P?

hydraSlav
hydraSlav
Community Member

I've been struggling with this for a while, so maybe others can share their thoughts.

Do you keep your email password in a password manager?

  • If I was to forget my Master Password and would need to delete an account and start over, 1P would verify my identity by sending me an email.... which I cannot access without remembering my Master Password (assume phone with sync lost/stolen, logged-in PC burned down or something... or maybe I don't keep email logged-in on PC either).

  • Similarly, if I was to forget my Master Password (with no recovery possible), I would then need to contact individual services (facebook, aws, dropbox, etc) to reset my (randomly generated) password. That process would usually go through the email... which I cannot access without remembering my Master Password.

This is like making a copy of your safe key... and then keeping it in the safe... if you lost your main safe key, you are not getting back into the safe, so why even keep a copy there?

Do you keep your TOTP codes in a password manager?

The 2FA TOTP codes are my last line of defense against an attacker. If an attacker was to gain access to my passwords stored in 1P, either through:

  • guessing a weak Master Password and glancing over my shoulder while I copied secret key in plain text from the phone into a new browser,
  • or gaining short access to my computer while 1P is logged in, and then copying and sending/storing my individual passwords,
  • or getting a quantum computer from the future and actually breaking the encryption,
  • or snatching the phone out of my hand, running off, and then fooling the fingerprint sensor with my fingerprints left all over the device.

In any of the above, the attacker now gains access to my individual service passwords (facebook, amazon, etc). When they try to login, they will be faced with a 2FA challenge. That is the whole point of 2FA. This is my last line of defense. In 3/4 cases, the attacker does not have my phone, therefore cannot access 2FA seeds/codes that are on my phone. In the remaining case, even if phone is stolen and fingerprint is lifted off the case, my 2FA app has a separate pin (oh how I hate that they don't allow fingerprint auth... but obviously this is quite on purpose to combat situations like this).

[Considering only single-point-of-failure scenarios here. If someone attacks my vault personally (a wide attack on 1P servers to gain encrypted vaults is pointless without a from-the-future quantum computer, and unlikely) and attacks the 2FA app's servers in a coordinated attack and also breaks their encryption, then they probably need those passwords more than I do (or it's so above my paygrade i'd rather give them passwords and keep my life).]

By keeping my 2FA separate from 1P, it serves it's purpose and the attacker still cannot gain access to my individual services despite having the passwords. The next step for the attacker would be to suspend 2FA, or disable 2FA, or request alternative 2FA. In most cases, this again would be performed through the email.

However if I stored my 2FA in 1P, that already defeats the purpose. Similarly, if I stored my email password in 1P, the attacker would be able to disable 2FA through email links.

So it seem problematic to store email password in a password manager. It's also outright wrong to be storing 2FA in a password manager. At the very least, if one was to store 2FA in a password manager, it should be a different password manager than the one containing the passwords.

Thoughts please? I am sure I am not alone who is struggling with this


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Henry
    Henry
    1Password Alumni

    Hey there! Let me dive right into your questions, with email up first.

    My advice is to always remember your email password—in case you misplace your Secret Key/Master Password and can't access your 1Password account, it's nice to be able to reset your passwords and easily start anew :). That said—be sure to keep your email account login in your 1Password account and strong in its own right! A three- or four-word password from 1Password's Password Generator + 2 Factor Authentication would be perfect.

    Now, for 2FA codes. I'd say it's best to keep your 2FA codes right in 1Password: not only is it more convenient than having a second authenticator app (and one that may not sync between your devices), it's also more secure (protected by your Master Password and not in the hands of a third-party app developer). No way of storing this info is totally foolproof or 100% secure, but 1Password is pretty close (more info on our security right here).

    Also: now's a great time to print out your Emergency Kit and store it in a safe place so you'll never forget your 1Password sign-in info!

  • hydraSlav
    hydraSlav
    Community Member

    @HenryCS

    I agree you should always know your email password (a strong passphrase). But keeping it in 1P or any other password manager gives an attacker a way to bypass the last line of defense, which is your 2FA (which should not be stored along with passwords... the whole purpose of 2FA is to be separate).

    There are a number of ways a dedicated attacker could personally target myself and gain access to my vault, including scenarios in my OP and key-loggers (I cannot figure out how to edit my post to add this in). After my vault is compromised, the 2FA of individual sites/services becomes the last line of defense.

    If the 2FA is stored in vault, that last line of defense is already non-existent (which is why 2FA should never be stored along with passwords, at least not in the same password manager as the accounts' passwords). If my 2FA is separate, but email password is in the compromised vault, the attacker can disable the 2FA through use of email (most services allow to disable 2FA by confirming account ownership through email... 1P also relies on email to confirm account ownership, as you yourself noted).

    I haven't personally seen services that force the use of 2FA (yet). If you choose 2FA, you want that extra layer of security. If your 2FA is in the same place as your password, you might as well not have 2FA to begin with.

    I agree it's convenient to have 1P fill in your password and 2FA all with 1 click, but explain to me what extra security (over just a strong random-generated password that you don't even know yourself) does 2FA provide if it's stored along with the password and filled in with 1 click? It just doesn't.

    I know, I know, you provide a tool with options, and it's my choice how I use this tool. If I don't like it, I can simply choose not to use 1P for 2FAs. I get all that. I am not asking you to change it. I just wanted others' opinion on this matter. Maybe I am missing something. Maybe 2FA does provide extra security even when stored along with passwords (I am yet to see this however). This is a discussion.

  • Moving this to the Lounge as you’re more likely to get comments from other customers there. :)

    Ben

  • Henry
    Henry
    1Password Alumni

    Totally understood @hydraSlav :). We've made it really safe to store all your private data (including both passwords and OTPs) in 1Password—I'd say to set a strong Master Password and trust it!—but it's totally up to you.

    Related discussion worth a read right here: https://discussions.agilebits.com/discussion/74493/best-practice-for-otp

  • XIII
    XIII
    Community Member
    edited November 2017

    I agree it's convenient to have 1P fill in your password and 2FA all with 1 click, but explain to me what extra security (over just a strong random-generated password that you don't even know yourself) does 2FA provide if it's stored along with the password and filled in with 1 click?

    Key loggers?

  • hydraSlav
    hydraSlav
    Community Member

    [quote]Key loggers?[/quote]

    @XIII please explain.

    2FA OTPs are not subject to keylogging or other interception, cause they are time-based one-time codes. I can easily show you my current OTPs, and the next minute's ones... and there is nothing you can do with it unless you are trying to login at this exact minute. That's why OTP fields are not password masked: cause they are not secret. The seed is secret, not the code.

    And if there is a keylogger on my machine (or public machine I am using), then my master password is now compromised, and attacker has access to my vault and all passwords and OTP seeds in it.

    If you keep your 2FA OTP seeds on your phone separate from 1P synchronized vault, and the computer is compromised with a keylogger, then even after gaining master password, and further the passwords to individual sites, the attacker cannot login cause they are missing the 2FA OTPs.

    The paragraph you quoted addresses this exact scenario: Passwords and 2FA OTPs in different places protects you from keyloggers; passwords and 2FA OTPs in same place simply doesn't do anything, so why even bother enabling 2FA on a service in the first place?

  • XIII
    XIII
    Community Member

    Yup, I guess only additional safety if you have a 1Password.com account and you entered your Secret Key before the key logger infected your system.

    (if the hackers don't know how to get that Secret Key)

  • AGAlumB
    AGAlumB
    1Password Alumni

    2FA OTPs are not subject to keylogging or other interception, cause they are time-based one-time codes.

    @hydraSlav I wouldn't be comfortable taking that bet. If a "keylogger" is installed, there's nothing stopping it from being a much more capable pice of malware which simply captures your login credentials — including TOTP code — as you try to use them. All they have to do is stop you from submitting them and use them themselves. Certainly more complex than a "dumb" keylogger, but underestimating the intelligence of an attacker is unwise. Better safe than sorry.

    I can easily show you my current OTPs, and the next minute's ones... and there is nothing you can do with it unless you are trying to login at this exact minute. That's why OTP fields are not password masked: cause they are not secret. The seed is secret, not the code.

    They are indeed meant to be secret, they just expire. But if an attacker uses them before you, they're home free.

    And if there is a keylogger on my machine (or public machine I am using), then my master password is now compromised, and attacker has access to my vault and all passwords and OTP seeds in it.

    Agreed. We don't recommend ever entering any sensitive information on an untrusted or potentially compromised machine.

    If you keep your 2FA OTP seeds on your phone separate from 1P synchronized vault, and the computer is compromised with a keylogger, then even after gaining master password, and further the passwords to individual sites, the attacker cannot login cause they are missing the 2FA OTPs.

    If you're entering them on the same machine that you are your username and password (no real way around this usually), why can't the attack capture all of them if they've already compromised it?

    The paragraph you quoted addresses this exact scenario: Passwords and 2FA OTPs in different places protects you from keyloggers; passwords and 2FA OTPs in same place simply doesn't do anything, so why even bother enabling 2FA on a service in the first place?

    Multifactor authentication is difficult to talk about since there are so many different implementations. Some of them are good. Some are not. But in general terms I think we can agree that multifactor is at least as good as none, and in many cases it can really help defend against specific kinds of attacks.

    For example, 1Password Teams has beta support for Duo authentication. Apart from being pretty slick, what I like about it is that instead of giving me a code to enter which could also be captured, I have to confirm the login attempt from an authorized device — using the app on one of my phones. So there's no risk of an attacker capturing my TOTP code. Even if my computer is compromised, while that would allow them to do a lot of damage, they could not reset or disable Duo on my 1Password Teams account to gain permanent access to the account, because the device needed to authenticate is still separate and fully under my control.

    That makes TOTP sound like it is useless, and that's just not the case. But it's protecting against a different kind of threat: if my account credentials are compromised because of a website breach (for example if Yahoo had used TOTP /cough), an attacker would still not be able to access my account, even though they have the username and password.

    The Secret Key is another great example: it's purpose is to protect 1Password.com users' data in the case of a server breach. With other similar services (since, as far as I know, we're the only ones doing this), if someone is able to steal the database, they can perform brute force attacks against users' Master Passwords. In the case of 1Password.com, since both the Master Password and the Secret Key are used to encrypt the data and we never have either of those, it is not possible for someone to target users' Master Passwords (which may be weak in many cases, and certainly much weaker than the 128-bit, randomly generated Secret Key) to brute force their way into the data.

    Just because a particular security measure is not strong against all possible attacks does not make it useless or irrelevant; rather, no single security measure is a panacea, so it's how we use them in conjunction with one another — password managers, TOTP, unique passwords, etc. — that can make all the difference. :sunglasses:

This discussion has been closed.