Membership Synching Question vs 3rd Party Synching

nosferatuwho

For the membership as I recall it automatically synchs as oppose to using 3rd parties like Dropbox, iCloud, etc. But say my device broke and so I have to get on a new device, where to would I get my emergency kit to restore my info? As I was aware, if you had your emergency kit backed up with Dropbox, iCloud, you can sign into those and then restore. But for memberships, where would I go? If in order for me to access my emergency kit, an option would be to log into the web platform but assuming that I'm using a new computer to get my info, that would require my secret key in which I wouldn't have.

---

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

AGAlumB

@nosferatuwho: Keep in mind that your Secret Key will be accessible in a browser/app you've authorized already. You'll just need to enter your Master Password to unlock first.

But we recommend storing your Emergency Kit in a secure secure location like a safe deposit box. That way, if you really lose access to all of your devices at once, you'll have that as a fallback so you can sign into your 1Password.com account on a new device to access your data.

nosferatuwho

@brenty would you recommend that I encrypt my E.Kit and store it into the cloud? That way if all external things break/fail, I can access it through the cloud

Ben

Our recommendation is to keep a printed copy in a physically secured location, however I do know a number of folks who store their Emergency Kit sans-Master Password in the cloud.

Thanks.

Ben

nosferatuwho

Sans?

sjk

Hi @nosferatuwho,

Sans?

It means without.

So Ben was mentioning folks who do store their Emergency Kit in the cloud without including their Master Password on it – sorry for the confusion. :)

AlwaysSortaCurious

@nosferatuwho I have both models, in an encrypted RAR5 file on my PC in an encrypted cloud folder (lol) if traveling and I need access sans the master password.... and also in a shoebox for my wife with the master password written on it.

rickfillion

That sounds like a good plan, @AlwaysSortaCurious.

Rick

nosferatuwho

I also have some other questions I'm hoping you can answer for me.

1) Is the masterpassword the only thing that can’t get keylogged? What about the web platform? What about when I autofill my info into my online accounts (Facebook, Twitter, Etc).

2) - What draws me to 1password is the OTP. The fact that if all my belonging were gone, I could just access another computer, go to my iCloud, access my Emergency Kit and I'm back into action. But my concern with using a 1password for my OTP is that If someone were able to watch my screen, then they would be able to get my masterpass and/or secret key. Does 1pass have a way to prevent this? If my system was compromised and they had access to my 1pass then all my info would be gone wheres if I were to use 2FA with Authy/Google Auth. even if they keylogged and got my info, they would still need my phone physically.

AGAlumB

@nosferatuwho: We go to a lot of trouble to prevent your Master Password and other sensitive information from being captured, using OS features like Secure Input, but once the system is compromised all bets are off. At that point, the attacker is essentially the owner of your machine, acting as you, and could probably modify OS behaviour in such a way to get anything they want. Even an amateur can simply sit back and wait for you to access data to take screenshots, video, etc. Two-factor authentication can defend against reply attacks (i.e. the attacker has captured your account credentials to use later), but not real-time attacks. Why can't the attacker controlling your machine just hijack your session by capturing the one-time password you enter, displaying an error to you while they use it themselves? 1Password can definitely protect your data while it's encrypted on disk, so long as you haven't provided the attacker with the "keys" to decrypt it; but if you access it, the data needs to be decrypted for you to view and/or use it. 1Password will not be useful to you if it displays and/or fills gibberish, so accessing your data on a compromised system will always be a risk.

nosferatuwho

@brenty what's the difference between reply attacks vs real time attack? With 2FA, "if" my system" was compromised they still wouldn't be able to get int simply because they would need my phone and "If" they did wait to get get into one of my accounts I would know right away and would stop entering my 2fa into any of my other accounts whereas if my system was compromised all my stuff would be gone because they could access my OTP and info

AGAlumB

@nosferatuwho: "Replay" generally means using static credentials or tokens to compromise an account. Doesn't really work with any but the worst multifactor (for example, if the one-time password doesn't actually expire, or has a very long life). By "real time attack" I mean that someone who owns your system can take the login credentials and one-time password as you enter them, send you to a fake login failed page (or submit dummy credentials to get a real one), and then use what you just entered themselves to access your account. At that point, you generating the code on your phone doesn't help you: you've just "forwarded" it to them. I'm not sure how you would know right away that this is happening, and all they need is one successful login to go in grab whatever they want. With control over your system, it would be trivial of them to just make it look like your internet isn't working to buy them a little time — or actually disable your network interfaces, if they have administrative access.

nosferatuwho

By finding out I mean that if they were to hack one of my accounts given that I have already enter in the token and noticing that that one of my accounts has been hacked as oppose to if they hacked my 1pass they would have info to all my passwords. If I were to use a 2FA like Authy or Google Auth you could wait til the last 5 seconds before it expires out

AGAlumB

@nosferatuwho: You're not wrong in an ideal scenario, but the real world is rarely that ideal. Having a system clock off isn't uncommon (comes up all the time, causing problems with TOTP generation and SSL/TLS), so I wouldn't want to rely on that. :)

nosferatuwho

@brenty Why is rarely ideal? Isn't a password manager a single point failure if your system is compromised? Doesn't that happen a lot within the world? I'm really curious and would like to have a discussion on this topic. If I'm wrong I'd also like to know because I want to know how far off am I

AGAlumB

@nosferatuwho: Indeed, I'm saying that depending on a 5 second window to protect yourself from an attacker capturing your credentials on a compromised system is a bit optimistic. Indeed, your 1Password.com account becomes a single point of failure if you fail to protect it. That sounds like a bad thing, but it's actually a good thing: you can focus on protecting it rather than spreading yourself thin trying to protect many individual threat vectors:

• Use a long, strong, unique Master Password
• Don't access your data on an untrustworthy or compromised machine

My point is that while multifactor authentication can protect you against some attacks, it still can't protect you if you're not doing these things, practicing good security hygiene, and simply hand over your account and/or data to them.

What I'm not saying is that you're not doing these things already. You probably are. I'm also not saying that multifactor is not useful against some attacks, just not the ones we're talking about here. Always happy to talk about this stuff; I just think it's important to be realistic. Better safe than sorry! :sunglasses:

XIII

I'm also not saying that multifactor is not useful against some attacks, just not the ones we're talking about here. Always happy to talk about this stuff.

Then it might be worthwhile to mention when 2FA is actually useful?

(And why currently only 1Password Teams subscribers can get it?)

Ben

Those points have been discussed in a number of other threads, including this one:

Why not use 2 factor authentication to secure my 1Password Vault? — AgileBits Support Forum

The short answer is that that two-step verification is useful at preventing some replay attacks, but not nearly to the degree many folks think it does. If the computer you’re using is compromised 2SV doesn’t protect you, for example. This article from The Verge (3rd party; no affiliation) expands on some of the difficulties:

Two-factor authentication is a mess - The Verge

One of the biggest concerns is that we want to avoid giving people a false sense of security. Thoughts some might have such as “I have two-step verification enabled so I can use a less complex Master Password” are problematic.

Currently only 1Password Teams Pro subscribers have access to Duo (what we’re currently using for 2SV) because it is a beta feature and only 1Password Teams Pro subscribers have access to beta features.

Ben