How to handle airgapped transfer of certain files for 1Password on Windows

sach_nyc
Community Member
edited September 2018 in 1Password 7 for Windows

I recently signed up for a 1Password trial. I like the product so far but have a few questions.

  1. Do I need to keep both the secret key and the master password safe to log in to my account? What if I lose one of them? How can I recover them?
  2. How would you suggest to keep them safe?
  3. Your support site says the secret key is not known to you, but you show me the secret key in my online account after I log in... how is that possible? Why don't you need the full secret key to log in online too, if you don't have it?
  4. What if I lose one or both of the secret key and/or master password? How will I restore my account?
  5. If I use the Chrome extension, why can't some bad plugin extract all my passwords and send them somewhere?

Thanks
Sal


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided


Comments

  • MikeT
    edited July 2018

    Hi @sach_nyc,

    Thanks for writing in.

    Do I need to keep both the secret key and the master password safe to log in to my account? What if I lose one of them? How can I recover them?

    Yes, you must keep both secrets to log into your 1Password account on new devices. Do not lose them, as we cannot recover or reset your 1Password account.

    Be sure to print out the Emergency Kit that we advised you to print when you created the 1Password account at https://my.1Password.com.

    For more details on why this is important: https://support.1password.com/secret-key-security/

    How would you suggest to keep them safe?

    Print out the Emergency Kit file and keep it in a secure place; some people store it in a safe at home or in a bank's safe deposit box if they already use one. Here's our support article on how to get it and to learn more about it: https://support.1password.com/emergency-kit/

    Your support site says the secret key is not known to you, but you show me the secret key in my online account after I log in... how is that possible? Why don't you need the full secret key to log in online too, if you don't have it?

    The information is stored within the local browser's database for the site; if you reset the history for the site, you will not be able to get back in without the secret key.

    What if I lose one or both of the secret key and/or master password? How will I restore my account?

    You cannot get back in. Your 1Password data is encrypted locally with both pieces of information; neither is transmitted to us as is, and only the encrypted state of your data is hosted with us. What the 1Password.com web app does is download the encrypted data into the browser's database (encrypted only) and decrypt it locally with your secrets. A special unique key, scrambled out of your secrets using the Secure Remote Password (SRP) protocol, is sent to us to prove that you own the account, but we can't use it to decrypt the data on our side.

    If you forget either piece of information, it cannot be reset by anyone. (Unless you're on a Families/Team plan and have set up a recovery option; learn more here: https://support.1password.com/recovery/)

    If I use the Chrome extension, why can't some bad plugin extract all my passwords and send them somewhere?

    The regular 1Password browser extension doesn't have any data or UI at all; it can't be attacked directly. Extensions are also sandboxed from each other.

    The 1Password extension connects to the running 1Password program on your computer and asks for very specific data when filling on the site you're on; if you're saving a new Login, it sends it back to the 1Password program. In other words, the malware needs to escape the browser's sandbox to attack 1Password directly, which is extremely hard to do.

    In addition, the majority of browsers prompt you to allow extensions to access your data, but if you do this, then yes, they can simply wait for you to enter your details for the website and steal them that way; this is a general security issue that doesn't require anything like the 1Password extension. You must be careful with what extensions you install in any browser; any one of them can potentially be used against you. Be sure to review your list of extensions and do not give them permissions if you're not sure.

  • sach_nyc
    Community Member
    edited July 2018

    Thanks for the detailed reply. I like this software and the security it provides. Likely I won't use the Chrome extension, as all extensions seem unsafe... nothing specific about this one.

    From your writings, it seems like if I lose the secret key and password on the same device which I used earlier, then my account can be recovered... is it so?

    The safe box idea for keeping the secret is good... any other way? And what about the safety of the master password? I could forget it too!! I plan to keep the encryption keys of my data backups in this vault too... so if they are lost, entire disks can become useless.

  • Hi @sach_nyc,

    Likely I won't use the Chrome extension, as all extensions seem unsafe... nothing specific about this one.

    It depends on what your concerns are; there's a balance to everything, and you have to decide which tradeoff is worth it for you. Everyone has different needs and has to handle them differently.

    For me, I have no problem using 1Password extensions, because copying/pasting is worse: whatever's in the clipboard is visible to all running programs, including malware on your computer. The 1Password extension does not use your clipboard; it simply inserts the data into the website's forms.

    It seems like if I lose the secret key and password on the same device which I used earlier, then my account can be recovered... is it so?

    If by "and" you mean both secrets, no, you can't recover them anywhere. Your master password is not stored anywhere in any form.

    1Password has its own local encryption key that is encrypted by your master password; it can only decrypt this key when you enter your master password. It then uses this local key to decrypt the database, and your master password is wiped off the system instantly.

    The safe box idea for keeping the secret is good... any other way? And what about the safety of the master password? I could forget it too!! I plan to keep the encryption keys of my data backups in this vault too... so if they are lost, entire disks can become useless.

    Your master password has to be in your head only; any attempt to store it anywhere could expose that data to any attacker that gets into your computer, either in person or via malware that infects your hard drive.

    Now, you could store your password in an encrypted vault that you back up securely; just make sure you do it in a way that doesn't leave behind any traces. Saving it on the desktop and then moving it to the encrypted vault means it's not secure anymore, and it's even worse if you're using a hard drive and not an SSD, as the data can be recovered with specific disk tools.

    If your room is relatively secure, you can just store it in your desk, as long as it is not on your computer, since it may be easier to break into your computer than your home. If you're using 1Password at a remote cafe, then yeah, you shouldn't have the paper nearby.

    One more thing that often trips people up: you don't have to use a random string of characters; use a passphrase that you can always remember. Here's our suggestion on how to choose a good master password: https://support.1password.com/strong-master-password/

  • sach_nyc
    Community Member

    Thanks for the detailed reply. If my computer is hacked, can the hacker export all passwords from the vault and take off with them? Or is the only option to get passwords one by one from the vault, which will take time?

    One problem I saw in other password managers is that once I log in to the desktop, the Chrome extension for the password manager is always accessible and does not ask for re-authentication, even after logging back in after locking the computer. This means that if someone gets physical access to the computer and can log in after resetting the password using some tool (there are many), they can extract all passwords... isn't it?

  • Hi @sach_nyc,

    If my computer is hacked, can the hacker export all passwords from the vault and take off with them?

    Not without knowing your master password, your data is encrypted on disk. They can see the encrypted file but they can't get in without entering the right master password. However, if they have total compromise of your system and wait for you to enter your master password, they could figure it out in time. Once your system is totally compromised, nothing can protect you.

    One problem I saw in other password managers is that once I log in to the desktop, the Chrome extension for the password manager is always accessible and does not ask for re-authentication, even after logging back in after locking the computer.

    Not the case here; you must always unlock 1Password when you sign in to your computer. In addition, and by default, 1Password auto-locks 10 minutes after you stop using your keyboard/mouse. You can adjust this to be sooner, or to never lock, via 1Password's security settings here:

    1Password cannot open on its own without your master password.

    This means that if someone gets physical access to the computer and can log in after resetting the password using some tool (there are many), they can extract all passwords... isn't it?

    1Password uses encryption for your data, which means that there's no way to reset your password. Resetting is only possible if you know the original password. Websites tend to have a copy of your password in clear view or a hashed version, so they can reset it for you no problem, but if they were using encryption, it would not be possible at all.

    The only way attackers can get in is by guessing your password with a brute-force attack. When you first install 1Password, we generate the strongest possible local unique encryption key and protect it with the master password (after scrambling it 100K times with PBKDF2 to make it stronger). This means that to test each password, they have to do the same thing with 100K scrambles per single password and that takes time to find the right password.

    In fact, we have a cash competition for someone to guess the password to a vault we've created, and in two months no one has: https://blog.agilebits.com/2018/04/26/how-strong-should-your-master-password-be-for-world-password-day-wed-like-to-know/
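
An added example of the unlock model MikeT describes in the last two replies: a random local key is wrapped under a key derived from the master password with 100K PBKDF2 iterations, so an attacker holding a copy of the vault file must pay a full derivation per guess. This is illustrative code written for this page, not 1Password's own; the wrap construction (an HMAC-SHA256 keystream plus tag standing in for an AEAD), the salt size, the sample passphrases and the tiny word lists are assumptions, and the timing function measures only the machine it runs on.

```python
import hashlib
import hmac
import os
import secrets
import time
from itertools import product
from typing import Dict, Iterable, Iterator, Optional, Tuple

# Iteration count quoted in the reply above; every other parameter here is the example's own.
ITERATIONS = 100_000


def derive_kek(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into a 32-byte key-encryption key (KEK)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def _pad(kek: bytes) -> bytes:
    # Illustrative keystream for wrapping one 32-byte key; a real client would use an AEAD.
    return hmac.new(kek, b"wrap-pad", hashlib.sha256).digest()


def _tag(kek: bytes, wrapped: bytes) -> bytes:
    # Integrity tag over the wrapped key: lets unlock() reject a wrong password without leaking the key.
    return hmac.new(kek, b"wrap-tag" + wrapped, hashlib.sha256).digest()


def create_vault(master_password: str) -> Dict[str, bytes]:
    """Generate a random vault key and keep it only in wrapped form.

    What lands on disk is salt + wrapped key + tag: no master password and no
    usable key, so a copied vault file yields nothing without a correct guess.
    """
    salt = os.urandom(16)
    vault_key = secrets.token_bytes(32)
    kek = derive_kek(master_password, salt)
    wrapped = bytes(a ^ b for a, b in zip(vault_key, _pad(kek)))
    return {"salt": salt, "wrapped": wrapped, "tag": _tag(kek, wrapped)}


def unlock(vault: Dict[str, bytes], master_password: str) -> Optional[bytes]:
    """Re-derive the KEK, verify the tag, unwrap. Returns None on a wrong password."""
    kek = derive_kek(master_password, vault["salt"])
    if not hmac.compare_digest(_tag(kek, vault["wrapped"]), vault["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(vault["wrapped"], _pad(kek)))


def passphrase_candidates(word_list: Iterable[str], length: int) -> Iterator[str]:
    """Every `length`-word phrase from the list, in list order (what a guesser enumerates)."""
    words = list(word_list)
    for combo in product(words, repeat=length):
        yield " ".join(combo)


def brute_force(vault: Dict[str, bytes], candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Offline guessing against a stolen vault file: each candidate costs a full PBKDF2 run."""
    tried = 0
    for guess in candidates:
        tried += 1
        if unlock(vault, guess) is not None:
            return guess, tried
    return None, tried


def seconds_per_guess(salt: bytes, iterations: int = ITERATIONS, samples: int = 3) -> float:
    """Cost of one derivation on this CPU; a GPU cracking rig is orders of magnitude faster."""
    start = time.perf_counter()
    for i in range(samples):
        derive_kek("timing-probe-%d" % i, salt, iterations)
    return (time.perf_counter() - start) / samples


def years_to_exhaust(words: int, length: int, per_guess: float) -> float:
    """Worst-case wall time to try every `length`-word phrase drawn from a `words`-word list."""
    return (words ** length) * per_guess / (365 * 24 * 3600)


if __name__ == "__main__":
    vault = create_vault("correct horse battery")  # constructed sample passphrase
    assert unlock(vault, "wrong password") is None
    per = seconds_per_guess(vault["salt"])
    print("one guess costs about %.0f ms here" % (per * 1000))
    found, tried = brute_force(
        vault, passphrase_candidates(["battery", "correct", "horse", "staple"], 3))
    print("recovered %r after %d guesses from a 4-word list" % (found, tried))
    for n in (3, 4, 5):
        print("%d words from a 7776-word list: %.1e years worst case"
              % (n, years_to_exhaust(7776, n, per)))
```

Running it prints the per-guess cost on the local CPU and the worst-case years for 3-, 4- and 5-word phrases from a 7776-word (diceware-style) list. The iteration count only scales the cost of one guess; the word count is the exponent, which is why the later advice in this thread is about the number of words. Treat the printed years as an upper bound on attacker effort: dedicated cracking hardware runs the same PBKDF2 far faster than the loop here.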

  • sach_nyc
    Community Member
    edited July 2018

    Not without knowing your master password, your data is encrypted on disk. They can see the encrypted file but they can't get in without entering the right master password. However, if they have total compromise of your system and wait for you to enter your master password, they could figure it out in time. Once your system is totally compromised, nothing can protect you.

    So, when the system is fully compromised, do you have any prevention against exporting all the info? Like 2-factor authentication or something? I think it should be one-by-one access in all situations, unless you want to export everything with additional security validation.

    Not the case here; you must always unlock 1Password when you sign in to your computer. In addition, and by default, 1Password auto-locks 10 minutes after you stop using your keyboard/mouse. You can adjust this to be sooner, or to never lock, via 1Password's security settings here:

    Anyway, can it lock itself in 5 mins even if I am using the system?

  • MikeT
    edited July 2018

    Hi @sach_nyc,

    So, when the system is fully compromised, do you have any prevention against exporting all the info? Like 2-factor authentication or something? I think it should be one-by-one access in all situations, unless you want to export everything with additional security validation.

    No, there is nothing you or anyone can do to protect that data in this situation. All you can do is disconnect from the internet, clean up and change passwords as fast as you can.

    Once compromised, it's too late. They have a copy of your encrypted data and can just unlock it with the secrets you've just given them. Preventing the export doesn't do anything, since they already have the data.

    1Password is not a comprehensive security system designed to protect you against a compromised system; that's not what it does, nor its task. You can use 1Password as one of the security tools in the whole ecosystem that you still have to maintain: you still have to keep your system up to date, you still have to use an anti-malware solution, you still have to avoid visiting sites you don't know about, and you must not download or open files you didn't ask for.

    Anyway, can it lock itself in 5 mins even if I am using the system?

    No, but you can manually lock 1Password yourself if you wish; we have a keyboard shortcut you can use to lock it (Win Key + Shift + L).

  • sach_nyc
    Community Member

    OK... OK... 1Password looks good. Thanks for all the replies. I'll buy it soon. I like that you have an additional security key with the master password. Thanks :)

  • sach_nyc
    Community Member

    One more question: what would you suggest for things which could not be changed or replaced once the vault is permanently locked... in case of loss of the master password... like encryption keys for a disk?

  • Hi @sach_nyc,

    You're welcome.

    I like that you have an additional security key with the master password. Thanks :)

    We also support two-factor authentication with 1Password.com memberships, you can see more details about it here: https://support.1password.com/two-factor-authentication/

    What would you suggest for things which could not be changed or replaced once the vault is permanently locked... in case of loss of the master password... like encryption keys for a disk?

    Could you provide more context for that question? I'm not sure I understand.

  • sach_nyc
    Community Member

    Could you provide more context for that question? I'm not sure I understand.

    For example, I have BitLocker on two partitions on my laptop disk. I keep the private keys/encryption keys for these in the password manager. But if the password manager gets locked permanently, i.e. loss of the master password, these keys will be gone forever. This means my disk cannot be unlocked. This case is different, as passwords for sites, credit cards, etc. can be reset/re-entered, but encryption keys cannot be re-created once gone. Similarly, if someone is keeping private keys for Bitcoin or any alt-coin, they will be gone forever too, causing loss of money. I don't keep keys of any coin in my password manager, though.

  • Ah, thank you for providing these details.

    Unfortunately, that's something you have to plan for. Many of us have mobile devices that we also keep 1Password on, so we can use it to unlock our PCs if we forget the computer account/bitdefender/firmware passwords, and some of us use an Apple Watch for that situation as well.

    There isn't a one-size-fits-all solution here. The next best solution would be to keep a copy of the vital passwords in unencrypted form on a USB drive and put it in a safe that you can use, either at your place or in a bank's safe deposit box.

  • sach_nyc
    Community Member

    Thanks for the helpful answers!! I am going to buy this ASAP 8-)

  • AGAlumB
    1Password Alumni

    Hey, thanks for taking the time to ask, and for checking out 1Password in the first place. We're here if you have any other questions! :)

  • sach_nyc
    Community Member

    One more question: a 4-word, 5-word or 6-word passphrase?

  • AGAlumB
    1Password Alumni

    @sach_nyc: Great question! Given that our World Password Day challenge (to crack a random three-word password) has still not been won, we're confident that four words is sufficient. But if you're comfortable using a five or six word random password, that's even better. :)

  • sach_nyc
    Community Member
    edited July 2018

    Thanks. I think I can remember a 5-word password 8-)

  • sach_nyc
    Community Member

    Thanks. Is the secret key kept as plain text on authorized devices?

  • AGAlumB
    1Password Alumni

    @sach_nyc: When you authorize a device, the Secret Key is obfuscated before being stored locally. Pretty much everything is using full disk encryption nowadays, which helps, but the Secret Key cannot be encrypted using your Master Password or that could be used to help guess your Master Password if the device is compromised. So it's best to authorize devices that are trusted. After all, accessing sensitive information on an untrusted device at all is risky. Anyway, great questions! Let us know if you have any others. :)
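
An added illustration of the point in the reply above: why the Secret Key is only obfuscated on an authorized device rather than encrypted under the Master Password, and what mixing a second, machine-generated secret into the key derivation buys against a thief of the encrypted data. This is example code written for this page, not 1Password's own. The two-secret derivation (PBKDF2 of the password XORed with an HMAC expansion of the Secret Key), the sample Secret Key format, the fixed-mask obfuscation, the verifier and the candidate list are all assumptions made for the example; the real 1Password derivation is not described on this page.

```python
import base64
import hashlib
import hmac
import os
import secrets
from typing import Iterable, Optional

ITERATIONS = 100_000  # iteration count quoted earlier in the thread; illustrative


def new_secret_key() -> str:
    """128 bits of machine-generated randomness, base32 for readability.

    Constructed for the example; not 1Password's real Secret Key format.
    """
    return base64.b32encode(secrets.token_bytes(16)).decode("ascii").rstrip("=")


def derive_unlock_key(master_password: str, secret_key: str, salt: bytes,
                      iterations: int = ITERATIONS) -> bytes:
    """Combine both secrets into one 32-byte unlock key.

    Assumed construction: the stretched password and an HMAC expansion of the
    (already high-entropy) Secret Key are XORed, so neither secret alone
    determines the key and neither can be tested in isolation.
    """
    pw_key = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                 salt, iterations, dklen=32)
    sk_key = hmac.new(secret_key.encode("ascii"), b"expand" + salt, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pw_key, sk_key))


def verifier_for(key: bytes) -> bytes:
    """Stand-in for whatever lets a client confirm a candidate key (in practice the
    authentication tag on the encrypted vault data)."""
    return hmac.new(key, b"verifier", hashlib.sha256).digest()


def password_only_verifier(master_password: str, salt: bytes) -> bytes:
    """The design the reply above rejects: a value on disk determined by the Master
    Password alone (for example the Secret Key encrypted under it)."""
    pw_key = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                 salt, ITERATIONS, dklen=32)
    return verifier_for(pw_key)


# Public constant baked into every copy of the app: the mask is not a secret.
_MASK = hashlib.sha256(b"obfuscation constant known to every installation").digest()


def obfuscate(secret_key: str) -> bytes:
    """Reversible scrambling: keeps the key out of casual view and accidental logs,
    but anyone with code execution on the device can undo it."""
    raw = secret_key.encode("ascii")
    return bytes(b ^ _MASK[i % len(_MASK)] for i, b in enumerate(raw))


def deobfuscate(blob: bytes) -> str:
    return bytes(b ^ _MASK[i % len(_MASK)] for i, b in enumerate(blob)).decode("ascii")


def guess_with_secret_key(verifier: bytes, salt: bytes, candidates: Iterable[str],
                          secret_key: str) -> Optional[str]:
    """Offline guessing with some Secret Key in hand (the real one, or a guess at it)."""
    for cand in candidates:
        if hmac.compare_digest(verifier_for(derive_unlock_key(cand, secret_key, salt)), verifier):
            return cand
    return None


def guess_password_only(verifier: bytes, salt: bytes, candidates: Iterable[str]) -> Optional[str]:
    """Offline guessing against the rejected design: no second secret needed."""
    for cand in candidates:
        if hmac.compare_digest(password_only_verifier(cand, salt), verifier):
            return cand
    return None


if __name__ == "__main__":
    salt = os.urandom(16)
    secret_key = new_secret_key()
    password = "correct horse battery"                       # constructed sample
    verifier = verifier_for(derive_unlock_key(password, secret_key, salt))
    wordlist = ["password123", "correct horse battery", "letmein"]  # constructed

    # 1. Thief of the server-side copy: has verifier + salt, must guess the Secret Key too.
    print("server copy:", guess_with_secret_key(verifier, salt, wordlist, new_secret_key()))
    # 2. Thief of a trusted device: unmasks the stored Secret Key; only the password remains.
    stored = obfuscate(secret_key)
    print("device copy:", guess_with_secret_key(verifier, salt, wordlist, deobfuscate(stored)))
    # 3. Rejected design: a password-only value on disk is a guessing oracle by itself.
    print("password-only:", guess_password_only(password_only_verifier(password, salt), salt, wordlist))
```

The three scenarios in the `__main__` block track the reply: a thief of the server-side copy can try every password in the list, including the right one, and confirm nothing, because the 128-bit Secret Key would have to be guessed alongside it; a thief of an authorized device unmasks the Secret Key and is back to guessing the Master Password alone, which is why the reply says to authorize only trusted devices; and anything on disk that is determined by the Master Password by itself would hand that same device thief a cheap check for each guess, which is exactly what the two-secret layout avoids.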

  • sach_nyc
    Community Member

    Windows disks are not encrypted by default. I do not have encryption on the C drive but have it on others.
    Another one: is it advisable to keep the 1Password master password in 1Password?

  • AGAlumB
    1Password Alumni
    edited July 2018

    Windows disks are not encrypted by default. I do not have encryption on the C drive but have it on others.

    @sach_nyc: Good point. Many are encrypted by default, but you're right: like Android, this is not the case across the board; it depends on the device.

    Another one: is it advisable to keep the 1Password master password in 1Password?

    I'll put it this way: there's no downside for most people, and there are a lot of upsides. For example, if you forget your Master Password but you're using biometrics to unlock 1Password, you'd be able to access it in your vault. And since an attacker would need to know your Master Password to access your data to get your Master Password inside the vault, it's not really a security risk either. :)

  • sach_nyc
    Community Member

    Awesome. Is the two-factor authentication code, or its key, used for encryption, or is it just used to pull the 1Password DB to a new computer from your server?

  • AGAlumB
    1Password Alumni
    edited July 2018

    @sach_nyc: One-time passwords cannot be used for encryption, as the encryption would need to somehow change over time for that to work, since the code is different every 30 seconds. 1Password's data security model is built on encryption, not authentication, so that even once someone has already stolen your data (e.g. from your own device), they will need to decrypt it to access it. Authentication comes into play only when communicating with the server, so two-factor authentication (if applicable) applies in that case, and serves as an extra layer of account security. You can learn more about how all of this works here:

    Authentication and encryption in the 1Password security model

    Cheers! :)

  • sach_nyc
    Community Member

    Thanks. I found a limitation of 1Password. I have a website (www.hdfcbank.com) which opens a popup for login. 1Password does not work on that popup.

    Also, Watchtower shows me around 151 logins which are compromised. These are mostly websites I never use much. But how do I automatically change the password for these?

  • AGAlumB
    1Password Alumni

    Thanks. I found a limitation of 1Password. I have a website (www.hdfcbank.com) which opens a popup for login. 1Password does not work on that popup.

    @sach_nyc: Well...I'd argue that their website is the limitation (Internet Explorer 7 is recommended at the bottom!), but you can probably invoke 1Password using its keyboard shortcut, even if they're hiding the toolbar for some bizarre reason. ;)

    I was able to save and fill a login there with 1Password following these steps to save the login manually:

    1. Navigate to the login page
    2. Enter your login credentials (do this after the first, username-only step)
    3. Click the 'keyhole' icon to bring up the extension
    4. Click the 'gear' icon for Settings
    5. Click Save New Login
    6. Give it a name and Save
    7. Close the webpage
    8. Return to the main login page and press Ctrl \ to fill with 1Password

    Let me know how it goes. :)

  • sach_nyc
    Community Member

    Thanks. I'll try it.

  • Let us know how it goes!

  • sach_nyc
    Community Member

    Yeah... it works. My 1Password shows me very bad stats: 134 vulnerable, 453 reused, 109 weak... how do you recommend fixing this? It's like 2 weeks of work.

  • MikeT
    edited July 2018

    Hi @sach_nyc,

    Watchtower already sorts it by risk level with vulnerable/compromised on top, reused below and so on. So, in your case, start working on the vulnerable items first. Take your time with that, just go to each item, log in with 1Password, change the password with 1Password and you'll be done. (We have a guide on this here: https://support.1password.com/change-website-password/)

    Note that there's a small bug in 1Password where, if you update the password for a vulnerable item, it doesn't remove it from the list quickly enough. This has been fixed in the next update.

  • sach_nyc
    Community Member

    Thanks. I am going to fix 20/day so that it does not take most of my time every day.

This discussion has been closed.