Effect of Email Address Vulnerability

MikeA01730
Community Member

Hi,

For my general use I use a forwarding email address for a professional organization that I belong to. It's always worked fine and it's let me keep the same email address since 1995 even though I've gone through several ISPs and email providers over the years.

However, I recently heard of a social engineering exploit with a different forwarding service where the forwarding account was hijacked, and unsurprisingly things went downhill from there. It seems that using a forwarding email address for critical accounts adds an additional unnecessary attack surface. Consequently, I've changed the email address I use for critical accounts to my actual email provider.

My question is: does this make sense for my 1Password account? I ask because it's not clear to me exactly how 1Password uses my email address, so the implications of an email hijack are unclear.

Thanks,
Mike



Comments

  • Hi @MikeA01730,

    Thanks for writing in.

    You should enable 2FA protection on your email service if they offer it; it will help a bit against that kind of attack. However, yes, it is not a great idea to insert third-party services between your email account and other services. It does provide another point of failure, especially when you consider that email is insecure by nature due to its aging protocols; it was never designed for today's world.

    We operate on the basis that your email address is the weakest link for the 1Password accounts; having the email address alone could not get anyone anything. They must know the secret key in addition to your master password to sign in or to hijack the account. Neither the key nor the master password is ever transmitted anywhere.

    However, for billing questions and other owner-related stuff, we do need you to verify that you own the account by emailing in from that original email address, so it is best to protect your email address as much as you can.

This discussion has been closed.