A few questions about 1Password's security framework
I would like to use 2FA with my account, but I have found that 1Password does not support this, and from my research doesn't intend to. With the use of the master key as well as the master password, I don't think this is much of an issue - I would be annoyed needing to use 2FA all the time anyway with how much I use 1Password. I use a very long password, so I am not very worried about my hash being cracked if captured, however I am cautious about keyloggers getting my master password.
For reference, here is the page that mentions "secure input fields" https://support.1password.com/1password-security/
A user cannot access your account from a new device without entering your master key, correct?
What is the logic behind "secure input fields"?
Does this feature belong to all cross-platform versions of 1Password 7? (i.e. Android and Windows)
How is your "fingerprint data" stored when using 1Password with a fingerprint scanner on a smartphone?
What hashing algorithm are passwords/master keys hashed with on your servers?
Aaaaaaand I forget my last question... >.<
With each password that I add to 1Password, I get a little bit more worried about putting all of my eggs in one basket. Please help me to maintain my peace of mind!
I understand this is a lot to ask, and I am not on any time crunch - I will continue to happily use 1Password to simplify my life.
Thank you!
Steve
1Password Version: 7
Extension Version: Not Provided
OS Version: Windows 10, Android 8.1
Sync Type: Not Provided
Comments
-
Hey, Steve. I can help you with some of these questions.
First, 1Password does have 2FA available, you can check all about it here:
https://support.1password.com/two-factor-authentication/
Regarding new devices, indeed you need to enter your Master Password along with your Secret Key. You can even set it up to require email confirmation every time you add a new device.
Finally, all 1Password data is kept safe by the industry-standard 256-bit AES encryption algorithm, which is one of the top methods available right now.
I'll look into your other questions and get back to you. Meanwhile, if you have any further questions, I'll be more than happy to help you.
-
@betweentheburyd1: Indeed, to be clear, you should always be concerned about keyloggers or any malware. But even with two-factor authentication, it's not terribly difficult for malware on your machine to simply capture data as you access it, without it even needing your password or authentication code. So you should only use a safe, trusted device to access sensitive information, in 1Password or otherwise. To answer your questions:
A user cannot access your account from a new device without entering your master key, correct?
All account credentials are needed, including the chosen Master Password and the randomly-generated Secret Key.
What is the logic behind "secure input fields"?
They prevent another app from reading the information entered into the field. However, malware could potentially install a compromised input driver to capture input before it's in the field. There are many security measures that can be put in place, from Secure Input to two-factor authentication, but none alone are sufficient to protect against all classes of attacks. That's why good security hygiene is so important. Ultimately each of us is the weakest link in our security, since we could install something malicious if we're not vigilant, negating other protections that are in place.
Does this feature belong to all cross-platform versions of 1Password 7? (i.e. Android and Windows)
Different OSes implement protections like this in different ways.
How is your "fingerprint data" stored when using 1Password with a fingerprint scanner on a smartphone?
It's not stored in 1Password. All of that is handled by the OS:
About Fingerprint Unlock security in 1Password for Android
About Touch ID security in 1Password for iOS
What hashing algorithm are passwords/master keys hashed with on your servers?
We don't store any of those things on our servers: not hashed passwords, not Master Passwords, and not Secret Keys. It's absolutely critical that we never have the keys to anyone's data.
Aaaaaaand I forget my last question... >.<
Story of my life. If you think of it, let us know! ;)
With each password that I add to 1Password, I get a little bit more worried about putting all of my eggs in one basket. Please help me to maintain my peace of mind! I understand this is a lot to ask, and I am not on any time crunch - I will continue to happily use 1Password to simplify my life.
Absolutely. We don't want to have to worry about the stuff we put in 1Password either! That's why the Master Password is something each of us chooses for ourselves, which no one else knows; the 128-bit Secret Key is generated randomly on our local device when we create our own account; and neither is ever transmitted to the server. That way even if the server is broken into, none of us have to worry about an attacker accessing our data so long as we do not give them our "keys" to decrypt it, which no one else has.
You can learn more about how 1Password works in the security whitepaper. And if you have any other questions, be sure to ask! :)
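As an added illustration of the two-secret design described in the answer above (example code added by the editor; it is not 1Password's own code and not its actual key-derivation scheme, which is documented in the security whitepaper): a vault key is derived from both the user-chosen Master Password and a random 128-bit Secret Key generated on the device, so someone holding a copy of the encrypted data, even together with a correct password guess, still cannot decrypt it without the Secret Key. The PBKDF2 iteration count, the HMAC-based counter-mode cipher standing in for AES (the Python standard library has no AES), and the sample vault item are all constructed assumptions.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

# Constructed parameters for illustration only (not 1Password's real values).
PBKDF2_ITERATIONS = 100_000
KEY_LEN = 32
NONCE_LEN = 16
TAG_LEN = 32


def derive_vault_key(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Combine the chosen password with the random 128-bit Secret Key.

    The password is stretched with PBKDF2 (deliberately slow, to resist guessing).
    The Secret Key is mixed in with HMAC (already high-entropy, so no stretching
    needed). Both inputs are required to reproduce the key; neither leaves the device.
    """
    stretched = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=KEY_LEN
    )
    # HKDF-style extract step: HMAC keyed with the Secret Key over the stretched password.
    return hmac.new(secret_key, stretched, hashlib.sha256).digest()


def _subkeys(vault_key: bytes):
    """Separate encryption and MAC keys derived from the vault key."""
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy stand-in for an AES mode)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_item(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output layout is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_item(vault_key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the key is wrong or the blob was altered."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def demo() -> Dict[str, Optional[bytes]]:
    """Show which combinations of secrets can open a copied vault item."""
    master_password = "correct horse battery staple"   # constructed example password
    secret_key = secrets.token_bytes(16)               # 128-bit random, made on the device
    salt = os.urandom(16)                              # stored alongside the vault data
    vault_key = derive_vault_key(master_password, secret_key, salt)
    blob = encrypt_item(vault_key, b"login: example.com / hunter2")  # constructed item

    return {
        # Legitimate device: both secrets present.
        "both_secrets": decrypt_item(vault_key, blob),
        # Attacker with the encrypted data and the correct password, but no Secret Key.
        "password_only": decrypt_item(derive_vault_key(master_password, bytes(16), salt), blob),
        # Attacker with the Secret Key but no idea of the password.
        "secret_key_only": decrypt_item(derive_vault_key("", secret_key, salt), blob),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:16s} -> {'decrypted' if result else 'FAILED (authentication)'}")
```

The point the demo makes is the one in the answer: a stolen copy of the encrypted data is only as useful to an attacker as the secrets they hold, and with the 128-bit Secret Key never stored on the server, an offline password-guessing campaign against a server breach has nothing to test its guesses against.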
-
You guys are awesome, thank you so much! Very good information. I happen to be at the PenTest HackFest event in Bethesda, MD right now typing this from my hotel room - if you guys just so happen to be at this event, I'd love to buy the first round!
Either way, thanks again guys for the great answers! Not to mention - all good stuff, just what I want to hear. Security first.
-Steve
-
@betweentheburyd1: Likewise, thanks for the kind words, Steve, and for being as passionate about security as we are! I could be mistaken since I'm quite a distance away currently, but I don't believe we have any folks there this time around. I'll double check though when others start to wake up and log in -- and take you up on that drink if and when we meet elsewhere. :sunglasses:
-
:)
-
Hope you're enjoying the conference! :)