Does Teams have this same problem?

Apparently there was some security issue found with LastPass - see this link.

http://motherboard.vice.com/read/lastpass-phishing-attack-lets-hackers-get-all-your-passwords

I understand the local version of 1Password would be OK, but does Teams have protection in place?

Thanks



Comments

  • AGAlumB
    1Password Alumni

    @bdillahu: It's important to keep in mind that if you give up the 'keys' to your data, there is nothing to stop someone malicious from using them just as you would to access it. So it's crucial to only enter your Master Password and Account Key into either the 1Password app itself or the 1Password for Teams website — nowhere else. No one can protect you if you give your secrets away (and 1Password cannot stop you from doing so), so guard them jealously!

    That said, there are also a number of safeguards in place with 1Password for Teams that can mitigate a phishing attack:

    • Using the 1Password app signed by AgileBits, after you set it up on a device for the first time you won't have to re-enter the Account Key. It is stored securely, and then you'll only need to enter the Master Password into a secure field to unlock the app periodically.
    • Using the 1Password for Teams website, the Account Key is only needed the first time you set it up in that browser, stored securely, with the Master Password required to log in, similar to the app.
    • In both cases, it's impossible to log in (and decrypt the data) without both the Master Password and Account Key, and not having to enter the Account Key after the initial setup reduces the opportunity for it to be captured.
    • And most importantly, your Master Password and Account Key are never transmitted. They are only used locally on your device, so there isn't a way for someone to intercept them, even with a man-in-the-middle attack. Finally, your data can only be decrypted with both, so even if someone malicious were to compromise the server, they have access only to encrypted data, not the means to decrypt it.

    An important rule of thumb to remember that applies to everything (not just 1Password) is if you're getting popups to enter passwords (especially from a browser), don't until you're absolutely certain that you're doing so in a secure field for the app or service you expect (or in the case of 1Password for Teams, directly at https://yourteamname.1password.com). 1Password also doesn't annoy you with popups of this kind, so if you're seeing one claiming to be "1Password", it almost certainly isn't. The 1Password for Teams website will simply take you back to the login screen, and the 1Password app will take you to the lock screen.

    I hope this helps. Be sure to let us know if you have any other questions! :)
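A simplified sketch of the two-secret property described in the reply above: the key is derived locally from both the Master Password and the Account Key, so the stored data alone, or one phished secret alone, does not unlock anything. This is an added example, not part of the original post and not AgileBits' code; the function names, the PBKDF2/HMAC/XOR construction, the iteration count and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac

def derive_key(master_password, account_key, salt, iterations=100_000):
    """Combine both secrets into one 32-byte key, entirely on the client."""
    # Slow, salted stretch of the human-chosen (guessable) Master Password.
    stretched = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)
    # The Account Key is assumed random and high-entropy, so one keyed hash suffices.
    mixed = hmac.new(salt, account_key.encode(), hashlib.sha256).digest()
    # XOR the two halves: the result is only reproducible with BOTH inputs.
    return bytes(a ^ b for a, b in zip(stretched, mixed))

def tag_vault(key, vault):
    """Stand-in for authenticated encryption: a MAC over the stored blob."""
    return hmac.new(key, vault, hashlib.sha256).digest()

def can_unlock(master_password, account_key, salt, vault, tag):
    """True only if the candidate secrets reproduce the key that sealed the vault."""
    candidate = derive_key(master_password, account_key, salt)
    return hmac.compare_digest(tag_vault(candidate, vault), tag)

# Constructed sample values (hypothetical; not real credentials or formats).
PASSWORD = "correct horse battery"
ACCOUNT_KEY = "ACCT-KEY-CONSTRUCTED-0001"
SALT = bytes(range(16))
VAULT = b"opaque vault bytes as stored server-side"
# What a server would hold: salt, vault and tag. Neither secret is sent to it.
TAG = tag_vault(derive_key(PASSWORD, ACCOUNT_KEY, SALT), VAULT)

def scenarios():
    """Who can unlock the vault, given which secrets they hold."""
    return {
        "owner with both secrets":
            can_unlock(PASSWORD, ACCOUNT_KEY, SALT, VAULT, TAG),
        "phished Master Password, no Account Key":
            can_unlock(PASSWORD, "", SALT, VAULT, TAG),
        "Account Key only, wrong password guess":
            can_unlock("password123", ACCOUNT_KEY, SALT, VAULT, TAG),
    }

if __name__ == "__main__":
    for who, ok in scenarios().items():
        print(f"{who}: {'unlocked' if ok else 'denied'}")
```
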

  • If I understand correctly, the LastPass phishing attack is based on the prompt that is often shown as an iframe that could be embedded in any webpage. Here is the example from the original blog post:

    The users are trained to click on the button and it makes phishing much easier.

    The 1Password browser extension does not use iframes. It also does not add any additional visual HTML page elements.

This discussion has been closed.