1Password

Abhijit
Community Member

Just a thought. Please review.

The name of, say, our iOS app is 1Password, which is great. It is very obvious that this contains my top secret passwords.

This carries a risk: anybody having my phone can touch my finger or use Face ID to open the app and view any passwords. Should we disguise the name? Not everybody necessarily knows from the logo that it is a password app. Why make it so obvious? And isn't it good if we disguise it, if that is even going to help in 1% of cases? I totally understand the goodwill and brand value attached to the name 1Password.

Why I thought of this: my child, reading the app name on my phone, asked me, 'Dad, does this contain all your passwords?'

Thanks,
Abhijit



Comments

  • gazu
    Community Member

    > This carries a risk: anybody having my phone can touch my finger or use Face ID to open the app and view any passwords.

    @Abhijit Yes, you're right.

    It's frequently suggested on here and other forums that you should disable TouchID / FaceID to open your password manager.

    Many people suggest using a PIN instead (in the Advanced section of the app), which requires the user to type in a four-digit PIN each time. One wrong entry and it'll lock 1Password, necessitating entry of the master password.

    Some may suggest that a PIN is less secure, but it isn't, provided that your phone itself is protected by TouchID / FaceID. A rogue individual would have to bypass two factors to get into 1Password (your fingerprint on the lock screen and your PIN for 1Password). It makes it more secure.

    > Should we disguise the name?

    That's not possible. Doing so would see 1Password banned from the Google Play Store and Apple App Store for a deceptive product. The rules forbid it.

    > And isn't it good if we disguise it, if that is even going to help in 1% of cases?

    If somebody has access past the lock screen then you've got bigger problems. Assuming you don't go down the route of using a PIN to unlock 1Password then a rogue individual would still need to use your biometrics to unlock 1Password.

  • Abhijit
    Community Member

    Thanks for the lightning response! We definitely do not want 1Password banned :-)

    Thanks,
    Abhijit

  • AGAlumB
    1Password Alumni
    edited April 2019

    Security through obscurity isn't something we want to practice. And, ultimately, even if we changed the name of our app, with millions of users, it would hardly be secret. Someone malicious would just look for whatever the new name is, if that's what they're after. We need to give the bad guys a little more credit than that. :)

    Ultimately it's up to each of us individually what we do. But there are a few things that are universally true, regardless of personal preferences:

    • A "PIN" -- short, numerical-only password -- is weak. There are only thousands of possible combinations. It's trivial to run through all of them in an automated fashion. 1Password can prevent this to an extent, but if someone has your device they're really in a better position to break into it this way than if a strong Master Password or biometrics are required.
    • If someone has both your device and you, it doesn't matter if you're using a PIN, biometrics, or a Master Password to unlock 1Password; they can get any one of those things from you if they really want to. So there isn't really going to be a magical solution if you're in a situation where you're the target.

    As someone who travels internationally fairly frequently, rather than relying on a single security measure, I personally use a combination of them, since they each have different pros and cons:

    1. Biometrics (Touch ID, Face ID, Windows Hello, Nexus Imprint)
      Pro: convenient and secure, can be disabled fairly easily*;
      Con: can potentially be used to unlock my device if I'm held against my will, and I didn't plan ahead, without me having to divulge anything (my body is not a secret)
    2. Master Password
      Pro: secure, stored only in my brain;
      Con: inconvenient
    3. Travel Mode
      Pro: secure;
      Con: inconvenient, needs to be set up in advance, and a way to disable it needs to be arranged

    *It varies by device, but for example on iOS, pushing the side button 5 times disables biometrics until the passcode is entered. This is really easy to do before going through airport security.

    I haven't had issues and don't expect that I will, but it's important for me to plan for these things to ensure that I can't be used to gain access to any systems involving our customers. Others' situations may be very different.

    Honestly, good for the kid who's asking about passwords! It's an opportunity not only for you to think about these things (Do they have a fingerprint registered on the device where you use 1Password? If so, not using Touch ID there is a good idea!) but also ease them into the world of online security -- which, frankly, is just the world we live in now. Show them how hard it is for someone other than you to get to your passwords!

    ...

    But maybe don't enable the "Erase Data" feature that wipes the device after 10 attempts, if your kids are going to be trying to "hack" you. That may be less of a security feature for you than a huge nuisance. ;)

  • Abhijit
    Community Member

    Thanks for the great response! I am sure you are taking the ideas/thoughts I am putting forward positively. I request you to. I understand it might not be adding value many a time, but thanks for reviewing and responding.

    Thanks,
    Abhijit

  • :+1: :)

    Ben

This discussion has been closed.