If someone gains access to one of my devices and they get the PW, is all lost?

Henry_Barnett
Community Member
edited January 2023 in Mac

My wife has just started using 1Password. She asked me if it is really secure. If someone cracks my device password and sees the 1Password icon, how difficult is it then to crack the code for 1Password and access my vault? The secret key is not needed in this instance!

Pessimistically yours!

Henry

iMac...



Comments

  • Hi there @Henry_Barnett

    "how difficult is it then to crack the code for 1Password and access my vault?"

    If you'll forgive me being a little jovial for a moment, then the (extremely) short answer is very.
    The slightly longer answer is "even if they [the attackers] put every computer on Earth to work on the cracking and ran them for zillions of times the age of the universe."

    That answer came from Jeff Goldberg, our Principal Security Architect, in his recent blog post: Not in a million years. Although he was talking about attackers breaking the combination of both your Secret Key and your account password, a strong account password will be similarly infeasible to crack.

    "The secret key is not needed in this instance!"

    Exactly! Your Secret Key protects your data while it's not on your device. When you've signed in to 1Password on your Mac, it's your account password that's on duty to protect your data. Make sure you choose something that's:

    • random
    • memorable
    • easy to enter

    In fact, have a look through How to choose a good 1Password account password for some excellent advice about this.

    It's good to see customers actively engaging with this so if you do have any questions, do let me know. :)

    — Grey

  • Henry_Barnett

    Hi Grey,

    Definitely the white answer. Excuse the lisp.

    Certainly, with the secret key, it's nigh impossible. But as you say, once the Mac is open then so is 1Password and the 1P vault. Now I must persuade my wife to change her Mac login! Wish me luck,

    Henry

  • @Henry_Barnett

    Just to clarify a couple of things here.

    "But as you say, once the Mac is open then so is 1Password and the 1P vault."

    1Password unlocks independently from the user account in macOS. Just because a user is logged in to their Mac, it doesn't mean 1Password is unlocked too. I'd strongly recommend allowing Touch ID or an Apple Watch to unlock 1Password:

    *Supported Mac models only – please see the list.

    Similarly, I'd suggest making sure that your auto-lock settings are as secure as can be tolerated, so that 1Password locks automatically:

    "Now I must persuade my wife to change her Mac login!"

    Your wife's Mac login password will only give access to the Mac itself, its settings, and so on. It's not the same as her 1Password account password which would unlock 1Password (and nor should it be!).

    As such, if the Mac login password is weaker, it doesn't pose a threat to what's stored in 1Password.

    Hope that helps. If I've misunderstood what you meant, I'm sorry for the confusion. I'll be happy to help if you need anything.

  • Henry_Barnett

    No, you are quite correct. The 1Password for that is reasonable!

  • Henry_Barnett

    Just a follow-up. Can I use only Touch ID and no password once in the Mac to access the vault?

  • GreyM1P
    edited January 2023

    @Henry_Barnett

    Yes, but there are still times that you might have to enter your account password, such as:

    • if the amount of time in Settings > Security > “Require password” has elapsed (but you can set this to Never – just make sure to remember your account password!)
    • if Touch ID isn’t available, like when the built-in display is closed on your Mac
    • if you add or delete a fingerprint from your device

    Otherwise, you'll be able to unlock 1Password using Touch ID. :)

This discussion has been closed.