Does 1Password have a limit on login attempts before requiring 2FA or the Secret Key on trusted devi
I was wondering: if an attacker gains access to a trusted device and tries to brute force 1Password without an internet connection, is there a mechanism that Reactivate the Secret Key after a certain number of failed attempts?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
Comments
-
Can you clarify what you mean by "Reactivate the Secret Key after a certain number of failed attempts?"
0 -
For instance, when a device is set as trusted on 1Password, it doesn't prompt for the Secret Key or 2FA. If there are multiple failed login attempts on this trusted device, will 1Password re-enable these security measures? Note, assumed the device is offline and unable to access Internet.
0 -
There are no limits on the number of attempts you can make to enter the account password. This is because the "search space" for your account password is so monumentally huge, that brute-forcing it isn't an option.
If you consider all possible 12-character passwords, there are something around 2^72 possibilities. It would take many millions of years to try them all. Indeed, it would take much longer.
— from Not in a Million Years, on the 1Password Blog
For context, trying one account password every second would take (roughly) 149,745,258,842,898 years (over 10,000 times the age of the universe so far).
Essentially, someone could try unlocking 1Password by repeatedly guessing your account password, but they're not going to achieve that any time soon. :)
0
