New ways of unlocking with the master password
I have 1P on Mac, Windows and iOS.
I have really secure password for logins, 14-16 random characters, BUT I find that I have to have a easy master password for 1P, otherwise it's too cumbersome to unlock the app (and 16 character PW are hard to remember if you're on a Mac/PC or not).
So are you looking into other ways of unlocking the app, swipes, gestures - I hear the new Windows Phone have a security feature where you unlock it by taps or gestures on a picture - this sounds kind of neat...
Comments
-
Hi @lerxst,
It's not a secure as you think it would be on its own, it's great as a secondary system like the Quick Unlock Code feature we have in Settings > Security in 1Password for iOS. It'll allow you to unlock the app with 4-digits as soon as you enter your master password first and you can configure it to not lock with the master password until it is terminated in the background.
There's very strong weakness for using gestures and/or taps with static graphics and that's if somebody was able to look at the screen after the person unlocks it with their hands. Because of the natural dirt and oil from your hands, there would be a leftover outline of what your taps/gestures look like. Try it yourself after a few hours of using your iOS and draw a big Z on your screen, you'll see that you can see the Z from it afterward.
It may work better if the taps are randomized each time, so you have to draw a shape but in different ways, this will eliminate the weakness.
Please understand that if you resort to using an easy password and somebody steal your device, that'll make it easy for them to break as well.
What you should consider is using a nonsense/weird pass phrase instead of using a long string of random characters. We're working on an article to explain how this work but you can read the first article we had on this for the OS X app.
At the moment, we have no plans of adding more secondary systems but it's not a no. It can happen if we can find a better one than the gestures, one requirement is that it has to be different each time we show the lock screen.
Flag 0 -
I'm finding the Quick Unlock in vers. 4 not to work as expected. In settings I have "Request After" set to "Never", the quick unlock set to "on" and request code after 15 minutes. Still, I seem to be asked to enter the master password fairly frequently. Maybe it is because I'm terminating it from the switcher. But I could swear it was doing that even when I hadn't. I'll probably need to test that some more later.
Beyond that, if it did work as I expected, I'd like options to "Request After" (master password) in hours or days, not minutes.
Flag 0 -
I would say the reason is you are indeed killing the app from the switcher. If I kill the app on my phone it does indeed perform as you indicate.
As to hours and days the team will need to comment on that one.
Flag 0 -
Hi @Woodenbrain,
The issue is with the termination, as soon as you terminate the app, it'll automatically kill off timers and revert to the master password. For you to gain access to the encrypted data in the app, you need to supply a master password to decrypt the encryption key, so the app can use it to decrypt the data.
The way the Quick Unlock Code works is that it protects the decrypted encryption key to the data with this code but once the app is terminated, the encryption key is gone and its reverted back to its encrypted state, thus you're required to type in the master password again.
You can learn more in this Security Settings FAQs, it should answer your other questions about this.
As for hours/days options, the iOS will terminate the iOS app before the timer will lock the app, so if you want it to last a long time, you should set the option to Never as the iOS app will likely terminate it within days.
We're investigating other ways to protect your data while not having to lock the entire app but it might be a while since we have to validate the entire security system to ensure it doesn't leave any holes and that's going to take some time.
Hope this helps.
Flag 0 -
I should also point out that there is a lot of misinformation that has been spread around about removing apps from the task switcher. Apps in that list are not taking up memory. There is no need to manually manage that list by removing apps from it. People who tell you you need to do that do not understand how iOS memory management works.
Please be sure to read John Gruber's "You Do Not Need to Manually Manage iOS Multitasking" and the linked article by Fraser Spiers, "Misconceptions About iOS Multitasking" for a more technical overview.
I'm not saying you fall into that camp, but I do want to make sure to mention it since most folks I know who manually remove apps from the task switcher think that it is somehow "speeding up" or otherwise improving something on their device. This is simply not true.
Go forth and let iOS manage your memory as it was designed to do.
Flag 0 -
Thanks for the info about termination. I'll look into it, though I intuitively have a hard time believing that writing a saved state doesn't take up space on the device.
However, I just tested this hours later (overnight), leaving 1Password open. It asked for the master password on open. (again, even though it is set to "never"; and even though I confirmed it was still running in the switcher before launching it -- in fact I opened it from the switcher).
Flag 0 -
…I intuitively have a hard time believing that writing a saved state doesn't take up space on the device.
Writing state to disk would obviously take up space, but the amount of space used would be in the neighborhood of 0.0000000596046448% of the space on a 16 GB device. It would be like one grain of sand on the beach being black when the rest is white. It's not really perceptible and won't really affect you.
However, I just tested this hours later (overnight), leaving 1Password open. It asked for the master password on open. (again, even though it is set to "never"; and even though I confirmed it was still running in the switcher before launching it -- in fact I opened it from the switcher).
Please be sure to read those links I posted above. When you double-press the Home button, the list of apps there is not an indication of what state an app is in (i.e, not running, inactive, active, background, or suspended). It is simply a list of the most recently used apps. There is not a way to tell from that list if an app is not running, inactive, active, background, or suspended.
Only an app's absence from the list of recent apps indicates anything: the app is not running at all.
iOS must have terminated 1Password in the background overnight (but it still stays in the list of "recent apps" since it was running "recently"). Again, please be sure to read the links I posted above to understand a bit more about how iOS manages memory as well as the relevant section in the User Guide which explains how this affects 1Password:
FAQs on the Security System in 1Password
What specific device do you have?
Flag 0