This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

Suggestion: Corrective action based on failed logins.

jackspayed (Junior Member), posted in Mac
I use Dropbox to sync my keychain between computers - but also to have access to the keychain via the web. I put the keychain in the Dropbox "Public" folder and use a custom URL to access it when I'm not on a device I own.



If it were possible to configure logging of failed access attempts (as simple as an incremental counter) to the keychain's 1Password.html, it'd be really helpful in mitigating compromise of web-accessible keychains.



For example, I could easily write a script on my "always on" local machine (or as a CGI for just about any hosted keychain) that would see "X failed login attempts" in the keychain log file and then move the keychain to a non-public folder while creating a symlink to the quarantine location... thus breaking the public availability while preserving the synchronizing between computers. Since Dropbox doesn't let you symlink from PUBLIC to PRIVATE folders, all the authorized machines would continue to function as if nothing happened, but you wouldn't have to worry about someone online bullying your keychain.



Granted, it does lend itself to some pretty obvious DoS conditions - but once the user is capable of detecting the attack... at least they're aware that someone out there is pretty interested in THEIR stuff specifically. Besides, how hard is it to get a new URL these days?



Not sure what your daemon / agent / service is capable of doing - but it doesn't seem like doing this kind of stuff is outside of the realm of a fully integrated feature in the future.



Just a thought... or I could be completely missing some functionality that has already been implemented for this.
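A sketch of the watcher script described in the post above, as an added example that is not part of the original post and not AgileBits code. Everything about the log is an assumption: 1Password never wrote such a log, so the script counts lines containing the made-up marker FAILED_UNLOCK in a file whose path you pass in. The threshold, the Public/Private paths and the file name 1Password.html are likewise placeholders. When the count reaches the threshold it moves the keychain out of the public folder and leaves a symlink at the old path so local processes that still open it by that path keep working.

```shell
#!/bin/sh
# Hypothetical failed-unlock watcher (example code, not 1Password's own).
# Assumed log format (constructed): one line per attempt, e.g.
#   2024-05-01T10:00:00Z FAILED_UNLOCK
#   2024-05-01T10:00:05Z UNLOCK_OK

# count_failures LOGFILE
# Prints the number of FAILED_UNLOCK lines; 0 if the log is missing or empty.
count_failures() {
    log="$1"
    if [ -r "$log" ]; then
        # grep -c exits 1 when nothing matches, so neutralise that for set -e callers.
        grep -c 'FAILED_UNLOCK' "$log" || true
    else
        printf '0\n'
    fi
}

# quarantine_keychain PUBLIC_PATH PRIVATE_DIR
# Moves the keychain out of the public folder and replaces it with a symlink
# to the new location. Returns 0 on success (or if already quarantined),
# 2 if there is nothing at PUBLIC_PATH.
quarantine_keychain() {
    src="$1"
    dst_dir="$2"
    [ -e "$src" ] || [ -L "$src" ] || return 2
    # A symlink at the public path means a previous run already did the work.
    [ -L "$src" ] && return 0
    mkdir -p "$dst_dir"
    dst="$dst_dir/$(basename "$src")"
    mv "$src" "$dst"
    ln -s "$dst" "$src"
    printf 'keychain quarantined: %s -> %s\n' "$src" "$dst" >&2
}

# check_and_quarantine LOGFILE THRESHOLD PUBLIC_PATH PRIVATE_DIR
# Returns 0 when the threshold was reached and the keychain was quarantined,
# 1 when the failure count is still below the threshold.
check_and_quarantine() {
    n=$(count_failures "$1")
    if [ "$n" -ge "$2" ]; then
        printf '%s failed unlock attempts (threshold %s), quarantining\n' "$n" "$2" >&2
        quarantine_keychain "$3" "$4"
    else
        return 1
    fi
}

# Typical cron usage (paths are placeholders):
#   check_and_quarantine "$HOME/Dropbox/Public/1Password.log" 5 \
#       "$HOME/Dropbox/Public/1Password.html" "$HOME/Dropbox/Private"
```

Two caveats a practitioner would check before trusting this. First, whether the public URL actually stops serving the file depends on how the sync client treats a symlink in the Public folder (some clients publish the link target's content rather than the link), so test against your own client rather than assuming it. Second, because the trigger is an attacker-controlled counter, anyone who can reach the URL can force the quarantine at will; that is the DoS the post already concedes, and the threshold only sets how cheap it is.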

Comments

  • MartyS, AgileBits Customer Care (retired)
    That's an interesting idea, but it breaks down quickly when you consider that many customers (yourself included it sounds like) will access their 1Password data file via a web page, Dropbox account, from a write-locked USB stick, etc. None of those methods would allow a consistent means to write that counter anywhere that all the platforms could see.