This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

Destroy data file after x attempts

lamalice
lamalice Junior Member
How to?

Hi everyone,



Is there a way to tell 1Password to destroy the data file after a fixed number of login attempts?

Though my master password is strong I'm hesitating to put some very touchy info in there....



Thanks

P

Comments

  • khad
    khad Social Choreographer
    At this time, there is no self-destruct feature in 1Password. If we added this, we would have to somehow disconnect from Dropbox before wiping it locally or your data would be gone on all your computers and devices when Dropbox synced it around... :-(



    I will pass this along to the developers as a feature request, though. :-)
  • lamalice
    lamalice Junior Member
    edited December 2010
    Thanks :)



    Anyway, we all know that a backup is mandatory for critical data. Maybe the feature could just consist of setting the number of attempts (in the preferences) before data destruction, and warning the user that the activation of this feature requires regular backups.



    Pascal
  • jpgoldberg
    jpgoldberg Agile Customer Care
    [quote name='lamalice' timestamp='1291882083' post='17227']

    Anyway, we all know that a backup is mandatory for critical data. Maybe the feature could just consist of setting the number of attempts (in the preferences) before data destruction, and warning the user that the activation of this feature requires regular backups.[/quote]



    Hi Pascal. Suggestions like this come up occasionally, and I certainly see why people might find it an attractive idea. But when we analyze these from a security perspective, we find that such a feature might provide the user with an impression of additional security without actually increasing genuine security.



    The need to have good backups in a case like this is obviously important. Accidental or malicious destruction of someone's data with such a mechanism is possible. Part of data security is providing "data availability." We know how important your 1Password data are to you and we want to make sure that you always have access to it. At the same time, the existence of the backups means that the "self destruct" mechanism is only getting at one of several copies anyway.



    Self-destruct mechanisms are also easily defeated unless running on a very tightly controlled operating system. (So these would be possible on iOS, but not on the Mac or Windows). The easiest way to defeat such a mechanism is to write a separate program that doesn't use 1Password at all but still tries to break into your 1Password data.



    You also shouldn't underestimate the strength of the encryption of your data. If your master password is reasonably okay, the time it would take to automatically guess and test enough master passwords to come close to getting yours is literally astronomical. That is, we are talking about measuring the time in terms of the age of the universe.



    You might be interested to learn that Apple's own Remote Wipe feature in iOS 4 actually just destroys the unique hardware encryption key that is built into every iOS device. It does not physically remove the data, it just removes any chance of ever decrypting it.



    It's great that you are thinking about these issues and what would make your data more secure. I love talking about these kinds of things. In this particular case what seems initially appealing doesn't hold up under closer examination, but that shouldn't discourage you from thinking about these things and posing suggestions.



    Cheers,



    -j
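A small model of the two points in the reply above (the attempt counter exists only inside the app, and a wipe reaches only one copy), added here as an illustration and not part of the original post or of 1Password's code. The vault layout, the `seal`/`open_vault`/`App` names, the iteration count and the sample password are all constructed for this example, and the cipher is a toy built from the standard library.

```python
import hashlib, hmac, os

ITERATIONS = 10_000  # assumed work factor for this toy model

def _keys(password: str, salt: bytes) -> bytes:
    # 64 bytes: first half drives the keystream, second half the integrity tag
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=64)

def seal(password: str, secret: bytes) -> bytes:
    """Toy vault blob: salt || tag || ciphertext (constructed format)."""
    salt = os.urandom(16)
    key = _keys(password, salt)
    stream = hashlib.shake_256(key[:32]).digest(len(secret))
    ct = bytes(a ^ b for a, b in zip(secret, stream))
    return salt + hmac.new(key[32:], ct, hashlib.sha256).digest() + ct

def open_vault(password: str, blob: bytes):
    """Needs only the bytes and a password; there is no counter in the file."""
    salt, tag, ct = blob[:16], blob[16:48], blob[48:]
    key = _keys(password, salt)
    if not hmac.compare_digest(tag, hmac.new(key[32:], ct, hashlib.sha256).digest()):
        return None
    stream = hashlib.shake_256(key[:32]).digest(len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))

class App:
    """Hypothetical front end: the only place the attempt counter lives."""
    def __init__(self, blob: bytes, max_attempts: int = 3):
        self.blob, self.failures, self.max_attempts = blob, 0, max_attempts

    def unlock(self, password: str):
        if self.blob is None:          # local copy already destroyed
            return None
        secret = open_vault(password, self.blob)
        if secret is None:
            self.failures += 1
            if self.failures >= self.max_attempts:
                self.blob = None       # "self-destruct" of this one copy
        else:
            self.failures = 0
        return secret

def demo():
    blob = seal("correct horse", b"card 1234")   # constructed sample data
    other_copy = bytes(blob)                     # a backup or synced copy
    app = App(blob)
    for wrong in ("a", "b", "c"):
        app.unlock(wrong)
    # The owner is now locked out locally; the other copy is untouched.
    return app.unlock("correct horse"), open_vault("correct horse", other_copy)
```

What limits guessing against a copy of the file is the key-derivation cost multiplied by the strength of the master password, which is the protection the reply points to.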
  • lamalice
    lamalice Junior Member
    Ok. I see the point.

    I was just hesitating to put some really critical information in there (like credit card number and PIN, banking account access passwords,...). I'm using the Dropbox sync feature and was wondering what an expert could do with the data file if they managed to break into the Dropbox account (or site) and steal my data file.



    My 1Password master password is "Excellent" so I'm probably a little bit paranoiac.



    Thank you very much for your answer.



    1Password is a software I couldn't live without :P



    Pascal
  • jpgoldberg
    jpgoldberg Agile Customer Care
    [quote name='lamalice' timestamp='1292146198' post='17406']

    I was just hesitating to put some really critical information in there (like credit card number and PIN, banking account access passwords,...). I'm using the Dropbox sync feature and was wondering what an expert could do with the data file if they managed to break into the Dropbox account (or site) and steal my data file.

    [/quote]



    I understand your concern, Pascal. Please take a look at



    http://help.agile.ws/1Password3/cloud_storage_security.html



    Here is how that document begins.

    [quote]

    Your secrets in your 1Password data are safe wherever they are stored. Although we don’t recommend making your 1Password database publicly available to the world, we have designed it so that your username and password data (along with other secret data stored within it) is protected no matter whose hands they fall into. For this and other reasons we are very confident when we recommend cloud syncing of 1Password data with Dropbox. The remainder of this document goes into increasing detail about the security measures in place and issues surrounding them.



    Here are some key points you may read about below



    [list=1]

    [*]Your master password is never transmitted from your computer or device.

    [*]All 1Password decryption and encryption is performed on your computer or device.

    [*]The 1Password data format was designed to withstand sophisticated attacks if it fell into the wrong hands.

    [*]Dropbox provides an additional layer of encryption.

    [/list]

    [/quote]



    In particular, it is the third point that people often under-estimate. This is why we enthusiastically recommend Dropbox syncing.



    [quote]

    My 1Password master password is "Excellent" so I'm probably a little bit paranoiac.

    [/quote]



    Then you should be in great shape.



    [quote]

    1Password is a software I couldn't live without :P

    [/quote]



    Thank you so much, Pascal. For a long time the first thing I would install on a new Mac was 1Password. But I realized yesterday that it is now the second thing I install. The first is Dropbox. That way when I do install and launch 1Password, my 1Password data is there waiting for me.



    Cheers,



    -j
  • Hi - I understand jpgoldberg's reasoning in arguing against such a feature, but what if you want to destroy your data deliberately? As cars became more and more difficult to break into, what crime increased? Car-jacking. And as houses became more secure, the chances of you being robbed on the street increased. So I think it's probably safe to assume that a direct attack to break into your 1Password on your iPod/iPhone after its being lost or stolen is less likely as it's too difficult. I would therefore argue that this increases the risk of being mugged and then forced to unlock your device and 1Password. In this scenario it would be useful to have a self-destruct feature or a panic button that would destroy all your data. Even better would be a dummy mode which would present a dummy set of data if you entered a specific dummy password.



    Cheers

    Michael
  • khad
    khad Social Choreographer
    This is an interesting idea, Michael. Do you know of any recorded case of someone being mugged and forced to unlock their iPhone (and 1Password app in addition to that)? That does sound pretty horrible. Please let me know if you have a link to the article!
  • Hi khad - I have no evidence of such an incident and no idea how likely this could be, but it wouldn't be specific to 1Password. Obviously, any information stored on a smart device could be at risk regardless of how the information is stored. Only the level of risk may be different for different methods.



    Cheers

    Michael
  • khad
    khad Social Choreographer
    edited December 2010
    On iOS devices, there is a "self-destruct" mechanism built into the OS when entering an incorrect passcode. You can enable "Erase data" in Settings.app > General > Passcode Lock.
  • brenty
    edited December 2010
    [quote name='khad' timestamp='1292948691' post='17939']

    On iOS devices, there is a "self-destruct" mechanism built into the OS [b]when entering an correct passcode[/b]. You can enable "Erase data" in Settings.app > General > Passcode Lock.

    [/quote]



    Did you mean "an [i]in[/i]correct passcode?"



    [quote name='jpgoldberg' timestamp='1292121397' post='17393']

    You might be interested to learn that Apple's own Remote Wipe feature in iOS 4 actually just destroys the unique hardware encryption key that is built into every iOS device. It does not physically remove the data, it just removes any chance of ever decrypting it.

    [/quote]



    I had no idea that this was how it worked. That's pretty ingenious!



    [quote]

    Self-destruct mechanisms are also easily defeated unless running on a very tightly controlled operating system. (So these would be possible on iOS, but not on the Mac or Windows). [b]The easiest way to defeat such a mechanism is to write a separate program that doesn't use 1Password at all but still tries to break into your 1Password data.[/b]

    [/quote]



    That's an excellent point! I hope it wasn't lost on anyone, because I had to think about that for a minute myself.



    The 1Password keychain itself is merely an encrypted data file, and adding a mechanism to the 1Password app to destroy it after X number of failed attempts would be fairly superficial, and "easy" to circumvent (with a lot of processing power to brute force the encryption, that is...) Maybe someday all of us can have a similar feature built into consumer operating systems on the filesystem level.
  • thightower
    thightower "T-Dog" Agile's Mascot Community Moderator
    [quote name='jpgoldberg' timestamp='1292121397' post='17393']

    Apple's own Remote Wipe feature in iOS 4 actually just destroys the unique hardware encryption key that is built into every iOS device. It does not physically remove the data, it just removes any chance of ever decrypting it.



    [/quote]



    Very interesting. I also didn't realize this was the way it worked.
  • Carl
    Carl Just Me
    [quote name='m w' timestamp='1292867333' post='17900']

    Hi - I understand jpgoldberg's reasoning in arguing against such a feature, but what if you want to destroy your data deliberately? As cars became more and more difficult to break into, what crime increased? Car-jacking. And as houses became more secure, the chances of you being robbed on the street increased. So I think it's probably safe to assume that a direct attack to break into your 1Password on your iPod/iPhone after its being lost or stolen is less likely as it's too difficult. I would therefore argue that this increases the risk of being mugged and then forced to unlock your device and 1Password. In this scenario it would be useful to have a self-destruct feature or a panic button that would destroy all your data. Even better would be a dummy mode which would present a dummy set of data if you entered a specific dummy password.



    Cheers

    Michael

    [/quote]



    You are giving lowlifes way too much credit (and smarts). They would be a ton more likely to simply factory reset and sell the phone to someone for $50 as opposed to digging for information.



    Here is a real life scenario that happened to a buddy of mine a couple of years ago:



    Had his laptop in his briefcase at the bar at Applebees

    Went to the bathroom for "just a minute" and did not take it with him

    It was swiped

    Thief went through the briefcase and found his cell phone number

    Thief called and extorted $200 from my buddy in order to get his briefcase (and laptop) back

    My buddy went and met the thief in a Walgreens parking lot and paid $200 to someone who gave him the briefcase (with contents) back



    This is the way these people work - they want a quick buck with little chance of getting caught



    With that said, I think a kill feature for the mobile version is a good idea (because of the 4 digit pin) but not needed for the desktop.
  • [quote name='Carl' timestamp='1293018743' post='17970']

    You are giving lowlifes way too much credit (and smarts). They would be a ton more likely to simply factory reset and sell the phone to someone for $50 as opposed to digging for information.

    [/quote]

    Hi Carl - you're probably right but then again it depends who the thief sells it to, likely another "lowlife" but maybe with other intentions who is more interested in the data than the device.



    [quote name='Carl' timestamp='1293018743' post='17970']

    With that said, I think a kill feature for the mobile version is a good idea (because of the 4 digit pin) but not needed for the desktop.

    [/quote]

    Totally agree. I always considered the kill feature to be only for the mobile version. No need for the desktop.



    Cheers

    Michael
  • RobYoder
    RobYoder Agile Customer Care
    [quote name='Carl' timestamp='1293018743' post='17970']

    With that said, I think a kill feature for the mobile version is a good idea (because of the 4 digit pin) but not needed for the desktop.

    [/quote]



    Hey, Carl! I haven't seen you around for a while. Good to "see" you in the forums again.



    Thanks for the feedback, guys!