Security: How secure is my data?

walker7366

I've done some reading on this, but a lot of it is simply over my head, so I wanted to ask a simple question: if my ipad were stolen, and someone wanted to access my 1password app, am I correct that all they would have to do is crack the 4 digit pass code for the 1pswd app? I could be paranoid, but I imagine a thief plugging the ipad into a computer program that runs through possible 4 digit combinations and snap! they're into my 1pswd data in a few minutes.



I understand that there is all sorts of encryption under the hood, but it seems to me that all that stands in the way of a thief getting into my 1pswd data is a 4 digit code. Am I missing something?

jpgoldberg

Hi Walker!



[quote name='walker7366' timestamp='1306532302' post='27903']

I've done some reading on this, but a lot of it is simply over my head, so I wanted to ask a simple question: if my ipad were stolen, and someone wanted to access my 1password app, am I correct that all they would have to do is crack the 4 digit pass code for the 1pswd app?

[/quote]

This is a very good question and I'm pleased to say that getting in isn't as easy as all that. But the answer is complicated. First of all, when you have some time, try entering in the wrong 4 digit unlock code in the 1Password for iPhone several (at least 5) times. What you will find is that 1Password will make you wait a minute before trying again. If you get it wrong a sixth time it will make you wait for two minutes and so on.



It also sounds like you have an unusual set-up, so let's take a look at some things. 1Password for iPad doesn't use a four digit code. Are you, perhaps, running 1Password for iPhone on your iPad? Even so, 1Password for iPhone has both a four digit code and a master password. If your items are set with "master password protection OFF" then they will only be protected by the four digit unlock code.



Within 1Password for iPhone go to (More ...) > Settings > Security and adjust the settings for the unlock code and for the master password. If haven't ever used your master password since first setting 1Password on your iPad than you probably will have forgotten what you set it as. Under the same Security page you can "Reset Master Password". Doing so will mean that you will no longer be able to get access to anything protected with the old master password, but it sounds like there isn't anything in that category. Once you have a master password that you remember in 1Password for iPhone on your iPad, select an item and view its details. If you scroll all the way to the bottom you can see that you can set "Master Password Protection" to "ON".



[quote]

I understand that there is all sorts of encryption under the hood, but it seems to me that all that stands in the way of a thief getting into my 1pswd data is a 4 digit code. Am I missing something?

[/quote]



There is a great deal of encryption under the hood, some of it is built into 1Password and some of it is built into iOS. To take advantage of the latter you should also set a passcode for your device. This you can do with the Settings on your iPad and under General turn Passcode lock "ON".



If you want even more details about how your data are protected on the iPhone, iPod Touch or iPad, take a look at a blog posting here:



http://blog.agile.ws/2011/02/lost-iphone-safe-passwords/



I hope that this helps, and please continue to ask these sorts of questions. Also if I can be of more help in getting things configured properly for you on your iPad, let me know.



Cheers,



-j

walker7366

Thanks for the reply! Actually, I don't have 1pswd on my ipad yet, I've just been looking at it. So, there's an option whereby you have to enter your master password to access the app? That certainly would be more secure than a 4 digit code (which is what Dropbox uses....).



So, since you can't integrate with Safari, the idea of this app is that you have to cut and paste between the 1pswd app and Safari to enter in passwords. Is that right?

danco

[quote name='walker7366' timestamp='1306595138' post='27952']

So, since you can't integrate with Safari, the idea of this app is that you have to cut and paste between the 1pswd app and Safari to enter in passwords. Is that right?

[/quote]





Not entirely. 1Password has its own built-in browser, which may be all you need. But sometimes you might want to use Safari, in which case you will have to cut and paste.

walker7366

Thanks for the replies. I decided to go ahead and buy the ipad app, which I really like, even with the lack of Safari integration (which I know is not 1Pswd's fault). <img src='http://forum.agile.ws/public/style_emoticons/<#EMO_DIR#>/smile.gif' class='bbc_emoticon' alt=':)' />

jpgoldberg

[quote name='walker7366' timestamp='1306680224' post='28032']

Thanks for the replies. I decided to go ahead and buy the ipad app, which I really like, even with the lack of Safari integration (which I know is not 1Pswd's fault). <img src='http://forum.agile.ws/public/style_emoticons/<#EMO_DIR#>/smile.gif' class='bbc_emoticon' alt=':)' />

[/quote]



Thanks! I'm sure you will love it.



For security and stability reasons, iOS doesn't generally allow data to be shared among apps. So even if Mobile Safari were to allow extensions, we would need a separate copy of all of your 1Password data just for Safari (and then to keep that in sync as well).



Be sure to also try the 30-day free trial of 1Password for Windows or 1Password for Mac in conjunction with 1Password for iPad. You can get those from [url="http://agilebits.com/downloads"]our downloads page[/url].



Cheers,



-j

Bonno Bloksma

I would like to add one more question to this thread as I have to manage several iPads and iPhones for our company.

When a user looses the device I will agree that it may take a looong time for someone to guess the correct 4 digit code and near infinity to guess the master password, but... someone might get lucky.



As far as I know the iPad and iPhone do not (yet) have the feature a Blackberry has that the device can be wiped remotely when it is lost, so we have to assume the "finder" of our iPad / iPhone / etc. device will have a while to try things.



Is there a mechanism in 1Password where I can tell it to delete the entire database after a large number of wrong passwords? I could live with something like 25. That way, when there really is a hack attempt to get into the system, there is also an end to it. Or.... am I missing something?

khad

Welcome to the forums, Bonno!



[quote]As far as I know the iPad and iPhone do not (yet) have the feature a Blackberry has that the device can be wiped remotely when it is lost, so we have to assume the "finder" of our iPad / iPhone / etc. device will have a while to try things.[/quote]

In addition to Apple's [url="http://www.apple.com/iphone/business/integration/"]enterprise support for remote wipe[/url], "normal users" can take advantage of this as well. <img src='http://forum.agile.ws/public/style_emoticons/<#EMO_DIR#>/skype_smile.png' class='bbc_emoticon' alt=':-)' />



[url="http://help.agile.ws/1Password_touch/remote_wipe.html"]From the 1Password User Guide[/url]:



[indent]While we cannot yet build a remote wipe feature into 1Password touch, you do have an option for remotely wiping your entire iPhone with Apple’s Find my iPhone feature which is now available to both paid MobileMe users and to anyone who has an Apple ID.[/indent]

I hope that helps. Please check out the rest of that section of the User Guide, and let us know if you have any additional questions.



We are always here to help! <img src='http://forum.agile.ws/public/style_emoticons/<#EMO_DIR#>/skype_smile.png' class='bbc_emoticon' alt=':-)' />