iOS can be hacked! Is my 1Password information safe?

The very short answer is that your 1Password data, including information that 1Password stores in your iOS keychain, remain safe despite recent press reports that might suggest otherwise.

When reading press reports such as the one in PC World about work done by researchers at Fraunhofer Institute for Secure Information Technology, it is easy to get the impression that _all_ information stored in the iOS keychains can be acquired by an attacker. But that isn’t true. Only keychain information that is stored in the weakest of “protection classes” is exposed. 1Password uses the strongest protection class, and so your credentials used to automatically sync your data with Dropbox remain secure. This includes your master password on your device, your Dropbox login information, and your master password for your data on Dropbox.

I will write about this in more detail in a follow-up blog post, but I wanted to get the word out that in our security design, we anticipated that phones can be jailbroken and various protection schemes can be subverted. We are pleased to say that our caution in how we store things in the iOS keychain has paid off for our users.

If you’re interested, the [original research][sit_PDF] that led to the recent spate of articles is an enlightening read.

[sit_PDF]: http://www.sit.fraunhofer.de/en/Images/sc_iPhone%20Passwords_tcm502-80443.pdf
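To make the protection-class distinction concrete, here is an added example (not part of the original post and not AgileBits code) that audits an iOS app's own keychain items for the passcode-independent classes and stores a secret in a stricter one. The names `findWeakKeychainItems`, `storeSecret` and `WeakItem` are hypothetical, and the choice of `kSecAttrAccessibleWhenUnlockedThisDeviceOnly` is an assumption, since the post does not name the constant 1Password uses.

```swift
import Foundation
import Security

// Protection classes that stay readable without the passcode-derived key.
// Both are deprecated by Apple but can still be present on stored items.
let passcodeIndependent: Set<String> = [
    kSecAttrAccessibleAlways as String,
    kSecAttrAccessibleAlwaysThisDeviceOnly as String,
]

struct WeakItem {                      // hypothetical report record
    let service: String
    let account: String
    let protectionClass: String
}

/// Lists this app's generic-password items that sit in a weak protection class.
func findWeakKeychainItems() -> [WeakItem] {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecMatchLimit as String: kSecMatchLimitAll,
        kSecReturnAttributes as String: true,   // metadata only, no secret data
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess, let items = result as? [[String: Any]] else {
        return []   // errSecItemNotFound or an access error: nothing to report
    }
    return items.compactMap { attrs -> WeakItem? in
        guard let cls = attrs[kSecAttrAccessible as String] as? String,
              passcodeIndependent.contains(cls) else { return nil }
        return WeakItem(
            service: attrs[kSecAttrService as String] as? String ?? "(none)",
            account: attrs[kSecAttrAccount as String] as? String ?? "(none)",
            protectionClass: cls)
    }
}

/// Stores a secret so it is readable only while the device is unlocked
/// and is not restored onto other devices.
func storeSecret(_ secret: Data, service: String, account: String) -> OSStatus {
    let attrs: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecValueData as String: secret,
        kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
    ]
    return SecItemAdd(attrs as CFDictionary, nil)
}
```

An app can only enumerate items in its own keychain access groups, so this audit covers what the app itself stored, not system items.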

7 replies
  1. Daniel Druff says:

    Could you elaborate some more on what these « protection classes » mean in the context of the iOS Keychain, since it appears they have no Mac OS X equivalent?

  2. Rich Cosner says:

    I downloaded the trial version and have been using it. It now won’t save passwords because I need to pay for it but there is no obvious place to pay. I can go buy a new one but I don’t want to start over. Thoughts?

  3. Lawrence Ingram says:

    Not sure if my comment was published, so this may be in twice. . .

    My main concern is someone getting into my Dropbox, downloading the 1Password files and hacking it with time on a desktop. I suppose this is the same concern as that of the iPhone? I really just want a bottom line of “how hackable is the 1Password file?”

    Thanks,

    Lawrence

  4. Eric says:

    What if someone puts software on a Mac that reads keystrokes? They would have the ability to “see” one’s master passwords and could get full access to 1Password. I have been a very happy user on Mac, iPhone and iPad but a friend got hacked in the Delta airport lounge in SFO and was told by someone who is helping to get identity protected that there is a virus or worm or something that will show the hacker their keystrokes whenever they are online. Is this true? Thanks
