Forgot Master Password 1password



July 16, 2013 · 1password, aes128, aes256, encryption, HMAC, keepass, lastpass, passwords, pbkdf2, security, ssl


Have you ever struggled to remember a username or password? Join the club.

Wouldn't it be great if you could log in to every site using the same password, without compromising your security? Now you can!

Introducing AgileBits 1Password, the gold standard in decentralized identity & password management for Windows, Mac, iPhone, iPad, Android and unofficially, Linux.

So, what's it do?

In short, it removes all the hassle from any sign in/sign up process.

Next time you're scratching your head trying to think of a sufficiently-secure but memorable password, fire up 1Password. The password generator allows quick and easy access to lengthy, cryptographically strong passwords...

g473/733>{8*:#&T23.F3G]%),2/6.${u9z&7=646L>76XA8,Y

...and I'm supposed to remember that?

Of course not! 1Password takes care of it for you. Simply sign in to 1Password using a 'master' password - which you can choose & change at any time. This is the only password you'll ever need to remember.

To sign in, click the 1Password key in your browser. (shown here in Google's Chrome)

After you've signed in to 1Password, simply click the appropriate site from the list to be signed in automatically.

Seems like a lot of hassle... isn't there a shortcut?

Yep. Next time you reach a login screen, just press CTRL + and you'll be logged in automatically.

I'm happy with my current passwords, but I hate entering them!

1Password can help there too.

Next time you sign in anywhere, you'll see this at the top...

Just hit 'Save'. Next time, use the shortcut CTRL + and you'll be signed in automatically. You're probably much better off using the password generator though!

But wait, there's more!

1Password also stores credit cards, bank accounts & membership information... it even has a secure notes area; ideal for info which doesn't fall into any other category.

What if I forget my master password?

Think... and think hard! You ain't recovering the data any time soon! :)

You could try to crack it, but if you're successful, your master password couldn't be all that secure to begin with.

Does it store my passwords securely?

1Password uses 128-bit AES encryption (some applications have already been upgraded to AES256) to ensure your identity & password data remains safe.
Techie bits: the AES128 key is derived from your master password by 10,000 iterations of PBKDF2 (built on HMAC) - and AgileBits are upgrading to AES256 shortly.
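To make the techie bits concrete, here is an added Python example of mine (not AgileBits' code) that stretches a master password with PBKDF2-HMAC into a 128-bit AES key and turns the iteration count into an attacker's guess rate. It assumes SHA-1 as the PRF and an 8-byte random salt, which is what the Agile Keychain format of the time is understood to have used; the 1e9 HMAC/s figure for a cracking rig is an assumed round number, not a measurement. The comparison function uses the 1,000 / 5,000 / 10,000 iteration counts this article quotes for RoboForm, LastPass and 1Password.

```python
import hashlib
import os
import time

# Assumption: PBKDF2-HMAC-SHA1 with an 8-byte salt, as the 2013-era Agile Keychain
# format used. Illustrative code, not AgileBits' implementation.
PRF = "sha1"
SALT_LEN = 8
SECONDS_PER_YEAR = 365 * 24 * 3600


def derive_key(master_password: str, salt: bytes, iterations: int = 10000, key_len: int = 16) -> bytes:
    """Stretch a master password into a key_len-byte AES key (16 bytes = AES-128)."""
    return hashlib.pbkdf2_hmac(PRF, master_password.encode("utf-8"), salt, iterations, key_len)


def derivations_per_second(iterations: int, samples: int = 5) -> float:
    """Measure how many PBKDF2 derivations this machine completes per second.
    One derivation is one master-password guess for an attacker holding the vault file."""
    salt = os.urandom(SALT_LEN)
    start = time.perf_counter()
    for _ in range(samples):
        derive_key("benchmark-only", salt, iterations)
    return samples / (time.perf_counter() - start)


def years_to_exhaust(alphabet_size: int, length: int, iterations: int, hmac_per_second: float) -> float:
    """Worst-case time to try every password of the given length and alphabet.
    Each PBKDF2 guess costs about `iterations` HMAC evaluations, so the attacker's
    guess rate is the raw HMAC rate divided by the iteration count."""
    guesses_per_second = hmac_per_second / iterations
    return (alphabet_size ** length) / guesses_per_second / SECONDS_PER_YEAR


def compare_iteration_counts(alphabet_size: int, length: int, hmac_per_second: float) -> dict:
    """Cost of a full search at the iteration counts the article quotes for each product."""
    counts = {"RoboForm (1,000)": 1000, "LastPass (5,000)": 5000, "1Password (10,000)": 10000}
    return {name: years_to_exhaust(alphabet_size, length, n, hmac_per_second) for name, n in counts.items()}


if __name__ == "__main__":
    salt = os.urandom(SALT_LEN)
    key = derive_key("correct horse battery staple", salt)
    print("AES-128 key:", key.hex())
    rate = derivations_per_second(10000)
    print(f"this machine: {rate:.1f} derivations/s at 10,000 iterations")
    # 1e9 HMAC/s is an assumed figure for a GPU cracking rig, not a measurement.
    for name, years in compare_iteration_counts(26, 8, 1e9).items():
        print(f"{name}: {years:.3f} years to exhaust 8 lowercase letters")
    print(f"20-char generated password: {years_to_exhaust(95, 20, 10000, 1e9):.2e} years")
```

The printed rate is the point: an attacker's per-guess cost is whatever your slowest device can tolerate at unlock time, and every doubling of the iteration count doubles their bill. Eight lowercase letters fall in hours at any of these counts; the generated 20-character password above does not fall at all.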

So if AES128 is secure enough, why upgrade to AES256?

I hate the term 'secure', despite my proclivity for using it in various posts here. 'Secure' implies there's a point at which it's absolutely safe, which sadly isn't possible.

Instead, think of it in terms of its resilience against attack.

In an ideal world, we'd all be using the strongest encryption possible - with limitless iterations through key stretching to further bolster security. Trouble is, from a computational standpoint, encryption (and subsequent decryption) is expensive.

AgileBits' decision to use AES128 was a smart one. It affords immensely strong security to even the slowest of devices without impacting on the usability of either the device, or the software itself. It's sufficient to thwart even the toughest of attacks; taking millions of years to pull off with consumer-grade hardware.

Thanks to the never ending passage of time and Moore's law (no relation ;) ), our equipment is more powerful than ever before... with some smart phones / tablets packing PC-rivaling power and memory.

As such, they're capable of running AES256 just as easily as older devices run AES128.

So to cut to the quick, there's no longer a reason not to use AES256. One caveat, though: the AES key is derived from your master password, so an attacker holding your keychain will guess the password through PBKDF2 rather than search the key space. Password length and the iteration count decide how long that takes; whether the key is 128 or 256 bits barely enters into it.

Corporate user or paranoid about being watched by NSA / GCHQ?

I am of course, referring to the massively over-hyped PRISM project.

Rather than rant on for hours (and honestly, I could!) , I'll give you the short version.

If you've nothing to hide, you're safe. You may not like the thought of being watched, but it has been possible long before PRISM; and will continue to be so long after.

If you've something to hide, you're kidding yourself if you think a $49 application affords you the protection necessary to avoid government involvement in your activities.


But...

Assuming there are no known flaws in 1Password's implementation of AES, HMAC, PBKDF2 or the mechanisms themselves, it will make life very difficult.

Why the emphasis on 'decentralized'?

Even the most 'secure' encryption can be broken, given enough time and resources. It may take consumer-grade hardware millions of years to break a properly generated password, but who knows what's round the corner. In years to come, super/quantum computers may well reduce that time from years to days... or a weakness may be found in any chosen algorithm. At that point, your only remaining protection (obscurity, really, rather than security) is that the attacker still needs a copy of your encrypted files to mount an attack at all.

As 1Password is entirely decentralized, there's no requirement to share your encrypted data with anyone... it will work quite happily on just your PC.

The competition...

Let's take a brief look at 1Password's competition.

KeePass (keepass.info)
I like to spend at least a couple of weeks with a product before reviewing/purchasing it... but the decision to avoid KeePass was made in less than a minute. Why?

  1. The installer is sent over HTTP - which cannot be trusted. How do I know I'm downloading the real 'KeePass' application and not an insecure & malware-ridden fake?

  2. The 'integrity' hash sums, PGP signatures and .NET public keys are also sent over HTTP - which cannot be trusted. What's the point of releasing hashes to confirm the integrity of a download, when the hashes themselves are sent over an insecure protocol? Crazy!

RoboForm (roboform.com)
Although the RoboForm installer is sent over HTTP, it's digitally signed meaning we can check it hasn't been altered before installation.

However, anyone actively using the term 'military grade encryption' really should be shot at dawn. Their use of PBKDF2 with, to the best of my knowledge, just 1,000 iterations is simply not enough either.

LastPass (lastpass.com)
LastPass is interesting. It uses similar encryption to 1Password (fewer iterations through PBKDF2 though - at just 5000, so quicker but less secure) with one main difference... your data is stored online.

In short, you can't use LastPass without storing your data at LastPass.com.

That worries me. Sure, it's encrypted using your 'secret password' and it's probably 'safe' - but it's unquestionably safer to keep your encrypted data off the internet in the first place.

What happens if LastPass.com are hacked?

The official line is as follows...
No one at LastPass can ever access your sensitive data... our best line of defense is simply not having access to data even if someone got in. If LastPass can't access it, hackers can't either.
My viewpoint is somewhat different.


The hacker might not be able to immediately view your passwords without breaking the encryption first, but they could insert malicious JavaScript to intercept your 'secret password', and that would take just a few seconds. To say nobody could ever access your data is incredibly naive and misleading. One disgruntled employee, one server breach and bang... it's all over.

Use multiple devices?

Although 1Password is decentralized, it also has native support for Dropbox; allowing your data to be seamlessly synchronized across your devices. Not a fan of Dropbox? Drop your 1Password files on Google Drive or even on a USB stick... you'll be able to access your details anywhere using the contained HTML file. You'll need a modern browser however... IE users are out of luck I'm afraid.

You said avoid storing encrypted data online - you've changed your tune!

It's important to weigh up the potential risk against the added benefits of synchronizing via the web.

The encrypted data, on its own, is of little use to anyone. A password, on its own, is of little use to anyone.

The reason LastPass concerns me is because they handle both your data and the authentication process in one place. With 1Password, the authentication process is handled offline... so theoretically, your data can be stored anywhere with minimal risk.

Security: You need a strong foundation.

The ironic and nonsensical nature of delivering unsigned security products over HTTP never ceases to amaze me. HTTP data cannot be trusted, under any circumstances. A hash published next to the download is worthless for the same reason: whoever can tamper with the file can tamper with the hash. A PGP signature is only worth something if you obtained and verified the signing key through a separate channel beforehand; fetched from the same HTTP page, it proves nothing.

KeePass/RoboForm might be secure. They might be bulletproof... but unless you can be sure it's the genuine article, everything else pales into insignificance.

AgileBits know this, hence why they deliver both the product and subsequent updates over HTTPS.

But AgileBits aren't without flaws...

SSL

No PCI compliance (despite accepting credit card payments directly) and vulnerable to both BEAST and CRIME attacks. Hmm...

I contacted Jeff Goldberg at AgileBits to find out what's going on.

We’ve been aware for some time of the somewhat embarrassing fact that our secure web server hasn’t been up to standards in the algorithms it offers for encryption. We have ensured that our site certificate uses the highest standards for authentication; so people visiting the site and downloading from it can be confident that they are getting things from us and not an impostor. This is where our site security matters the most, and in that we provide excellent web site security.
It would be difficult for a hacker to position him/herself correctly in the network such that a BEAST attack would be possible. It's a risk, but a minimal one in my opinion. Allowing compression however (thus CRIME) is just plain lazy... but at least Jeff agrees.
With respect to CRIME, I’ve got no excuses. We should be able to disable compression with no adverse consequences.

Jeff is actively working to resolve the SSL issues.
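For anyone checking their own TLS endpoint against the two issues raised here, the following is an added Python example of mine, not AgileBits' server configuration (theirs lived in a web server, not in Python). It builds a 'before' context resembling the problems described (compression on, TLS 1.0 and CBC suites allowed) beside a corrected one, and an audit function that flags what CRIME and BEAST need. The weak context is constructed for illustration; the AEAD-only cipher string is my choice.

```python
import ssl


def hardened_server_context() -> ssl.SSLContext:
    """TLS settings that close both issues raised above. Certificate loading is
    omitted; call ctx.load_cert_chain(...) before serving with it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # BEAST needs TLS 1.0 CBC
    ctx.options |= ssl.OP_NO_COMPRESSION            # CRIME needs TLS compression
    # AEAD suites only: no CBC ciphers for BEAST (or later padding attacks) to chew on
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def permissive_server_context() -> ssl.SSLContext:
    """Constructed 'before' configuration resembling the faults described:
    compression enabled, TLS 1.0 accepted, CBC suites on offer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    except (ValueError, ssl.SSLError):
        # OpenSSL built without TLS 1.0: fall back to "whatever the library allows"
        ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.options &= ~(ssl.OP_NO_COMPRESSION | ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1)
    ctx.set_ciphers("ALL:!aNULL:!eNULL")
    return ctx


def audit(ctx: ssl.SSLContext) -> dict:
    """Report the settings CRIME and BEAST depend on for a given context."""
    def is_aead(cipher: dict) -> bool:
        aead = cipher.get("aead")
        return aead if aead is not None else ("Mac=AEAD" in cipher.get("description", ""))

    return {
        "compression_enabled": not bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "tls10_allowed": ctx.minimum_version <= ssl.TLSVersion.TLSv1
                         and not (ctx.options & ssl.OP_NO_TLSv1),
        # Every non-AEAD suite still enabled; on current OpenSSL these are the CBC ones
        "non_aead_ciphers": sorted({c["name"] for c in ctx.get_ciphers() if not is_aead(c)}),
    }


if __name__ == "__main__":
    for label, ctx in (("as found", permissive_server_context()),
                       ("hardened", hardened_server_context())):
        report = audit(ctx)
        print(f"{label}: compression={report['compression_enabled']} "
              f"tls1.0={report['tls10_allowed']} "
              f"non-AEAD suites={len(report['non_aead_ciphers'])}")
```

The same three checks are what to look for in a scanner's output against a live host: compression offered, TLS 1.0 accepted, and CBC suites preferred over AEAD ones. Disabling compression costs nothing, which is why Jeff's 'no excuses' is the right answer.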

KeyChain Tampering

Here's a little-known exploit - but one which deserves more air time. 1Password uses a keychain file to store your usernames/passwords. The contents of each field are obviously encrypted, but the locations at which they're used are not.

For example... here's my LastPass test data in 1Password. I've added carriage returns to make it easier to read, and the encrypted blob is elided.

{
  "keyID": "C5459C772DD7484CA5BEDF289B3961A0",
  "locationKey": "lastpass.com",
  "encrypted": "…",
  "typeName": "webforms.WebForm",
  "location": "https://lastpass.com/index.php?&ac=1&fromwebsite=1&newvault=1&nk=1",
  "uuid": "E095FE4CF398373353407A0DC9296ACF",
  "updatedAt": 1373915388,
  "createdAt": 1373892417,
  "title": "lastpass-fake.com",
  "contentsHash": "242900b6",
  "securityLevel": "SL5",
  "openContents": {
    "autosubmit": "default",
    "usernameHash": "bd8f9f171e9d74041b69299aeef59f05c93d31a5d885b322227e02c458a5ef82",
    "scope": "Regular"
  }
}

Have you spotted the obvious design flaw? You're able to change the 'location' parameter without knowing the encryption key. Furthermore, there's no MAC authentication on the field... so 1Password diligently imports the data with no obvious difference for the user. All you have to do is wait...

... and wait ...

... and next time the user clicks that record (which still appears as 'lastpass.com'; see the title param), it loads a fake site and passes both your username & password in plain text. EEK! I'll email Jeff again to get his comments... and update the article if necessary.
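The tampering described above, and the fix a password manager would want, as an added Python example of mine (not 1Password's code). It models the record shown earlier with a placeholder ciphertext, forges the 'location' field without any key, and shows the two checks that stop the forgery: an HMAC over every plaintext field (keyed with a hypothetical vault MAC key that a real product would derive from the master key, never store beside the vault), and a refusal to fill when the URL's host is not the site named in 'locationKey'. The sample record and MAC key are constructed for the demonstration.

```python
import hashlib
import hmac
import json
from urllib.parse import urlsplit

# Constructed sample modelled on the record shown above; the ciphertext is a placeholder.
SAMPLE_RECORD = {
    "keyID": "C5459C772DD7484CA5BEDF289B3961A0",
    "locationKey": "lastpass.com",
    "encrypted": "<ciphertext placeholder>",
    "typeName": "webforms.WebForm",
    "location": "https://lastpass.com/index.php?&ac=1&fromwebsite=1&newvault=1&nk=1",
    "uuid": "E095FE4CF398373353407A0DC9296ACF",
    "title": "lastpass.com",
}

# Hypothetical vault MAC key for the demo. A real implementation derives it from the
# master key alongside the AES key, so an attacker with the vault file never has it.
MAC_KEY = hashlib.sha256(b"demo-vault-mac-key").digest()


def canonical(record: dict) -> bytes:
    """Serialise every field except the MAC itself in a fixed order, so the MAC
    covers the plaintext metadata (location, locationKey, title...) and not just the blob."""
    body = {k: v for k, v in record.items() if k != "mac"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record: dict, mac_key: bytes) -> dict:
    """Attach an HMAC-SHA256 tag computed over the canonical record."""
    tag = hmac.new(mac_key, canonical(record), hashlib.sha256).hexdigest()
    return {**record, "mac": tag}


def verify(record: dict, mac_key: bytes) -> bool:
    """True only if the record carries a tag that matches its current contents."""
    tag = record.get("mac")
    if not isinstance(tag, str):
        return False
    expected = hmac.new(mac_key, canonical(record), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode("ascii"), tag.encode("utf-8"))


def host_bound_to_site(record: dict) -> bool:
    """Second line of defence: the fill URL must sit on the site the record belongs to."""
    host = (urlsplit(record["location"]).hostname or "").lower()
    site = record["locationKey"].lower()
    return host == site or host.endswith("." + site)


def fill_target_as_found(record: dict) -> str:
    """Behaviour the article describes: the stored URL is trusted as-is."""
    return record["location"]


def fill_target_hardened(record: dict, mac_key: bytes) -> str:
    """Refuse to open-and-fill unless the record is intact and stays on its own site."""
    if not verify(record, mac_key):
        raise ValueError("vault record failed integrity check; refusing to fill")
    if not host_bound_to_site(record):
        raise ValueError("fill URL is not on the record's site; refusing to fill")
    return record["location"]


def tamper(record: dict, new_location: str) -> dict:
    """What an attacker with write access to the keychain file can do without any key."""
    forged = dict(record)
    forged["location"] = new_location
    return forged


if __name__ == "__main__":
    sealed = seal(SAMPLE_RECORD, MAC_KEY)
    forged = tamper(sealed, "https://lastpass-fake.com/index.php")
    print("as found, fills:", fill_target_as_found(forged))
    try:
        fill_target_hardened(forged, MAC_KEY)
    except ValueError as err:
        print("hardened:", err)
```

The host check alone would be beaten by an attacker who rewrites 'locationKey' as well, and the MAC alone does nothing if its key sits in the same file; together, with the MAC key derived from the master password, the forged record is rejected before any credential leaves the vault.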

Mitigating other risks...

You wouldn't dream of giving your bank account details/PIN number to a complete stranger, and yet we're expected to share our personal information online with absolutely no guarantee that it'll be safe. Privacy policies (regardless of eloquence) can only go so far - and they're usually written by legal teams with absolutely no understanding of how the technical architecture works. For many firms, it's more a box-ticking exercise than something they truly abide by.


Unfortunately, cases of poor password management are commonplace... with many companies still storing them in plain text. Take Companies House for example - potentially storing in excess of 30 million passwords in plain text. Incredible.

2020-12-21 15:11:30 • Filed to: Reseller Products • Proven solutions

Let's see if this sequence of events sounds familiar: You use a password manager like LastPass - Forgot LastPass Master Password - Can't access any of your logins - Can't use Internet banking or mobile banking - Confused, upset, and frustrated. Does any of that ring a bell? It should - because if there's anything worse than getting locked out of one online account, it's getting locked out of all your online accounts. Fortunately, if you lost or forgot your LastPass master password, there's a way to recover it right now. And we're going to show you how it's done.


4 Methods to Recover Forgotten LastPass Master Password

There are several ways to recover your master password if you ever forget it. Unfortunately, calling Customer Service isn't on that list. Your master password is only available to you and can't be seen or even reset by anyone inside LogMeIn, the company behind LastPass. So you will need to try one of the methods shown below, depending on your exact situation. To make it easier, we've grouped them by situation:

Method 1: One Time Password for Recovery

Prerequisites: you have the LastPass browser extension enabled and have used it to sign in at least once. Recovery works per device and browser, so you only receive the email with the recovery one-time password when you use the same device and browser combination you last signed in with. Here are the steps involved:

  1. Go to the LastPass recovery page and input the email ID you use for the service.
  2. Assuming that the security email option is enabled, you will receive a recovery link to that email address.
  3. Open the email and follow the recovery link. You'll see instructions on how to reset your password. Just follow them to create a new password, and further authenticate it if you have MFA set up.
  4. When you get a confirmation message saying the password reset was successful, you can log out and log in again with the new password.

Note: It's always advisable to set a password hint when you set a fresh password. If you've already done that, then there's another way to get into your locked LastPass account.

Method 2: Password Hint

Not many people pay heed to the humble password hint because most of us don't think that we'll ever forget our passwords. Unfortunately, that's what got you into trouble in the first place, right? If you already have one, just follow these steps:

  1. Go to the 'forgot LastPass Master Password' page.
  2. Put your email address in the box provided and hit 'Send Hint'.
  3. Check your email inbox, look at the password hint and, if it makes you remember the password, use that to log in.

Method 3: Mobile Account Recovery for LastPass Master Password

What if you didn't set a password hint, or it doesn't help you remember the actual password? Well, we hope you have your Android/iOS smartphone or tablet set up in a way that lets you use biometric authentication for LastPass. If you have this option, there's nothing easier than authenticating yourself and changing your password as soon as you're in.

As you can see, this particular method will only help if the set up was done prior to you forgetting the master password. If you haven't enabled a recovery email or SMS and you haven't set a password hint, don't give up just yet. There's still one more option.

Method 4: Time-machine it Back to the Previous Master Password


You need a little luck here because the window to do this is only 30 days. However, if you've changed your password within that time, you can have it revert back to the previous one and use that to access LastPass.

  1. Go to the page for reverting your password.
  2. Enter your security email. Don't worry if you haven't set one up - you'll just get an email to the registered email account.
  3. Make sure that you click the email link within 2 hours or it will expire - for your own security, of course. Check the Spam folder, as indicated in the image above.
  4. In the browser tab that opens, you'll see a link. Click on it and then confirm again when prompted.

Your Master Password is now once again the one you had before you changed it, so you can securely login with that. Unfortunately, if all else fails, your only option is to trash that account and set up a new one. But that also means entering all your credentials from scratch, which nobody wants to do.

The Best LastPass Replacement - 1Password

LastPass is a popular password manager utility, there's no doubt about that. However, if you haven't set up any of the security prerequisites, then you're pretty much out of luck. The only option you're left with is to open a new account and recreate everything from the ground up. On the other hand, 1Password, which is an equally robust password manager with cross-platform functionality, allows you to recover your account in creative ways, such as by using a family member's login or even using the biometric login option on your iOS device.

1Password also offers a whole range of security conveniences, such as:

  • easy management of your vaults,
  • the ability to leverage new authentication methods,
  • the freedom to migrate your credentials to practically any other device,
  • a browser extension for a more intuitive experience, and
  • easier recovery methods for your lost master password.

Why is 1Password Better Than LastPass?

For the most part, both password managers work in pretty much the same way, by letting you use a single master password to access all your logins and credentials and save everything in highly protected data vaults. That's why both are market leaders in this space. However, 1Password does have the following advantages:

  1. Each platform has a ported version that can be used offline as a standalone password manager for your local vaults on that particular device.
  2. Using multiple accounts on the same site is easier with 1Password because one click on the extension icon and you'll see them listed in front of you. Just click on that one to auto-fill. With LastPass, it attempts to automatically auto-fill, which could lead you to access the wrong account.
  3. 1Password X acts as a standalone replacement for Chrome's or Firefox's own password managers and offers a great entry point for future users of the core 1Password product. The best part is that you don't need the desktop version in order to be able to use this.
  4. LastPass merely gives you a look at your security profile but 1Password takes it to a whole new level by categorizing risky logins and helping you take direct action to make them stronger.
  5. LastPass force-changes your old passwords periodically, but 1Password is more flexible because it gives you the option to change or retain the existing password.

If you're still not convinced, why not try 1Password for a spell and see how you like it. You're bound to be impressed by the UI design and generous feature list, and it comes at an affordable price of as little as $36 for a yearly commitment, which is just $3 a month.
