When a password manager becomes a liability

This is a very unfortunate scenario, but I think it’s important to point out that hackers gained complete access to the affected machine through the malware that was downloaded. They had that access for months. It’s the worst case scenario from a security standpoint.

Which password manager (or other security software) the victim uses is moot once an attacker gains admin access to the device. At that point, there is no practical defense. Among other things, they could capture all keystrokes, which includes the user typing in the password to unlock a password manager, or the system password, which could then be used to disable biometrics or re-configure any other settings.

The purpose of any security software is to help prevent this level of access from being obtained in the first place. Having and using an anti-virus or other malware scanning tool may have detected the malware upon initial download (though they too aren’t foolproof), but a password manager doesn’t play a role in defending you against downloaded malware. It’s there to protect your credentials, and to help you avoid phishing and other social engineering attacks related to stealing those credentials.

In other words, password managers protect against a different kind of threat than the one implicated in this attack. A seat belt can’t protect you when the car is on fire, but that doesn’t mean it isn’t important.

I’ll share a relevant blog post we published some time ago that explains this in more detail:

So what can we learn from this?

Wayne is right. The issue was the malware compromising the whole computer, so avoiding situations where you might inadvertently download malicious software is the real lesson here. The take-away isn’t that password managers aren’t a good idea, it’s that they’re only part of what it takes to stay secure online.

I’ll add my usual disclaimer: I work at 1Password, but I’m not posting on the company’s behalf. This isn’t an attempt to blame the victim or defend 1Password, just a technical clarification about the underlying compromise that made this attack possible.

13 Likes

My mom had all her passwords written in a black book. All were variations on the same theme. I finally switched her over to Apple Passwords where we share the password group so I can help manage. This was a big lift as many of you’ve probably experienced. Now she’s not going to GitHub or other shady sites to download software, however…

…just today she got a text which thank goodness she didn’t click on but sent to me instead. It’s only a matter of time until we click on something that installs malware.

I thought that Apple Passwords requires biometric authentication with Stolen Device Protection if you’re not at home. It’s not 2FA, but at least it’s something the hackers don’t have. So presumably a key logger would still need your face?

EDIT: I get that it doesn’t protect against downloading malware, but it seemed like in that story the hacker was able to use the key logger to get into 1password and then wrought havoc. When I’ve tried to use a code to get into passwords when not at home, it didn’t work for me. (At least that’s how I remember it).

Kudos to your mum for being willing to adopt a new approach, and to you for facilitating it—I know how hard that is! The fact that she knew to check with you before interacting with a message like this is also a fantastic sign. That’s the kind of core security literacy that we’d ideally want all our loved ones to have.

I thought that Apple Passwords requires biometric authentication with Stolen Device Protection if you’re not at home.

That’s my understanding as well, yes. And I believe you can also configure it to require that authentication even in familiar locations.

But the reason this kind of malware compromise is so severe is that the attacker doesn’t actually need to unlock your password manager themselves. They can just wait for you to do it, through any method, and then siphon out whatever information they want once it’s unlocked and unencrypted. Or capture the screen to see what you see. Or any number of deeper forensic techniques.

Now, at least on the 1Password side, we’ve taken steps to minimize the amount of harm that can occur even in scenarios where an attacker has the same access privileges as the original user (as described in the blog post I linked to above). But in cases like this where the attacker has full administrative access, all bets are off.

1 Like

It does:

But just about everywhere I go on a regular basis is a Significant Location:

Significant Locations is an option within Location Services: Settings > Privacy & Security > Location Services > System Services > Significant Locations.

Hmm… a FRIEND has their 2FAs in 1Password. Any favorite authenticator apps to switch that stuff to?

1 Like

I used to use the Google Authenticator. Here’s info from the NYT:

Make sure you(r friend) run(s) the 2FA app (only) on another device.

2 Likes

So is the only way to get a keyboard logger to actually download and install something? Or can you just click on a wayward link (like that tollway one that’s going around) or go to some wayward website (e.g., “See what these 80’s stars look like now!”, gambling, porn, pirated software, etc.)?

I’ve always been a bit nervous about the ‘Starter Kit’ 1PW created when I first signed up with them. It has my email, password, account name, and secret key. Has anyone deleted this entry that’s automatically created?

2 Likes

I also wonder if using 3rd party keyboards that rely on their own firmware (like Logitech) could also be a vulnerable point of entry for malicious key logging code.

1 Like

It’s one of the more common ways, but who knows? New vulnerabilities are constantly being discovered.

All I can do is stay cautious and keep my devices patched.

1 Like

I have to use both MS Authenticator and Google Authenticator for my jobs - how do folks think of this compared to say… Duo or Authy?

Once a computer has been compromised to the level of granting access to a wireless keyboard firmware, the attacker might as well install a regular key logger. So yes, it’s an attack surface too but not the main concern here.

1 Like

Maybe not…

It is a misconception that infection only happens when visitors begin clicking on a malvertisement. “Examples of pre-click malware include being embedded in main scripts of the page or drive-by-downloads. Malware can also auto-run, as in the case of auto redirects, where the user is automatically taken to a different site (without user interaction, such as clicking on them), which could be malicious.”

Most password managers require 2FA for initial login on an untrusted device but rely on a username and password for unlocking during daily use. Logging out (not locking) after each session would force 2FA upon every login, but most users won’t do that due to convenience.

Security is always a trade-off between convenience and protection. Understanding attack vectors and assessing your risk profile is key to making informed decisions.

It appears the victim used 1Password for password storage and 2FA (TOTP). This all-eggs-in-one-basket approach isn’t inherently bad. It adds a layer of protection and is very convenient. For example, if my credentials for a breached website were leaked, an attacker would still need my TOTP from 1Password, which they wouldn’t have. I do this on websites like MPU because I want 2FA for added protection, I like 1Password to autofill it for me vs getting another device out, and it’s low-impact/risk to me if my account was compromised.

I DO NOT do this for high-risk accounts (bank/email/identity providers). The attacker would not have gained access even having my entire 1Password vault (there’s a BUT here I’ll explain below) if the victim had used another authenticator app or hardware device like a Yubikey.

BUT, the attacker had 5 months of access to the machine. Even though I use a Yubikey for my email, if I trust my device, which is now unknowingly compromised, then when I log in or open Apple Mail, they have access to my mail. Given the time to poke at things from the inside, more and more access could be opened up to the point they have complete control of the device and potentially things within your entire network.

I don’t recall seeing what OS the victim was on, but there are endpoint protection tools (virus/malware scanners) that look for signatures of known malware to mitigate issues like this. MacOS has some of that built-in, but you can always run additional tools if you’re concerned about this risk. In my day job, we have EDR (endpoint detection and response) tools that will go as far as removing machines from our domain and shutting them down if a bad actor is detected. Not 100%, but it’s another layer of protection.

Some of this can be avoided by not downloading and installing things from unknown sources. I know that’s hard with open source but look at the repository. Is it popular (stars/forks)? Are there numerous contributors, etc? Has it been around for a while? Is it spelled correctly? For example, attackers would clone a popular library like Requests, inject nefarious code, and name it Request. The library still functions like the original, but with some extra sauce that you didn’t want.

If you like playing with open source tools and are worried about risk, set up a sandboxed environment. It could be a simple user account with limited permissions. When Deepseek came out, I wanted to run it locally, but I didn’t trust it. I spun up a Docker container on an isolated network with a firewall rule blocking all outbound traffic and not allowing write access to anything.

2 Likes
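The point above about storing TOTP secrets in the same vault as the passwords is worth seeing concretely: a TOTP “second factor” is nothing more than an HMAC over the current 30-second counter, so whoever holds the seed can produce valid codes with no phone in hand. The following is an added example written for this thread (not code from any poster or from 1Password) implementing RFC 4226 HOTP and RFC 6238 TOTP in the Python standard library, plus the server-side verification step with a drift window. The only secret used is the published RFC test secret `12345678901234567890`, so the printed values match the RFC’s own test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC the 8-byte big-endian
    counter, dynamically truncate to 31 bits, keep the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the number of `step`-second
    periods since the Unix epoch. Anyone holding `secret` plus a clock can
    compute the current code, which is why a seed copied out of a vault is as
    good as the authenticator app itself."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // step, digits)


def totp_from_base32(b32_secret: str, at: Optional[int] = None) -> str:
    """otpauth:// URIs (what the enrollment QR code encodes, and what a password
    manager stores) carry the seed as unpadded base32; restore padding first."""
    s = b32_secret.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return totp(base64.b32decode(s), at)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1, step: int = 30) -> bool:
    """Server-side check tolerating +/- `window` steps of clock drift, using a
    constant-time comparison so the check itself leaks nothing about the code."""
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, at // step + delta), code):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 reference seed (ASCII "12345678901234567890"), not a real account.
    rfc_secret = b"12345678901234567890"
    print(totp(rfc_secret, at=59))                                  # 287082
    # Same seed in the base32 form an otpauth:// URI or a vault entry would hold.
    print(totp_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", at=59))  # 287082
    print(verify_totp(rfc_secret, "287082", at=59))                 # True
```

The defensive takeaway is the one the post already makes: for high-value accounts, keep the seed on a device the vault’s host cannot read, or use a hardware authenticator whose private key never leaves it, because a keylogger that captures the vault password captures every seed inside it.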
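The “is it spelled correctly?” check in the post above (the Requests vs. Request example) can be automated before anything is installed. The following is an added example for this thread, not code from any poster: it normalises a candidate package name the way PyPI does (case-insensitive; `-`, `_` and `.` are equivalent) and flags names within a small edit distance of an allow-list the reader maintains. The `TRUSTED` set and the threshold of two edits are constructed for the example; in practice you would populate the set from your own lockfile.

```python
import re
from typing import Optional, Set, Tuple

# Constructed allow-list of dependencies the reader actually intends to use.
TRUSTED: Set[str] = {"requests", "urllib3", "numpy", "pandas", "cryptography", "flask", "django"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance with unit-cost insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def normalise(name: str) -> str:
    """PEP 503 name normalisation, so 'Requests', 'requests' and 'REQUESTS'
    (or 'scikit_learn' vs 'scikit-learn') compare as the same name."""
    return re.sub(r"[-_.]+", "-", name).lower()


def classify(name: str, trusted: Set[str] = TRUSTED, max_distance: int = 2) -> Tuple[str, Optional[str], int]:
    """Return (verdict, nearest_trusted_name, distance).

    'trusted'   : exact match after normalisation.
    'lookalike' : within `max_distance` edits of a trusted name; the classic
                  typosquat shape (dropped letter, swapped letters, added digit).
    'unknown'   : not close to anything on the list; review it like any new dependency.
    """
    n = normalise(name)
    if n in trusted:
        return ("trusted", n, 0)
    dist, nearest = min((levenshtein(n, t), t) for t in trusted)
    if dist <= max_distance:
        return ("lookalike", nearest, dist)
    return ("unknown", None, dist)


if __name__ == "__main__":
    for candidate in ["Requests", "request", "reqeusts", "urlib3", "boto3"]:
        verdict, nearest, dist = classify(candidate)
        note = f" (looks like {nearest!r}, {dist} edit(s) away)" if verdict == "lookalike" else ""
        print(f"{candidate:10} -> {verdict}{note}")
```

A lookalike verdict is a prompt to stop and look at the repository the way the post describes (stars, forks, contributors, age), not proof of malice; plenty of legitimate forks have near-identical names, which is exactly what makes the attack work.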

Sadly, some of the largest banks in the US still use SMS for 2FA, and at least one credit union doesn’t use 2FA at all.

And those that do offer 2FA are likely to fall back to SMS if nothing else is working. I’ve often wondered if it is because Apple and Android don’t share a single encrypted protocol?

Right now I log into some accounts with username & password, or password and SMS. Passkeys, passkeys plus TOTP. Or prompts via a specific app or email client on my iPhone. (I think that’s everything).

And 20 minutes ago, my ISP’s app allowed me to “auto connect” via one of their hotspots. No need to log in. :scream:

I have to use Duo for work. It seems to do the job, but every time I log into a university (my employer) website on a separate device within a 24-hour period, I have to confirm with Duo. So if I use a Mac at home, a Mac at work, grab an iPad, open something on my phone…I’m confirming with Duo again and again. But it does have an Apple Watch app, so frankly that’s usually just tapping my watch.

I also don’t like the SMS 2FA approach. I can never figure out if it’s going to work when I’m abroad, especially as I typically use eSIMs when traveling, rather than pay the expensive fees Verizon wants to charge me.

1 Like

Neither do I. I now use apps to handle 95% of my financial transactions. I’ve only traveled to Canada and Mexico and not had any problems so far.

I know iPhones have been breached by hackers, but still think they are more secure than Macs and PCs.

Ugh, I know. Our local credit union only offers SMS for 2FA. I don’t mind SMS being an easy/convenient option as a baseline, but I want to choose more secure options. It is better than a password/username only, but SMS can be compromised through various means, and you’re also reliant on the cellular network, delays in delivery, and device theft.

1 Like