Protect 1Password Database
Restrict 1Password database files to AgileBits-signed processes, blocking infostealers from enumerating or copying your stored credentials and vaults.
Idea
Keeping your passwords in a password manager like 1Password is a good move for security. 1Password encrypts your password database with your "account password," but we can go one step further and use a file access rule to stop other applications from reading the database files at all. This offers further protection in case the encryption is broken or your account password is compromised, and it also stops other apps from discovering which logins are stored, since that metadata is generally not encrypted.
The following rule protects the path prefixes under which 1Password keeps its data and specifies which processes may access them. For simplicity we allow every process signed with AgileBits' Team ID, but a few system processes also need access for normal operation (for example, iCloud sync).
Solutions
- Path Prefixes
  - •
  - •
  - •
- Options
  - Allow Read Access:
  - Audit Only:
  - Rule Type:
- Processes
  - • Signing ID:
  - • Signing ID:
  - • Signing ID:
  - •
- Custom Message
MITRE ATT&CK
Tags
Deployment Notes
This rule locks down 1Password's database files so only 1Password and required system processes can access them. This prevents infostealers from discovering which credentials you have stored, even if they can't decrypt them.
The rule allows processes signed by AgileBits' team ID (2BUA8C4S2C) and a few system processes required for iCloud sync.
False Positive Guidance
1Password and the required system processes are the only legitimate accessors. If you use the 1Password CLI or other 1Password tools, confirm they are signed with the AgileBits Team ID (2BUA8C4S2C) before trusting them to the rule; codesign -dv --verbose=4 /path/to/binary prints a TeamIdentifier line you can check. A browser extension runs inside the browser process, which is signed by the browser vendor rather than AgileBits, so this rule cannot match it; if the extension stops working, check whether the blocked process is the browser rather than a 1Password component and investigate before widening the rule.
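The following is an added example, not the rule engine's own code or AgileBits' code, that models the rule described in the Idea section and the Team ID check from the False Positive Guidance: a set of protected path prefixes, an allow-list of Team IDs and Signing IDs, an audit-only mode, and a small parser for the TeamIdentifier and Identifier lines that codesign prints. The protected paths, the system process Signing ID and the codesign output are constructed for the example; only the AgileBits Team ID (2BUA8C4S2C) comes from this page.

```python
import os
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Signer:
    """Code-signing identity of a process, as reported by `codesign -dvvv`."""
    identifier: Optional[str]  # Signing ID (the bundle / Mach-O identifier)
    team_id: Optional[str]     # Team ID; None for ad-hoc or unsigned code


@dataclass(frozen=True)
class FileAccessRule:
    """Path-prefix rule: only allow-listed signers may read the protected paths."""
    path_prefixes: tuple
    allowed_team_ids: frozenset
    allowed_signing_ids: frozenset
    audit_only: bool = False

    def covers(self, path: str) -> bool:
        """True if `path` is under one of the protected prefixes.

        The path is normalised first so `../` cannot escape a prefix, and a
        prefix only matches on a component boundary, so protecting `.../Vault`
        does not silently cover `.../Vault-backup`.
        """
        norm = os.path.normpath(path)
        for prefix in self.path_prefixes:
            p = os.path.normpath(prefix)
            if norm == p or norm.startswith(p + os.sep):
                return True
        return False

    def evaluate(self, path: str, signer: Signer) -> str:
        """Return 'allow', 'deny' or 'audit' for one access attempt."""
        if not self.covers(path):
            return "allow"  # the rule does not apply to this file
        if signer.team_id in self.allowed_team_ids:
            return "allow"  # any process signed with the allowed Team ID
        if signer.identifier in self.allowed_signing_ids:
            return "allow"  # a specific system process needed for sync
        return "audit" if self.audit_only else "deny"


def parse_codesign(text: str) -> Signer:
    """Pull Identifier and TeamIdentifier out of `codesign -dvvv` output.

    codesign prints `TeamIdentifier=not set` for ad-hoc signatures; that is
    mapped to None so it can never satisfy a Team ID allow-list.
    """
    identifier = team = None
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "Identifier":
            identifier = value.strip()
        elif key == "TeamIdentifier":
            team = None if value.strip() == "not set" else value.strip()
    return Signer(identifier, team)


# Hypothetical protected prefixes and system Signing ID (the page's real values
# are not reproduced); 2BUA8C4S2C is the AgileBits Team ID from the rule.
RULE = FileAccessRule(
    path_prefixes=(
        "/Users/alice/Library/Group Containers/2BUA8C4S2C.example",
        "/Users/alice/Library/Application Support/ExampleVault",
    ),
    allowed_team_ids=frozenset({"2BUA8C4S2C"}),
    allowed_signing_ids=frozenset({"com.apple.example.syncd"}),
)
AUDIT_RULE = replace(RULE, audit_only=True)  # same rule, logging instead of blocking

# Constructed `codesign -dvvv` output for a 1Password binary and an ad-hoc
# signed infostealer; identifiers are illustrative.
ONEPASSWORD_CODESIGN = """\
Executable=/Applications/1Password.app/Contents/MacOS/1Password
Identifier=com.example.1password
Format=app bundle with Mach-O universal (x86_64 arm64)
TeamIdentifier=2BUA8C4S2C
"""
STEALER_CODESIGN = """\
Executable=/tmp/.cache/update
Identifier=update-5555494a7d1b3f2a
Format=Mach-O thin (arm64)
TeamIdentifier=not set
"""

VAULT = "/Users/alice/Library/Group Containers/2BUA8C4S2C.example/db.sqlite"


def demo() -> dict:
    """Evaluate a few access attempts and return case -> verdict."""
    app = parse_codesign(ONEPASSWORD_CODESIGN)
    stealer = parse_codesign(STEALER_CODESIGN)
    base = "/Users/alice/Library/Group Containers"
    return {
        "app reads vault": RULE.evaluate(VAULT, app),
        "stealer reads vault": RULE.evaluate(VAULT, stealer),
        "stealer via ../": RULE.evaluate(f"{base}/other/../2BUA8C4S2C.example/db.sqlite", stealer),
        "stealer reads sibling dir": RULE.evaluate(f"{base}/2BUA8C4S2C.example-backup/db.sqlite", stealer),
        "stealer, audit only": AUDIT_RULE.evaluate(VAULT, stealer),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The "sibling dir" case is the one to watch when writing real prefixes: a prefix match that is not anchored on a path component boundary would either over-block neighbouring directories or, worse, let an attacker pick a name that sorts past the protected one. Run the rule in audit-only mode first and review which Signing IDs show up before switching it to deny.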