1Password's security concern on Windows: master password stored in readable plaintext on my local PC


According to this article:

https://www.techradar.com/news/major-security-issues-found-in-popular-password-managers
"Bearing that in mind, ISE evaluated 1Password, Dashlane, KeePass and LastPass on Windows 10, and found that in some cases, the master password for the app was kept in the system memory in a plaintext readable format."

Could someone from the team address this?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • mbentkower
    Community Member

    Headed off to Dashlane immediately if this is not addressed. This is horrifying, and the fact that AgileBits is aware of the problem and doing nothing is a major breach of trust and ethics. https://www.washingtonpost.com/technology/2019/02/19/password-managers-have-security-flaw-you-should-still-use-one/?fbclid=IwAR0mlMAqyF-qomqKh03ngjBf47V27xJFhOoLCTn838z-9Oeqoltvp9HpVLY&utm_term=.820af866a334

  • tlanders
    Community Member

    I'm very concerned about this as well. 1Password 7 has some serious security flaws. My account renews in April 2019. Will these flaws be fixed before then?

    Here's the source study...
    https://www.securityevaluators.com/casestudies/password-manager-hacking/

  • zevlag
    Community Member

    I also came here to look for information about this report. I'm very curious to see how 1Password responds to this.

    I'd also like to know how memory management is handled on macOS, and if this problem exists there.

    https://www.securityevaluators.com/casestudies/password-manager-hacking/

  • Thrawn01
    Community Member

    Ditto, interested to see how AgileBits responds.

  • kegobeer
    Community Member
    edited February 2019

    There is already an existing thread about this, with an official response.

    https://discussions.agilebits.com/discussion/101560/secure-memory-management-in-1password-7-for-windows

  • swatson
    Community Member

    @kegobeer Could you please post the link. Thanks.

  • kegobeer
    Community Member

    I edited my previous post and added the link.

  • swatson
    Community Member

    @kegobeer Thank you. Interesting. Does the Mac have the same issues?

  • kegobeer
    Community Member

    I don't know, as the article only mentions Windows 10.

  • MikeT
    edited February 2019

    Hi guys,

    Please read our replies here on this situation: https://discussions.agilebits.com/discussion/comment/493079/#Comment_493079

    If you have more questions, please reply to that thread; this will allow us to answer everyone's related questions in the same place.

    This is not a new security flaw, but it explains the inherent issues with OS memory isolation: once someone has compromised your system, they can read anything in your memory, including 1Password's memory and that of the other password managers they tested. We've explained in more detail what's going on in the above thread, and yes, it generally applies to all platforms; a system compromise gives them access to all of the system's memory content.

    We are working on something that will help, but again, a system compromise will easily undo any protections we add. The best way to protect yourself against this is the same security practices as before: keep your OS up to date, keep your anti-malware solutions updated, lock down your computer when you're not using it, and don't install any programs you're not familiar with.

  • fritzophrenic
    Community Member
    edited February 2019

    "lock down your computer when you're not using it"

    Ah yes, so I just click the "lock" button in the 1Password app, and...

    ...darn.

    I've read the other thread now, and really appreciate the detailed response, and I now understand a lot of the trade-offs that led to this situation, but I assume you can see the problem? I've been following exactly this advice, assuming I was protected from this sort of thing, not realizing I was making any sort of trade-off because the UI makes "lock" seem equally secure as "never opened in the first place".

    I still love 1Password and plan to continue using it, but I'm feeling misled by the UI, and that stings a little. :(

  • Ben

    @fritzophrenic

    I think that is perhaps a reasonable point. Do you have a suggestion as to how we could better convey this in the UI? As for the quote... Mike was actually referring to locking the computer itself, though, not (just) 1Password.

    Ben

  • fritzophrenic
    Community Member
    edited February 2019

    @Ben

    I'm not sure about a good UI for that. Random brainstorms:

    • a semi-transparent overlay/blur over the vault entries instead of a completely opaque "vault door"
    • leave a key inserted into the lock image
    • a prominent "exit to fully lock" button

    Or maybe even a "locking vault exits 1Password" setting.

    Actually, I find myself wondering if there's a way to just re-start the app process (thereby clearing the memory) rather than doing whatever the lock button currently does. But that seems way too obvious of a solution to actually work.

  • Hi @fritzophrenic,

    "Actually, I find myself wondering if there's a way to just re-start the app process (thereby clearing the memory) rather than doing whatever the lock button currently does. But that seems way too obvious of a solution to actually work."

    Yes, this will help as well. The problem is that the current 1Password app runs in a managed runtime and has to wait for its garbage collector to come in and clean the memory, even if you terminate the process. However, this will be much faster and cleaner when we finish our move to Rust in our codebase; we just need more time to finish the work.
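
The two staff replies above describe the underlying mechanism: in a garbage-collected runtime the master password stays in the process heap until the collector happens to reclaim it, so "locking" the app does not remove it from memory, whereas a language with deterministic destruction can scrub the buffer at the moment the vault is locked. The following is an added illustration written for this page, not 1Password's code; `UnlockedVault`, `zeroize` and the `SCRUBBED` counter are hypothetical names, and the counter exists only so a caller can observe that the scrub ran when the value went out of scope.

```rust
use std::ptr;
use std::sync::atomic::{compiler_fence, AtomicUsize, Ordering};

/// Number of secret buffers scrubbed so far. Lets a caller (or a test)
/// confirm that the scrub ran the moment the vault was locked.
pub static SCRUBBED: AtomicUsize = AtomicUsize::new(0);

/// Overwrite `buf` with zeros using volatile writes, so the compiler cannot
/// treat a store into memory that is about to be freed as dead and drop it
/// (the classic way a plain memset-before-free gets optimised away).
pub fn zeroize(buf: &mut [u8]) {
    for b in buf.iter_mut() {
        // SAFETY: `b` is a valid, exclusively borrowed byte inside `buf`.
        unsafe { ptr::write_volatile(b, 0) };
    }
    // Keep later memory operations from being reordered before the scrub.
    compiler_fence(Ordering::SeqCst);
}

/// Unlocked state: holds the master password only while the vault is open.
pub struct UnlockedVault {
    master_password: Vec<u8>,
}

impl UnlockedVault {
    /// Copy the password into a heap buffer we own and will scrub ourselves.
    /// (The caller's original `&str` is a separate copy and is their concern.)
    pub fn unlock(master_password: &str) -> Self {
        UnlockedVault { master_password: master_password.as_bytes().to_vec() }
    }

    /// Bytes currently resident, to show that the secret really is held.
    pub fn secret_len(&self) -> usize {
        self.master_password.len()
    }

    /// Locking consumes the value, so `Drop` runs right here, synchronously,
    /// rather than whenever a garbage collector next visits the allocation.
    pub fn lock(self) {
        drop(self);
    }
}

impl Drop for UnlockedVault {
    fn drop(&mut self) {
        // Scrub first, then let Vec free the (now all-zero) allocation.
        zeroize(&mut self.master_password);
        SCRUBBED.fetch_add(1, Ordering::SeqCst);
    }
}
```

The same approach does nothing against an attacker who already reads the process memory while the vault is unlocked, which is the point the 1Password reply makes; it only shortens the window during which the secret is resident.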

This discussion has been closed.