Study find, that 1P 7 holds Database, Master password and secret key in cache even after locking

Damnatus

Hi folks from 1password!

Today I read about a study, that has looked at Password Managers. For 1password they found, that after unlocking the RAM holds Master password, secret key and the database cached, even if the vault is locked again.

I know there is something about trusting programs, compromised PC and probably restricted access to RAM (last is not given by claims of the study).

Nevertheless, I thought that locking the vault clears RAM and also that 1Password only decrypts the Password in use and not the whole vault when used with the 1Password sync service.
It would be nice, if at least the cache is deleted when locking.

https://www.securityevaluators.com/casestudies/password-manager-hacking/

Damnatus

Ok, I found this: https://discussions.agilebits.com/discussion/comment/493044/#Comment_493044

bundtkate

Glad you found that link on your own, @Damnatus! Indeed, that's where the best info on this issue is. Both our engineering team and our chief of security have commented there. Because this is something that has generated a lot of discussion, I'm going to go ahead and close this thread, but please feel free post any questions you might have in the thread you linked there. The folks best equipped to answer you are monitoring there, so it's the best way to get good replies to your concerns. :+1: