How worried should I be about using 1Password on a work computer?

BesieDai
edited April 23 in Lounge

Say I'm using a company-owned computer terminal at work with no access to my own devices... phone and laptop not around, but I want to sign in to a couple websites. If there's a chance that the company is keylogging or screen recording (and asking them straight up or expecting transparency is a moot point; let's just assume that they are), how worried should I be about potentially exposing my 1Password login and secret key?

At first I thought I'd use the Windows on-screen keyboard, but if I don't know their capabilities for watching screens then that seems just as risky as using the keyboard. But let's say I ignore the risk of them capturing my one password, how vulnerable then is the rest of my 1password account with the copying-and-pasting of specific passwords or revealing them on-screen?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Windows 7
Sync Type: Not Provided

Comments

  • brentybrenty

    Team Member

    @BesieDai: It's a really good question. I won't be able to give you a satisfying answer because it really depends on you and on your workplace, but I'll try to give you some things to consider. :)

    First, it's important to note that any machine you use that someone else controls should be treated as "hostile". It sounds like you're already thinking that way, and that's good. I just want to say that upfront for anyone reading.

    You're right that the "owner" (whether someone who administrates the machine or someone who controls it, even illegitimately through the use of malware) could do a lot of things to collect information you access, using a key logger, screen capture, or accessing memory directly (1Password must decrypt data in order for you to use it, as, for example, an encrypted password will not be accepted by a website!). So while we can't recommend accessing any sensitive information at all in that situation, if you deem that it is necessary for you to do so, and you accept the risk, your goal should be to minimize exposure.

    The last thing you should do is sign into your 1Password account or set up the app with your vaults on an unknown/untrusted machine, as that could potentially lead to someone malicious capturing all of your 1Password data -- in fact, we should just assume that will happen, not because it necessarily will, but because that will help us be more careful. From best to worst protection, here's what you can do:

    1. Don't access anything sensitive on the machine -- that means you don't use it to even sign into a website, much less access your 1Password vault
    2. Only access certain sites on that machine, not 1Password -- use 1Password on a personal device, like a smart phone, to get the password to sign into specific sites, and then change those passwords later to prevent them from being used to log in as you after the fact
    3. Have a separate account/vault that you use expressly for work -- the company could pay for this, perhaps as part of 1Password Business, or you could manage it yourself as a business expense; that way your personal stuff is always safe, and only stuff that's work-related anyway would be exposed on the work machine: some people use a guest account in 1Password Families to have a single vault/account that is separate from everything else which they can use exclusively for work
    4. Use your personal 1Password account/vault on the work computer, and change all of your passwords -- seriously, don't do this: not only is it a terrible idea security-wise, but it puts a tremendous burden on you to continually churn passwords in order to ensure that your accounts aren't exposed on an ongoing basis

    Especially on those last two points, if it's required of you to access systems for work in such a way that it puts your security at risk, I'd argue that it's incumbent on the company to help mitigate those risks. A separate work 1Password membership is probably not a big ask compared to "buy me my own computer for work that no one else controls". Something to consider.

    Anyway, I hope this helps. Be sure to let me know if you have any other questions! :)

  • @brenty Those are great suggestions, thanks! I wouldn't have thought of website passwords as something that could be used once at work and changed when I get home, before I got 1Password. It's practically effortless, and avoids ever using 1P on someone else's computer.

  • brenty

    Team Member
    edited April 26

    Glad to be able to help! Indeed, if you treat them as "disposable", that helps mitigate some of the risk (though there is still going to be a window of opportunity before you change it), and 1Password (on a device you control) can help you manage that. Cheers! :)

  • This was exactly the question I had, and this response was SO helpful! Can I ask an additional question and get your thoughts on this?

    I have made the mistake of using 1Password on my university-owned MacBook Pro, which lives with me but is a managed computer. I'm going to change my ways on that, asap, thanks to your suggestions above. But another issue is that I do all of my work on Apple devices: I try to use my own Macbook Air for personal stuff and the work MacBook for work, but I use one Apple userid across these machines, because I sync Notes, Calendars, Keynote, and Safari in the cloud. (I also have 1Password syncing via iCloud, fwiw, so my employers could well have that, too.) I use my own VPN at home and DuckDuckGo for surfing, but those seem like minor protections, given these larger issues.

    What do you suggest for Apple users with an Apple userid, a 1Password account, a managed Mac, a personal Mac, a personal iPhone, and a personal iPad (which does get used for work, constantly)? Is there anything I can do??

  • Ben, AWS Team

    Team Member

    As far as 1Password goes... you could use a 1Password membership to sync instead of iCloud:

    About 1Password membership

    I'm not sure we'd be in a position to make a recommendation more broadly. :)

    Ben

  • Oh, maybe I’m already doing that now. I just upgraded from 1Password 6 to 7, and I opted for the annual membership this time instead of a license. I’d forgotten or didn’t realize that meant I was syncing a different way. So that membership is web-based, right? And does that mean that machines where I need passwords from 1P don’t necessarily need to be running 1P7 or 1P-mini for me to access them? I can just log into my 1P account online? (I’ve been using that license and syncing via iCloud for so long I forgot upgrading might change things.)

  • Ok, I’ve read the page you linked to; thanks. One more question (and I’ll start a new thread if I have more than this): in the following text —

    “1Password X works on Linux, Chrome OS, Mac, and Windows. It’s available for Chrome and Firefox.”

    — does “Mac” imply Safari? Or does this just work on Chrome and Firefox browsers?

    Thanks.

  • Ben, AWS Team

    Team Member

    @jenniferbga

    I'd recommend checking if you still have a vault called "Primary" -- if you do then you may still have (some) data syncing with iCloud. If you do not, then you should be all set and entirely membership based at this point.

    So that membership is web-based, right?

    It does have a web interface component: https://my.1password.com/
    When signing up you should've printed an Emergency Kit which would contain all of the info needed to sign in:

    Get to know your Emergency Kit

    And does that mean that machines where I need passwords from 1P don’t necessarily need to be running 1P7 or 1P-mini for me to access them? I can just log into my 1P account online?

    It is true, you could. I would still strongly recommend against accessing any of your 1Password data or other accounts from any machines you can't trust (e.g. public computers). Just because you can doesn't mean you should. ;) But yes, if installing the app is a hassle or for some reason not possible the web interface can be a way to grab a password.

    (I’ve been using that license and syncing via iCloud for so long I forgot upgrading might change things.)

    Hopefully upgrading changed a few things for the better. :)

    Ben

  • OMG this whole conversation has been so helpful. I did upgrade and do the emergency kit, etc., but I was still running 1P7 on my iPad somehow with the Primary vault only, so now I’ve got that upgraded too. And yes, you’re right, of course I don’t want to log in online on my work Macs, duh! Momentary brain freeze. So I’ve deleted the app from my work Mac and changed my master password and I always have my phone w/ me so I won’t have to use 1P on the work machines at all. (And fwiw I disconnected my Apple ID from my work apps and personal devices because I lost sleep worrying about that.) I feel so much better. Thanks as always for the excellent advice, not to mention a stellar product.

  • Ben, AWS Team

    Team Member

    I'm glad to hear you've got things sorted out and have arrived at a place where you're more comfortable with your setup. Thanks for the kind words. :) If there is anything else we can do, please don't hesitate to contact us.

    Ben
