Why request the master password again to export?

4EverMaAT4EverMaAT Junior Member

Please explain the logic in this extra "security" step of asking the user for the master password to export vault items.

If someone has access to the vault already (in which the master password was already entered to unlock), they could already show/copy open vault items into plain text anyway. So why would the app require the user to enter the password again when trying to export vault items?


1Password Version: 7.3.684
Extension Version: n.a.
OS Version: win8.1x64
Sync Type: 1p.com

Comments

  • MrCMrC Community Moderator

    @4EverMaAT

    A few passwords might be compromised In the situation you mention.

    But consider that without the extra precaution, all of your passwords could be obtained in the same time, The user could send the export via email, or uploaded it to a server very quickly.

  • brentybrenty

    Team Member

    @4EverMaAT: 1Password does not decrypt all of your data at once just because you unlocked it. It decrypts some metadata in order to facilitate search, but the rest is only decrypted on demand, as you access it. You're right that if you've left 1Password unlocked that someone could go through and view whatever they want, but that's very different than dumping everything in an instant to exfiltrate, as in MrC's example.

  • GregGreg

    Team Member

    Hi @4EverMaAT,

    Do you see those details when you export your data in .CSV? Please let us know.

    Additionally, please note that there is currently a bug, when the exported data may not appear as clear as expected. We are aware of it and have plans to fix it in the future. Moreover, please be careful with your exported data, as it is not encrypted.

    ++
    Greg

  • brentybrenty

    Team Member
    edited May 15

    @4EverMaAT: And just to clarify, 1PIF is the only format that supports all of 1Password's data structures. I'd recommend using that for importing -- but only export data if necessary to move it to a different app, as these are plaintext and not secure, as Greg mentioned.

  • brentybrenty

    Team Member

    Great! But not everyone who comes to the 1Password support forum will be, so it's worth mentioning. :+1:

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file