Moving an item is actually copy + move to trash

Hi!
We recently discovered that moving an item between vaults doesn't actually move it, it's a combination of 'copy' and 'move to trash'. I would classify this as an unexpected behaviour from a user standpoint.

This might pose a security issue if an item has been erroneously created in or moved to a vault, or if the item no longer fits within the scope of the vault and needs to be secured in a separate vault. The user "moves" the item, but it is still available in the trash of the originating vault. This is unexpected by the user who now thinks that the item is secured.

This problem is exacerbated by the inability to remove single items from the trash.

  1. Do you agree that this is unexpected behaviour from a users standpoint?
  2. Will you consider making changes to adress this?
    Suggestion: Per Team/Vault setting to convert 'move' to 'copy' + 'delete (skip trash)'

1Password Version: 7.3.2
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • BenBen AWS Team

    Team Member
    edited October 2019

    Hi @homebranch,

    There has been a fair amount of discussion around this behavior internally. The challenge with changing this behavior is that it may very well result in data loss scenarios. Also consider that even if we did make the proposed change, it really wouldn't solve the problem you are trying to solve. With the item having been in the source vault originally, unless the password has changed after the move occured, anyone who had noted that password prior to the move would still have access to the account. The point being that it really doesn't accomplish this goal anyway:

    This is unexpected by the user who now thinks that the item is secured.

    I could see the argument being made that the proposed behavior provides a level of "security theater." The real solution here is to be sure to change the credentials after moving items between vaults of different security/access levels. Admittedly we do not do a good job of expressing that, at present.

    The internal debate about how to best handle this is still ongoing, and we may indeed ultimately implement something like you are suggesting. But either way I would suggest that if at all possible you make the above point to your staff.

    Ben

  • Hi @Ben
    Thanks for your prompt reply!

    I understand your points, and do sympathize with them. Especially that any item that has been accessible should be considered compromised.

    The biggest problem I retain after reading your reply is the case of a vault changing security level and having items moved out, together with the mentioned security theater. This should be a rare enough case that it can be handled, though expressing what is actually happening would probably be a good idea. Maybe changing the “move” action name, eg “copy & trash” or similar.

    I’ll make sure to disseminate this information to select staff that are most likely to be affected.

    Jonas

  • BenBen AWS Team

    Team Member

    You're welcome! I do believe there is room for improvement here, we just haven't quite settled on what that improvement should look like at this point.

    Ben

  • Perhaps users can be notified that the item they moved is now sitting in the trash?

  • BenBen AWS Team

    Team Member

    Perhaps. :) There is ongoing brainstorming about how we can best explain the situation as well as the recommended steps when attempting to revoke access to secrets (the only way to do so is to change said secrets).

    Ben

  • can i ask if the items that were moved (they do appear in the new vault) are safe to be deleted from trash. There's no option to delete a single item as a test so just want to make doubly sure.

  • ag_anaag_ana

    Team Member

    @budgefrownie:

    If they are already in the new vault, and you confirm that everything is ok and you will not need the trashed copy anymore, you can certainly empty the trash.

  • thanks for the quick reply - I can confirm they are in the new vault (x) and the ones in trash refer to the old vault (y). I suppose I could just leave them in trash but always prefer to clean that up

  • brentybrenty

    Team Member

    Indeed, it's really a matter of personal preference. Cheers! :)

  • We recently discovered this issue as well, and while I get that moving a password doesn't ensure that someone who previously had access to it didn't save it somewhere else, at least taking it out of the trash when the copy succeeds would ensure that casual poking around doesn't uncover secrets that people should not have access to. And that argument is not relevant when you're considering adding new people to a vault, because they never had access to that thing that was "moved"/"deleted" but in actuality is still sitting there in the Trash in plain sight. At the very least, it feels like the trash should be emptied automatically much faster than it currently is, because it currently seems like we have passwords in the Trash from 4-5 years ago. Something like 30 days seems pretty reasonable, but that's just my opinion. Overall, this does feel like a "bug" from a security standpoint because it's very unexpected behavior, and arguably confusing UX can be a security issue.

    Thanks for your consideration!

  • BenBen AWS Team

    Team Member

    Thanks for taking the time to share your perspective @ibrahima. I personally would tend to agree with an automatic emptying of the trash after a period of a month or less. On the other hand I've also had conversations with more than a few customers who have felt strongly that the trash should be preserved forever, even after I made the argument that they probably wouldn't resist emptying the trash can in their house on occasion. ;)

    Ben

  • I also got caught out when assuming that "move" did what it says it should do. Renaming "move" to what it actually does (“copy & trash”) as @Jonas suggests seems to be a simple interim step until you decide what "improvement" looks like.

    As for the moved item being compromised because it was available in the vault until then: well that is a matter for the vault owner to address. Having the ability to remove (i.e. permanently delete) a single or multiple selected items from trash (which I seem to be able to do everywhere except 1password) also seems to be a reasonable way to address the issue (assuming that it is obvious that the item is copied and trashed rather than moved).

    As for revoking access to a secret: @Ben you are correct that the only way is to change said secret (after removing others' ability to access it).

    Regarding the emptying of trash. @Ben you are correct regarding emptying a house trash can. But the reality is that many people I come across (myself included) seem to use trash as an archive (perhaps we're afraid of really losing access to an item) so a more accurate analogy may be the to think of "trash" as the "spare room". By implication this means that we keep stuff around until we decide to remove it; which may be one or multiple items at a time, or clearing the entire room. Once again the approach of being able to permanently delete individual or multiple selected items from trash appears to be the appropriate solution. And with reference to the same "spare room" analogy, perhaps implement a maximum size for trash (100 items?) in the same vein as a room has a physical size beyond which you cannot fill it.

    2c worth from Australia.

  • john_mjohn_m

    Team Member

    Hi @Tisme, welcome to our forum :chuffed:

    And thank you for taking the time to share your feedback! In case it helps you or anyone else reading this thread our accounts do come with an Item History feature; as part of this feature, when you empty the Trash for a vault, the items that were in the trash actually go into an archive for that vault automatically. Archived items can be restored using Item History if you change your mind about emptying the Trash. You can learn more about Item History here: https://support.1password.com/item-history-teams/

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file