1Password on USB

jpartain89
Community Member

There should be a 1Password system that can work through a USB key, or Bluetooth system, or something similar.

For the USB key, it can act like the HTML file that is inside of Dropbox, but will give all of the editing powers of the full Dropbox on any other platform.

For the Bluetooth system, it could use an extension in Chrome/Firefox/IE/Safari that would read login tokens from our mobile devices.

Comments

  • Megan
    1Password Alumni

    Hi @jpartain89

    Thanks so much for letting us know that you're interested in something like this!

    Now, I'm not a developer, but it seems to me that, in order to have all of the editing powers of the full app, it would essentially have to be the full app on the USB (which seems complicated). If you want it to work on multiple platforms, that's an additional challenge! I hope I'm not misunderstanding.

    Nevertheless, it is an intriguing suggestion! :)

  • RichardPayne
    Community Member

    Having it work cross platforms from a single exe is not possible unless you write it in Java. Even then I'm not completely sure.

  • RunInCircles
    Community Member

    The original description is a little hard to follow.
    If I read this correctly, it's about using a thumb drive as a VPN key?

    I’ve wondered the same thing.

    However, the thumb drive then requires a password key, or would be 1Password wide open, correct?

    Also in the news recently:
    Considering all the coverage recently about USB being inherently vulnerable, this probably undermines the security features 1Password provides. Use of off-the-shelf thumb drives - especially the bargain basement discount ones which people sometimes buy at the checkout counter, could be compromised - or become easily compromised just for plugging into a computer.

  • RichardPayne
    Community Member

    @RunInCircles in what way are they vulnerable?

  • jpartain89
    Community Member

    Hi @Megan,

    Much akin to the current tools to allow the installation of "portable" applications onto USB Drives, (Chrome Portable, Firefox, someone made a portable dropbox that downloaded files onto the USB) or use an app called PortableApps.com for the installations.

    Now, this wouldn't be a cross-platform way of doing it, as I can see the hindrances (without having us pay for the licenses for multi OS's), it could also act as a key system for the .html file that is saved away into Dropbox.

    @RunInCircles, no, not a VPN key.

    But, the USB drive in relation to a trusted, signed in account on a computer, or a certain trigger of events could leave it unlocked.

    Or, since most of us can USE USB keys as Unlockers for our devices, it wouldn't require a minute-long relogin scenario like w/ Dropbox .html file.

    Since we could have the USB key as a trusted device, we could set up different security parameters.

  • jpgoldberg
    1Password Alumni

    I like @jpartain89's approach to this. But I think we need to distinguish or clarify a number of different possibilities for what we might want/expect of a USB portable 1Password.

    1. Read only

      This would be the easiest to do, as we could do it, like 1PasswordAnywhere, all in JavaScript. We would just need to bundle with a web browser that we configure to accept loading lots of "local" files. This is sort of like SurfEasy's USB thing. It is mostly just a specially configured version of Mozilla to use the SurfEasy VPN.

    2. Read and Write

      This would require executables for at least Windows and Mac (and probably some common form of Linux). This would basically be a "new" app that doesn't harness the full features of any operating system. This would be nice, but developing something like this is going to take a lot of time.

    3. What kind of syncing do we need?

      This, of course, depends on whether we go read-only or read-write. But there should be some reliable way to keep this data up to date with changes you make to your 1Password data elsewhere.

    Upon those questions much depends. In particular the choice of data format and what sorts of programs we need to develop "from scratch" all depend on each other.

    One of the big, but not so visible, differences between 1Password 3 for Mac and its successors is the separation of data formats. 1Password 3 (and 1Password 1 for Windows) used the Agile Keychain format directly. That is, the same data format that was designed for data synchronization over file based sync systems (such as Dropbox) was used as the data format used locally on Mac and Windows. These became very limiting in a number of ways. One of the reasons that we are able to encrypt so much more metadata in 1Password 4 and 5 is because we use a more efficient "local" format. On Mac that is an sqlite database that just stays local. So we have a local format and a sync format.

    We can do read-only in JavaScript for the Agile Keychain format. It is what we do for 1PasswordAnywhere. But this also means that we don't get the advantages of the newer data formats. Given that USB thingies are easily lost or stolen, we really should be using the latest and greatest crypto on these. The OPVault format is a sync format. As 1Password for Windows and 1Password for Mac take very different approaches to their local format, we are left with three (or more) choices:

    1. Stick with the Agile Keychain Format for Portable 1Password.
    2. Write a completely new Mac client that deals with "local format" the way that 1Password for Windows does
    3. Write a completely new Windows client that deals with "local format" the way that 1Password for Mac does
    4. Come up with yet a new data format and write a completely new Mac and Windows client to deal with it

    Even if we stuck with the Agile Keychain format for this, I would recommend extreme caution in trying to get anything beyond "read only" in JavaScript until we have more confidence in the random number generators available in modern JavaScript engines. (It's getting there, but I still urge caution.)
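
The caution about JavaScript random number generators in the comment above, as an added example that is not part of the thread or of 1Password's code: a write path has to mint fresh keys and IVs, so this code draws them only from the Web Crypto CSPRNG and fails closed instead of falling back to `Math.random()`. The function names and the 32-byte key / 16-byte IV sizes are assumptions for illustration, not the Agile Keychain or OPVault layout.

```javascript
// Added example: names and sizes are illustrative, not 1Password's code or formats.
const MAX_CHUNK = 65536; // getRandomValues() rejects requests larger than this

// Locate a CSPRNG; returns undefined rather than ever using Math.random().
function findCsprng() {
  if (globalThis.crypto && typeof globalThis.crypto.getRandomValues === 'function') {
    return globalThis.crypto;
  }
  if (typeof require === 'function') {
    return require('node:crypto').webcrypto; // older Node.js without the global
  }
  return undefined;
}

// Fill a buffer from the CSPRNG, chunking around the per-call quota.
function randomBytes(length, source = findCsprng()) {
  if (!source || typeof source.getRandomValues !== 'function') {
    throw new Error('No CSPRNG available: refusing to generate key material');
  }
  const out = new Uint8Array(length);
  for (let off = 0; off < length; off += MAX_CHUNK) {
    source.getRandomValues(out.subarray(off, Math.min(off + MAX_CHUNK, length)));
  }
  return out;
}

// Crude health check: catches a stubbed or stuck generator, proves nothing about quality.
function looksBroken(a, b) {
  const allZero = a.every((x) => x === 0);
  const repeated = a.length === b.length && a.every((x, i) => x === b[i]);
  return allZero || repeated;
}

// What a write path needs per new item (hypothetical sizes): 256-bit key, 128-bit IV.
function freshItemSecrets(source = findCsprng()) {
  const key = randomBytes(32, source);
  const probe = randomBytes(32, source);
  if (looksBroken(key, probe)) {
    throw new Error('CSPRNG output failed sanity check: staying read-only');
  }
  return { key, iv: randomBytes(16, source) };
}
```

A read-only client never reaches `freshItemSecrets()`, which is why decryption-only JavaScript does not depend on the engine's random number generator.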

  • RunInCircles
    Community Member
    edited November 2014

    RichardPayne,

    Re: USB vulnerability: It has been in the news as potentially vulnerable.
    Not sure if this is a Stuxnet variant of malware.

    Whether that’s overblown or not - remains to be seen.

    • I think it's been covered in a Frontline report and also SecurityNow podcast.

    People who are concerned enough about their computer security to use 1Password, or another password wallet, likely have a heightened sense of how vulnerable they may be.

    It's long been a standing policy NOT to use USB devices on supposedly military-secure machines. Actually, that includes other removable media as well.

    Going on a limb to use email as an example: Your address is only as secure as the dumbest or most blasé & lackadaisical person you communicate with using email.

    It's bordering off-topic to delve into this here.
    If the thumb drive is used on multiple computers, there is the potential to acquire the malware from a less secure one than your own. (Assuming it's not already on the thumb drive at purchase).

    Buying the cheapest thumb drive at the checkout counter probably doesn’t get you the best quality control, either.

  • RichardPayne
    Community Member

    I'm not saying you're wrong, but I suspect that this

    "It's long been a standing policy NOT to use USB devices on supposedly military-secure machines."

    is more likely to do with the risk of classified information being stolen.

  • Eow
    Community Member

    Hello

    I just saw a product called IronKey - a USB drive with hardware encryption and portable applications. One of those was a password manager. Just wondering if 1Password would be able to launch from a USB drive one day, so you always have your encrypted data vault with you and on the go?

    Thought it would be pretty cool.

  • Megan
    1Password Alumni

    Hi @Eow,

    I've merged your comment with an existing discussion in our Lounge. You're certainly not the first one to think that this is an interesting idea. :)

  • Eow
    Community Member

    Thank you very much :) Great to know!

  • David Silverman
    Community Member

    I'd like to also request that 1Password have a version that runs on a USB stick. Roboform has this and it's called Roboform2Go. I use it at work since my company does not allow us to install password managers. It allows me to use almost ALL of the features of Roboform and not install anything on my PC. Does AgileBits have any plans to create something like this? It would be a HUGE help for everyone who wants to use the program but cannot install it on their computer.

  • Drew_AG
    1Password Alumni

    Thanks for your feedback David! :)

This discussion has been closed.