Security and the web app login form

I just migrated over to 1PW for Families, and I have a few security concerns:

1) As part of your security protocol, 1PW uses a 3-part login -- the user name, the account key, and the master password. Now, on my iOS devices, when I launch the web app via Safari, the user name and the account key (partially obscured) are both pre-filled. This information does not appear in the iOS > settings > safari > saved passwords section (which is good). When I clear Safari's cached data, the fields are no longer filled. So where is it stored? Doesn't that present a security risk? Anyone who knows how to view the website's source code could potentially see the unobscured account key. I'm not sure if that can be done with Safari, but I can do it in Firefox with a plugin called Firebug. To be honest, I would prefer that all 3 fields remain unfilled by default. I know that can be done by checking the "public or shared computer" field, but I can't be sure all of my invited family members will do the same. The bottom line is, it defeats the purpose of having both an account key and a master password if one is automatically pre-filled as soon as the page loads. In addition, if all 1PW users have their account keys stored in Safari's data file, which is typically backed up through the daily iCloud backup, this seems like a pretty major weakness, and sooner or later a target for hackers.

2) As a long time 1PW for iOS user, I'm accustomed to a high degree of security, including the fact that the app locks as soon as I switch to another app. This is very good. But the new web app (accessed via both iOS and Windows) concerns me. I haven't tested it fully yet, but what happens if I forget to log out of the web app? Is it still accessible? I'm worried because now several family members, each with several devices and living all over the country, will have my account key stored in their browsers. Please help me feel better about this.

3) This is not a security question, but it's related to the above. When I cleared the Safari cached data and then launched the URL, the 3 fields were indeed blank. But when I clicked on the 1PW browser extension to fill in those fields, it didn't quite work right. The 3 fields are, in order, user name, account key, and master password. But 1PW left the name field blank, then put my user name in the second field where account key goes. It did fill the master password field properly. FYI, in my 1PW login entry for this website, I manually created an "account key" field. So the information is all there, but the browser extension doesn't populate the fields correctly. Is this a case where I need to manually create the login from the filled website login form?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • brenty

    Team Member

    When I clear Safari's cached data, the fields are no longer filled. So where is it stored? Doesn't that present a security risk? Anyone who knows how to view the website's source code could potentially see the unobscured account key.

    @MDBrown: Great questions! The browser does not save this information itself; rather, the 1Password for Teams/Families website can use the browser's local storage to cache data for itself securely. It is also not part of the webpage itself, so viewing the source code won't reveal anything. This isn't something that the browser even knows how to read. It's simply hanging onto a blob of data from the site for future use.

    The bottom line is, it defeats the purpose of having both an account key and a master password if one is automatically pre-filled as soon as the page loads. In addition, if all 1PW users have their account keys stored in Safari's data file, which is typically backed up through the daily iCloud backup, this seems like a pretty major weakness, and sooner or later a target for hackers.

    Having the Account Key stored locally is convenient, and it is a convenience you can afford on systems you control without sacrificing security. But it's entirely up to you whether or not you take advantage of that. The browser's local storage is not sent to Apple, and even if you were to give someone your Account Key, it's useless without your Master Password. I think you really just want to read the white paper. ;)

    But the new web app (accessed via both iOS and Windows) concerns me. I haven't tested it fully yet, but what happens if I forget to log out of the web app? Is it still accessible? I'm worried because now several family members, each with several devices and living all over the country, will have my account key stored in their browsers. Please help me feel better about this.

    I encourage you to try it yourself! The web interface also has a timeout, so that you'll have to log in again after a while.

    The 3 fields are, in order, user name, account key, and master password. But 1PW left the name field blank, then put my user name in the second field where account key goes. It did fill the master password field properly. FYI, in my 1PW login entry for this website, I manually created an "account key" field. So the information is all there, but the browser extension doesn't populate the fields correctly. Is this a case where I need to manually create the login from the filled website login form?

    1Password fills login forms based on what it learns about the IDs when saving the login...so if you've created it by hand it won't have any of this information. The best thing to do is fill the fields correctly and then save a login using the browser extension. That way 1Password will know what goes where so it can fill it for you in the future. I hope this helps! :)

  • Ben AWS Team

    Team Member

    To add to what brenty said, if you do not want the account key to be filled on a particular computer, you can check the box that says "This is a public or shared computer" when signing into your account on the web.

    Thanks!

    Ben
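The behaviour brenty and Ben describe, as an added example that is not part of this thread and not 1Password's own code: a sign-in page that caches the e-mail address and Account Key in the site's own localStorage (never the Master Password, which is what makes the cached blob useless on its own), skips the cache entirely when "This is a public or shared computer" is ticked, and locks the web session after an idle timeout. The storage key name, the masking rule, the timeout length and the sample account data are all assumptions; `MemoryStorage` stands in for `window.localStorage`, which Node does not have.

```javascript
// Stand-in for window.localStorage so the example runs outside a browser.
// clear() is what "clear Safari's cached data" does to this origin's storage.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(key) { return this.map.has(key) ? this.map.get(key) : null; }
  setItem(key, value) { this.map.set(key, String(value)); }
  removeItem(key) { this.map.delete(key); }
  clear() { this.map.clear(); }
}

const HINT_KEY = 'signin-hints'; // hypothetical localStorage key

// Called after a successful sign-in. Only the e-mail and Account Key are
// cached; the Master Password is never part of the stored blob.
function rememberSignInHints(storage, { email, accountKey, sharedComputer }) {
  if (sharedComputer) {
    storage.removeItem(HINT_KEY); // shared machine: leave nothing behind
    return false;
  }
  storage.setItem(HINT_KEY, JSON.stringify({ email, accountKey }));
  return true;
}

// Called on page load to pre-fill the form. Returns null when nothing is
// cached (e.g. the user cleared site data) or the blob is unreadable.
function loadSignInHints(storage) {
  const raw = storage.getItem(HINT_KEY);
  if (raw === null) return null;
  try {
    const parsed = JSON.parse(raw);
    if (typeof parsed.email !== 'string' || typeof parsed.accountKey !== 'string') return null;
    return { email: parsed.email, accountKey: parsed.accountKey };
  } catch {
    return null; // corrupted or tampered blob: fall back to an empty form
  }
}

// Partially obscure the Account Key for display: keep the first group and mask
// the rest. This is an assumed convention, not the real page's rule.
function maskAccountKey(accountKey) {
  return accountKey
    .split('-')
    .map((group, i) => (i === 0 ? group : '*'.repeat(group.length)))
    .join('-');
}

// Web session with an idle timeout: after `idleMs` without activity the page
// must be signed into again. `now` is injected (ms) so behaviour is testable.
class WebSession {
  constructor(idleMs, now) { this.idleMs = idleMs; this.lastActivity = now; }
  isLocked(now) { return now - this.lastActivity >= this.idleMs; }
  // Record activity; returns false (and does not extend) if already locked.
  touch(now) {
    if (this.isLocked(now)) return false;
    this.lastActivity = now;
    return true;
  }
}

// Constructed sample data, not a real account.
const SAMPLE = {
  email: 'user@example.com',
  accountKey: 'A3-ABCDEF-GHIJKL-MNOPQ-RSTUV-WXYZ1',
  masterPassword: 'correct horse battery staple',
};

// Walk through one sign-in on a private computer and inspect what was cached.
function demo() {
  const storage = new MemoryStorage();
  rememberSignInHints(storage, {
    email: SAMPLE.email,
    accountKey: SAMPLE.accountKey,
    sharedComputer: false,
  });
  const hints = loadSignInHints(storage);
  const blob = storage.getItem(HINT_KEY);
  return {
    prefilled: hints !== null,
    masked: maskAccountKey(hints.accountKey),
    blobHasMasterPassword: blob.includes(SAMPLE.masterPassword),
  };
}

console.log(demo());
```

The point of the `sharedComputer` branch is that localStorage is readable by anything that can run script in the site's origin or read the browser profile on disk, which is exactly why the original poster cannot rely on family members ticking the box: the cache is a per-browser choice, and the Master Password is the only thing that stays out of it by design.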

This discussion has been closed.