
Firefox loophole or intentional behavior?

Let me get straight to the point first: Firefox will prompt to save 1Password login info when I try to log in to my 1Password domain on it; no other browser on my Mac gives such a prompt. Is it intentional or a bug?

Now more detail:

I am not very comfortable with storing my 1Password info inside 1Password. Although, by simple logic, only the people who actually break into my 1Password account have access to it, so whether to have all the information stored in 1Password should not impact my account security by any means.

The reason why I think it might be an intentional decision by AgileBits is that: 1. It does make it more convenient when logging in on the same computer with different browsers, especially when you don't have to type in your account key (or copy it from the main 1Password app). 2. The login data are formatted nicely into 1Password when Firefox prompts me and I say "save"; even the account key is correctly populated.

The reason why I think it might be unintentional is that only Firefox prompts for that, nothing else does.

Please shed some light on this matter if anyone has any idea. Maybe I am just paranoid about this and need more education on how saving 1Password login info in 1Password is no different than what I did for everything else.

Thanks ahead.


1Password Version: 6.5.2
Extension Version: 4.6.3
OS Version: macOS Sierra 10.12.1
Sync Type: 1Password Family Account

Comments

  • Hi @thinkingBanana! Thanks for posting about this. Is Firefox itself prompting you to save your password in the browser, or the 1Password extension in Firefox prompting you to save it? If it's the 1Password extension, that's normal. Saving your 1Password account details in 1Password itself helps you conveniently sign in to your account in a browser by filling your Master Password automatically, and as you mentioned it is not a security issue. Just make sure to have a copy of your Emergency Kit as well in case you need your Master Password or Account Key and don't have one of your devices.

    Something else to note is that your Account Key is saved in each browser and 1Password app you sign in to. This is so you can get it later on, and so you don't have to remember it. In browsers, you can click "This is a public or shared computer" to not save the Account Key and other info when signing in. Hope this helps clear things up! Let me know if you're referring to something else.

  • thinkingBanana
    Community Member

    Interesting, thanks for the explanation.

    That brings up a few more questions though, let me number them so it is easier for you to answer:

    1. What makes only Firefox's 1Password extension do that? Chrome and Safari do not prompt me to save my Master Password. I thought AgileBits prevented the browser extension from saving the Master Password, based on the behaviour of Chrome and Safari.

    2. Does a user need to be extremely cautious when using 1Password's website on a public, unprotected Wi-Fi? Just like banking, there could be phishing Wi-Fi hosted by criminals that tries to steal my Master Password. Or is it as safe as using my local client? I always trusted my local client.

    3. Is it a good practice to save the Emergency Kit as a PDF in my Dropbox? I mean if my Dropbox gets attacked, the hacker will have my Emergency Kit info. Although I doubt they could do anything about it without my Master Password.

  • AGAlumB
    1Password Alumni

    What makes only Firefox's 1Password extension do that? Chrome and Safari do not prompt me to save my Master Password. I thought AgileBits prevented the browser extension from saving the Master Password, based on the behaviour of Chrome and Safari.

    @thinkingBanana: First and foremost, keep in mind that everything in your 1Password vault is encrypted using your Master Password. So saving the Master Password in there isn't risky at all: you'll need to know it to get in in the first place! So this is just a convenience thing for logging into the website.

    1Password can only recognize the login and offer to save it if the browser extension is installed. Once you've saved it, it shouldn't offer to save it any longer. But if you'd rather not save it and don't want to be asked anymore, just add an exception in 1Password Preferences > Browsers > Autosave. But if the browser itself is trying to save it, you'll need to change your settings there instead.

    Does a user need to be extremely cautious when using 1Password's website on a public, unprotected Wi-Fi? Just like banking, there could be phishing Wi-Fi hosted by criminals that tries to steal my Master Password. Or is it as safe as using my local client? I always trusted my local client.

    1Password.com has extremely strict security requirements, and will not even load properly on a home network if "security" software, malware, or something else is interfering with the connection, preventing you from connecting directly to 1Password.com securely. Most websites are not this strict though, so it's best to use a VPN on an untrusted network, or not to use it at all.

    Is it a good practice to save the Emergency Kit as a PDF in my Dropbox? I mean if my Dropbox gets attacked, the hacker will have my Emergency Kit info. Although I doubt they could do anything about it without my Master Password.

    As long as you use a long, strong, unique password for Dropbox and enable two-factor authentication for your account, it isn't so bad to store your Emergency Kit there. However, that would mean having to remember yet another complex password in order to be able to get to it (and have access to the 2FA device). So for that reason it's really best to store a physical copy of the Emergency Kit in something like a safe deposit box. That way you can include your Master Password too in case you forget it, and your attorney could have access to it upon your death if you wish.

  • thinkingBanana
    Community Member

    That's very clear, thanks a lot!

  • On behalf of Brenty, you're welcome. Let us know if you need something down the road. :)

This discussion has been closed.