Are password manager extensions unsafe?

edited April 2017 in Lounge

This seems a bit concerning.
I guess it's predicated on Tavis Ormandy's exploits at LastPass. (Seems he is up to 3 this month)
The more these password manager things get properly looked at the less safe they seem to be.

networkworld.com/article/3183675/security/stop-using-password-manager-browser-extensions.html

I presume (hope) 1P is different / better / unaffected / ?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • DanielP

    Team Member

    Hi @toasted

    1Password is unaffected by this type of attack thanks to a design choice we made: our browser extension is "thin", in the sense that it doesn't contain any data. All your data is stored in the 1Password app, and the extension simply talks to the app, without storing any information inside it.

    Having a "thick" browser extension definitely has some advantages (namely, you don't need to install the desktop app if you don't want to), but it means that you become vulnerable to a broader set of attacks like these.

    Daniel

  • I am in the process of switching from LastPass to 1Password. At this point I am not willing to use the browser extension as I cannot find the same level of security detail on it as is in the AgileBits security whitepaper for the password storage. Choosing also to use the wifi sync rather than the 1Password sync option for my bank accounts. DanielP - is AgileBits planning to prepare a detailed paper regarding the security of the 1Password browser extensions?

  • LastPass posted a post-mortem and included this line: "We strongly urge other extension developers to look for this pattern in their code and ensure they are not vulnerable."

    https://blog.lastpass.com/2017/03/security-update-for-the-lastpass-extension.html/

    Does 1Password use the same pattern?

  • brenty

    Team Member

    @XIII: As Daniel mentioned, while 1Password isn't vulnerable in this way since it doesn't have the database, we're always on the lookout for ways we can improve 1Password's security. I think the fact that the vulnerability Tavis found in our browser extension implementation back in October 2016 required a local user account on Windows says a lot (macOS wasn't affected, but we made the same changes there for consistency in both security and user experience), but we'll continue to work ourselves and with researchers to make sure that 1Password adapts to the ever-changing security landscape. And these are exactly the kinds of things we keep in mind any time we talk about changing how the 1Password browser extensions work.

  • brenty

    Team Member

    I am in the process of switching from LastPass to 1Password. At this point I am not willing to use the browser extension as I cannot find the same level of security detail on it as is in the AgileBits security whitepaper for the password storage. Choosing also to use the wifi sync rather than the 1Password sync option for my bank accounts. DanielP - is AgileBits planning to prepare a detailed paper regarding the security of the 1Password browser extensions?

    @ScamperD: First of all, thanks for giving 1Password a try! We don't have anything as detailed as the white paper for our browser extensions because it wouldn't be very interesting. The non-security aspects of how 1Password saves and fills logins is fascinating I think, but frankly the browser extension itself is pretty "dumb" — but don't tell our extension team I said that! ;)

    In all seriousness, all of the data and logic for browser integration is in the app itself. To be fair, the extension team works on this "Brain" as well, which is integrated into the apps, so they're rather smart. But because what our extensions have access to and are capable of is so limited itself, it's also a much more limited attack surface than the sort of "standalone" browser extension being discussed here (and often requested by users who would prefer not to have to install an app).

    Now, it's fine if you prefer WLAN Server, but there's also something important I wanted to mention. You probably like local sync because your data is encrypted on your device before being transmitted, so that no one can steal your most important data. I can't argue with that. But the thing is, that's how 1Password works no matter what, regardless of the setup you choose — WLAN Server, Dropbox, 1Password.com, or no sync at all. So you're not actually gaining security by giving up this convenience.

    There's a lot more detail in our security white paper (which is actually a really fun read, even if you're not into cryptography), but I can appreciate that there's a lot going on behind the scenes when it comes to 1Password securing our data that is not particularly accessible or interesting to many people. I think it's also important that 1Password doesn't shove this technical complexity in our faces. So I'd like to offer a few simple points that summarize how 1Password.com secures our data:

    1. It is encrypted locally using the Master Password and Secret Key.
    2. The server receives only an encrypted blob to store.
    3. The Master Password and Secret Key themselves are never transmitted.

    Indeed, when you use 1Password.com, AgileBits never has access to your data, regardless of the setup you choose. Even with 1Password for Families, your data is encrypted on your device, so all the server ever ends up with is an encrypted blob. And since the Secret Key is generated locally, your Master Password is created by you, and neither is ever transmitted, the only one who ever has your password data is you. And since the Secret Key is also used to encrypt the data, 1Password.com is more secure than what we were able to do previously with local vaults. Just something to consider. Cheers! :)

  • As Daniel mentioned, 1Password isn't vulnerable in this way since it doesn't have the database

    I'm afraid I don't understand the reference to a database.

    If I understand the LastPass blog correctly, the similarities are roughly like this?

    • LastPass content script = 1Password extension
    • LastPass remaining JavaScript = 1Password (mini) App

    So theoretically 1Password could have a similar problem where 3rd party sites can fool the extension to provide data from the App?

    To be honest the LastPass blog is a bit too vague for me, so I am hoping you can provide more insight (in the 1Password context), but I won't be disappointed if you can't ;)

  • brenty

    Team Member
    edited April 2017

    @XIII: Normally I'd have the same complaint regarding vaguery, but the full security report is not particularly reader-friendly. That's not a knock; technical stuff like this is really hard to communicate clearly without glossing things over.

    Anyway, with regard to the database, what I'm saying is that the 1Password browser extensions don't have access to it. The "database" is referring to all of the vaults in the app collectively, since these could be local or hosted; the app has a local cache of everything, while the extension has nothing. The 1Password apps (of which 1Password mini is a part) don't live in the browser, so they aren't susceptible to attacks there. On the other hand, a standalone browser extension like they're using lives exclusively in the browser, so that's an entire attack surface; whereas the 1Password extension doesn't have anything to steal, and the app validates both the browser and the extension before connecting and communicating with it. That's not to say that 1Password is somehow invincible; rather it simply isn't susceptible to the same attacks because it has a fundamentally different design.

  • Normally I'd have the same complaint regarding vaguery, but the full security report is not particularly reader-friendly

    I found it rather informative and I learned something new by reading it. Thanks for providing the link!

  • Ben

    Team Member

    Glad it helped, @XIII. :)

    Ben

This discussion has been closed.