1Password Accounts security in general

I'm using 1Password families now but I see multiple security issues here.

  • I cannot disable web access to my vaults data.
  • browser traffic can be intercepted by governments or hackers with access to CA with man-in-the-middle attacks.
  • browser data can be intercepted with simple browser plugin that takes (automated) screen captures.
  • I cannot set a different master password for 'app only' access to my vaults.
  • There is no two-factor authentication available (for unknown browsers/machines).
  • Firefox keeps asking to save my credentials in Firefox itself.
  • Credentials can be intercepted in the browser via a third party extension, possibly giving somebody full access to my vaults.

I hope you can add some extra security to 1Password Accounts very soon.


1Password Version: 6
Extension Version: 4.6
OS Version: W10
Sync Type: 1Password Family Account

Comments

  • brenty

    Team Member

    @admxnl: There was a great discussion recently that went into much greater depth with regard to the web app, so you may want to check that out:

    Security of the 1password.com account creation process

    But I'll be happy to address your specific points here as well:

    I cannot disable web access to my vaults data.

    It's something we can consider, but since the web interface is optional in most cases (we have native apps for popular platforms) the easiest way to avoid web access to your data is to not use that.

    browser traffic can be intercepted by governments or hackers with access to CA with man-in-the-middle attacks.

    Absolutely, and in most cases, that actually matters. However, in the case of 1Password.com, there's nothing useful to intercept by breaking TLS/SSL. The Master Password is chosen by you, the Secret Key is generated locally, both are used to encrypt the data on your device, and neither of those are ever transmitted. So even if someone intercepts your traffic (though we have a number of mitigations for this type of attack) or compromises our server, they won't get anything useful. And if someone compromises your system/network to impersonate 1Password.com (though you can always verify who you're communicating with), while they'll get whatever information you send them, they won't have any of your existing data (and be able to show it to you).

    browser data can be intercepted with simple browser plugin that takes (automated) screen captures.

    Yup. But that's going to be the case whether you're using the web interface or a native app, and applies to everything on your machine, not just 1Password. If your system is compromised, you no longer own it and all bets are off. Nothing can protect you against that, so it's important to only access sensitive data on trusted devices you control. 1Password can keep your data secure on a compromised system, but only if it's encrypted. For you to access it, it needs to be decrypted, and then it could be collected by anyone else in control of the machine.

    I cannot set a different master password for 'app only' access to my vaults.

    That's effectively what your Master Password is with a 1Password.com account. In most cases, that's what you need to access your data (on an authorized device). But to authorize a new device/browser, you'll also need the Secret Key, which is stronger (128-bit random) than any second Master Password you or I will come up with ourselves.

    There is no two-factor authentication available (for unknown browsers/machines).

    That's also a function the Secret Key serves, as it is not only never transmitted and rarely used (limiting the opportunities for it to be collected on your machine if it's compromised), but it's also used in conjunction with your Master Password to encrypt your data. That way it isn't possible to perform a brute force attack on the Master Password itself (which will be the weaker link, no offense, but we're only human!) as the Secret Key is also needed. And each authorized device effectively becomes a second factor with your Secret Key, which you can then use to authorize new devices.

    Firefox keeps asking to save my credentials in Firefox itself.

    Make it stop!

    Credentials can be intercepted in the browser via a third party extension, possibly giving somebody full access to my vaults.

    Indeed, if you're granting an extension that you don't want to be able to collect that (the kind of information you only want to entrust to 1Password) with that kind of access, there isn't anything that can stop it from doing what you've given it permission to do. So at that point you're explicitly trusting it to not do anything malicious (since you authorized that behaviour).

    However, that's also where the Secret Key comes in handy. Modern OSes offer us some protections when it comes to sensitive fields like "password", etc., but that does also depend on there not being bugs there or in the browser. But if for some reason you still want to use some unknown/untrusted extensions and give them a high level of privilege to collect your data, you could login to 1Password.com before installing them (or use a clean browser for this purpose), so that they won't be able to collect your Secret Key on subsequent sessions. Not saying it's a good idea to do this, but it's a precaution you can take if you choose to go this route.

    Ultimately, there isn't a single way to mitigate all of these things, so we've built 1Password with a number of considerations which together help to keep us all secure. After all, we use 1Password too, and we wouldn't expect any less for our own data. I hope this helps. Be sure to let me know if you have any other questions! :)

  • admxnl
    edited April 2017

    (we have native apps for popular platforms) the easiest way to avoid web access to your data is to not use that.

    @AlexHoffmann from your company suggested I start using 1Password accounts because I want full capabilities in 1Password 6 for Windows, he stated local editing support maybe would never come to 1Password 6. So I finally decided to start using 1Password accounts and now you're saying I shouldn't use it?

    There is no way for me to use 1Password 6 for Windows locally without the accounts which has vaults with web access enabled or am I wrong?

    the Secret Key is generated locally, both are used to encrypt the data on your device, and neither of those are ever transmitted

    How come I must enter the secret key on an SSL website to login? It now leaves my machine and is not local any longer!

    If your system is compromised, you no longer own it and all bets are off. Nothing can protect you against that, so it's important to only access sensitive data on trusted devices you control.

    There is a difference with a system that is compromised and a malicious browser plugin is installed. The browser plugin is still contained in the browser itself and normally could not access sensitive password data but with 1Password Accounts vault web access that is overboard and the browser plugin could access everything!

    That's also a function the Secret Key serves, as it is not only never transmitted and rarely used

    I mean access code generation with an app like Google Authenticator, this is in no way comparable with the secret key you are using which never changes. Even Dropbox is more secure when using two-factor authentication and that service doesn't always contain this kind of sensitive data. I think the secret key is a farce once it has been entered on a website, which I'm obligated to do to manage my account?!
    That is also what I mean with a different master password for vault access. Account management and vault access should be separated.

    Make it stop!

    You could detect local password manager is enabled and suggest to disable it? Why doesn't Chrome ask for saving passwords when using 1Password? You should pro-actively support and protect users!

    Indeed, if you're granting an extension that you don't want to be able to collect that (the kind of information you only want to entrust to 1Password)

    I can remember a discussion with you guys not too long ago about building printing support into 1Password 4, you would not even think about it because traffic from the machine to the printer would be insecure. And now you're saying if there are insecure extensions that's your problem if it hijacks very sensitive data? I don't get that. That's why I said vault web access is not safe, it should be disabled by default. You should give users the choice to enable it themselves!

  • brenty

    Team Member

    @AlexHoffmann from your company suggested I start using 1Password accounts because I want full capabilities in 1Password 6 for Windows, he stated local editing support maybe would never come to 1Password 6. So I finally decided to start using 1Password accounts and now you're saying I shouldn't use it?

    @admxnl: Sorry for the confusion. That's not really what I was saying at all. I think we're talking about different things here. It sounded like you were concerned that your browser may be compromised, making it unsafe for you to access your data through the 1Password.com web interface. While that in and of itself is something worth addressing, what I'm suggesting is that you can use the native 1Password 6 app in Windows, since that does not involve the browser at all. It's still important to ensure that your system is secure, but at least that accomplishes your goal of not using the browser. Please let me know if/where I've misunderstood what you're trying to do. Perhaps some context from the previous discussion you alluded to would be helpful. Include a link, and I'll be happy to read it over to save you some typing!

    There is no way for me to use 1Password 6 for Windows locally without the accounts which has vaults with web access enabled or am I wrong?

    There is! You can install the native Windows app (1Password 6) from our website, and set up the app with your 1Password account to access your data (which will be cached locally, so you can use it even if you're offline). Again, if you can tell me precisely what you're trying to accomplish, I may be able to offer more insight.

    How come I must enter the secret key on an SSL website to login? It now leaves my machine and is not local any longer!

    First, you don't have to. But more importantly, as I mentioned in my previous reply, the Secret Key (and your Master Password) is literally never transmitted, and everything is encrypted before SSL/TLS. 1Password.com accounts use the SRP (Secure Remote Password) protocol to prove that each side knows the secret without either having to send it. There's a lot more detail in our security white paper (which is actually a really fun read, even if you're not into cryptography), but I think it's also important that 1Password doesn't shove this technical complexity in our faces. So I'd like to offer a few simple points that summarize how 1Password secures our data:

    1. 1Password data is encrypted locally on the device using the Master Password and Secret Key before it is transmitted.
    2. The server receives only an encrypted blob to store in its database.
    3. The Master Password and Secret Key themselves are never transmitted.

    Without each of these pieces, it's impossible to access anything you have stored in your 1Password account. With a local vault, only the Master Password and vault are needed. That's not to say it's insecure. But we needed to take it a step further for storing people's data on our servers, so that even if the server is breached, it is impossible for someone to gain access to your data.

    And significantly, with a 1Password Account, it is also impossible for someone to perform a brute force attack on your Master Password to try to decrypt the data — because they also need to guess the (randomly generated, 128-bit) Account Key.

    Suffice to say, if someone gains access to our servers and dumps the full database (we've designed 1Password.com with this in mind), they simply don't have what they need to decrypt it, as each individual user alone has the keys to their data. So an attacker won't have that and can't get it from AgileBits, even if they get everything else. So while there's a lot more that goes into making all of this work smoothly, this is something that I think all of us can understand and appreciate. Let me know if that helps!

    There is a difference with a system that is compromised and a malicious browser plugin is installed. The browser plugin is still contained in the browser itself and normally could not access sensitive password data but with 1Password Accounts vault web access that is overboard and the browser plugin could access everything!

    That's not an assumption I'd be comfortable making. A browser extension should be contained within the browser itself, but that is not always the case, as demonstrated regularly by vulnerabilities. If the browser is compromised, that's code executing on your system. That the attacker will be smart enough to pull that off but too dumb to leverage it against the rest of the system is not a bet I'm willing to take with my own data.

    And finally, you can totally use 1Password completely outside of the browser. I don't know many people who do, because a significant benefit is using 1Password to save and fill logins. And if, instead of using the 1Password browser extension, you're copying and pasting login credentials into your browser, that's no more secure and could just as easily be captured by other extensions you've granted that permission, or other apps on your system monitoring the clipboard. The 1Password browser extensions bypass the clipboard, and, perhaps of more interest to you, 1Password doesn't store your data in the browser; it only gets it on demand from the app.
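
Added example (not part of the reply above and not 1Password's code): a simplified two-secret key derivation showing why data taken from a server cannot be attacked by guessing the Master Password alone when a 128-bit Secret Key is mixed into the key. The KDF choices, iteration count, labels and the HMAC check value standing in for encrypted vault data are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000   # assumed work factor for this demo
SECRET_KEY_BYTES = 16         # 128-bit random value, as described in the reply


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand using HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_key(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Mix a slow password hash with a key derived from the random secret.

    Both inputs are needed: changing either one changes every output bit.
    """
    pw_part = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=32
    )
    sk_part = hkdf_sha256(secret_key, salt, b"demo/secret-key", 32)
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def make_stolen_record(master_password: str, secret_key: bytes) -> dict:
    """What a server-side dump would hold in this model: salt plus data bound to the key.

    The HMAC tag is a stand-in (assumption) for authenticated ciphertext:
    a guessed key is correct only if the tag verifies.
    """
    salt = secrets.token_bytes(16)
    key = derive_key(master_password, secret_key, salt)
    return {"salt": salt, "check": hmac.new(key, b"vault-check", hashlib.sha256).digest()}


def offline_guess(record: dict, wordlist, secret_key_guess: bytes):
    """Try each candidate password against the record using one Secret Key guess."""
    for candidate in wordlist:
        key = derive_key(candidate, secret_key_guess, record["salt"])
        tag = hmac.new(key, b"vault-check", hashlib.sha256).digest()
        if hmac.compare_digest(tag, record["check"]):
            return candidate
    return None


def years_to_exhaust(bits: int, guesses_per_second: float) -> float:
    """Time to try every value in a 2**bits space at the given rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample data: a weak password and a fresh random Secret Key.
    secret_key = secrets.token_bytes(SECRET_KEY_BYTES)
    record = make_stolen_record("tr0ub4dor&3", secret_key)
    words = ["password", "letmein", "tr0ub4dor&3", "hunter2"]

    # The wordlist contains the right password, but without the Secret Key
    # no candidate verifies.
    print("server dump only:", offline_guess(record, words, bytes(SECRET_KEY_BYTES)))
    # Only someone who also holds the Secret Key (an authorized device) succeeds.
    print("with Secret Key :", offline_guess(record, words, secret_key))

    # Rough scale: a 40-bit password alone versus password plus 128 random bits.
    print("40 bits  @ 1e6/s :", years_to_exhaust(40, 1e6), "years")
    print("168 bits @ 1e12/s:", years_to_exhaust(168, 1e12), "years")
```

The same model shows the limit the thread keeps returning to: the derivation protects data at rest on the server, not a device where both secrets are typed into a compromised browser or OS.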

  • brenty

    Team Member

    I mean access code generation with an app like Google Authenticator, this is in no way comparable with the secret key you are using which never changes. Even Dropbox is more secure when using two-factor authentication and that service doesn't always contain this kind of sensitive data. I think the secret key is a farce once it has been entered on a website, which I'm obligated to do to manage my account?!

    @admxnl: It may be something we add in the future, but 1Password's security is based on encryption, not authentication. Authentication can be spoofed or hijacked (or poorly implemented); encryption is math.

    All of this sounds like you're trying to protect against a compromise of the system/browser you're using ("unknown browsers/machines"), and that's not something that even two-factor authentication can save you from. If you're operating in an insecure environment, what's stopping the attacker from performing a person-in-the-middle attack to capture and use your one-time password and login credentials, or simply capture your data as you enter/access it? I think you know the answer.

    But in the case of the 1Password.com admin console, even if someone were able to perform a person-in-the-middle attack on you (though there are a number of methods we use to prevent this, which I went over earlier) — you guessed it: your Master Password and Secret Key aren't being transmitted, so they cannot be captured that way. And if your machine is newly compromised, you won't need to enter your Secret Key to login in the first place, so they could maybe capture your Master Password, but that is insufficient for them to login to your account, or to decrypt the data cached locally. So at that point they'd need to wait for you to access the data yourself to try to capture it that way. And again, everything else on your computer is already ripe for the taking at that point, so we need to be realistic about this.

    That is also what I mean with a different master password for vault access. Account management and vault access should be separated.

    Thanks for clarifying. It isn't something we have plans of doing, but I'd be interested to hear the specific threat you're trying to protect against.

    You could detect local password manager is enabled and suggest to disable it? Why doesn't Chrome ask for saving passwords when using 1Password? You should pro-actively support and protect users!

    I'm not sure that it's possible to detect that. And frankly, some users choose to use that. 1Password is a password manager, so it isn't its job to police your system. The people who want to use the built in filling features in their browser would be annoyed by that; and the folks who notice this and don't want that behaviour (like you) can simply disable it in the browser.

    I can remember a discussion with you guys not too long ago about building printing support into 1Password 4, you would not even think about it because traffic from the machine to the printer would be insecure. And now you're saying if there are insecure extensions that's your problem if it hijacks very sensitive data? I don't get that. That's why I said vault web access is not safe, it should be disabled by default. You should give users the choice to enable it themselves!

    Printed data is inherently plaintext and insecure. Moreover, many printers cache the data that passes through them. So no, we don't recommend taking your encrypted data from and dumping it out into a form where it can more easily be compromised. And, as such, since 1Password is designed to help each of us be more secure, we haven't spent a lot of time working on ways to forego its security benefits. You can always export to plaintext, as that is a feature we do have to include in case someone wants to take their data elsewhere. It isn't our intention to lock anyone's data into 1Password.

    Additionally, we can't control 3rd party extensions any more than we control other software you choose to install on your system — literally: we can't stop you. Web vault access is only unsafe if your system or network is compromised, and it isn't mandatory to use it to access your data. You can use the native app, which is signed digitally, to ensure that you haven't downloaded something malicious. But again, it's your responsibility to secure your equipment.

  • @brenty this quote below is directly from your security whitepaper;

    An attacker who is able to modify the JavaScript client that is sent from the web server to the user’s device will be able to capture the Master Passwords and Account Keys that a user enters or provides.

    Ok, I must believe you when you say the master password is never sent because of SRP. But we have zero insight on this protocol and if it's working properly and which revision you are using. Like I said before the master password can easily be captured on browser side with an extension or javascript attack. In the app this would be impossible to do so and makes it a more secure option. You ask me what I'm trying to do and that is to separate my master password that I enter in Chrome to manage my account from the local app in which I want exclusive access to my sensitive password data! I don't care about 1Password.com accounts because I'm only using this for full 1Password v6 capabilities on Windows.

    About the Firefox discussion, I give up. I only want to improve general security for myself and your users.

    Web vault access is only unsafe if your system or network is compromised, and it isn't mandatory to use it to access your data.

    It is mandatory because else I cannot set up my 1Password.com account and there is no other way for me to create a vault in 1Password 6 for Windows that I'm able to sync with other devices and have full app capabilities. If I'm wrong could you explain to me how to do this?

    Maybe I can never win this discussion because you think every access to my vault with 1Password is super-secure but I don't agree with that and would like to disable some features in your product to close as many doors as possible. I hope you can find the time to discuss this with the development team.

  • brenty

    Team Member
    edited April 2017

    Ok, I must believe you when you say the master password is never sent because of SRP. But we have zero insight on this protocol and if it's working properly and which revision you are using.

    @admxnl: Right, unless you do some research yourself, you do sort of have to take our word for it to some extent that SRP works. Though if it didn't, we'd not only be handing out large cash rewards to folks who were able to exploit it and going back to the drawing board with regard to 1Password.com, we wouldn't even be using 1Password ourselves.

    Like I said before the master password can easily be captured on browser side with an extension or javascript attack. In the app this would be impossible to do so and makes it a more secure option.

    We're in agreement about that, which is why we've mentioned that we're working to make it possible to use a native app (which can be signed) for admin functions. Though I wouldn't say it would be "impossible" to find a way around that. If you're not willing to check the certificate chain when using 1Password.com you're probably not going to verify the app's signature either. These aren't things we can force the user to do.

    You ask me what I'm trying to do and that is to separate my master password that I enter in Chrome to manage my account from the local app in which I want exclusive access to my sensitive password data! I don't care about 1Password.com accounts because I'm only using this for full 1Password v6 capabilities on Windows.

    That's how 1Password already works, but just as you need to verify you're using a legitimate copy of the 1Password app on your device, you need to verify who you're connecting to on the web, as well as the integrity of your system to ensure you have exclusive access to your sensitive data. There just isn't any way around that. As mentioned in the discussion I referenced earlier:

    There are a few things we have in place to mitigate these sorts of threats though:

    • Using the most recent version of TLS
    • Not supporting weak cypher suites since those could be used for downgrade attacks
    • Using HSTS to prevent downgrade to (insecure) HTTP
    • Offer large monetary incentives to researchers to help identify weaknesses in our server infrastructure that might expose us to the type of threat you're concerned about
    • Continue to explore new ways to protect 1Password.com (and users) against attackers

    There are also things you (and other users) can do to protect yourself when using the 1Password.com service:

    • As you mentioned, using the apps is a more secure option, since we're able to digitally sign the code
    • Whether you're using the web app or downloading a native client, verify the certificate of the server you're connected to
    • Keep your browser up to date and heed security notices (expired or invalid certificate warning, for example)
    • Keep your OS up to date
    • Don't allow "security" software to perform a person-in-the-middle attack on your connection

    It sounds like you'd like us to provide a way for you to not have to worry about that, and that is something we put a lot of effort into. But ultimately it's not possible today to remove all of the burden from the user, so some responsibility still rests with you. 1Password — or any other product — is not a replacement for good security hygiene. We'll continue to work to make it easier, but nothing can protect us from ourselves, and I think it's important to keep that in perspective.

    About the Firefox discussion, I give up. I only want to improve general security for myself and your users.

    You're right. I'd encourage you to reach out to Mozilla about having the password saving feature disabled by default in Firefox, as this isn't a change any of us can effect. I'm sorry that isn't something I can help you with.

    It is mandatory because else I cannot set up my 1Password.com account and there is no other way for me to create a vault in 1Password 6 for Windows that I'm able to sync with other devices and have full app capabilities. If I'm wrong could you explain to me how to do this?

    I guess what I mean is that it isn't mandatory to sign up for a 1Password.com membership if it doesn't meet your needs. There are other options out there, and we'd rather you use a competitor's product rather than being unhappy using 1Password, or less secure using nothing at all.

    Maybe I can never win this discussion because you think every access to my vault with 1Password is super-secure but I don't agree with that and would like to disable some features in your product to close as many doors as possible. I hope you can find the time to discuss this with the development team.

    I don't think "winning" is the point at all. And I disagree completely that any way you access your 1Password data is "super-secure". In fact, that's what I've been saying this whole time: you need to — and can — make sure that the environment you're using it in is not putting you at risk. We always recommend against using 1Password on untrusted devices (public computers, etc.) because in order to access your data, it must be decrypted, which provides an opportunity for the owner of that system to capture it.

    But merely disabling a feature won't get you the result you want, as it would inherently need to be possible to enable it again. Removing a feature that can be used insecurely is an alternative, but if we follow that to its logical conclusion, none of us should be using web browsers in the first place — and in that case 1Password has considerably less utility as a password manager.

  • Ok, strange you're telling me I need to go to the competition because I don't want web access to my vault and on the other hand you or your colleagues tell me I need 1Password.com accounts because local support maybe is never coming to 1Password 6 for Windows. I was very patient but waiting over 6 months for a feature that maybe would never come is not in my vocabulary.

    I like 1Password very much and would hate switching to another solution. I would rather see you guys put the same amount of effort in adding a function to disable vault web access than you put in this discussion.

    I also think your explanation is too elaborate, you can just say 'Hey, we're not going to build that for you!'. That's enough information for me and I can decide for myself if I'm going to switch to the competition. By the way, telling me to go to the competition is not very professional.

  • brenty

    Team Member
    edited April 2017

    Ok, strange you're telling me I need to go to the competition because I don't want web access to my vault and on the other hand you or your colleagues tell me I need 1Password.com accounts because local support maybe is never coming to 1Password 6 for Windows. I was very patient but waiting over 6 months for a feature that maybe would never come is not in my vocabulary.

    @admxnl: That's not it at all. We obviously would prefer that you be happy using 1Password, but I think it's important to be realistic: It isn't going to be a perfect fit for everyone. You're right that it's never fun waiting for features we want. I've got my own list too, but we have to prioritize the things that do the most good for the greatest number of users.

    I like 1Password very much and would hate switching to another solution. I would rather see you guys put the same amount of effort in adding a function to disable vault web access than you put in this discussion.

    As much as you might not like the answer, I'm not sure you would have appreciated not getting a response at all. ;)

    Like I said, that isn't something we have plans for. You're the only one asking for it right now, so we need to work on things that help more folks. It may be something we can do in the future though if there's enough interest.

    I also think your explanation is too elaborate, you can just say 'Hey, we're not going to build that for you!'. That's enough information for me and I can decide for myself if I'm going to switch to the competition. By the way, telling me to go to the competition is not very professional.

    Yeah that's not what I said at all. As you can imagine, it helps us financially if you continue using 1Password. However, money is neither the only thing nor the most important. So if we have to choose between you A. using 1Password unhappily, B. using no password manager, or C. using a competitor's product, we'll pick the latter every time. We want happy users not trapped ones. Obviously the other option is that we change 1Password in the way you want us to in the future, but that's not going to help you now and I can't guarantee you that we'll make the changes you want on your schedule. I'm sorry I don't have a better answer for you than that. You should use the tool that best meets your needs today. If that's 1Password, then great! I can promise you that we'll continue to improve it, even if we don't necessarily prioritize the things you want over those that help a greater number of users. That's got to be our focus, and the good news is that if you do continue using 1Password, you'll be a beneficiary of much of what we do as well.

  • admxnl
    edited April 2017

    OK, I've checked and tried your competition and none of them have a decent interface. >_<

    No password manager is not an option. Competitors are not an option. Browser password manager is not an option. So I have to do it with what's available. I'm stuck with you guys :).

    I still hope you find the time to add real two-factor authentication for new clients like 'Dashlane' does, too bad their interface isn't nearly as good as yours. Probably I'll find this feature back in 1Password in about a year or so, like many other features I requested before that your colleagues were vague about.

    Thanks for your time anyway.

  • brenty

    Team Member

    @admxnl: Likewise, thanks for bringing these things up. I'm just sorry I ultimately don't have a perfect solution to offer you. We think that 1Password is pretty darn good, and you could do worse than be "stuck" with it. That said, we're also acutely aware of the areas where it could be improved, perhaps more than anyone, and we want to make it better both for our customers and for ourselves. I can't promise any of the changes/features you're asking for right now, but two-factor authentication and admin functions in a native app are very much things we're exploring. So perhaps we'll be able to offer those in the future. Cheers! :)

This discussion has been closed.