Can't disable web (browser) access from 1password.com to unencrypted passwords?

I'm a longtime user of 1PW (since 2011) and have been the ultimate satisfied user/owner, have bought a multi-platform family license as well as personally paid for licences for relatives/friends just so that they would start using 1PW. I have over 1100 items stored in my 1PW vault (don't know if that's a lot compared to other users but mention it just to show how much I use 1PW). I say all this to show how I am committed to long term use of 1PW.

I'm watching all of the hubbub that is going on both these forums and Twitter regarding your current focus on 1password.com and subscriptions moving away from the licensing system. My initial reaction was "Oh cr*p, we're screwed", but the more that I've studied what you're doing and how you're doing it, I was starting to get think that my use of 1PW would still be ok (safe and secure) in the future.

I understand the need for a continuing revenue stream and have no problem with paying a reasonable subscription fee for a tool that is as critical and useful to me as 1PW.

I signed up for a trial Family 1password.com account and have been testing it for the past day and like most of what I see.

However, I currently have at least one concern about the 1password.com setup.

There appears to be no way to disable web access to the entirety of my unencrypted passwords via 1password.com if I have set my passwords to sync via 1password.com.

Limiting the access of unencrypted passwords to only properly setup 1PW applications would seem to eliminate the possible (probable?) web based attack vector to a 1password.com account.

I don't want any web-based access to my unencrypted password "vault". This is the primary reason I've never considered switching to the many other password managers available that are web browser accessible.

My Dropbox sync'd vaults are probably more vulnerable in encrypted form that what is stored using your service and encrypted with the additional Secret Key, but at least with Dropbox my unencrypted passwords are never accessible via a web browser.

Am I missing something here or is there really nothing to prevent web-based (browser) access via 1password.com to all of my unencrypted passwords if you possess the proper credentials (which I realize include my Secret Key and Master Password that are unfortunately static entities)?

Wouldn't a dynamic 2FA for web login to 1password.com go a long way to further secure my passwords from web-based attack?


1Password Version: mac 6.71
Extension Version: don't use
OS Version: macOS 10.12.5
Sync Type: Dropbox (for now)

Comments

  • BenBen AWS Team

    Team Member

    HI @trclayton58,

    Thanks for taking the time to write in, and for the backstory! So glad to hear that you've been with us for so long and that you've been happy with 1Password.

    There appears to be no way to disable web access to the entirety of my unencrypted passwords via 1password.com if I have set my passwords to sync via 1password.com.

    We do not have any unencrypted 1Password data. What is it that lead you to believe that we did? All data is encrypted using your Master Password and Secret Key before being sent to the 1Password service.

    my Secret Key and Master Password that are unfortunately static entities

    These are not static. We don't generally recommend changing them unless you have reason to believe they've been compromised, but it is possible to do so.

    Wouldn't a dynamic 2FA for web login to 1password.com go a long way to further secure my passwords from web-based attack?

    In short: no. We've talked a lot on these forums about the benefits the Secret Key offers compared to MFA, etc. MFA does help prevent replay attacks, but the Secret Key actually strengthens your encryption keys. We feel that because of this the Secret Key is a better alternative to more traditional MFA.

    I hope that helps. Should you have any other questions or concerns, please feel free to ask.

    Ben

  • I must not have been clear in asking my question.
    I'll try again: If I sync my data via 1password.com, can I disable web browser access to my unencrypted passwords?

    To address your reply above: I understand that you do not have any unencrypted data; however, whenever I (or anyone else) am logged in to 1password.com (via a web browser), any and all unencrypted data can be presented to the user via the browser interface (with only the Secret Key and Master Password required to log in to that browser interface).

    Currently, syncing via Dropbox, there is no possible way for anybody using a web browser to view my unencrypted passwords.

    With my current setup, a remote attacker (someone that does not have physical access to one of my devices with 1PW and Dropbox installed) would need both my 1PW Master Password and my Dropbox credentials (including a dynamically changing 2FA) to get access to my data in unencrypted form.

    If I sync my data via 1password.com, all that is required to access my passwords unencrypted from a web browser is my Master Password and my Secret Key which you say are not static because they can be changed, but they might as well be considered static because, if they are compromised it is likely already too late to change them because all my 1PW data is probably already stolen. A compromised account on 1password.com for me means the loss of a thousand passwords.

    I've read all about the benefits of the Secret Key compared to MFA but if the Secret Key (and Master Password) have been compromised how much the encryption has been strengthened doesn't matter because the keys have been exposed and that is all that is necessary to access my passwords unencrypted with a browser via 1password.com.

    If I can't disable web browser access to my unencrypted passwords, dynamic 2FA would minimize if not eliminate this problem.

    I know you consider this an important issue because you offer Duo Push 2FA for Teams.

    Shouldn't individuals and families be entitled to the same level of protection.

  • BenBen AWS Team

    Team Member

    I think I see what you're getting at.

    The short answer is no: you cannot disable the web interface for your 1Password.com account.

    Now, that said, I'd like to elaborate a bit. You mention that you're syncing with Dropbox currently, and that someone would need both your Dropbox password and 1Password password to steal your data. This is partially true. You didn't take the rogue Dropbox employee, or Dropbox having a breach, into consideration. With Dropbox you don't hold the encryption keys: they do. I'll quote from one of their blog posts on this subject:

    "Some concerns have been raised about our Help Center article and other statements that discuss employee access to user data. We agree that we could have provided more details and we will be updating these to make them more clear. Like most major online services, we have a small number of employees who must be able to access user data when legally required to do so. But that’s the exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, we employ a number of physical and electronic security measures to protect user information from unauthorized access."

    https://blogs.dropbox.com/dropbox/2011/04/privacy-security-your-dropbox/

    So they've got the keys. They are, I'm sure, well controlled, but they've got them. With 1Password.com we do not: you do. And you have both your Master Password and your Secret Key to protect you with encryption.

    To be fair, accessing 1Password from the web interface is the highest risk way to access 1Password data. We've talked about this in a few threads, including the one right below yours (perhaps you saw it?):

    https://discussions.agilebits.com/discussion/80102/1password-com-browser-security#latest

    Right now the web interface is critical because it is the only way to accomplish certain tasks. We do have some ideas that we're brainstorming on how to mitigate the risks that do exist, and also to decrease the reliance on the web interface.

    As to your other points: could someone steal both your Master Password and your Secret Key and then gain access to your 1Password data through the web interface? In theory, someone could, yes. But they could also gain access to your 1Password data with the native clients using that information, so I'm not sure I see how shutting off the web interface helps with this problem?
    Also: consider how someone would likely accomplish that. Likely through malware on one of your devices, right? Well if they've got malware on your device they can simply steal your credentials out of the web form fields as you fill them. So again, it is worth considering what the actual threats are and what mitigation would be helpful. 2FA doesn't solve all of the problems that many think it does.

    Ben

  • BenBen AWS Team

    Team Member

    Don't get me wrong -- I'm not bashing Dropbox. I use their service every day. But the level of security with 1Password.com is higher.

    Ben

  • Ok, now you're making me question what I think I know about how 1PW works.

    I accept everything that you said about Dropbox and truly believe that 1password.com's level of security is higher.

    However, I am I wrong in my understanding that 1PW encrypts all of a vault's data on my computer before it is sync'd to Dropbox?

    If this is indeed the case, while I never want my data compromised, aren't I still protected by 1PW's encryption if there is a Dropbox breach albeit with a lower level of encryption than if my data is stored on 1password.com (because the Secret Key isn't involved when using Dropbox)?

    BTW, I do look forward to a future version of 1PW with the admin console built into the application, doing away with the need for any web access at all.

  • BenBen AWS Team

    Team Member

    However, I am I wrong in my understanding that 1PW encrypts all of a vault's data on my computer before it is sync'd to Dropbox?

    Regardless of how your data is synced it is encrypted by 1Password before it leaves your device.

    If this is indeed the case, while I never want my data compromised, aren't I still protected by 1PW's encryption if there is a Dropbox breach albeit with a lower level of encryption than if my data is stored on 1password.com (because the Secret Key isn't involved when using Dropbox)?

    Yes, though I'm not sure "lower level of encryption" is the right term... It just isn't protected by Two-Secret Key Derivation when syncing with Dropbox.

    Ben

This discussion has been closed.