1Password Mini = Security Flaw?

Hi. I just started using 1Password, and I am generally impressed with it - but there is one issue which concerns me. I've installed the Windows app on two Windows laptops (Win8.1 for my wife and Win7 for me.). The app works fine, but the 1Password mini program strikes me as a security risk. Here is the typical scenario that happens when you use the Windows app on either laptop:

  1. Open the main app. Enter your password. App gives you access to your sensitive information, as it is supposed to.
  2. After using the main app, my preferred method to close any Windows program is to click on the X in the upper right-hand corner. At this point, I am assuming the auto-lock of 1Password will engage after three minutes, which is how I have the auto-lock configured in the 1Password Windows app settings.
  3. The program closes, but the mini continues to run in the system tray. As a result, the auto-lock does NOT engage after three minutes (or after any length of time, save for logging out of Windows.) That means that anyone can come along after I have walked away from my computer, open 1Password, and be greeted with all my passwords. I don't like that too much.

Yes, I know I can click on the lock icon in the Windows app to engage the lock feature manually. But either myself or my wife may not remember to do that. And since the mini version of 1Password will always be running in the system tray if you close out of the program by hitting the X in the right-hand corner, you have the potential for all your sensitive information to be exposed. Kind of like closing the door to an actual vault in your house, but the vault door never locks unless you turn a key.

Bottom line: Seems to me this problem would be easily solved if the mini could be disabled from running in the system tray. I realize from reading these forums that there are many people who love the mini app. But I would prefer to have an option to close the mini entirely and not have it open again after I open the main application.

The vast majority of Windows programs have settings that dictate what will happen when you close a program (i.e., minimize the app, or close it completely.) 1Password's Windows app needs that option. If it has it, I sure can't find it any place, either in the settings for the main app or the mini itself.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Greg

    Team Member

    Hello @mjfoxtrot,

    Thank you for reaching out and sharing your thoughts!

    The behaviour you described in the 3rd step is not correct. The 1Password app (AND 1Password mini) should lock after a certain time of inactivity, which you set in Options > Security > Auto-Lock. Could you please try to do the following:

    1) Set the Auto-Lock time to 30 seconds.
    2) Close the main app and set the timer for 30 seconds.
    3) Try to open 1Password mini or the main app of 1Password.

    Is 1Password unlocked for you after these steps? If it is, it means that something is interfering in the activity of your PC and it stays active. We need to find out why it is happening if this behaviour is confirmed.

    I will be looking forward to your reply. Thank you!

    Cheers,
    Greg

  • Thanks for your reply, Greg. Much appreciated. Well, I followed your advice with the 30-second setting for auto-lock, and to my surprise, the auto-lock worked just fine after 30 seconds. Both the mini and the main app were locked after 30 seconds.

    I am going to confess ignorance here, and say that I believe the trouble I was having was due to my failure to understand how the auto-lock works. I was under the impression that the auto-lock would kick in no matter what after I closed the main program. I was doing other tasks on the laptop (i.e., moving the mouse and using the keyboard.)

    Am I correct in understanding that such activity will preclude the auto-lock from engaging? Once I stop moving the mouse or using the keyboard, then the auto-lock kicks in after 30 seconds, but any mouse movement will disrupt the countdown to auto-lock? If that is the case, I am fine with it, although it would be worth a note of clarification in the 1Password documentation that "inactivity" means no activity on the PC whatsoever. I had thought "inactivity" in this context referred to not using the mouse or keyboard in 1Password.

  • bundtkate

    Team Member

    Hey @mjfoxtrot!

    > Am I correct in understanding that such activity will preclude the auto-lock from engaging?

    You are correct. Auto-lock is designed to be a failsafe in case you walk away from your computer and forget to lock 1Password. The setting I see in 1Password 6 on my PC actually says "Lock after computer is idle," but I'm running the latest beta, so it's possible we simply read your mind and fixed the copy before you even knew you wanted it fixed. :wink:

    Alternatively, were you reading about auto-lock somewhere other than within the main app that caused some confusion? I'm always on the hunt for ways to improve our support documents too, so I'd love to hear your feedback! :chuffed:
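A small model of the two readings of "inactivity" discussed above, added here as an illustration and not 1Password's code. `InputEvent`, `lock_time` and the timeline are constructed for the example; the 180-second delay is the poster's three-minute setting.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class InputEvent:
    t: int              # seconds since the vault was unlocked
    in_vault_app: bool  # True if the input went to the password manager


def lock_time(events, delay, scope):
    """Second at which an idle-based auto-lock fires.

    scope="system": any keyboard/mouse input on the PC resets the timer
                    (the behaviour confirmed in the thread).
    scope="app":    only input to the password manager resets the timer
                    (what the original poster had assumed).
    """
    if scope not in ("system", "app"):
        raise ValueError("scope must be 'system' or 'app'")
    last = 0  # unlocking the vault counts as activity at t=0
    for ev in sorted(events, key=lambda e: e.t):
        if ev.t - last >= delay:
            break  # the timer already expired before this event
        if scope == "system" or ev.in_vault_app:
            last = ev.t
    return last + delay


def extra_exposure(events, delay):
    """Seconds the vault stays unlocked beyond what an app-scoped timer would allow."""
    return lock_time(events, delay, "system") - lock_time(events, delay, "app")


# Constructed timeline: two interactions with the vault, then the window is
# closed and the user keeps working in other programs every two minutes for
# half an hour before walking away.
TIMELINE = (
    [InputEvent(20, True), InputEvent(45, True)]
    + [InputEvent(t, False) for t in range(120, 1801, 120)]
)

if __name__ == "__main__":
    for scope in ("system", "app"):
        print(scope, lock_time(TIMELINE, 180, scope))
    print("extra exposure (s):", extra_exposure(TIMELINE, 180))
```

With the 30-second delay from Greg's test, both readings lock at the same moment, because the first pause longer than the delay ends the session either way.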

  • Hi bundtkate. Thanks for answering my question about Auto-lock. Now I understand exactly how it works.

    Your question about the documentation was a good one, and I can answer it in a way that is hopefully helpful to you: Yes, I had been reading about auto-lock on the 1Password support forums. Specifically, these posts, which are rather old:

    https://discussions.agilebits.com/discussion/39515/1password-does-not-log-out-after-i-quit-the-application

    https://discussions.agilebits.com/discussion/14230/auto-logout-after-5-minutes-does-not-always-work

    As far as what I see in my version of the Windows app: The setting in the "Security" section simply says "Auto-Lock", and there are two options. The first is "Lock when switching session," and the other is a drop-down box for setting the auto-lock delay (30 seconds, 3 minutes, 5 minutes, etc.)

    I think the wording you have in your beta version, namely, "Lock after computer is idle," would be much more illuminating and is less ambiguous than the wording is now. But if it were me, I would add a second sentence that says, "The program will auto-lock to the password screen if there is no mouse or keyboard activity during the specified time." That may be overkill, but it would make things crystal-clear for thick-headed people like me ;)

  • bundtkate

    Team Member
    edited July 2017

    Hey @mjfoxtrot! Thanks for the feedback! Alas, there's nothing I can do about old forum posts, but I'm glad you find the new copy in the beta to be helpful. I knew that copy was missing at one point, but my memory isn't good enough to always keep track of when fixes were implemented sometimes. :blush: For now, I'm glad to have cleared this up for you and that it seems we accidentally did read your mind a bit. :chuffed:

This discussion has been closed.