The 1Password X extension seems very vulnerable if my computer gets hacked.

Bellamy88
Community Member
edited August 2018 in 1Password in the Browser

Hello, trial user here offering my 2 cents.

I've set the 2FA on my 1Password account so even if my computer was compromised, they'd still need to get past 2FA from my Google Authenticator which isn't likely, however my 1Password X extension is wide open? Sure I can set it to lock after a certain amount of minutes but having to unlock it every time I need to fill in a password isn't very convenient.

Also you could get a virus on your computer which specifically tries to scrape usernames and passwords from your 1Password X extension when it is unlocked and it's just all there to see, all the virus has to do is click "reveal" and it's there, even my secret key!

I honestly think you should have to enter your master password and submit a 2FA code to enable the "reveal" or "copy" password buttons in 1Password X Extension, it's just too vulnerable in my opinion. There is almost no reason whatsoever why someone who is using 1Password X as designed would need to reveal or copy their passwords because the extension works by giving that popup with the login info anyway.

I am blown away by how amazing this app is and I'm definitely going to sign up for the subscription but I'd really like to see a little more security on the 1Password X extension. All it takes is 1 virus or hack to get through your antivirus and your secret key and passwords for every account you own plus any other documents are in the hands of an attacker.

Proposal: 1Password X > Settings > Security > Reveal and Copy password require 2FA? [Yes/No] (Changing this option itself also requires a 2FA code)

Thanks for reading.


1Password Version: 7.2.576
Extension Version: 1.90
OS Version: Windows 10
Sync Type: Not Provided

Comments

  • AGAlumB
    1Password Alumni

    @Bellamy88: Thanks for getting in touch! You're right to be concerned about security, especially when it comes to storing sensitive stuff in 1Password. But it's important to keep in mind that neither 1Password nor anything else can protect sensitive information you access on a compromised machine.

    > I've set the 2FA on my 1Password account so even if my computer was compromised, they'd still need to get past 2FA from my Google Authenticator

    This is not going to protect you the way you seem to think it is. It will only prevent someone from signing into your account on a new device, since they will not have the one-time password. But if they are in control of your computer, they can see anything you do. Two-factor authentication cannot prevent you from giving away your secrets.

    > however my 1Password X extension is wide open? Sure I can set it to lock after a certain amount of minutes but having to unlock it every time I need to fill in a password isn't very convenient.

    You can't have it both ways: either 1Password is locked and your data remains encrypted, or it's unlocked and accessible. 1Password gives you a lot of control over that, but you cannot access your data without it being decrypted.

    > Also you could get a virus on your computer which specifically tries to scrape usernames and passwords from your 1Password X extension when it is unlocked and it's just all there to see, all the virus has to do is click "reveal" and it's there, even my secret key!

    That's correct. If your computer is compromised, it is no longer really yours. All bets are off. There's nothing that a home security company can do to keep intruders out either if you open the door for them, or they're already in your house. That's what it's like when you relinquish control of your computer to an attacker.

    > I honestly think you should have to enter your master password and submit a 2FA code to enable the "reveal" or "copy" password buttons in 1Password X Extension, it's just too vulnerable in my opinion. There is almost no reason whatsoever why someone who is using 1Password X as designed would need to reveal or copy their passwords because the extension works by giving that popup with the login info anyway.

    That's a really good point. Indeed, I rarely reveal passwords. I just have 1Password fill them for me. And the good news is that you're in control here: if you lock 1Password when you're not using it, all of the data is encrypted and there is no way to reveal any of it.

    > I am blown away by how amazing this app is and I'm definitely going to sign up for the subscription but I'd really like to see a little more security on the 1Password X extension. All it takes is 1 virus or hack to get through your antivirus and your secret key and passwords for every account you own plus any other documents are in the hands of an attacker.

    Thanks for the kind words. I'm glad you're enjoying 1Password! As far as security, much of this sounds pretty dire, but the bright side is that you're in control: there's a lot you can do to protect yourself by practicing good security hygiene and behaving skeptically online.

    > Proposal: 1Password X > Settings > Security > Reveal and Copy password require 2FA? [Yes/No] (Changing this option itself also requires a 2FA code)
    >
    > Thanks for reading.

    It's something we can consider, but it's important to keep in mind that even if copy and reveal are unavailable, if you've already unlocked 1Password and handed your computer over to someone else they can just fill your login credentials and change your passwords to whatever they like, even without ever knowing your original password.

    Anyway, I hope this helps clear some of that up, but please let me know if you have any other questions at all. :)

  • Bellamy88
    Community Member

    Hi, thanks for replying.

    I've been using computers for some 17 years and I've never been hacked as far as I know so I think I do have good security habits anyway but when all my passwords are stored in one location, understandably I expect that one location to be as secure as humanly possible should the worst happen.

    Someone actually hacking into your PC remotely is pretty unlikely I think if you have even the most basic security features enabled on your PC and browse and download sensibly, that being said, viruses or malware are more likely, even the best antiviruses cannot catch everything all the time.

    So what I'm saying is a method to protect your 1Password X extension from malware just going in and copying your passwords, they'd run into a 2FA issue, surely that is better than having the passwords completely naked when my extension is unlocked? Basically any interaction with the extension such as revealing, copying, editing, deleting, syncing etc should ideally require some other secondary physical confirmation, like 2FA on your phone.

    Just a thought anyway. Thanks again.

  • AGAlumB
    1Password Alumni

    > I've been using computers for some 17 years and I've never been hacked as far as I know so I think I do have good security habits anyway but when all my passwords are stored in one location, understandably I expect that one location to be as secure as humanly possible should the worst happen.

    @Bellamy88: Agreed 100%. That's why 1Password.com accounts each use a unique, 128-bit, randomly-generated Secret Key and Master Password (which we recommend be long, strong, and unique) to encrypt the data. Neither of those things is ever transmitted to us, so an attacker would need to get them from you in order to decrypt your data.

    Similarly, 1Password keeps your data secured when you're not accessing it, and also offers controls so you can have it lock automatically in case you forget when you're not using it.

    > Someone actually hacking into your PC remotely is pretty unlikely I think if you have even the most basic security features enabled on your PC and browse and download sensibly, that being said, viruses or malware are more likely, even the best antiviruses cannot catch everything all the time.

    Perhaps unlikely, but we all need to be careful of how we behave online. Nothing can prevent someone malicious from getting our stuff if we give them access to it.

    > So what I'm saying is a method to protect your 1Password X extension from malware just going in and copying your passwords, they'd run into a 2FA issue, surely that is better than having the passwords completely naked when my extension is unlocked? Basically any interaction with the extension such as revealing, copying, editing, deleting, syncing etc should ideally require some other secondary physical confirmation, like 2FA on your phone. Just a thought anyway. Thanks again.

    Indeed, you can lock 1Password at any time, which prevents anyone from accessing anything there without at least knowing your Master Password. You can also enable two-factor authentication on your 1Password.com account to prevent someone from signing into it on a new device even if you've given them your other account credentials. But please don't give your account credentials away. ;)
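
The point made above, that the data is encrypted with both the Master Password and the 128-bit Secret Key, shown as an added example that is not part of the thread and not 1Password's code. It is a simplified two-secret derivation built on standard-library PBKDF2 and HMAC; the iteration count, labels and function names are assumptions. In this sketch no one-time code is an input to the key, and a correct password without the Secret Key does not unlock anything.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor for this sketch


def derive_key(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Mix a memorised password with a 128-bit random secret held on the device."""
    if len(secret_key) != 16:
        raise ValueError("secret key must be 128 bits (16 bytes)")
    # Slow, salted stretch of the human-chosen password.
    stretched = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, ITERATIONS
    )
    # Expand the random secret to 32 bytes, then XOR the two values together.
    expanded = hmac.new(secret_key, b"sketch-v1" + salt, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(stretched, expanded))


def key_check(key: bytes) -> bytes:
    """Value stored beside the encrypted data to confirm a derived key is right."""
    return hmac.new(key, b"key-check", hashlib.sha256).digest()


def can_unlock(stored_check: bytes, password: str, secret_key: bytes, salt: bytes) -> bool:
    candidate = key_check(derive_key(password, secret_key, salt))
    return hmac.compare_digest(stored_check, candidate)


def demo() -> dict:
    # Constructed sample values, not real credentials.
    salt = secrets.token_bytes(16)
    secret_key = secrets.token_bytes(16)
    password = "correct horse battery staple"
    stored = key_check(derive_key(password, secret_key, salt))
    return {
        "owner": can_unlock(stored, password, secret_key, salt),
        # Password known, but the 128-bit secret never left the device.
        "password_only": can_unlock(stored, password, secrets.token_bytes(16), salt),
        "wrong_password": can_unlock(stored, "hunter2", secret_key, salt),
    }


if __name__ == "__main__":
    print(demo())
```
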

This discussion has been closed.