Thinking about jumping from Dashlane to 1Password but have a few concerns
I am looking to switch from Dashlane to 1Password, mainly because my wife is interested in using a password manager and Dashlane does not have any family plans. I had a couple concerns about 1Password that I would like to get feedback on.
One thing I like about Dashlane is I log in with my master password once a day (unless I reboot) and the program stays unlocked. The only time I need to re-enter my master password is if I want to view a secure note, manually view or copy a password to a website, fill in credit card information, or make any changes to the application security settings. This allows the application to always be open, but all the material is still secured behind my master password. This allows me to still auto-login to sites without re-entering the master password more than once a day. In addition, even though the application is open, all my notes/passwords are secured.
I have only been using 1Password for a day and I may be wrong, but it seems to auto-lock the whole application after 10 minutes and if I want to log into a website again I need to type in my master password. I also do not like the fact that when the application is open, my “secure” notes are visible for anyone to see and my passwords are visible as well if I click them. In Dashlane you cannot see any of my notes because it requires the password to access, same with manually looking at the passwords.
Am I missing something or is that how 1Password works? My main issues are having to enter my master-password every 10 minutes (of inactivity) and in those 10 minutes all my secure notes/passwords are visible to people around me.
1Password Version: 7
Extension Version: X
OS Version: Windows 10
Sync Type: 1Password
Comments
-
Hi @masterkaj
We don’t generally recommend leaving 1Password unlocked for long periods of time, particularly if you won’t be with your device for all of that time. I’m not super familiar with Dashlane to be honest but it sounds from your description like it should be possible to set your settings to obtain a similar result in 1Password.
How to set 1Password to lock automatically
That said, this sounds like an oxymoron to me?
This allows the application to always be open, but all the material is still secured behind my master password.
1Password does conceal passwords even when 1Password is unlocked by default.
Ben
0 -
I guess I mean in terms of security/usability I enjoy Dashlane. You login to the windows application with your master password, this unlocks the application and allows editing for 5 minutes. After that 5 minutes (whether you are inactive or not), it locks all manual access to the passwords, notes, etc. but still autofills in webpages and saves passwords for me. Meaning 3 hours later I can login to my bank account automatically without having to type my master password in again.
With 1Password its all or nothing. If I am working for 3 hours the application is "open" the whole time, where any of my secure notes or passwords are easily copied. Say for example you are at work and plan to just walk away for 30 seconds but you get held up for a lot longer. During that 3-10 minute window someone could easily copy my passwords and secure notes without me knowing. However, in Dashlane they would need to know my master password to copy anything. They could still access a webpage with the auto login feature of Dashlane, but they would need to use my computer for that (they could never copy the password).
Does that make sense?
Also I know 1Password conceals passwords, but I can just click them and they show up. In Dashlane I need to re-type my master password to view any concealed material. This is a big deal for secure notes in particular, I never want them to be easily accessible (I want to be forced to type a password to access them). Right now I have 1Password unlocked and I can just see everything.
0 -
Hi @masterkaj,
Does that make sense?
We understand the usability but our concern is how they handle the security, how do they allow access to the encrypted data without your master password? What stops anyone from installing an extension to your chrome browser and just use it to fill in compromised websites since they no longer need to know your master password?
If they allow filling in without your master password, it means they're either not encrypting your data at all or they're handling a dual-encryption protocol, one of which that you have no control over. If they're not doing the latter, then there's no security involved and it's worse than our attempt because at least we don't provide an illusion of security. Note, we have no idea what they're doing exactly, so we may be missing something simple here.
Meaning 3 hours later I can login to my bank account automatically without having to type my master password in again.
What stops anyone from going to your computer and log in to your bank account, transfer it and just leave without you ever knowing what just happened? What's to stop anyone from installing a simple password revealer extension to reveal all passwords filled by Dashlane (all password managers would be impacted but at least with 1Password, you have to unlock first).
I'm sorry but that doesn't sound safe at all or maybe I'm misunderstanding something so simple here and I'm not trying to discredit anyone.
We spend a lot of time trying to find ways to make 1Password faster and easier to use but at the same time, we do not permit anything that could impact the security or risks to your 1Password data. We were one of the few password managers that did not get affected by the auto-fill exploit because everyone thought it was safe and we were the one that said it was never safe to do this by default. We think about what people do and what the risks are and we simply don't allow anything that could increase the risk of getting into your 1Password data.
There's a very good reason we do all or none, it is simply because your master password is the only key that can unlock your encrypted data. Any attempt to work around this, including the use of Windows Hello that we also support but only after unlocking, can be used against you.
At this point, unless there's something simple we're missing, there is no plan to do what you're asking for. It does not sound secure to us and you'd be better off making sure you lock your computer when you leave and/or keeping 1Password's auto-lock timer at very short range like the 30 seconds option.
0
