No encryption for the Sharing options [Confirmed, use multiple vaults for secure sharing]

edited April 2014 in iOS Beta

When sharing a password/login as not plain text, it seems like you should have to enter a pass-phrase or password to encrypt the shared password that you then need to share with the intended recipient. That way if the email is intercepted, the attacker can't just install one password, add the encrypted password (which then unencrypts it), and steel your password.

Comments

  • MikeTMikeT Agile Samurai

    Team Member

    Hi @socaljoker,

    For secure sharing, you can set up a separate vault to share securely with others. They'll need to know the vault password and they can sync with you over Dropbox. That means both sides can add additional items in the same vault and it'll show up on both sides. We are looking into other avenues of secure sharing that doesn't depend on Dropbox.

    As for the current Sharing options, there isn't any encryption involved. The non-plain text version is just the data being just obfuscated by 1Password with a specific algorithm, which can be de-obfuscated easily in the other 1Password apps. It's only meant to prevent the text from being viewed in plain view while it goes through those channels but there isn't any encryption to protect the data from being sniffed up.

  • How unfortunate :/ Seems pretty unrealistic to have to create an entire vault just to share a single password (which was my case). Hope this gets remedied soon. Seems like a pretty big flaw to me.

  • MikeTMikeT Agile Samurai

    Team Member
    edited April 2014

    Hi @socaljoker,

    Yes, I agree, it is a limitation that we don't have single-item secure sharing right now except for heavyweight multiple vaults. It's not a trivial addition for us but we hope to have a better solution for this in the future for 1Password.

    We used to have something like this in the Mac app, where you can export a single item with encryption but the lightweight encryption standard we used became too weak a few years later for us to keep supporting it. So, we dropped it in later versions but we do want to revisit this with a new way to approach this.

This discussion has been closed.