1Password not signing out of extension after time elapses

Note that this is version 3.8.22 on a 10.7.5 Mac.

I've never seen this happen before, but when I started using this computer this morning, my Safari browser was still logged in from the day before. So I did a test and launched the app, and then let my computer idle. As per the settings, the app logged out after 10 minutes. But the extension is not logging out, and it still fills in passwords. It does appear you still support 1Password 3 (as the only option for older versions of OS X), and I've never seen this issue before. Any thoughts?

Note that this computer syncs to cloud-based data that newer versions of 1Password also access (as well as the iOS app). So part two of my question is, is my data any less secure because it's accessed and updated by this older version of the 1Password software? Or do versions 3-5 all encrypt my data in equally secure ways?

And question three is, is there a way to get support outside these public boards? I didn't see any, but at times I'd prefer not airing out security issues on a public forum. I ended up creating a new user ID, as I realized my previous user ID could be associated with me, and I'd rather be more obscure with my password security practices (if the day comes someone finds an exploit to 1Password, I'd rather they don't know I use it -- or maybe v3 has known issues, and I definitely don't want to advertise I'm using it still on one machine).

Thanks.

Comments

  • Stephen_C (Community Member)

    @SecretDude as you say you're using 1P3 for Mac I've moved your post to the appropriate forum because you will get more help there.

    Stephen

  • SecretDude (Community Member)

    Thanks, I didn't see there was a separate thread.

  • littlebobbytables (1Password Alumni)

    Hi @SecretDude,

    Let's address the 1Password queries first.

    1. 1Password 3 uses the .agilekeychain as its vault while 1Password 4/5 use it as a sync format in Dropbox. Given they all use the same format they're all as secure as each other, that is to say the system isn't weaker simply because you still use 1Password 3 with copies of 1Password 4/5.
    2. In the 1Password browser extension, after you've unlocked it, do you see a red exclamation mark in the sidebar at all? If it is there, it would be above the cog icon, which is your settings. If you click on the warning symbol, what message do you see?
    3. Still in the 1Password browser extension, if you first click on the cog icon for the extension's settings and then enter the Security section, is Enable Universal Lock enabled or disabled?

    Now, to your query regarding the forums. Your vault only exists on your computers and possibly a cloud based sync service if you use one e.g. Dropbox. I'm a little unsure how your username here in the forums would give any insight to allow somebody to either physically identify your IP address or guess as to your Dropbox account. I may be missing something of course but we wouldn't make use of the forums if we believed there was an inherent risk in doing so. If you feel uncomfortable explaining why in a public post then feel free to message me directly instead.

    Let's see if we can figure out why the extension isn't locking. Until we do, please note the padlock icon below the settings one; you can use that to manually lock the extension for now.

  • SecretDude (Community Member)

    Thanks for your response, glad to know my security is just as strong with 1Password 3.

    There is no red exclamation point, and Universal Lock is Enabled.

    Final note: after this happened I restarted my computer. Subsequent tests have shown the extension locks down as it should. So this seemed like a random aberration… which is a little disconcerting. Any clue what could cause this to happen with just the extension, but not the main app, and not happen regularly?

    I was using a user name that was the same as my Twitter account. I don't want to get into too many details, but I think if anyone appears to have financial accounts and uses a specific password manager, there might be a reason to target that person. It wouldn't be hard to email me based on my Twitter account, and if I replied, I think that might pass along my IP address, if I'm not taking steps to obfuscate it. That's the connection I could see by using my old forum handle, where a user could theoretically figure out my IP and target an attack to gain access to 1Password. Sure, it's paranoid thinking, but I think paranoid thinking makes sense when it comes to keys to the castle (which a password manager is, IMO).

  • littlebobbytables (1Password Alumni)

    Hi @SecretDude,

    My best guess would have been if Universal Lock wasn't working or disabled. If that isn't the case I'm not sure. There is a helper that relates to Universal Lock, it's what the exclamation mark might have indicated wasn't running. If that isn't running for some reason that could explain why it's behaving now as a reboot might have been the kick in the pants it required.

    While I certainly won't say don't be careful, that's quite a chain required. If you use a real email client such as Mail or Thunderbird, yes, it will have your IP address. If you use a webmail client, then it's their address that is the first in the chain.

    At this point they'll either need to identify your Dropbox account and compromise that, or target first your router and then your computer. That would potentially gain them access to your 1Password.agilekeychain. If they just have access to your 1Password.agilekeychain, then currently the best option is to brute-force your Master Password. This is where a really strong password comes into play and why we use standard encryption techniques to minimise the possibility of weaknesses.

    Obviously though, if somebody manages to compromise your machine then all bets are off no matter what. Say we had unbreakable encryption (words that if used seriously should always spark fear and suspicion), none of it matters if a person can simply observe you using your machine.

    Typically that level of targeting though is believed to mostly happen at the level of governments. Hard to say of course as you won't get a straight answer out of anybody regarding that hot mess. Personally I believe your average criminal is looking for a far softer target.

    One thing you can do is use unique usernames everywhere, of course, but that's easier said than done if you have a lot already set up or want them linked for any reason.

  • SecretDude (Community Member)

    Thanks for your answer.

    I think I would have noticed the exclamation point under normal circumstances, but even more so as I was trying to figure out why I was still logged in. Guess it's a mystery... Glad I'm in the midst of migrating to a new computer with the current OS and 1Password 5. Guess something was just in a weird state...

    Yeah, anyone would be toast if a government wants into their data (especially the U.S.). Though I'd guess skilled hackers could probably ruin most people's day if they targeted someone. Seems every week a major vulnerability is found in some software, protocol, or OS (or maybe our router, etc.). It's kind of scary times, in my opinion. We can't be secure w/o a password manager, but that password manager could also ruin us if the data and password got into someone else's hands.

  • littlebobbytables (1Password Alumni)

    You're quite correct @SecretDude, it's almost impossible to be safe online without something assisting our crappy human memories and yet whatever you do does smack of all your eggs in one basket.

    I think it's one reason many of our users like 1Password. If you're concerned you're a target, imagine how appealing a target cloud-based password managers seem. For some, they want the company to handle the storing of their data; for others, they want to keep that control.

    So a password manager's security lies in strong, standardised and open encryption, a strong password and the hope that you aren't personally targeted for whatever reason. Be warned, think about it too much and you may come to the decision the only way forward is to yank the internet connection completely.

  • SecretDude (Community Member), edited March 2015

    I don't know if this should be a fresh thread, but I just had another weird experience with 1Password 3 and Safari on my 10.7 Mac. I opened the extension, and started typing my master password so I could login to a website. The first three characters showed up (obfuscated by the typical circles) in the 1Password extension pop-up, but the rest of the password didn't appear. I waited a bit to see if it would catch up, but it didn't. So I closed the 1Password box, and then found that the balance of my master password showed up in the username field of the website I was trying to log into (w/o obfuscation). With several issues now, I'm thinking I will stop using 1Password on this computer, unless you have any thoughts on steps to correct several examples of buggy behavior.

    EDIT: Just realized Apple didn't push a security update to 10.7 for the FREAK attack either, so maybe it really is time to migrate from this old machine (I don't want to update the OS, for fear of losing access to some legacy software that I may need to access from time to time).

  • littlebobbytables (1Password Alumni)

    Hi @SecretDude,

    Just so I understand correctly, did your Master Password only appear in the address bar after you closed the extension, or was it present before you closed it?

    I know in 1Password 4/5 we use a Secure Event Input field for your Master Password. That's a special field, the same type as used when you're logging into your Mac or having to authenticate yourself to OS X. The idea behind it is the operating system takes extra steps to make sure you're safe when you type it in. We surrender a little control for a large gain in security. I don't know if it was available when we wrote 1Password 3 or not but if it was then we'll be using it there too. So I'm surprised as to what you observed. If focus was accidentally moved from the extension to the address bar that could be one reasonable explanation but not if your Master Password only appeared after the extension was closed, that sounds like some kind of odd keyboard buffer issue. It isn't one I've heard of before.

    A quick search suggests Apple dropped support for Lion around October last year. If that's correct then yes, vulnerabilities such as FREAK may remain unpatched. I certainly wouldn't swear by it, but depending on when you got your Mac you may have been running Lion now for almost four years. I wonder if maybe during that time this particular instance of Lion has picked up a bit of cruft, as can sometimes happen. I wonder if a clean copy of Lion would exhibit the same odd behaviours you've witnessed recently. I'd be reluctant to suggest it to a user unless it's something they're inclined to do anyway. I don't mean to suggest upgrading, as you've already mentioned software compatibility, but say you had an external disk you could use to run a second copy of Lion - one of the things you can do that I've always found neat about Macs. This is just thoughts running through my head more than a "you should really do this".

  • SecretDude (Community Member)

    I think you misread my comment. The password started in the pop-up 1Password extension box, then the balance appeared in the USERNAME filed (not the address bar). I believe the 1Password dialogue box actually covered the username entry filed (the user and password fields are in the top left of that web page). So I couldn't see the field until I closed the 1Password, and it appeared the partial password was sitting there (but w/o being able to see that field until I closed the 1Password box, I can't be sure).

    Yeah, it did cross my mind I could run a fresh version of the OS from elsewhere and see if that helped. But as I'm really trying to migrate away from this computer anyway, I'd rather not spend time with that approach. It's an amazing amount of work (and software upgrades) to move from my main production computer, with various software and hardware attached, to my new computer. I've done Apple migrations in the past, but I wanted to start fresh, and manually update this time, as that seems to be the recommended path for a better functioning system (also nice to not move over all kinds of stuff I don't use/need any more). There are weird hiccups, like I'm having issues printing from the new computer to my semi-old but very solid color laser printer. So I'm actively using both computers, until it seems like I can do all of my daily tasks and work on the new one. Someday...

  • SecretDude (Community Member), edited March 2015

    Ugh, I see I typed "filed" in several places I meant to type "field".

    And while I'm saying that, I guess I should ask... Do you feel like using another browser on this 10.7 Mac would solve the problem? That it's a Mac/Safari issue, rather than a 1Password 3 issue? And I guess the FREAK issue is also more browser than OS?

  • littlebobbytables (1Password Alumni)

    Hi @SecretDude,

    You're correct, I did misread where the rest of the password was entered, although in one sense whether it was in the address bar as I thought I'd read or a field on the page, the concern of how you got there is the same. I am stumped though: I can't find a way to shift focus from the lock screen to elsewhere without the lock screen disappearing, and I can't think how you could end up where the OS is holding onto a buffer of keyboard input. I can't tell if it's some million-to-one freak situation or if something just isn't right with your machine now.

    As to your query regarding FREAK: the vulnerability affected Chrome and Safari on OS X as they were using the same system library, so when Apple issued the fix it applied equally to Chrome too. I believe Firefox was not vulnerable, so it might be worth trying the Firefox browser, and the easiest way to know is to visit https://freakattack.com

    Now, applications can be at risk as well if they use the same library for any of their own communications. While browsers got the headlines (for obvious reasons), it potentially affects any application that uses SSL/TLS. To use iOS as an example, here is an article highlighting this: HTTPS-crippling FREAK exploit affects thousands of Android and iOS apps. As you can see, even when the iOS device was patched there were certain iOS applications that obviously used their own copy of the library and so remained affected. I don't see any reason why this won't hold true for OS X too.

    So it's not a 1Password issue, because in OS X we only communicate with the browser and it's the browser's responsibility to be safe, but FREAK does go beyond just the browser.

    I don't blame you for the fresh approach. I know Apple are meant to have done a pretty reasonable job of allowing a user to migrate from one machine to another, but given I haven't really felt the need to do OS re-installs like I used to with, say, Windows 98, the only time I get that fresh-box state is by manually moving just the data files I really want to keep when I move from one machine to the next, especially if you've gone through a couple of major OS updates on a single machine. You may very well find my opinion is old school and in the minority, and that these days there isn't much benefit from not taking the easy route with migrating.
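
The FREAK discussion above is about a client-side TLS library bug, not about 1Password itself. The following is an added example, written for this page and not code from AgileBits, the forum posters, or any TLS library: it models the decision a TLS client makes when a server answers a strong RSA cipher suite with an RSA_EXPORT ServerKeyExchange (a temporary 512-bit key), which is exactly what a FREAK-vulnerable client wrongly accepted. The ServerHello and ServerKeyExchange bodies are constructed in the script (synthetic, with a placeholder modulus and no signature), laid out per RFC 5246 sections 7.4.1.3 and 7.4.3; the function names are this example's own.

```python
"""
FREAK-style acceptance check for an RSA TLS handshake (added example).

Constructed, synthetic handshake bodies only; no network traffic, no real key.
A FREAK-vulnerable client (hardened=False) used whatever RSA_EXPORT
ServerKeyExchange arrived, even when it had negotiated a non-export suite.
A correct client (hardened=True) rejects that message unless an export suite
was actually negotiated.
"""
import struct

# Cipher suite identifiers from RFC 5246 appendix A.5 / RFC 2246.
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0008
EXPORT_RSA_SUITES = {TLS_RSA_EXPORT_WITH_RC4_40_MD5, TLS_RSA_EXPORT_WITH_DES40_CBC_SHA}


def build_server_hello(cipher_suite, session_id=b""):
    """ServerHello body: version, 32-byte random, session_id, cipher_suite, compression.
    The random is a fixed constructed value; this is not a captured message."""
    server_random = b"\x11" * 32
    return (b"\x03\x01" + server_random
            + struct.pack("!B", len(session_id)) + session_id
            + struct.pack("!H", cipher_suite) + b"\x00")


def parse_server_hello_suite(body):
    """Return the cipher suite the server selected (2 bytes after the session_id)."""
    sid_len = body[34]                # version (2) + random (32) precede session_id length
    off = 35 + sid_len
    return struct.unpack("!H", body[off:off + 2])[0]


def build_rsa_server_key_exchange(modulus_bits, exponent=65537):
    """ServerRSAParams: rsa_modulus<1..2^16-1>, rsa_exponent<1..2^16-1>.
    The modulus is a placeholder odd number of the requested size, not a real RSA key,
    and the trailing signature is omitted; only the size matters for this check."""
    modulus = (1 << (modulus_bits - 1)) | 1
    mod_bytes = modulus.to_bytes((modulus_bits + 7) // 8, "big")
    exp_bytes = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    return (struct.pack("!H", len(mod_bytes)) + mod_bytes
            + struct.pack("!H", len(exp_bytes)) + exp_bytes)


def parse_rsa_server_key_exchange(body):
    """Return (modulus, exponent) from a ServerRSAParams body."""
    mod_len = struct.unpack("!H", body[:2])[0]
    modulus = int.from_bytes(body[2:2 + mod_len], "big")
    off = 2 + mod_len
    exp_len = struct.unpack("!H", body[off:off + 2])[0]
    exponent = int.from_bytes(body[off + 2:off + 2 + exp_len], "big")
    return modulus, exponent


def client_accepts(offered_suites, server_hello, server_key_exchange, hardened=True):
    """Decide whether the client continues the handshake.

    Returns (accepted, reason). hardened=False reproduces the FREAK-era logic,
    where an RSA ServerKeyExchange was consumed regardless of the negotiated suite.
    """
    suite = parse_server_hello_suite(server_hello)
    if suite not in offered_suites:
        # A downgraded ServerHello is rejected by every sane client.
        return False, "server chose suite 0x%04X that the client never offered" % suite
    if server_key_exchange is None:
        return True, "static RSA key exchange using the certificate key"
    modulus, _ = parse_rsa_server_key_exchange(server_key_exchange)
    bits = modulus.bit_length()
    if hardened and suite not in EXPORT_RSA_SUITES:
        # The fix: a temporary RSA key is only legal for RSA_EXPORT suites.
        return False, "unexpected %d-bit RSA ServerKeyExchange for non-export suite 0x%04X" % (bits, suite)
    # Vulnerable path (or a genuine export suite): the weak temporary key is used.
    return True, "using temporary %d-bit RSA key" % bits


if __name__ == "__main__":
    offered = [TLS_RSA_WITH_AES_128_CBC_SHA]
    hello = build_server_hello(TLS_RSA_WITH_AES_128_CBC_SHA)
    export_ske = build_rsa_server_key_exchange(512)
    for hardened in (False, True):
        print("hardened=%s:" % hardened, client_accepts(offered, hello, export_ske, hardened))
```

Run as a script it prints that the unhardened client accepts the 512-bit temporary key while the hardened one rejects it; an attacker in the middle who can factor a 512-bit modulus can then recover the premaster secret for the unhardened session. The check is suite-aware rather than size-only because a client that merely refused small moduli would still be inconsistent with what it negotiated.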

This discussion has been closed.