1Password Accounts security in general

I mean access code generation with an app like Google Authenticator, this is in no way comparable with the secret key you are using which never changes. Even Dropbox is more secure when using two-factor authentication and that service doesn't always contain this kind of sensitive data. I think the secret key is a farce once it has been entered on a website, which I'm obligated to do to manage my account?!

@admxnl: It may be something we add in the future, but 1Password's security is based on encryption, not authentication. Authentication can be spoofed or hijacked (or poorly implemented); encryption is math.

All of this sounds like you're trying to protect against a compromise of the system/browser you're using ("unknown browsers/machines"), and that's not something that even two-factor authentication can save you from. If you're operating in an insecure environment, what's stopping the attacker from performing a person-in-the-middle attack to capture and use your one-time password and login credentials, or simply capture your data as you enter/access it? I think you know the answer.

But in the case of the 1Password.com admin console, even if someone were about to performing a person-in-the-middle attack on you (though there are a number of methods we use to prevent this, which I went over earlier) — you guessed it: your Master Password and Secret Key aren't being transmitted, so they cannot be captured that way. And if your machine is newly compromised, you won't need to enter your Secret Key to login in the first place, so they could maybe capture your Master Password, but that is insufficient for them to login to your account, or to decrypt the data cached locally. So at that point they'd need to wait for you to access the data yourself to try to capture it that way. And again, everything else on your computer is already ripe for the taking at that point, so we need to be realistic about this.

That is also what I mean with a different master password for vault access. Account management and vault access should be separated.

Thanks for clarifying. It isn't something we have plans of doing, but I'd be interested to hear the specific threat you're trying to protect against.

You could detect local password manager is enabled and suggest to disable it? Why doesn't Chrome ask for saving passwords when using 1Password? You should pro-actively support and protect users!

I'm not sure that it's possible to detect that. And frankly, some users choose to use that. 1Password is a password manager, so it isn't its job to police your system. The people who want to use the built in filling features in their browser would be annoyed by that; and the folks who notice this and don't want that behaviour (like you) can simply disable it in the browser.

I can remember a discussion with you guys not too long ago about building printing support into 1Password 4, you would not even think about it because traffic from the machine to the printer would be insecure. And now your saying if there are insecure extensions that's your problem if it hijacks very sensitive data? I don't get that. That's why I said vault web access is not safe, it should be disabled by default. You should give users the choice to enable it themselves!

Printed data is inherently plaintext and insecure. Moreover, many printers cache the data that passes through them. So no, we don't recommend taking your encrypted data from and dumping it out into a form where it can more easily be compromised. And, as such, since 1Password is designed to help each of us be more secure, we haven't spent a lot of time working on ways to forego its security benefits. You can always export to plaintext, as that is a feature we do have to include in case someone wants to take their data elsewhere. It isn't our intention to lock anyone's data into 1Password.

Additionally, we can't control 3rd party extensions any more than we control other software you choose to install on your system — literally: we can't stop you. Web vault access is only unsafe if your system or network is compromised, and it isn't mandatory to use it to access your data. You can use the native app, which is signed digitally, to ensure that you haven't downloaded something malicious. But again, it's your responsibility to secure your equipment.

Ok, I must believe you when you say the master password is never send because of SRP. But we have zero insight on this protocol and if it's working properly and which revision you are using.

@admxnl: Right, unless you do some research yourself, you do sort of have to take our word for it to some extent that SRP works. Though if it didn't, we'd not only be handing out large cash rewards to folks who were able to exploit it and going back to the drawing board with regard to 1Password.com, we wouldn't even be using 1Password ourselves.

Like I said before the master password can easily be captured on browser side with an extension or javascript attack. In the app this would be impossible to do so and makes it a more secure option.

We're in agreement about that, which is why we've mentioned that we're working to make it possible to use a native app (which can be signed) for admin functions. Though I wouldn't say it would be "impossible" to find a way around that. If you're not willing to check the certificate chain when using 1Password.com you're probably not going to verify the app's signature either. These aren't things we can force the user to do.

You ask me what I'm trying to do and that is to separate my master password that I enter in Chrome to manage my account from the local app in which I want exclusive access to my sensitive password data! I don't care about 1Password.com accounts because I'm only using this for full 1Password v6 capabilities on Windows.

That's how 1Password already works, but just as you need to verify you're using a legitimate copy of the 1Password app on your device, you need to verify who you're connecting to on the web, as well as the integrity of your system to ensure you have exclusive access to your sensitive data. There just isn't any way around that. As mentioned in the discussion I referenced earlier:

There are a few things we have in place to mitigate these sorts of threats though:

• Using the most recent version of TLS
• Not supporting weak cypher suites since those could be used for downgrade attacks
• Using HSTS to prevent downgrade to (insecure) HTTP
• Offer large monetary incentives to researchers] to help identify weaknesses in our server infrastructure that might expose us to the type of threat you're concerned about
• Continue to explore new ways to protect 1Password.com (and users) against attackers

There are also things you (and other users) can do to to protect yourself when using the 1Password.com service:

• As you mentioned, using the apps is a more secure option, since we're able to digitally sign the code
• Whether you're using the web app or downloading a native client, verify the certificate of the server you're connected to
• Keep your browser up to date and heed security notices (expired or invalid certificate warning, for example)
• Keep your OS up to date
• Don't allow "security" software to perform a person-in-the-middle attack on your connection

It sounds like you'd like us to provide a way for you to not have to worry about that, and that is something we put a lot of effort into. But ultimately it's not possible today to remove all of the burden from the user, so some responsibility still rests with you. 1Password — or any other product — is not a replacement for good security hygiene. We'll continue to work to make it easier, but nothing can protect us from ourselves, and I think it's important to keep that in perspective.

About the Firefox discussion, I give up. I only want to improve general security for myself and your users.

You're right. I'd encourage you to reach out to Mozilla about having the password saving feature disabled by default in Firefox, as this isn't a change any of us can effect. I'm sorry that isn't something I can help you with.

It is mandatory because else I cannot setup my 1Password.com account and there is no other way for me to create a vault in 1Password 6 for Windows that I'm able to sync with other devices and have full app capabilities. If I'm wrong could you explain to me how to do this?

I guess what I mean is that it isn't mandatory to sign up for a 1Password.com membership if it doesn't meet your needs. There are other options out there, and we'd rather you use a competitors' product rather than being unhappy using 1Password, or less secure using nothing at all.

Maybe I can never win this discussion because you think every access to my vault with 1Password is super-secure but I don't agree with that and would like to disable some features in your product to close as many doors as possible. I hope you can find the time to discuss this with the development team.

I don't think "winning" is the point at all. And I disagree completely that any way you access your 1Password data is "super-secure". In fact, that's what I've been saying this whole time: you need to — and can — make sure that the environment you're using it in is not putting you at risk. We always recommend against using 1Password on untrusted devices (public computers, etc.) because in order to access your data, it must be decrypted, which provides an opportunity for the owner of that system to capture it.

But merely disabling a feature won't get you the result you want, as it would inherently need to be possible to enable it again. Removing a feature that can be used insecurely is an alternative, but if we follow that to its logical conclusion, none of us should be using web browsers in the first place — and in that case 1Password has considerably less utility as a password manager.

Ok, strange your telling me I need to go to the competition because I don't want web access to my vault and on the other hand you or your colleagues tell me I need 1Password.com accounts because local support maybe is never coming to 1Password 6 for Windows. I was very patient but waiting over 6 months for a feature that maybe would never come is not in my vocabulary.

@admxnl: That's not it at all. We obviously would prefer that you be happy using 1Password, but I think it's important to be realistic: It isn't going to be a perfect fit for everyone. You're right that it's never fun waiting for features we want. I've got my own list too, but we have to prioritize the things that do the most good for the greatest number of users.

I like 1Password very much and would hate switching to another solution. I would rather see you guys put the same amount of effort in adding a function to disable vault web access then you put in this dicussion.

As much as you might not like the answer, I'm not sure you would have appreciated not getting a response at all. ;)

Like I said, that isn't something we have plans for. You're the only one asking for it right now, so we need to work on things that help more folks. It may be something we can do in the future though if there's enough interest.

I also think your explanation is too elaborate, you can just say 'Hey, we're not going to build that for you!'. That's enough information for me and I can decide for myself if I'm going to switch to the competition. By the way, telling me to go to the competition is not very professional.

Yeah that's not what I said at all. As you can imagine, it helps us financially if you continue using 1Password. However, money is neither the only thing nor the most important. So if we have to choose between you A. using 1Password unhappily, B. using no password manager, or C. using a competitor's product, we'll pick the latter every time. We want happy users not trapped ones. Obviously the other option is that we change 1Password in the way you want us to in the future, but that's not going to help you now and I can't guarantee you that we'll make the changes you want on your schedule. I'm sorry I don't have a better answer for you than that. You should use the tool that best meets your needs today. If that's 1Password, then great! I can promise you that we'll continue to improve it, even if we don't necessarily prioritize the things you want over those that help a greater number of users. That's got to be our focus, and the good news is that if you do continue using 1Password, you'll be a beneficiary of much of what we do as well.

@admxnl: Likewise, thanks for brining these things up. I'm just sorry I ultimately don't have a perfect solution to offer you. We think that 1Password is pretty darn good, and you could do worse than be stuck" with it. That said, we're also acutely aware of the areas where it could be improved, perhaps more than anyone, and we want to make it better both for our customers and for ourselves. I can't promise any of the changes/features you're asking for right now, but two-factor authentication and admin functions in a native app are very much things we're exploring. So perhaps we'll be able to offer those in the future. Cheers! :)