How secure is 1Password X compared to the desktop and iOS version?

With the desktop and iOS versions, the Secret Key is stored in the app on the device. If I have sync turned on in Chrome, am I going to have the extension with the Secret Key inside it being sent over the internet between Chrome on my different devices?



Comments

  • Welcome to the forums, @riddifog! 👋

    1Password X stores your Secret Key in local storage, which is not synced using the Chrome Sync API. This local storage is only available to 1Password X and is not shared with any other extensions or web pages. If you're curious about the security of 1Password X in general, please see our About 1Password X security guide.

    I hope that helps. Please let me know and I'll be happy to natter on more about how secure 1Password X is. 🙂

    ++dave;

  • riddifog
    Community Member

    Hi Dave

    I think these two points rule out 1Password X for me.

    • Only use 1Password X on trusted computers. 1Password X is sandboxed from untrusted web pages, but it assumes that you trust your web browser and your other browser extensions. It stores your Secret Key in local storage and is not meant to be used on a public computer.
    • Limit your use of other browser extensions. A malicious or badly-made browser extension could interfere with 1Password X or attempt to expose your data. If you need to use untrusted extensions, consider using a separate browser profile just for 1Password X.

    I tend to use Chrome for web development and have a number of extensions installed; switching between profiles is not practical, as I need the passwords to access some of the sites I want to use the extensions with.

    I was hoping to be able to use a separate vault in my personal account for use at work with 1Password X, but the above points and the fact I can't use a separate password for a vault mean it is too big a risk of compromising my account, so I am stuck with the rubbish password manager work provides me with.

    Thanks all the same.

  • maquinn78
    Community Member

    If you have a 1Password subscription, you could use the web version of 1Password to at least get the passwords. Autofill doesn't work, but at least you can use it. Just an idea. I understand autofill being a big deal.

  • To be clear, you shouldn't enter a password on any machine that you don't trust. There's nothing special about 1Password X in this regard. As for malicious browser extensions, note that 1Password X is completely sandboxed from them. The point in the guide is about the fact that when you log in to your account on 1Password.com, the malicious extension could steal your login credentials, which would be bad. Again, this has nothing to do with 1Password X. It's simply that extensions that can read and modify webpages can do exactly that. You should severely limit those kinds of extensions.

This discussion has been closed.