
Separate password and vaults for less trusted devices

Comments

  • bkh (Community Member), edited January 2018

    AES doesn't work by having multiple passwords in the manner that komentaja wants.

    Surely you don't assert that the use of AES encryption precludes storing one encrypted container inside another encrypted container?

    Obviously I don't know 1Password Families internals, but offhand I don't see any fundamental issue with nesting an encrypted vault in a 1Password account. That would enable komentaja to log into 1Password without exposing the precious subset of passwords.

    Alternatively you could create a local vault.

    That's difficult on the PC until 1PW 7 comes out, because 1PW4 and 1PW6 fight for ownership.

  • darrenNZ (Community Member)

    Surely you don't assert that the use of AES encryption precludes storing one encrypted container inside another encrypted container? Obviously I don't know 1Password Families internals, but offhand I don't see any fundamental issue with nesting an encrypted vault in a 1Password account. That would enable komentaja to log into 1Password without exposing the precious subset of passwords.

    @bkh that's one way of doing it but the obvious problem is that you'd reduce security.

    • You could allow 1Password to open with only the secret key
    • Then allow 1Password to open with {password1}
    • Else allow 1Password to open with {password2}

    You'd have to expose the secret key on the insecure computer potentially compromising it. Then you'd only have your master password protecting your "precious subset of passwords".

    Alternatively you could have two secret keys, e.g.

    • {password1} + {secret_key1}
    • {password2} + {secret_key2}

    It goes without saying that this would increase the cognitive burden because users would need multiple secret keys and passwords. In doing so it'd increase the potential for loss because you'd need to remember 2 passwords and securely store 2 secret keys. The scheme becomes somewhat impracticable.

    If you want to read about the internals see here.

    That's difficult on the PC until 1PW 7 comes out, because 1PW4 and 1PW6 fight for ownership.

    1Password 7 will support local vaults and standalone licences for those who prefer them.

    You can also get micro password managers like Password Safe which fit onto a USB stick and can be conveniently used on other computers.

  • AGAlumB (1Password Alumni), edited January 2018

    If it turns out that I'm actually exposed to an evil maid, then darrenNZ and Brenty can laugh at me for believing in security theater and lowering my guard, because I will have lost everything. But I assert that it is my right to assess my level of threat and make tradeoffs that comport with that assessment. 1Password can preclude stupid choices, but should not prevent reasonable ones.

    @darrenNZ: I agree with you 100% about threat models: each of us needs to decide how to handle our important data. No one's laughing here. This is serious stuff.

    So my feature request, which lines up with what komentaja originally requested, is to have 1Password offer the ability to keep a locked vault in an unlocked 1Password account. This gives an extra layer of defense for precious passwords, loses no security by comparison with the current 1Password, and enables me to get significantly greater convenience that is still appropriate for my threat model.

    The part where we're going to have to agree to disagree is that we should be adding additional complexity to 1Password to accommodate edge cases. As I mentioned above, not only does this add complexity for users, it adds complexity to code which 1Password's security depends on. I didn't mention security theater previously, but I will here, as there are two big risks with doing this: we change 1Password's core security model and functionality, risking a mistake or fundamental design flaw; or we leave 1Password's core security model and functionality intact, introducing a superficial second-level locking mechanism — which would be security theater. For obvious reasons, the former is troubling as we'd be taking something crucial which has been battle tested for over a decade and messing with it, and the latter is abhorrent because it would be a lie.

    Surely you don't assert that the use of AES encryption precludes storing one encrypted container inside another encrypted container?

    In the end, as you pointed out, you can already accomplish the thing you're asking for by using multiple accounts, which are completely discrete and secured individually, rather than a hack or a tacked on feature. With 1Password Teams, you could even use one of the included guest accounts. This isn't going to be something we recommend, as it places an additional burden on the user, and ultimately it's trying to have your cake and eat it too: remaining safe while using 1Password in an unsafe environment. That's a path that goes nowhere though, as you can always further silo data into more and more accounts, encrypted disk images, etc. to try to mitigate compromise rather than using good security hygiene to avoid it in the first place. It's turtles all the way down, and that's not something we're going to focus on since it doesn't help 1Password to help more people.

  • bkh (Community Member)

    That's a path that goes nowhere though, as you can always further silo data into more and more accounts, encrypted disk images, etc. to try to mitigate compromise rather than using good security hygiene to avoid it in the first place.

    I understand your larger point, but this sounds perilously close to an assertion that "defense in depth" is pointless, and that good security hygiene provides sufficient protection under your (unstated) threat model.

  • From a technical perspective, what's being asked here is absolutely possible.

    1Password.com is built upon the idea of chains of encryption keys. Even the simplest account has something like 4 encryption keys at play. To implement the desired feature, we'd need to define a new vault type where we know that what we're decrypting isn't the decrypted vault key but an encrypted vault key. Then our apps would need to know that when they hit such a vault they need to prompt for an additional password.

    It'd be technically doable. And for some people, with some threat models, it'd probably be a cool feature. It'd add complexity to code and might encourage bad habits though. So it's not something I see us adding anytime soon.

    Rick
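    The key chain Rick sketches above, together with the password-plus-Secret-Key pairing darrenNZ describes earlier, modelled as an added example. This is not 1Password's code and does not reflect its actual formats or parameters: the unlock key is derived from a stretched password combined with a high-entropy secret key; it unwraps an account key; the account key unwraps vault keys. The "restricted" vault is the proposed new vault type, where what the account key unwraps is still an encrypted vault key, so a second password is required before anything in it decrypts. The AEAD is an HMAC-SHA256-based encrypt-then-MAC stand-in for AES-GCM, used only so the example runs with the standard library; the PBKDF2 round count is an illustrative assumption.

```python
"""Key chain with a second-password-locked vault (added illustration, not 1Password's code)."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 50_000  # assumption for the example; real products stretch harder


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTR)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _split(key: bytes) -> tuple[bytes, bytes]:
    """Derive independent encryption and MAC subkeys from one wrapping key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output layout is nonce || ciphertext || tag."""
    enc, mac = _split(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; raise on a wrong key or a tampered blob."""
    enc, mac = _split(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))


def derive_unlock_key(password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Two-secret derivation: the stretched password is combined with the
    high-entropy secret key, so neither value on its own unlocks the account."""
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.new(secret_key, stretched, hashlib.sha256).digest()


def create_account(password: str, secret_key: bytes, vault_password: str) -> tuple[dict, dict]:
    """Return (stored blobs, raw vault keys). Only the blobs would ever be synced."""
    salt, vault_salt = os.urandom(16), os.urandom(16)
    account_key = os.urandom(32)
    keys = {"ordinary": os.urandom(32), "restricted": os.urandom(32)}
    second = hashlib.pbkdf2_hmac("sha256", vault_password.encode(), vault_salt, PBKDF2_ROUNDS)
    stored = {
        "salt": salt,
        "vault_salt": vault_salt,
        "account_key": wrap(derive_unlock_key(password, secret_key, salt), account_key),
        "ordinary": wrap(account_key, keys["ordinary"]),
        # Proposed vault type: the account key only yields another wrapped key.
        "restricted": wrap(account_key, wrap(second, keys["restricted"])),
    }
    return stored, keys


def unlock_account(stored: dict, password: str, secret_key: bytes) -> bytes:
    """Recover the account key; fails closed if either secret is wrong."""
    return unwrap(derive_unlock_key(password, secret_key, stored["salt"]), stored["account_key"])


def open_ordinary_vault(stored: dict, account_key: bytes) -> bytes:
    """An ordinary vault opens as soon as the account is unlocked."""
    return unwrap(account_key, stored["ordinary"])


def open_restricted_vault(stored: dict, account_key: bytes, vault_password: str) -> bytes:
    """Unlocking the account is not enough: the inner blob needs the second password."""
    inner = unwrap(account_key, stored["restricted"])
    second = hashlib.pbkdf2_hmac("sha256", vault_password.encode(), stored["vault_salt"], PBKDF2_ROUNDS)
    return unwrap(second, inner)


if __name__ == "__main__":
    stored, keys = create_account("correct horse battery", b"A3-EXAMPLE-SECRET-KEY", "second password")
    ak = unlock_account(stored, "correct horse battery", b"A3-EXAMPLE-SECRET-KEY")
    print("ordinary vault opens:", open_ordinary_vault(stored, ak) == keys["ordinary"])
    print("restricted vault opens:", open_restricted_vault(stored, ak, "second password") == keys["restricted"])
```

    The point of the nesting is that an unlocked account on a less trusted device yields only the outer layer of the restricted vault; the inner key never exists in memory until the second password is entered there. It does nothing, as Ben and AGAlumB note elsewhere in the thread, against a device that is already compromised at the moment that second password is typed.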

  • bkh (Community Member)

    Thanks. I hope the snoopy maid and mischievous maid threats lead to some worthwhile discussions over at agilebits.

  • lol. We clearly need more trustable maid services! :p

    Rick

  • tetardbleu (Community Member), edited February 2018

    Hello,
    I was going to write my own thread, as I was not finding one asking for what I would like. Finally, I found this one!

    To summarize, I also would like the possibility inside 1Password to have two accounts (Personal/Work) with separate passwords for each one of them, the first account being able to control them all!

    The ideal solution for me would be to have a choice between logging in to my personal account, which unlocks both vaults, when I'm on a secured device/place, or unlocking only my work vault when I'm... at work. Having only one password, as convenient as it is, doesn't seem so secure when you work in an open space with a lot of people walking through and when you have no complete control over the device you use.

    The possibility to have two separate accounts for 1 person (billed only once) seems to be a good idea (with the second one being managed by the first one ideally). Then the 1Password extension could be able to manage several accounts... well... I can imagine it's not so simple; let's just say I wanted to add myself to this thread to encourage a feature like that!
    In the meantime, the family option composed of me and myself could do the trick.
    Thanks for reading.

    P.S. A long time ago, I think we had the possibility to choose which vault to open in the app when we had several ones. Opening the primary vault also opened the others (great feature) but we could also choose to open only a secondary vault with its own password. The goal would be to retrieve a feature like that in a 1Password account. :)

  • Hi @tetardbleu

    You can accomplish what you’ve described now using 1Password Families or 1Password Teams.

    You would have your main account be a family/team member, and that account would be able to unlock all of your vaults. You’d then invite yourself (using a different email address) as a guest, and grant that guest access to only one vault (they will not have access to your Personal / Private vault). That way when you log in as the guest you only get limited access, but you can log in to the main account for full access. You cannot sign in to both of these accounts within the same membership from the apps / extensions, but there would be no reason to... if you want that level of access then sign in to the main account.

    Does that make sense / solve the problem for you?

    Ben

  • bkh (Community Member), edited February 2018

    You cannot sign in to both of these accounts within the same membership from the apps / extensions, but there would be no reason to...

    @Ben, I think the snoopy maid threat model described earlier does give a reason. A linux user might think about it as analogous to the sudo command. Normally I only have the access of a limited user, but for brief periods of time I can acquire full admin access to do a sensitive operation. This isn't security theater, it is defense in depth.

  • @bkh

    I was responding to the use case that tetardbleu described. There is no need to be signed in to both accounts... being signed in to both accounts wouldn’t do anything for you because the main account would have access to both vaults... if you don’t want access to both vaults then sign in to the guest account which only has access to one vault.

    Ben

  • bkh (Community Member)

    @Ben I agree with your reply for tetardbleu's use case, but was reacting as if you were saying that in general there's no reason to want to sign into more than one account within a single membership.

    Your response makes me think I may have a fundamental misunderstanding about how the family accounts work. I (mistakenly?) thought that the secret key needed to access an account was bound to the device or login from which the vault is accessed, and that's how I (?mis-) understood your statement "You cannot sign in to both of these accounts within the same membership from the apps / extensions."

    If I am logged into a PC as user XYZ do I have the option of accessing a 1Password family account sometimes as family member A and sometimes as family member B? Similarly, from an iPhone can I access the family account as family member A or B and switch between them? Because the snoopy maid threat model gives me a reason to want to do this and I kind of thought the secret key posed a real obstacle, which is why I pushed back on your comment "but there would be no reason to..." I understand that consideration is not relevant to tetardbleu's use case.

  • tetardbleu (Community Member), edited February 2018

    @Ben
    Thanks, that's indeed what I thought. Could you just remind me what would be the technical differences between being a guest or being a member inside a family/team ?
    edit: Never mind, found the help page about guest users.

  • @tetardbleu

    Thanks for the update. :+1: :)

    @bkh

    The Secret Key is for the person, not the device. The device remembers it, but if you wanted to switch accounts you could sign out of one and sign into the other. You can’t be signed into both simultaneously because the app wouldn’t know, for example, what to do when you tried to save an item into a vault like the Shared vault. Which user created the item?

    Ben

  • bkh (Community Member)

    Thanks, Ben. That's helpful to know.

  • You’re welcome. :)

    Ben

  • cronenberg_rick (Community Member), edited August 2018

    Kudos to @komentaja and @bkh for elaborating so deeply on the issue! I have exactly the same request. Slightly disappointed with the radical position of the 1Password team...

    Update after some more thinking - it seems that the fundamental assumption in the 1Password security model is that ALL of my client devices are safe. I do not think this is realistic nowadays - for example I have 1 laptop where I am really careful, 1 smartphone where I am quite careful, 1 laptop which I give to my family, 1 tablet which is often used by family and friends. If any of those gets a keylogger/virus, all my passwords would be stolen and I would urgently have to change all (~300) of my passwords! I surely cannot say anything against 'just don't use it if you are not sure of your device'. But this sucks - keeping a single device 'really' safe requires a lot of effort and good understanding of device software.
    I think, contrary to what the 1Password team says, it could make a great improvement in security/convenience if it was possible to split passwords in groups, so you would lose only a subset of your passwords if one of your devices is successfully attacked.

    @komentaja, @bkh, do you know if there is another software which manages this case better, but still has nice UX?

  • bkh (Community Member), edited August 2018

    @cronenberg_rick, I agree with your assessment of the threat. At the cost of some inconvenience, I've used a 1Password family account to make a vault architecture that satisfies my concerns, so I have not looked for another password manager. Here's how it goes.

    First, the devices and exposures. My wife and I have our home PCs, our mobile phones, and a laptop. For us, the mobile phones are "least secure" in that they are used in all kinds of locations, are more exposed to theft, and also are more exposed to "rubber hose cryptography" (see https://www.xkcd.com/538/). The home PCs are reasonably well secured, and used only by us. We normally run them as limited users, but occasionally we assume elevated privileges for limited periods of time. The laptop is mostly used in the home, but sometimes in locations where we have good physical security but less confidence in the network security. The laptop will never be connected to any public or semi-public Wi-Fi.

    Next, the passwords and accounts. My wife and I share many online accounts (think Amazon and Netflix) but also have others that only interest one of us (my wife has no interest in chainsaw parts, I don't care about weaving supplies.) None of our accounts are considered "secret" from the other, just of no interest. We also have financial accounts that we want highly secured, so they should normally be inaccessible, even from the home PCs, until we take special measures to gain access.

    Our solution in 1Password Families is this. We have 5 users (this requires 5 different email addresses, but 3 of them simply forward to the two main email accounts for my wife and me.) So let's say the humans are X and Y. The 5 accounts are X-mobile, X-home, Y-mobile, Y-home, and 1Padmin.

    We use 7 vaults: X-mobile, Y-mobile, shared-mobile; X-home, Y-home, shared-home; and one to be extra-secure.

    User X-mobile has access only to vaults X-mobile and shared-mobile. User X-home has access to vaults X-home and shared-home plus the two mobile vaults. Similarly for user Y. The 1Padmin user has access to all 6 of those vaults, plus that account's private vault which holds the extra-secure data. Additionally, user 1Padmin has the recovery privilege, and is protected with an extra-strong login password and master password. The 1Padmin user has logins on one home PC plus the laptop, so that failure of one device isn't a big problem. All 5 1Password emergency kits are printed on paper and stored in a bank safe deposit box (together with a portable drive that contains full backups of the PCs and data backups of the phones.)

    So at home I have continuous easy access to my normal passwords, but the extra-secure passwords are out of reach, even if I make a blunder. But with the modest inconvenience of logging into a different user account on the PC, I can get to the financial info for limited periods when needed. On the mobile there is no direct way to access most accounts. It is possible to call someone who is home, and have them log in as 1Padmin to move a password from a home vault to one of the mobile vaults: this is the reason neither X nor Y are storing anything in their private vaults, which would be inaccessible to 1Padmin.

    This solution is a bit heavier than I might wish, but it completely addresses my threat model.
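    The layout above, and the "lose only a subset if one device is attacked" goal cronenberg_rick states, expressed as an added example (my own code, not anything from the thread's participants or from 1Password). It encodes the user-to-vault matrix from the post and computes which vaults an attacker who fully controls a given device can reach. The post does not say which of the two home PCs carries which -home login or whether the -home logins are also on the laptop, so DEVICE_LOGINS is an assumption on those points; the extra-secure vault is named 1Padmin-private here, and the unused X/Y Private vaults are left out.

```python
"""Exposure model for a compartmentalised 1Password Families layout (added illustration)."""
from typing import Dict, Set

# Vault access per 1Password user, taken from the post.  The X/Y users' own
# Private vaults are intentionally empty in the post, so they are omitted.
VAULT_ACCESS: Dict[str, Set[str]] = {
    "X-mobile": {"X-mobile", "shared-mobile"},
    "Y-mobile": {"Y-mobile", "shared-mobile"},
    "X-home": {"X-home", "shared-home", "X-mobile", "shared-mobile"},
    "Y-home": {"Y-home", "shared-home", "Y-mobile", "shared-mobile"},
    "1Padmin": {"X-mobile", "Y-mobile", "shared-mobile", "X-home", "Y-home",
                "shared-home", "1Padmin-private"},  # extra-secure data lives here
}

# Which 1Password users are enrolled on which device.  Phones follow the post;
# the placement of the -home logins across the PCs and laptop is an assumption.
DEVICE_LOGINS: Dict[str, Set[str]] = {
    "X-phone": {"X-mobile"},
    "Y-phone": {"Y-mobile"},
    "X-pc": {"X-home", "1Padmin"},   # 1Padmin sits in a separate OS user account
    "Y-pc": {"Y-home"},
    "laptop": {"X-home", "Y-home", "1Padmin"},
}


def exposed_vaults(compromised: Set[str]) -> Set[str]:
    """Vaults an attacker who fully controls the given devices can decrypt.

    A fully compromised device is assumed to expose every login enrolled on it,
    including ones kept in a separate OS user account; that separation only
    limits the damage from an operator blunder, not from malware with admin rights.
    """
    vaults: Set[str] = set()
    for device in compromised:
        for user in DEVICE_LOGINS[device]:
            vaults |= VAULT_ACCESS[user]
    return vaults


def devices_reaching(vault: str) -> Set[str]:
    """Reverse map: every device on which some enrolled user can open `vault`."""
    return {device for device, users in DEVICE_LOGINS.items()
            if any(vault in VAULT_ACCESS[user] for user in users)}


def blast_radius() -> Dict[str, int]:
    """Number of vaults lost per single-device compromise, worst device first."""
    sizes = {device: len(exposed_vaults({device})) for device in DEVICE_LOGINS}
    return dict(sorted(sizes.items(), key=lambda item: -item[1]))


if __name__ == "__main__":
    for device, count in blast_radius().items():
        print(f"{device:8s} -> {count} vaults: {sorted(exposed_vaults({device}))}")
    print("extra-secure vault reachable from:", sorted(devices_reaching("1Padmin-private")))
```

    Running it shows the property bkh is after: neither phone can reach the extra-secure vault or either -home vault, so a lost or rooted phone costs two vaults, not seven. It also makes the residual risk explicit: the PC and laptop that carry the 1Padmin login are the crown jewels, and the separate OS user account on the PC does not change their blast radius in this model.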

  • @cronenberg_rick

    Welcome to the forum. I dig the username.

    If any of those gets a keylogger/virus, all my passwords would be stolen and I would urgently have to change all (~300) of my passwords!

    I’m not sure I can get behind this line of thinking.

    Part of the difficulty is that if a device you use to access your accounts is compromised it is much more likely malware will simply syphon off credentials as you enter them into web forms, as it is much easier to access the data from there than it is from 1Password.

    That said if a device that you’ve trusted to some level becomes untrusted it is likely reasonable precaution to change any credentials you have shared with that device.

    I think, contrary to what 1password team says, it could make a great improvement in security/convenience if it was possible to split passwords in groups, so you would lose only a subset of your passwords if one of your devices is successfully attacked.

    The reality is that there already are ways to solve this problem in 1Password if you feel it is a threat you may face... multiple users/guests within a membership (each with access to a subset of vaults), local vaults, or separate memberships could all possibly solve this. Which is most appropriate for your situation will depend on a number of factors, starting with what level of membership service you currently offer and if you are willing to use standalone vaults or not (as using them does have some downsides).

    As Rick mentioned:

    It'd be technically doable. And for some people, with some threat models, it'd probably be a cool feature. It'd add complexity to code and might encourage bad habits though. So it's not something I see us adding anytime soon.

    I imagine we’d need a pretty convincing argument that the existing solutions wouldn’t work for a somewhat commonly desired setup in order to justify development time on an alternative.

    Ben

  • cronenberg_rick (Community Member)

    @bkh, thanks a lot for sharing!

    @Ben,

    Part of the difficulty is that if a device you use to access your accounts is compromised it is much more likely malware will simply syphon off credentials as you enter them into web forms, as it is much easier to access the data from there than it is from 1Password.

    Makes sense. BTW, are you aware of any malware that specifically targets the 1Password client?

  • pervel (Community Member)

    BTW, are you aware of any malware that specifically targets 1password client?

    There is one called OSX.Proton which was discussed here because it had infected downloads of HandBrake for a short period.

  • stenico (Community Member), edited August 2018

    I would also like to be able to use different credentials for different vaults.

    The "all the eggs in one basket" / "single point of failure" model is - like it or not - poor security practice.

    A few relevant considerations:

    • There is no such thing as a trusted or untrusted device. There are devices we trust more, and devices we trust less.
    • The more exposure that a password/secret has, the more likely it is to be obtained by a bad actor.
    • Requiring the "the key to the kingdom" for e.g. a facebook login is patently wrong.
    • Even the most trusted devices may be compromised by bad actors (e.g. by a zero-day exploit, disgruntled work colleague).
    • That there are some passwords that I may never wish (or need, or be allowed) to unlock in certain contexts, e.g. (1) highly sensitive work passwords on a home computer, (2) home financial records on a work computer, (3) either of these on an internet-cafe computer.
    • That people's most important passwords are also the most rarely used.
    • That the secret key does not help because it is either (1) obtainable with the master password (assuming physical access) or (2) just as remotely snoopable as the master password on a key-logged/rooted machine, at the time when that device is first used (i.e. the internet cafe scenario).

    For basic, good security, tiered access to passwords that need different levels of protection (or that are only used in certain contexts) is essential.

    Possible obvious solutions to this are e.g.:

    • Per-vault passwords
    • Per-vault 2FA
    • Ability to require 2FA for every access request (even on more trusted machines) for certain vaults.
    • Multiple/guest accounts

    Currently, as an individual subscriber to 1Password there is no model that works for me. I would have to buy a family membership and use different accounts for different vaults. Can we at least please have e.g. 2 accounts + guest accounts on an individual subscription until you find a way to sort out this issue properly?

  • AGAlumB (1Password Alumni)

    @pervel: Indeed, thank you. The good news is that 1Password data is encrypted. The bad news is that it must be decrypted for you to access it. So someone with a compromised machine would just end up giving away their secrets in the end anyway if they accessed their data there.

  • AGAlumB (1Password Alumni)

    it seems that fundamental assumption in 1password security model is that ALL of my client devices are safe.

    @cronenberg_rick: Not at all. But you should assume that if your device is not safe all of your data is belong to the attacker. We go to a lot of trouble to keep your data safe no matter what, but giving someone else control over your machine allows them to get your data as you access it yourself.

    I have 1 laptop where I am really careful, 1 smartphone where I am quite careful, 1 laptop which I give to my family, 1 tablet which is often used by family and friends. If any of those gets a keylogger/virus, all my passwords would be stolen and I would urgently have to change all (~300) of my passwords!

    That's about the size of it. We can't expect to safely access sensitive data on a compromised device.

    keeping a single device 'really' safe requires a lot of effort and good understanding of device software.

    I agree, but what's the solution? Neither 1Password nor anything else can prevent you or someone else with access to your device from compromising it, either intentionally or accidentally.

    That said, you could create separate accounts within 1Password Families for different things if you really want to. For example, I know @prime mentioned using a guest account for data that needs to be accessible on a family (media center?) computer, so that a compromise there won't compromise stuff in any individual's account. Adding this kind of additional complexity by default for all 1Password users is not a solution: remembering multiple passwords is what most people came to 1Password to get away from. But you can do this yourself if you wish.

    At the end of the day, while technology is a great tool that we can use for a lot of things, unfortunately it cannot prevent us from being the authors of our own misfortune. Food for thought.

  • bkh (Community Member)

    That's about the size of it. We can't expect to safely access sensitive data on a compromised device.

    But that's not what we're saying. We're not asking you to protect data that we access on a compromised device. We're asking for better support for compartmentalization, rather than the current model of "all the eggs in one really strong basket", so that the compartments containing more-sensitive data remain inaccessible from the compromised device that is only used to access non-sensitive data.

  • @bkh,

    I’m sorry but it seems we may be arguing in circles and conflating the issue.

    There is a way to do what you’re asking. It can be achieved by using multiple accounts / guests within a membership and/or separate memberships. To loop back to your example of sensitive work information... I don’t store that in my personal 1Password membership. I have a separate work membership for that. Even with my avocation (volunteer fire department) I have a separate membership to maintain the information for that context. To what extent this is implemented for your setup is up to you... for most people a single account within a single membership may be adequate. But for many multiple accounts within multiple memberships is going to be a better solution.

    As I mentioned above:

    I imagine we’d need a pretty convincing argument that the existing solutions wouldn’t work for a somewhat commonly desired setup in order to justify development time on an alternative.

    Thus far no one has offered any argument that the existing solutions mentioned are unable to meet the need here.

    Ben

  • stenico (Community Member)

    @Ben

    There is a way to do what you’re asking. It can be achieved by using multiple accounts / guests within a membership and/or separate memberships.

    Thanks for this comment. I agree that the existing solutions can meet the need even if not perhaps in the neatest way (which IMO would be via vault-specific passwords).

    The only issue for me is that to get a reasonably secure solution as an individual, I must purchase a family plan which is prohibitively expensive.

    Why not allow a "personal" plan to have e.g. 2 accounts + 2 guests?

  • bkh (Community Member), edited August 2018

    I’m sorry but it seems we may be arguing in circles and conflating the issue.

    There is a way to do what you’re asking.

    @ben,

    Let me try to be more clear. I know there is a way: about 8 posts above I described how I did it using multiple accounts in families, with a diagram showing the various "permissions" granted by managing vault accessibility. But this is a clumsy, heavy-weight solution. To reiterate the heart of the matter, " We're asking for better support for compartmentalization."

    One analogy that illustrates what I mean by "better support" is the evolution of privilege elevation in Unix and linux. The initial heavy-weight way to obtain elevated privileges was to log out of a limited user account and log in as root. This is where 1Password is now. Later, it became possible to su root, which was notably easier, although it tended to leave a privileged shell running. These days we typically use sudo to elevate privilege for a single action. So the issue isn't an impossibility of compartmentalization in 1Password, it is the clumsiness of the current way we do it.

    Thus far no one has offered any argument that the existing solutions mentioned are unable to meet the need here.

    Indeed. I'm asking Agilebits to consider lowering the threshold. Rather than requiring that we demonstrate inability to meet the need, please consider whether the current solution deserves improvement. I'm arguing that the issue of "all eggs in one basket" is important, and that it may be worthwhile to think whether there may be a more user-friendly solution than having us log into a different account as a way to gain permissions to access a restricted vault. (And I don't mean "more user-friendly" as a trade-off against security.)

  • @stenico

    Indeed this does require either a multi-user membership or multiple memberships. I’m not sure that is something we’d change, but I can certainly bounce the idea around with the team.

    @bkh

    Noted. Thanks. :) I doubt very many people would sign up for 1Password to ultimately continue having to remember a bunch of different passwords, but obviously there are some that want that sort of functionality. We have to weigh those considerations against considerations such as finite development time available, merit of other features that wouldn’t be able to be developed while focusing on this, etc.

    Ben

  • stenico (Community Member), edited August 2018

    @Ben

    doubt very many people would sign up for 1Password to ultimately continue having to remember a bunch of different passwords

    You have stated that you, a 1Password Team Member, do not believe in (or use) a one password solution:

    I don’t store that in my personal 1Password membership. I have a separate work membership for that.

    Most people who think about the situation for more than 30 seconds would agree with you.

    It would be brilliant if you could advocate for 1Password to facilitate a context-specific security model within a single personal membership.

This discussion has been closed.