Does the password exposure problem in Windows 1Password exist in Mac and iOS versions?

ftwilson
ftwilson
Community Member

Hello,

Thanks for addressing the below in your Windows forum. Is this an issue in the Mac and (sorry to raise it here, but it seems reasonable) iOS versions?

Todd

A report by a group called Independent Security Evaluators was published today, which claims that 1Password 7 for Windows is failing to implement basic secure memory management controls. The report is available here. [sorry, link didn't copy]

In short, the findings are that (1) when unlocked, 1Password keeps in memory, unencrypted, every item in its database (i.e., all passwords are loaded into memory, rather than just the password for the item you are viewing); and (2) when transitioning from an unlocked to a locked state, 1Password fails to clear from memory the Master Password, Secret Key, and the decrypted items.

The researchers claim to have developed a tool that is able to read, without any administrative permissions whatsoever, the memory that is allocated to 1Password to extract all of these items, with the only requirement being that 1Password had at some point during the session been running and unlocked (even if it had since been locked).

With a closed-source password manager such as 1Password, customers place a tremendous amount of trust in the developers to ensure that the security best-practices are baked into the SDCL -- more so than with any other product, save for (perhaps) an OS. The findings that were announced today, if true, cannot but put a dent in that trust. Customers deserve a thorough response from the 1Password team.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • ryanthered
    ryanthered
    Community Member

    +1.

    The report also alleges that version 7 is far less secure than version 4. While all popular password managers are called out, 1Password seems alarmingly less secure than some alternatives.

    A swift and thorough response is needed.

  • swatson
    swatson
    Community Member

    Answers over here.

  • ftwilson
    ftwilson
    Community Member

    Swatson, thanks, but I don’t see anything on MacOS or iOS versions there. Am I missing something?

  • AGAlumB
    AGAlumB
    1Password Alumni

    @ftwilson: 1Password for Windows is an entirely separate codebase purpose-built for the Windows operating system, so the other apps we make aren't relevant, and the OS itself is what handles memory management.

    However, it's worth reiterating Mike's comment on the topic:

    you have to compromise the system to read its process memory. Once a malware have access to the system memory, there's not much that can be done.

    Essentially, if an attacker has the ability to read memory, they're already in a position where they could get your data even if they could not read memory, as they could do screen recording, screenshots, clipboard and input monitoring, and other things to collect the data as you use it anyway.

    As @jpgoldberg said:

    Keep in mind that the realistic threat from this issue is limited. An attacker who is in a position to exploit this information in memory is already in a very powerful position. No password manager (or anything else) can promise to run securely on a compromised computer.

    So while, all things being equal, clearing memory instantly would be preferable, the tools available to us to do that safely themselves have tradeoffs, and trying to do it ourselves aggressively introduces a whole other class of security, stability, and other problems.

  • jpgoldberg
    jpgoldberg
    1Password Alumni

    @ftwilson, I addressed the Mac question in a comment in that other thread. I'd like to keep the discussion there instead of fragmenting it for each platform.

  • notauser
    notauser
    Community Member

    Kerchoff disagrees with you @brenty .

    "it should not be a problem if it falls into enemy hands"

    A compromised endpoint should be expected. A compromised endpoint isn't justification for non-action, its the measurement to which any good security apparatus is measured up against.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @notauser: Sorry, no. You're superimposing an entirely sound concept into an entirely different context where it doesn't apply. :) If we follow your argument to its logical conclusion, you would not be able to access your data. It must be decrypted in order for it to be useful to you, and the best place to keep it at that time is in memory, not on disk. 1Password data is encrypted when it is on disk, so you're okay in that case even if the device "falls into enemy hands". But when you access it, it must be decrypted in order for it to serve any useful purpose. We're not living in a fantasy world. :)

This discussion has been closed.