1Password - memory attack affect macOS version?

Hi @snowy,

The researcher in this case only evaluated Windows applications, but yes, to a limited extent, this applies to all consumer platforms.

From our Chief Defender Against the Dark Arts, Jeff Goldberg (here):

in principle we have the same issue on Mac, but in practice these things play out differently. It appears that these do get cleared from memory faster on the Mac. Some of this can be attributed specific design, some to automatic reference counting versus garbage collection, and some operating system environment.

We were more concerned about this on Mac when DMA attacks were a thing. But fortunately that environment made it easier to make progress on this. But some of the fundamental issues remain. We need to use Apple’s SecureInput for Master Password input, which is an immutable string [...]

I have since been informed that SecureInput on Apple devices does everything we want. Sure it gives us an immutable string, but it is actually zeroed in memory as soon as it is freed, and it is written a page in memory that is never written to swap.

Note: Jeff wasn't entirely explicit here, but we do use SecureInput... both for the Master Password and when editing items in 1Password for Mac.

Also, considering the fact that this attack requires that the computer already be compromised (e.g. infected with malware), and malware is much less common on Mac than on Windows, that even further reduces the general level of concern on that platform.

I hope that helps. Should you have any other questions or concerns, please feel free to ask.

Ben