Why request the master password again to export?

Please explain the logic in this extra "security" step of asking the user for the master password to export vault items.

If someone has access to the vault already (in which the master password was already entered to unlock), they could already show/copy open vault items into plain text anyway. So why would the app require the user to enter the password again when trying to export vault items?


1Password Version: 7.3.684
Extension Version: n.a.
OS Version: win8.1x64
Sync Type: 1p.com

Comments

  • MrC
    Volunteer Moderator

    @4EverMaAT

    A few passwords might be compromised in the situation you mention.

    But consider that without the extra precaution, all of your passwords could be obtained at the same time. The user could send the export via email, or upload it to a server very quickly.

  • AGAlumB
    1Password Alumni

    @4EverMaAT: 1Password does not decrypt all of your data at once just because you unlocked it. It decrypts some metadata in order to facilitate search, but the rest is only decrypted on demand, as you access it. You're right that if you've left 1Password unlocked that someone could go through and view whatever they want, but that's very different than dumping everything in an instant to exfiltrate, as in MrC's example.

  • Greg
    1Password Alumni

    Hi @4EverMaAT,

    Do you see those details when you export your data in .CSV? Please let us know.

    Additionally, please note that there is currently a bug where the exported data may not appear as clear as expected. We are aware of it and have plans to fix it in the future. Moreover, please be careful with your exported data, as it is not encrypted.

    ++
    Greg

  • AGAlumB
    1Password Alumni
    edited May 2019

    @4EverMaAT: And just to clarify, 1PIF is the only format that supports all of 1Password's data structures. I'd recommend using that for importing -- but only export data if necessary to move it to a different app, as these are plaintext and not secure, as Greg mentioned.

  • AGAlumB
    1Password Alumni

    Great! But not everyone who comes to the 1Password support forum will be, so it's worth mentioning. :+1:

This discussion has been closed.