German article on security issue with 1Password

David_Hamburg
Community Member

Hi!

I am German and I just read an article about a security issue with 1Password for Windows:

https://www.golem.de/news/studie-passwortmanager-hinterlassen-passwoerter-im-arbeitsspeicher-1902-139537.html

I am using a Mac but I wonder if I might have the same risk.

I hope there is somebody speaking German to read the story. I don't have the time and competence to provide a proper technical translation of the issue. But I am happy to read your reply in English.

Thanks a lot,
David



Comments

  • Lars
    1Password Alumni

    @David_Hamburg - thanks for the question! You're far from the first to bring this story up with us; it was in the Washington Post over here in North America. In fact, I'd actually recommend you read the thread in our Lounge section that's devoted to this. It's got both our own position, as well as a lot of thoughtful perspective from users.

  • David_Hamburg
    Community Member

    @Lars – thanks for the link to the thread.

    I am not an IT expert myself. So I'd like to ask the stupid question: in reference to this topic, does it make any difference whether I use 1Password on Windows or a Mac?

    I guess the basic processes of keeping a password in the memory are the same in macOS and Windows. Am I right?

  • Lars
    1Password Alumni

    @David_Hamburg - at a very base level, yes. But the methods employed on the different platforms are, well, different. And at the moment, there are more safeguards in place on the Mac side of the equation than there are on the Windows side. But I want to stress that what's being discussed here is an attack that would require the ability to read process memory, either directly or remotely, both of which would require a compromise of the device in question before that could happen. And by "compromise," I don't just mean that maybe you left your phone in a cafe or someone stole your MacBook Pro at the airport. There would have to be a unique set of circumstances in addition, for this to even be possible. If someone stole/acquired your Mac, if 1Password was not running at the time, then this attack would not be possible. Essentially, if you use our own installer (instead of trying to install 1Password for Mac via Homebrew or something similar), you practice good security in terms of not clicking unknown links/file attachments, and you don't leave your Mac running, unlocked and unattended, you should be safe.

  • David_Hamburg
    Community Member

    Thanks a lot! David

  • Nekoninda
    Community Member

    Lars said "If someone stole/acquired your Mac, if 1Password was not running at the time, then this attack would not be possible." I'm unclear on what is meant by "1Password was not running". I am running the subscription version of v7 of 1Password. I installed it from your website. So far as I can tell, 1Password is always running when I am using my computer. Whenever I boot, I see the 1Password icon in the menu bar. Activity Monitor shows me three 1Password processes, even before I have entered my master password into 1Password mini. After waking my computer from sleep, I always need to enter my 1Password master password again. But even before I do that, Activity Monitor shows me that three 1Password processes are running.

    Hence my question. In the scenario that Lars describes, where someone steals my MacBook Pro at the airport, while it is asleep and the lid is closed, do you consider 1Password to be running or not running?

  • Lars
    1Password Alumni

    @Nekoninda - the first thing to keep in mind here is that this attack was performed on Windows PCs and 1Password 4 for Windows and 1Password 7 for Windows, so the applicability to Macs is significantly different, due to the different system architecture. If 1Password is running, it is running. ;) For it NOT to be running, you would need to Quit 1Password 7 Completely by typing ^⌥⌘Q (or just holding down the Control and Option keys as you choose Quit from the 1Password menu). Whether you choose to do this -- or indeed to shut down your Mac altogether -- is a security decision that's up to you. Most people don't, for convenience reasons, despite the security tradeoff. I'd recommend our Chief Defender Against the Dark Arts (jpgoldberg)'s post in the thread to which I linked @David_Hamburg for a good overview, and this follow-up for a Mac-specific corollary.

This discussion has been closed.