So what does 1PW recommend?

Gort
Gort
Community Member
edited February 2019 in Lounge

Hi. I've read the long thread...not a programmer but I think I get the gist.

I trust 1PW. Given that, what do you recommend -- specifically?

Do nothing? Just keep using 1PW like usual?
Stop using 1PW for Windows (I use 1PW on multiple OS's)?
Always close 1PW for Windows after I use it?
Open a bunch of Chrome tabs after I use 1PW for Windows?
Only use X -- stop using desktop versions?

Not looking for finger pointing or technical debate. I know that no security if foolproof. I know that anything created by a human can be broken by a human. Don't care about C vs. Rust.

I trust you guys with my most secret stuff.....so please give me your specific recommendation. You owe me that I think. I have seen the recommendations out on the web to stop using 1PW.....looking for your specific recommendations.

Thanks


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Lars
    Lars
    1Password Alumni

    @Gort - excellent questions, and thanks for asking them. Also, thanks for being a 1Password user.

    We don't have an "official statement" out at this point, so I wouldn't want anyone taking anything I say here as one. But with that understood, I think how you react to this news depends to a large extent on your own assessment of your threat profile. I don't mean that to pass everything off onto individual users, nor skip what I think would be a sensible approach, but we've always said that security is a process and not a product. If there were a product - any product - that could keep people reliably 100% secure under all circumstances, this game would be over and we could all go home: everyone would already own and use this product. But in reality (as you've already noted), that's not how it works, and no security is perfect in all conditions. 1Password is only one of the tools in a user's security toolbox, and that toolbox is not just software apps and hardware firewalls, etc, but also the user's brain, judgment, knowledge and experience.

    As an example, we include options in Preferences > Security that can widely affect how frequently and under what conditions 1Password locks and/or requires your Master Password to unlock. You can choose to set up Touch ID (if your Mac supports it) or not. On iOS, you can do the same. It's arguably less secure to use Touch ID for 1Password (assuming you've got a good, strong Master Password), but we provide it because many users demand it, and we always provide ways to set these options to the most-restrictive setting (not using Touch ID at all, setting the timeout for requiring Master Password on the Mac to 1 or 2 minutes in Preferences > Security, etc).

    The class of threat that was publicized by ISE in the press (and discussed in that larger thread here on this forum) requires direct access to your device's memory. How likely such a thing is depends a great deal on your own security practices that have little or nothing to do with 1Password -- do you never allow your laptop out of your own sight or control, even when you leave to go to the restroom? Do you work in an "open" environment where a lot of other people - especially ones unknown to you work? Are you what you would consider a "high-value target?" By that last, I mean to differentiate between most of us, for whom taking reasonable precautions is more than enough to both discourage and if necessary foil threats of the lower-level sort, and those of us like Ed Snowden or Bill Gates or famous celebrities or other persons-of-interest, who might be "valuable" enough as a target to be the focus of a dedicated, specialized attack on you personally instead of a wide-net phishing/social engineering operation. If you're the latter, I'd advise a much more cautious approach across the board than I would for most ordinary 1Password users.

    Even if you're a "mere mortal" like most of us, it's possible you could be compromised by one ill-advised click on the wrong link or file attachment. But that's no different than it was last week before this news broke. What's different is more people's awareness that yes, things must be decrypted in memory for humans and machines to be able to read/use them, and that therefore all sorts of secrets that 1Password keeps encrypted when locked and not running are in fact in your device's memory in decrypted form while you use 1Password. To be clear WE always knew this -- and it's why we've consistently said that no software can protect you if running on a compromised device. Yet during all the time prior to this Washington Post article, there were no instances of 1Password 7 for Windows or 1Password 4 for Windows (the two versions ISE tested) experiencing such breaches/disclosures of users' encrypted data or Master Passwords "in the wild" -- at least none that were reported in the press or to us, and no one has claimed the $100,000 bounty at BugCrowd for decrypting 1Password data. Why? Well, that's obviously speculative and subject to debate, but if one's assumption is that the only reason this was never reported "for real" previously is because no one knew until ISE disclosed it, I think that's...unlikely. ISE are far from the only people researching password manager security (and all sorts of other aspects of security). That includes both "good guys" who research bugs to notify developers in an attempt to better everyone's security and "black hats" who do it for far darker purposes.

    So what would I recommend? First, continue on with physical device security (meaning: don't let others have access to your devices, etc) as well as good computing hygiene (never click links or attachments in emails or on web pages you don't trust the authorship or provenance of -- and that doesn't just mean "sources you actively DIStrust," but rather ANY sources you don't proactively and affirmatively trust). I assume most people with a passion for security already do this, but it's good to reiterate. Similarly, especially if you're using a Windows device (but even on other devices), turn them OFF when you anticipate you'll be in situations where authorities (or others) might require your device. This varies by jurisdiction, but in the USA, courts have drawn distinctions between compelling you to provide a fingerprint or face scan, vs compelling you to divulge a password. When devices are powered off, after a few minutes, RAM is reset (thus reducing or eliminating "cold boot" attacks), and your password is required to open it. In fact, if heightened security is your aim, it remains a good idea to turn devices OFF when not in use (or at least re-start them and don't have 1Password set to launch at startup), regardless of whether you're about to go through customs screening in Uzbekistan or just heading out to catch a movie. Use Bit Locker or other whole-disk encryption, and as always, use a good strong password, both for 1Password and for your user account on your computer. Don't run your day-to-day work in an account with Admin privileges, but create a separate user account with standard privileges. And if a device is lost or stolen, it's likely most thieves of the smash-and-grab variety are looking for nothing more than something they can wipe and sell, but there's always a chance that 1) your device was ON when it was lost/stolen, 2) 1Password was running and 3) the thieves are both smart enough to know how to break into your user account and interested enough in you to do so and dump memory before the battery runs down - or before you can change your Master Password (and Secret Key if you're a 1password.com member), as well as your other passwords stored in 1Password. Do that right away, in the same way you wouldn't wait a week to notify your credit card providers when your wallet gets stolen.

    Open a bunch of Chrome tabs after I use 1PW for Windows?

    I assume you knew this one was a joke, but on the off chance you didn't, this won't help at all, it's just funny because Chrome has a (partly deserved) reputation as such a memory-hog that the joke is doing this would cause the OS to overwrite any lingering decrypted-in-memory secrets to be freed up for all the new Chrome tabs. 😆

    Bottom line: yes, even in the wake of this "disclosure," I would recommend continuing to use 1Password (or any similar password manager of good repute), on any platforms you currently use it, for many of the same reasons Troy Hunt gave in the video that was linked in that thread (start around 5:28), as well as @SwiftOnSecurity (much more pithily) gave in this tweet over the weekend. The game hasn't changed, security is still a process that requires user participation and judgment, not a product (ours or anyone else's) that can protect you even from yourself.

  • RSaunders
    RSaunders
    Community Member

    @Lars Thanks, this is a great answer.

    How about a Mac version. Should the Menubar Mini version of 1PW be removed by the security conscious? Is this another situation where Windows memory management leads to issues that are less applicable on a Mac?

    While you're at it, iOS and Android versions of this answer are probably more useful than the more-general (actually too vague for action) statement that's the end of the long discussion thread.

  • @RSaunders

    I've replied in more depth about the implications on Mac here:

    1Password - memory attack affect macOS version? — 1Password Forum

    Should the Menubar Mini version of 1PW be removed by the security conscious?

    I wouldn't, no.

    While you're at it, iOS and Android versions of this answer are probably more useful than the more-general (actually too vague for action) statement that's the end of the long discussion thread.

    Mobile devices are even less of a concern when it comes to this as on iOS essentially the only way to install software is through the App Store, with limited exception. Android is similar. If you're only installing apps that have been verified to not be malware you've effectively mitigated the threat.

    Ben

  • UnFleshedOne
    UnFleshedOne
    Community Member

    This is what I do to minimize exposure on windows:

    • run 1Password as an elevated admin (by modifying it's shortcut to always run elevated)

      • this will make its memory unreadable by non-elevated processes, and if you have an elevated malware everything is lost anyway.
      • this might make your machine vulnerable in other ways, in case 1Password itself is compromised and serves as an elevation route. This has a smaller threat profile I think
    • disable browser integration

      • wouldn't work in this scenario and it could launch main binary without elevation by accident (when it isn't running yet)
    • exit application instead of locking it

  • Losing browser integration is a pretty big deal for most. I guess you have to evaluate if the risk of your machine being infected by malware that dumps memory is greater than the convenience and benefit having browser integration provides.

    Ben

  • UnFleshedOne
    UnFleshedOne
    Community Member

    Yeah, it is fairly inconvenient. But I find it is more convenient than running multiple 1Password accounts for truly critical data (like bank accounts and email) and the rest of it or only using 1Password on well protected machines.

  • derek328
    derek328
    Community Member

    @Lars: 1Password keeps encrypted when locked and not running are in fact in your device's memory in decrypted form while you use 1Password.

    Correct me if I'm wrong @Lars, but is that really the case though? As per the secutity research paper, 1Password 7 leaked data even on 100% uncompromised machines, even when 1Password is supposedly "locked" - meaning a user isn't using it.

  • dougl
    dougl
    Community Member

    @ben Agreed, browser integration protects against spoofed sites (among other things). That's FAR more a real-world risk than this one is, and darn near caught a friend of mine recently (e.g. Hey Doug, why did 1Password stop automatically pasting passwords....).

    @Lars I have a blog post in the works on this one myself, and continue to recommend using 1P when I speak to lay audiences. I am watching for emerging targeted malware though (not just 1P, but for all the managers)...but that won't change the PW manager advice, just that I need to revisit my 'xprotect is enough anti-malware on macs' stance. Might have to take another look at Malwarebytes this spring....

    BTW, I presume you've seen the new 'Thunderclap' research: https://threatpost.com/thunderclap-peripheral-security/142244/ that outlines a DMA attack? Thought I'd mention it before someone else does, without regard to the probability of occurrence. It's a neat bit of work, that could be chained together with this vulnerability....but only if the attacker has physical access to the machine, the technical know-how to create a dedicated piece of attack hardware, know that the user has actually launched and run 1Password, and the time necessary to execute it. Again, a neat piece of work, but hardly realistic outside of nation-state level work.

  • Lars
    Lars
    1Password Alumni

    @dougl - yep, we saw Thunderclap a few days ago. I particularly liked The Verge's piece on it, with its subtitle "Remember: don’t just plug random stuff into your computer". Good advice back decades ago with random USB drives/charging ports, good advice now. :)

    It's a neat bit of work, that could be chained together with this vulnerability....but only if the attacker has physical access to the machine, the technical know-how to create a dedicated piece of attack hardware, know that the user has actually launched and run 1Password, and the time necessary to execute it.

    Exactly. Which I'm guessing is why there are no reported "real world" cases of which either we or the tech media are aware of a user's encrypted data in 1Password being breached in this manner. I liken it to car theft: there's plenty of it, yes...but the vast majority of car thieves are of the low-level, "smash-and-grab" variety, whose technical expertise rises not much higher than using a crowbar to smash a window and pry out a stereo or grab a purse from the front seat. Then there are indeed the kind of high-powered, highly-skilled and trained car theft rings that can strip or boost a $2.1M McLaren Speedtail in less than 90 seconds. This threat exists, definitely...but there aren't many who possess both the skill, the time, the funding and the desire to pull it off. And the ones who do exist...don't target Camry owners.

    As you say, state level actors, who might very well go to the trouble to attempt all of the above with an Edward Snowden type of high-value target, might be successful with such a thing...if Snowden was incautious about plugging his device into an untrusted Thunderbolt peripheral or port (or even cable). But he's not. You're not. I'm not. And for anyone else who's curious what steps to take to have the best chance of avoiding this, all of the existing best practices still make one pretty darn safe even in a world where "garbage collection" doesn't always clear data from RAM as thoroughly as it should, "you should be careful about plugging your computer into accessories or chargers you don’t trust" (as The Verge reiterates at least one more time in their piece) is good, simple, actionable advice that the less-technical but still security-conscious can use right away without disrupting their lives or even workflows too much. "Lock your computer when you're not using it" is another.

  • derek328
    derek328
    Community Member

    @Lars thanks for the response. Would definitely appreciate a reply for my follow-up question above as well! Thanks!

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited March 2019

    @Lars: 1Password keeps encrypted when locked and not running are in fact in your device's memory in decrypted form while you use 1Password.

    Correct me if I'm wrong @Lars, but is that really the case though?

    @derek328: 1Password doesn't keep the data in memory at that point. The OS can though, which is the subject of the research.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @Gort: Since Lars originally replied to you, we have created a knowledgebase article on the subject:

    Managing 1Password secrets in memory

    :)

This discussion has been closed.