Changing which vaults to show in 1PasswordX browser extension should require password

Currently, once I have unlocked 1passwordX in the browser, I can go to Settings in the top right corner of the extension (in Chrome) and toggle vaults. This should not be possible without first entering a password. In fact, any security-related toggles should require that I re-enter the password.

As a bonus, you could require the password if more than a certain time has passed since last entry, but this is a bonus to cover the use case where I'm playing around with settings trying to figure out what works best for me; this would rarely take more than a few minutes. E.g., I might have my auto lock on autofill set to a half hour, but changing security settings should require new password entry if it has been more than 5 minutes since last password entry.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:lock vault

Comments

  • ag_yaron
    1Password Alumni

    Hey @oschoenborn ,
    Thanks for the suggestion here.

    It's rather funny how users are so different one from another, as we've got quite a few discussions in the forum right now about users complaining that 1Password X requires the Master Password too much/too often :dizzy:

    Our security revolves around protecting your data and privacy, none of which are visible or accessible via the settings of the extension, which is why the settings do not require your Master Password. What is the worst case scenario of someone accessing your extension's settings? Is a Master Password really necessary there or will it be just another inconvenience?

  • oschoenborn
    Community Member

    I completely agree with those who say master password is required too often for autofill because autofill is used a hundred times a day. Whereas changing settings is once in a while, like a couple of times a year.

    In particular, vaults would be a great way of limiting damage: I could use vault A on one machine (say my work laptop), vault B on another (personal desktop), and "lock out other vaults". In the rare case where I need passwords from a third vault, C, in either machine, I could temporarily enable vault C there. If malware somehow gets access to my passwords in 1passwordX, they will only get the ones in A or B but very unlikely C because of how seldom C is unlocked.

    So what I'm talking about is a setting on each vault in 1passwordX plugin settings, "requires master password to toggle ON"; there is clearly no need for master password to disable a vault. And add an option to require master password to change settings. The option to "lock" vaults would only be available if the settings require master password.

    Pretty simple logic, and it lets the user decide how much locking they want. No one would be forced into this.

    You just need to give users options, and explain caveats just like you already do with, say, Watchtower, where if a user turns it on, a pop-up warns about possible consequences.

  • ag_yaron
    1Password Alumni

    Hey @oschoenborn ,
    Thanks for the additional details here.

    I think you might be missing the idea of the Master Password and how encryption works here. Your Master Password decrypts (alongside your Secret Key) your entire database and all vaults in it. We can show a Master Password prompt to toggle vaults on and off, but it would be quite useless because all your data is already decrypted the moment you input your Master Password to unlock the extension. There's zero added security here. The toggle just shows/hides vaults. It doesn't keep them locked/unlocked.

    If a malicious 3rd party gained access to your system, it doesn't matter if only one vault is shown as "unlocked" or if all of them are - they might have your entire decrypted data.
    The only way to do what you are asking is by using separate 1Password.com accounts. Each account has its own Master Password and Secret Key, and therefore you can keep one account locked and the other unlocked. That does indeed work, and will require your Master Password when you try to unlock the other account via 1Password X's settings.
    And in general, if a malicious 3rd party or malware gained access to your system, consider your data compromised immediately and act accordingly, even if you're sure everything was locked and encrypted. We do everything we can to keep your data safe, but in case of a breach, change your Master Password and Secret Key.

    "You just need to give users options"

    This is a big point, and I'm glad you brought it up.
    If we were to implement every feature request by our users (assuming the feature was viable and made sense) as an option in the app, we would have about 14 pages of settings :dizzy:
    In order to keep current day software friendly and easy to use, it has become a standard that less is more. I'm sure you would agree that the vast majority of users are not as tech-savvy as you are, and a lot of options/features would just overwhelm them, causing more damage than actually helping.

    However, we definitely do listen to users' feedback and if enough users request something, we investigate it and add it if possible, so I do thank you for taking the time to write to us here and bring this feature request up.
    I hope I was able to clarify the security logic behind the settings and your Master Password. Let me know if you have further questions on this.

  • oschoenborn
    Community Member

    Ah yes, I do recall seeing that mentioned before, about the master-decrypts-all. How about making 1passwordX "forget" data in disabled vaults immediately after it has decrypted everything?

    Sure, there would be a split second where the whole data is available in memory, but this would be better than now and eliminate several categories of attacks (e.g. someone snooping at my desktop while I'm not there and the auto lock has not kicked in yet; or malware that doesn't directly read memory of other processes).

    Then if I enable a disabled vault it has to fetch whole thing again so it would ask for master pass. If I disable an enabled vault 1passwordX would immediately discard (from memory) all associated passwords.

    No need for a per-vault setting, maybe just one setting "minimize vaults" (off=current behavior, on=above).

    Heck this is even simpler than my first proposal :)

    Speaking of memory reading, hopefully the sensitive data in 1passwordX is not in clear text in memory, but encrypted with a temporary token (obtained say, from 1password servers)?

  • Hey @oschoenborn! I'm a developer on the 1Password X team, and @ag_yaron asked if I could take a look at this.

    The toggles beside vaults on the settings page exclude them from "All Vaults", rather than disabling them entirely. The items in "disabled" vaults won't show in some places, like the suggestions we show below fields. However, there are cases where the items are accessible - for example, we show a "Search Everywhere" button in the popup when a search returns no results - this looks through everything. I think clarifying that hopefully addresses the first part of your question. Since items from those vaults still need to be accessible in some situations, we still need the ability to decrypt them.

    If you're using 1Password for Business, we do have a feature where you can choose which vaults sync to which 1Password apps, which might provide what you're looking for. Unfortunately, this isn't available on the other plans at the moment.

    Regarding the use of a temporary token, I'm not sure this would provide any meaningful protection. 1Password X decrypts items as and when they're needed, so the secret would need to be stored in plaintext. If your browser's memory was exposed to an attacker, they would be able to retrieve the secret and perform the same decryption that 1Password would. As Yaron mentioned, we're limited in the protection we can offer on a compromised device - to some extent, we always need trust in the machine we're running on.

  • Just leaving an extra comment to thank you for asking this - we put a lot of thought into this sort of thing, and it's fun to have a chance to talk about it 😁
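
Added example (not part of the thread and not 1Password's code): a simplified JavaScript model of the point made in the replies above, that a show/hide toggle changes only what is displayed while the unlocked account key still decrypts every vault, and that only a separate account with its own key stays locked. The key derivation, function names and sample items are assumptions constructed for illustration.

```javascript
// Simplified model (assumption): one key per account, derived from password + secret key.
const crypto = require('node:crypto');

// AES-256-GCM helpers: sealItem() returns iv || tag || ciphertext.
function sealItem(key, text) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(text, 'utf8'), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function openItem(key, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]).toString('utf8');
}

// Hypothetical account: every vault is sealed under the same account key.
function createAccount(password, secretKey, vaults) {
  const salt = crypto.randomBytes(16);
  const key = crypto.scryptSync(password + secretKey, salt, 32);
  const sealed = {};
  for (const [name, items] of Object.entries(vaults)) {
    sealed[name] = items.map((i) => sealItem(key, i));
  }
  return { salt, sealed, key: null, shown: new Set(Object.keys(vaults)) };
}
function unlock(acct, password, secretKey) {
  acct.key = crypto.scryptSync(password + secretKey, acct.salt, 32);
}
// The settings toggle edits the display set only; no key material changes.
function toggleVault(acct, name, on) {
  if (on) acct.shown.add(name); else acct.shown.delete(name);
}
// Suggestions honour the toggle...
function suggestions(acct) {
  return [...acct.shown].flatMap((v) => acct.sealed[v].map((b) => openItem(acct.key, b)));
}
// ...but a search across everything (or any code holding acct.key) does not.
function searchEverywhere(acct, term) {
  return Object.values(acct.sealed).flat()
    .map((b) => openItem(acct.key, b)).filter((i) => i.includes(term));
}
function canDecrypt(acct) { return acct.key !== null; }

// Constructed sample data: two accounts, only the first one unlocked.
const work = createAccount('constructed-pw-1', 'constructed-sk-1', { A: ['mail: a'], C: ['bank: c'] });
const personal = createAccount('constructed-pw-2', 'constructed-sk-2', { B: ['forum: b'] });
unlock(work, 'constructed-pw-1', 'constructed-sk-1');
toggleVault(work, 'C', false); // vault C is hidden, yet still decryptable
```

Here `suggestions(work)` omits vault C, while `searchEverywhere(work, 'bank')` still returns its item; the items in `personal` cannot be opened because its key was never derived.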

This discussion has been closed.