Concerned about Tavis Ormandy statement

edited June 10 in Lounge

Hi

I have recently gone through an article by Tavis Ormandy https://lock.cmpxchg8b.com/passmgrs.html.
I'm a bit scared now after seeing so many vulnerabilities in password managers. I'm confused now, or I have been trapped by password manager companies' marketing. Is there any way to fix these issues, or are they already fixed?

Waiting for the reply.

Comments

  • Ben AWS Team

    Team Member

    Hi @UdhayanithiG

    I'm sorry for any scare. Our Chief Defender Against the Dark Arts, Jeff Goldberg, has written a response to those concerned after reading Tavis's post, here:
    https://reddit.com/r/1Password/comments/ntbf2m/tavis_ormandy_on_password_managers/h0sqhku/

    If you have any follow-up questions after reading we'd be happy to help. Please let us know.

    Ben

  • @Ben I'm happy to see that. But can the mentioned vulnerabilities compromise my credentials? I'm a bit worried because it comes from a notable person.

  • Ben AWS Team

    Team Member

    @UdhayanithiG

    I'd be happy to ask our security team to provide additional clarification on the situation. Could you please elaborate on what specifically you're concerned about which is not addressed in the above linked post?

    Thanks!

    Ben

  • Okay, the article itself is too technical for me and I can easily get it wrong. But I know a little bit about sandboxing. Tavis said in the article that it will affect sandbox performance. Is that true for 1Password?

  • jpgoldberg Agile Customer Care

    Team Member

    @UdhayanithiG

    But can the mentioned vulnerabilities compromise my credentials? I'm a bit worried because it comes from a notable person.

    What he is doing is providing a list of things that password managers need to watch out for, and noting that failure to do so can lead to very serious vulnerabilities. We are, and have been, aware of all of those concerns for a very long time and have designed 1Password with those in mind.

    He (implicitly) makes a very valuable point. Attackers are not going to go after the strongest point of a system (which should be the encryption if it is done right). Attackers will attack elsewhere, including the kinds of things that he lists. And so a good password manager will have to design the product to defend against such attacks. We do.

    He is not claiming that we are vulnerable, only that we (and others) have a number of fronts that we need to defend against. But I can understand why someone might think otherwise from the way he presented things.

  • @jpgoldberg thanks for the clarification.

  • Greetings,

    I learned about this blog post [1] regarding password managers, and wanted to get the 1Password team's thoughts around the arguments made in the post.

    Primarily, I'm curious to learn how 1Password mitigates against IPC attacks and whether 1P's design breaks the browser's sandboxing model.

    Thank you,
    -Roberto.

    [1] https://lock.cmpxchg8b.com/passmgrs.html


    1Password Version: Not Provided
    Extension Version: Not Provided
    OS Version: Not Provided
    Sync Type: Not Provided

  • Official statement from 1Password can be found in this thread:

    https://1password.community/discussion/121383/concerned-about-tavis-ormandy-statement
