Security issue: Generated passwords are automatically saved in current (possibly shared) vault

1Adrian
1Adrian
Community Member
edited September 2021 in 1Password in the Browser

Hi,

a generated passwords ist automatically saved, which is fine. But it isn't saved in private vault but in the vault which is currently selected.
This current vault can be a shared one and in that case the password is accessible by others, which the user is not aware of.

I already have another concern with shared vaults, for me it more and more seems like the sharing in 1Password is not well thought through.

I like the simplicity of sharing passwords by being able to share a whole vault, but behaviors like this really destruct security.

The only way to share is to share a whole vault, and it doesn't seem like you thought about the potential risks of this only way.

Also, sharing should be possible in other ways, also to be able to share the same item to multiple people without having to create an enormous number of vaults.

We just switched to 1Password, but these behaviors really make me doubt if it was the right decision.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Referrer: forum-search:Security issue: Generated passwords are automatically saved in current (possibly shared) vault

Comments

  • ag_ana
    ag_ana
    1Password Alumni

    Hi @1Adrian!

    Can you please share the steps that you are following to generate a password? Are you doing it in the desktop app or in the browser extension, for example?

  • 1Adrian
    1Adrian
    Community Member

    Hi @ag_ana, I'm doing it in the browser extension.

    The vault in which the generated password will be saved is shown (see screenshot), but can been overseen. At least to me it happened multiple times.

    Same as for the other issue when moving an item to a shared vault, I think there should be (the option of) a confirmation hint before the generated password is saved to a shared vault.

    Screenshot

  • ag_ana
    ag_ana
    1Password Alumni

    @1Adrian:

    Thank you for the confirmation! I think storing the password in the currently selected vault is a good default choice, but I see how in certain cases you might want this not to be the default behavior. I don't know if the developers have plans to rethink this behavior (I think it would be confusing to users to be in a vault, create an item, and have it end up in a different vault by default), but I can certainly pass your feedback along for future consideration :+1:

  • 1Adrian
    1Adrian
    Community Member

    Yes you're right, it would generally be the best default behavior, but only if there'd be a confirmation hint. Without I see the risk that the password is being saved in a wrong (shared) vault, especially since you can select a vault hours before generating a password.

    I just think that the sharing of items in 1Password is too low-threshold. If a creation or move of an item affects the access of others, do you think a confirmation hint does anything bad? It's just one click, I don't see any disadvantages.

  • @1Adrian

    What you're saying makes complete sense. It wasn't clear which version of 1Password you are using, whether this is the 1Password classic extension or the Safari App Extension.

    One thing I do want to mention - the new version of 1Password for your browser handles this entirely at the browser level. That means you won't see an actual password saved to your vault(s), but to the Password Generator history directly in the browser. It will look something like this:

    image

    If you're open to taking it for a spin, I'd be interested to know if it improves your state of play a little.

  • 1Adrian
    1Adrian
    Community Member

    This looks good @ag_chantelle! Since I'm using Safari, when will this version be available for it?

  • @1Adrian

    The new 1Password for Safari is currently available alongside the Early Access 1Password 8 for Mac. If you're not interested in the Early Access, you can still download it for Safari from Safari > Safari Extensions. Although it will not communicate with 1Password 7 and will act as a standalone web extension in your browser. Alternatively, if you're using any other browser - it is already available there.

This discussion has been closed.