Securing Notes and Passwords
As a former LastPass user, one thing that I used extensively was LP's ability to require the user to enter the account's Master password before one gains access to select Secure Notes. This ability to tighten down the security also was able to be applied to individual logins if the end user wanted to. This would allow tightening down the security on certain information. With 1Password one has to shorten down the lock time out to prevent access to this type of information.
Are there any plans on adding some sort of feature to 1Password?
Comments
-
Hi @Fedup, first - thanks again for making the switch! We're happy to have you. 😀
Thanks as well for the question; it has some interesting security implications.
As a former LastPass user, one thing that I used extensively was LP's ability to require the user to enter the account's Master password before one gains access to select Secure Notes. This ability to tighten down the security also was able to be applied to individual logins if the end user wanted to. This would allow tightening down the security on certain information... Are there any plans on adding some sort of feature to 1Password?
To my knowledge this isn't something we've considered (recently, anyway). But there might be a good case for it, even if its use is somewhat limited.
Just to chat for a moment, here's what I'm thinking:
With 1Password one has to shorten down the lock time out to prevent access to this type of information.
Right. To be specific, the lock time setting is partly meant to guard against local access - basically, shoulder surfing attacks, or someone grabbing an open laptop to copy information or view it directly. Would requiring additional authentication for certain items help here? Maybe it would. That might require the contents of the item to be obscured until authentication is entered, which is something I'll have to discuss with our developers a bit.
We do sometimes require additional authentication for tasks that are particularly security-sensitive (like if you try to export in 1Password 8, you'll notice you're prompted for your password there).
In concrete terms, this doesn't guard against someone who has already learned or guessed your account password, since all they'd have to do is put it in again. But it might still have some value for the scenarios where the app is open already, the attacker doesn't know the password, and the lockout time has been set to a longer value for a (legitimate) user's convenience.
Is that worth the added complexity or potential break in a person's workflow? It could be, if users have to opt-in to such a setting.
How this would work with 1Password's particular approach to decryption is another question. In any case, I'll get this filed with our development team so we can discuss it in-depth. Thanks for the suggestion, and for the opportunity to make the app stronger yet - we appreciate it! 😃
ref: dev/core/core#12033
0 -
Well, although I have been using 1Password for 7 months or so, I reflect back to my LastPass usage of 9 years. I only used the file extension to access information including secure notes. I also never had LP lock the account EXCEPT when the browser was closed. That was because I was looking up information for clients etc. all day long. Hence why I availed myself of the secure notes aspect of LP for those notes whose information needed to be protected with passwords all the time.
Even with 1Password, I am using the extension for a vast amount of the time during the day. I rarely use the 1Password app.