Is it ever unsafe to unlock 1Password?
Excuse my ignorance
But while unlocking 1Password, I noticed the webpage I am on is showing the unsecure warning in the Chrome URL bar.
It was actually a Google search page, so most likely Google glitching, nothing serious.
But can a webpage sniff or read your keyboard while unlocking the 1Password plugin?
Probably just luck, but after unlocking, the plugin didn't actually open and I had to restart Google Chrome (coincidence, maybe, but it got me paranoid).
Thanks
Ali
1Password Version: Not Provided
Extension Version: 2.2.2 (Google chrome)
OS Version: Windows
Comments
Hi @Tcl, thanks for this important question! We appreciate your security-mindedness; these are important considerations.
I'd like to get you a more in-depth answer to this than I can give, so I'll be reaching out to some of our specialists here for more information we can share. In the meantime, I can provide some of the basics:
- 1Password's security is quite good. We take many measures to protect your information, both on your device and off, and generally go the extra mile to make an attacker's job very, very difficult.
In case you're interested, we provide a summary of the 1Password security model here, which provides information that may be relevant to your question, including clipboard management, code signature validation, and secure input fields.
- However, there's no such thing as absolute security, and it's especially difficult to defend against an attacker who has managed to compromise your device, is running as an administrator, or who has physical access to your device. This is partly why we recommend that folks maintain good security standards generally - for example, keeping the OS updated, firewall operating, only installing necessary apps from trusted sources, and so on.
Regarding this specific attack scenario, I'll run your question by some team members who are more knowledgeable on those specifics and will hope to have more for you soon. Thanks for the question - I hope this helps!
Hi @PeterG_1P, just following up on this. Were you able to get more details?
Thanks
Ali
Hi @Tcl, sure!
I hope my initial answer was helpful, but here's some additional follow-up from our security specialists: 👇
In general, web browsers prevent web pages from manipulating anything that is not on that web page itself (this is part of browser security generally).
The 1Password extension isn't part of the web pages you visit, which means that those web pages can't manipulate it. By extension (so to speak), they also can't read your keyboard when you are unlocking 1Password.