Security concerns about 1password 8 for windows
Hello.
While trying to find a safe way to delete 1password data from my computer just in case I give or sell my computer to someone, I found the file that hold informations of the 1password account that is once signed in from a local windows computer.
Just out of curiosity, I opened that file and saw what's inside. I couldn't understand most of the file contents, however, I was able to find, amonng other important looking things, my 1password secret key written in clear text.
I don't know how people think, but I think storing secret keys in clear text without any protections can make 1password weaker, at least a little.
If I remember correctly, 1password security whitepaper, and other pages related to 1password security says 1password can't do much if my computer is compromised.
I know that 1password has amazing security designs, and I appologize if I was wrong, but I think 1password needs to provide as much local protections as possible. It can include memory protections provided by the OS, code injection preventions, obfuscation of locally stored keys and important datas, and making use of dedicated secure elements like TPM chips that are included in most modern computers.
Also, it would be great to see the whitepaper about how 1password protects locally stored data and it's memory.
Please take these to considerations if possible.
Thank you in advance.
1Password Version: 8.4.1
Extension Version: Not Provided
OS Version: windows 11
Comments
-
Hi @sj0123
You are correct: there are minimal protections applied for the Secret Key on your computer. The Secret Key isn't intended to be secret within your system. It is intended to protect the encrypted data that is stored on our servers. The account password is what protects the data on your computer. We cover this in our about your Secret Key guide:
Your 1Password account password protects your data on your devices. Someone who has access to your devices or backups won’t be able to unlock 1Password without your account password, which only you know.
Your Secret Key protects your data off your devices. Someone who attempts a brute-force attack on our servers won’t be able to decrypt your data without your Secret Key, which we never have.We also talk in more depth about this in the white paper under the "Malicious processes on your devices" heading ("Locally exposed Secret Keys" sub-heading), which as of writing is on page 74:
Because the Secret Key must be used to derive the user’s AUK it cannot be encrypted by the same AUK or by any key that is directly or indirectly encrypted with the AUK. Depending on client and client platform the Secret Key may be stored on the device using some of the protections offered by the operating system and may be lightly obfuscated. However, it should be assumed that an attacker who gains read access to the user’s disk will acquire the Secret Key
And there is a relevant footnote:
We are deliberately vague about this, as practice may change rapidly from version to version, including different behaviors on different operating system versions
As for your last question:
Also, it would be great to see the whitepaper about how 1password protects locally stored data and it's memory.
Agreed; documenting this is a work in progress. I hope these answers are helpful. :)
Ben
0 -
Thank you so much for your answer. I fully understand the fact that it isn’t possible to encrypt the secret key and it is possible for an attacker to gain access to stored secret key once he gets access to my computer. However, what I’m saying is that it should be as hard as possible for attackers to retrieve actual keys from a computer(not only the secret key, any information that might be stored in local devices which, if exposed, can be used in cracking attempts.
As I said in the first post, dedicated security chips such as TPM chips, secure enclave for IPhones, and arm trustzone technology, would be a great solution to achieve this as these chips run seperately from the main operating system and gaining access to protected data is extremely difficult, given that the user maintains a secure environment on there systems.
This also would make it possible to unlock 1password with faster methods, such as windows hello across reboots which isn't implemented yet.
This was more of a suggesstion. even if it isn't possible, I understand that, but I really hope I can unlock 1password using windows hello across reboots or process terminations, and 1password being more secure in general.
Thank you.0 -
Hi @sj0123, thank you for this thoughtful response - and we do appreciate these suggestions.
This could be a pretty deep discussion, but for now I'll just say that your points are well-appreciated, and that protections against local attacks or insecurities are something we do put in place - for example, clipboard management, memory protections, code signature validation, and so on. When it comes to the Secret Key and why it can't be encrypted, you and @Ben have already well covered that ground.
As I said in the first post, dedicated security chips such as TPM chips, secure enclave for IPhones, and arm trustzone technology, would be a great solution to achieve this as these chips run seperately from the main operating system and gaining access to protected data is extremely difficult, given that the user maintains a secure environment on there systems.
This is definitely something we're interested in. While I can't share much about forthcoming (hypothetical) features, this is definitely an area where we see some potential - both for security and convenience - and we'll hope that our future efforts here will delight you!
I should note as well that 1Password, even without using Windows Hello to unlock, still scores as very secure by most risk analyses. There's no such thing as "total security", and our security folks can speak more to the details of potential endpoint compromise scenarios, but I thought we should make sure to mention that. 👍
0