Security Design Question

neverTire
neverTire
Community Member

Hi,

I just read the following and would like to know if this has already been discussed:

https://posts.specterops.io/1password-secret-retrieval-methodology-and-implementation-6a9db3f3c709

My understanding, from reading the above, is that once the master password has been entered into 1Password, all password details have been decrypted, residing in memory on the host computer.

The above article refers specifically to a Windows environment, however, I suspect it is the same on a Mac.

If what the article claims is true, then to my way of thinking, this means that 1Password is only as secure as the host environment it is running on, is secure.

Also, this means that when 1Password starts up, it does not check if the executable has been modified, because if it did, then it does not seem possible that the above could have worked.

As a 1Password user, I found the above blog/post, quite disturbing.

Regards,
Peter


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided

Comments

  • mrbeign
    mrbeign
    Community Member

    That was an interesting read. It looks like there was a comment left by someone on the development team for 1Password versions 6 and 7 for Windows and he gave his thoughts.

This discussion has been closed.