1Password 8 fully audited?
I’ve heard there are some niceties added with version 8 so I might update soon. Before I do,
1. Did you post how to downgrade in case I hate 8?
2. Considering Log4J and the questionable mod to openSSL a while back, have you audited ALL of the Electron code? I don’t trust it for handling my passwords and can’t see how you would trust the very foundation of your business on it if not.
Comments
Hi @PecosBill
I'd be happy to get us started with this conversation.
Did you post how to downgrade in case I hate 8?
The answer here depends a bit on your current setup that you'd want to revert to. Do you already have a 1Password membership, or would 1Password 8 be your first exposure to that? If you're already using a membership then downgrading to 1Password 7 would be fairly straightforward. It would also be fairly straightforward if you were to upgrade from a standalone (non-membership) setup and then want to downgrade without having made any changes to your data. The only thing I foresee potentially being a bit tricky would be if you:
- Are currently using standalone vault(s)
- Make changes to your data after upgrading to membership + 1Password 8 that you want to keep
- Do not want to continue with a membership, but instead want to go back to standalone
Not that it would be impossible, but it would require some additional work, and frankly I'm not sure we'd be in a position to assist with a reversion of that nature. If that's the situation you're in I'd recommend reaching out to our migration team via email to support+tradein@1password.com to see what possibilities exist.
Additionally I'd add that with the launch of 1Password 8, 1Password 7 is no longer supported and will only receive important security updates. Although you can continue to use 1Password 7, it’s best to use the latest version of 1Password that includes all the latest features and security updates, so you should upgrade to 1Password 8 for Mac or Windows when you have the chance.
Considering Log4J and the questionable mod to openSSL a while back, have you audited ALL of the Electron code? I don’t trust it for handling my passwords and can’t see how you would trust the very foundation of your business on it if not.
A few points here:
- For what it's worth, Log4j was a Java-related vulnerability, not a JavaScript vulnerability (similarly named but essentially completely different technologies). We did not at the time and do not now use Log4j in any of our 1Password applications. We have a KB article on this: https://support.1password.com/kb/202112/
- We have had multiple external security audits, some quite recently. You can review them here: https://support.1password.com/security-assessments/
- We're not using Electron for the business logic of the app. The business logic is handled in what is essentially a headless app written in Rust, and Electron is being utilized to provide a front-end to that headless app. More on this here: https://dteare.medium.com/behind-the-scenes-of-1password-for-linux-d59b19143a23 This post was written with Linux in mind, but is applicable to all of our desktop apps. Our mobile apps use that same "core" headless Rust code, but use their own respective UI technologies.
- We've actually contributed an open source Electron hardener to the community. You can read more about that here: https://github.com/1Password/electron-hardener
I hope that helps. We'd be happy to engage further if you have any follow-up questions.
Ben