Feature Request: Emergency Action to set all passwords as compromised manually

Options
Damnatus
Damnatus
Community Member
in Windows

Hi!

A question that arose recently when I was thinking about a device I own being compromised was how to keep track of the needed Password updates if the Account Password could be compromised due to a local virus or trojan with capabilities to exfiltrate the Account Password. While there might be not much 1Password could do when running on a compromised machine, there are still possibilities to help regaining trust and confidentiality of the saved secrets.

Changing the Account Password would only be the first step to regain control, but afterwards all the saved passwords should be regenerated and replaced too.

Currently, it seems that there is no tool that would actively help users to have an oversight of possibly compromised passwords in such a scenario. Correct me if I'm wrong.

The possibility to flag all passwords up to this date as compromised and have them in a Watchtower category would allow to work through the saved passwords (or even just all items). Current order options (like modified by date) are only rudimentary helpful.

I have tried to find out if this feature request was already made, but with the keywords I used I haven't found anything.

I'm not sure how to implement it in a way that minimizes risk of abuse (being cancelled by the malicious actor to prevent change or activated to cause the user to change passwords).

But I think for this, hopefully rare, occasion an "oh sh*t my device has been compromised" button could be helpful. I thought if that button could also revoke access from that device and maybe deletes local data of 1Password, but that also could be abused to the point a malicious actor locks someone completely out).

I would be interested if the 1Password Team has thought about how to assist users in such a scenario and if my suggestion here is helpful.

(These thoughts have been formulated while listening to the great 1Password Podcast and after a possible scare of a compromised device, which turned out to be a False Positive).

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided

Comments

  • PeterG_1P
    PeterG_1P
    Options

    Hello @Damnatus, thanks for this idea! 👋

    I really appreciate you taking the time to describe your use case on this, and the evident level of care you've given it. I'll certainly pass it on to our developers as a feature request, and should be able to do so today after having a think on how best to propose this. Then our developers can take a look at how and whether this might be tackled. While I can't promise when or if this feature might make it into 1Password, I can definitely see why a Break Glass In Case of Compromise kind of feature could be really useful.

    I think this will lead to some great discussions, and can't wait to see what comes out of it. Thank you for lending your inspiration, and I'll be happy to follow up on this for you!

    ref: IDEA-I-1166

  • Damnatus
    Damnatus
    Community Member
    Options

    Hi @PeterG_1P,

    looking forward to the follow up!

    Of course I'm curious about the internal discussions at 1Password about this topic in specific, but in general. The small bits from the 1Password Podcast were very interesting.

  • ag_mike_d
    ag_mike_d
    Options

    Hello again @Damnatus, on behalf of Peter you're most welcome! Thanks for tuning in to the Random But Memorable podcast. I'm glad to hear you've been able to pull some interesting bits from it!

    Have a great day!

This discussion has been closed.