V8 does not lock when quit on Mac

Barryl
Community Member

There was a previous topic on this subject but it has been closed. There is still no information forthcoming. I've written an email but did not get an answer.

There are lots of Mac applications which do not quit when the main window is closed so I can live with this. However, I do not know of any other Mac application which does not terminate when quit. This is a monumental breach of security. You can't train Mac users that quitting does not quit. I've known about this issue for about a week and I still forget to manually lock the application before quitting.

Is anything planned? 1Password is at v8.8 at this point ... it's unfathomable to me as to how you could not think that this is a security issue.


1Password Version: 8.8
Extension Version: Not Provided
OS Version: macOS 12.5.1
Browser: Not Provided

Comments

  • Hi @Barryl:

    Thanks for your feedback on this. We're still discussing this situation internally. In the meantime, using ⌘+Q or closing 1Password from the menu bar using 1Password > Quit will ensure that 1Password locks immediately. Quitting 1Password by closing the window will result in 1Password locking when your auto-lock preferences are triggered, either based on idle time or on the screen lock setting.

    Jack

    ref: dev/core/core#15295

  • Barryl
    Community Member

    Thanks for the answer.

    ⌘+Q does not ensure that 1Password closes locked; nor does 1Password > Quit from the 1Password application menu. However, selecting Quit from the 1Password menu icon works ... which is what is so frustrating.

    I've tried it on macOS 12.5.1 and 11.5.8.

  • Garybo
    Community Member

    I agree! I just left my computer on for over an hour with no activity. In the past, 1Password would have closed. I came back and 1Password was very much open, ready for anyone to get into my information. Now, there are many times when I do some other computer work, then I am shocked to find out that my 1Password still is completely active. I have gone to security setting and chose shutting down after "2" minutes. In the past 1Password would time out and I had to sign in again. Not any more! Please fix this so it will work the same way it used to be.

  • @Barryl

    If you want 1Password to Quit when using Command + Q, or from the Application menu, try setting 1Password > Preferences > General - Keep 1Password in the menu bar to (enable/disable). That should lock the app when quitting. The steps above are for the current nightly (my version in use). With the option above set, any place I quit 1Password locks the application for me. I think they'll also work for you.

  • Barryl
    Community Member

    Many many thanks. That works on the released 8.8.0 build. 😀

  • @Barryl

    On behalf of Tommy you're very welcome! If you have any questions in the future, you know where to find us. 😁

    @Garybo

    I wasn't able to recreate this, could I confirm what steps you took? Was the main 1Password 8 window left open during the inactivity period? Did you notice anything happen after the 2 minute idle time? Thanks, looking forward to finding a solution with you! 👍🏻

  • verena
    Community Member

    Just updated to V8. When I command+Q quit the app and then restart it (on a Macbook Air 2020, Monterey 12.5.1.), it is UNLOCKED. When I quit the app with the command in the apps menu and then start it again, it is UNLOCKED. This is absolutely useless to me and unacceptable. I CAN and WILL NOT remember to press several buttons in order for a security app to actually be secure and locked! Pls do something about it asap!

  • Barryl
    Community Member

    I followed ag_tommy's suggestion. I disabled Keep 1Password in the Menu Bar setting and when I now hit command+Q the application fully quits.

  • verena
    Community Member

    Thank you, Barryl, that works.

  • Hi @verena,

    Glad to hear things are resolved! 🎉

    Thanks for the assist, @Barryl, very much appreciated. 😊

  • fseesink
    Community Member

    I am sorry, @andrew.l_1P, but this issue is clearly NOT "resolved". What you offered is a kludge at best, and a dangerous one to be frank.

    Disabling the setting Keep 1Password in the menu bar in Preferences | General is NOT the equivalent of what we had feature-wise in 1Password v7.

    I have been using 1Password since v3 back in 2009. And honestly, this is the first time I have wondered whether the new version is really an improvement. But I'll save that for later. For now let's focus on v7 vs. v8. Just note when AgileWebSolutions/AgileBits/1Password went from the customary pay-per-version model to the subscription model, I signed up early for a Family membership. So it's not like I'm not a loyal user or haven't been paying regularly for this software. And in relation to this, I'm coming from using 1Password 7 installed/updated via the Mac App Store to now having to manually visit/download the 1Password.com site to even get at v8. (Frankly, this may well be a godsend for most 1Password 7 users, as maybe they'll avoid this headache until such time as you all fix this.)

    Now, with 1Password 7 on my Macs, I logged into my account, at which point the menu bar icon would be launched. When I first tried to use a password, such as in a browser window (and I install the 1Password extension into every browser I have), I would be prompted to unlock 1Password with a popup from the menu bar icon, where I put in my own designated local password (not to be confused with the password used to unlock the 1Password for Families account, the one used in combination with the secret key). But more on that in a minute. Once unlocked, I could access my passwords as needed.

    However, the moment I quit 1Password in any form, it locked. This is a setting in 1Password 7 under the Security tab to [x] Lock when main window is closed. So if I closed the main 1Password window, it locked. If I quit 1Password, it locked. If I locked my screen, it locked. If I put my system to sleep, it locked.

    Now? Ok, now let me describe the process of upgrading to this new version. First was what I already mentioned. I had to MANUALLY do this, as you all don't have this app in the Mac App Store. There may be good reasons for this. Maybe Apple is being onerous about what kind of apps it allows (though v7 had no problem being there). Or maybe it's just 1Password doesn't want to pay Apple's vig. But it sure doesn't bode well, as the user experience isn't as smooth now. Luckily, I'm ok doing manual installs, as I manage a number of my systems with a personal Munki setup. But for regular users? Not sure this is a winning approach frankly. You've increased the friction level for users to get your product. Not smart.

    So with 1Password 8.9.4 installed, I went to fire it up. It showed my email address as the username and asked for my password. Only my password didn't work! Took me a minute to realize, but thankfully it occurred to me to try the 1Password for Families password. (Again, I'm lucky. I have more than one system. And I store my sensitive information in __? Yep, 1Password! Sure is a good thing I had more than one system, huh? Imagine any users with just one. They might just have screwed themselves. Did you all think this through?

    Ok, so first issue with v8 is that it no longer seems to have the local password feature that v7 has. There's one feature we used to have that is missing.

    Then came the big surprise. I was VERY surprised at one point after replacing 1Password 7 with 1Password 8 this evening to quit out of 1Password 8, then to click to bring it back up, and BAM! There it was, open for the world to see! It didn't lock! What the ??? That's not right. For YEARS this program properly locked up my information any time I quit or otherwise stepped away. Doing some testing, it became clear that if I logged out, locked the screen, or put my system to sleep, then it would lock my vaults. But otherwise closing 1Password did not do it. That is a serious change in behavior, and not for the better.

    This led me to going online, searching, and eventually landing on this thread. Now I am not done yet. I changed that setting you mentioned, so now 1Password 8 does not stay in the menu bar when I quit it. And yes, that works.

    HOWEVER, the workflow is wrong. If you then go into a browser, visit a page that wants login information, and you click the 1Password icon, you obviously don't get a menu bar popup to login, because there's nothing IN the menu bar. What you are prompted with is a popup on the icon itself in the browser that tells you "Press the 1Password icon in your browser's toolbar to unlock", since after all, you told 1Password not to keep itself in the menu bar. So here you better pray the user actually HAS the 1Password icon in their browser toolbar, as sometimes folks don't keep them there.

    So assuming it is, you now click on the 1Password icon in your browser's toolbar. This actually appears to fire up the 1Password 8 app for a second, and then it goes away. But you're left with the usual login screen. So you enter your password (again, the main one that in v7 was what you used in combination with the secret key to access your account online). Once you unlock 1Password, you can access your passwords as before.

    BUT... now 1Password doesn't even show as being IN USE!! It's NOT in the Dock (i.e., no black dot under its icon). And it's NOT even in the menu bar!! The only indication is the 1Password icon in the browser toolbar showing no lock symbol. THAT IS IT. So now YOU as the user have to ACTIVELY realize this as well as go pursue it, and then figure out just how from there to lock up your vault!!!

    Again, NOT as convenient OR secure as v7! Honestly, do you folks not test these features?? Anyone who doesn't notice this may well think that 1Password is not running, as it's quite easy to lose sight of a simple toolbar icon. Heck, until now, I never even really noticed the lock on the 1Password icon. And since you do not have a "Lock when main window is closed" anymore, the scarier part is that all of your secrets are there for the taking. Anyone can walk up to your system if you didn't lock the screen and access your passwords by simply clicking on your 1Password browser toolbar icon!! That is just nuts.

    Who honestly thought this was a better setup?? Seriously, this isn't a feature request. This is both an alert to a serious security flaw, as well as a request to put back features that used to exist; namely,

    • The ability to set a local password to lock up my vaults that isn't necessarily the one I use for the entire 1Password for Families account
    • The ability to install/update 1Password from the Mac App Store
    • The ability to lock up 1Password as I could with v7

    There's a fundamental concept in software development. You NEVER take away features, unless you are replacing them with something BETTER. In this case, all you've done is take away useful features and leave your users' data more vulnerable. Not cool.

    As it stands now, I feel like I have to revert back to using 1Password 7 until something is done. And it is actually making me consider, for the first time since I started using 1Password 13 years ago, whether I should at least look at alternatives such as BitWarden. And that, frankly, sucks. I was really hoping to like this new version. And I clearly had no issue paying for this or I would not have gone to the subscription model as early as I did. (I don't like subscriptions as a customer, but I also can put myself in others' shoes, and from a developer's perspective, subscriptions make sense. You can better gauge what all you can afford to tackle in the coming months/years. And as you have always continued adding features, this was one subscription I was ok with.)

    I would very much like to know what 1Password intends to do about this.

  • Barryl
    Community Member

    Well it's now Dec 10 and I've received a number of updates. Unfortunately none of the updates solve the quit not quitting issue.
    I disabled 1Password in the menu bar so that I at least feel that quitting is secure. However I get those annoying click on the 1Password icon in the menu bar messages whenever I focus on a password field. However there is no 1Password icon in the menu bar because I've disabled it.

    Security is down and getting around the issue results in functionality being down. I also have a family membership and would like to know what - if anything - is eventually going to be done.

  • donkeypagoda
    Community Member

    Bump on this thread - this is absolutely still a problem @andrew.l_1P and @ag_tommy. I re-installed latest today and it's still there. Both at my org and in my personal life, I'm amongst many users that are relying on quitting 1pass to actually quit.

  • Hi folks,

    Thanks for the bump, @donkeypagoda, and sharing these details about your use cases @Barryl and @fseesink. I understand the importance of this and while I don't have any updates to share at this time, I've made sure your comments here are connected to our internal tracker on the topic. We'll do our best to update this thread once we have more information but if you'd like to keep an eye on upcoming changes yourself, I recommend checking out the 1Password for Mac Beta Release Notes.

    Let me know if you have any questions!

    ref: dev/core/core#15295

  • Barryl
    Community Member

    So a few more months have passed and everyone's talking about the LastPass debacle and we still effectively have an insecure Mac client. Is there any way to get an answer to "is there any plan to fix the lack of security caused by 1Password not quitting like every other Mac application ever written?"

  • JohnDoee
    Community Member
    edited April 2023

    I'm using 1Password for the past few months. The version was 7. It was going quite good. Enough satisfied. Unfortunately, or by bad hell of my luck, I updated to version 8 and very much disappointed with this quitting problem. In V7, when I closed 1Password window on my Mac, it'd automatically lock itself. But V8 is not working like that. After that, I found this page and writing my comments now.
    It is now April 11, 2023 but still V8 does not work or have an option like "Lock when main window is closed".
    It's a great security issue for me. I just closed the 1Password window and opened it again and it required no log in/authentication. Wow.. great for eavesdrop/threat actors.
    I will stay updated on this article for a little more time and check my 1Password 8.
    I think I may have to take a hard decision on my password manager (currently) 1Password. Loved it (V7). But not V8.

  • @Barryl

    Thank you for following up, our team is still discussing this internally and I don't have any updates to share at this time. For the time being, you can continue to use the workaround that Tommy mentioned or lock 1Password manually using Command-Shift-L before quitting.

    @JohnDoee

    1Password stays unlocked even if the main window is closed so that you can still fill logins using Universal AutoFill and 1Password in the browser without having to unlock 1Password each time that you use those features. I personally wouldn't want 1Password to lock when I close the main window of the app since I'll usually continue to use 1Password in the browser. The desktop app and the extension both share a lock state so if the app locked after closing the main window, the browser extension would lock as well. You can have 1Password lock sooner by adjusting your auto-lock settings: How to set 1Password to lock automatically

    That all being said, I can definitely see how bringing the option to lock 1Password when the main window is closed to 1Password 8 would be useful to those who used that option in 1Password 7 and I've forwarded your request to our product team. 🙂

    -Dave

    ref: dev/core/core#15295
    ref: PB-32409230

  • JohnDoee
    Community Member

    Thanks for the reply and the considerations.
    @Dave_1P

    Besides, I also agree with the comments and have my respect. Quoted comments:

    I personally wouldn't want 1Password to lock when I close the main window of the app since I'll usually continue to use 1Password in the browser. The desktop app and the extension both share a lock state so if the app locked after closing the main window, the browser extension would lock as well.

    But I think it'd be great to give users the options that they want and just leave it to them. Such as, the default for "Lock when main window is closed" can be OFF and can be turned on if a user wants. Again, it would be great. Give us the option please. We want to select or turn off/on by ourselves.
    Also, thanks again for forwarding our requests to your product team.
    Looking forward to it.

  • Thank you again for the feedback. 🙂

    -Dave

  • Gin_Soda
    Community Member

    Bump

  • Gin_Soda
    Community Member

    Any hope for this?

  • Barryl
    Community Member

    I can only assume that this more than obvious security issue is of no concern to 1Password. The thread was started in Aug '22 and there's been no action on the issue.

    I currently do not put 1Password on the menu bar and Command-Q out to get around the 'remaining open' issue. However, I'm always plagued by prompts to click the icon on the menu bar ... which is not there.

    It seems to me that your choice of a different set of development tools has led to what I, and it seems others, consider a major security issue.

  • Barryl
    Community Member

    Wow, not even the typical "I'll pass this on to the developers" response. Now that passkeys are here I'm being constantly prompted to click on the 1Password icon on the menu bar. This is a good thing. The bad thing is that I can't show 1Password in the menu bar or the application will not lock down when I quit the main window.

    I can set the application to lock on sleep, etc. and after being idle for 1 minute ... but there is no way to have a setting to lock when the main window is closed?????

    Basically, I'm at the point where I'm working with a reduced feature set so that I can have a little security... somewhat pitiful.

This discussion has been closed.