How secure is 1P build with Electron?

dvmierlo · September 2022

Hello 1Password team,

On the Bleeping Computer article Microsoft Teams stores auth tokens as cleartext in Windows, Linux, Macs (https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs) I read the following:

“Electron does not support encryption or protected file locations by default, so while the software framework is versatile and easy to use, it is not considered secure enough for developing mission-critical products unless extensive customization and additional work is applied.”

Since 1Password 8 is build with Electron, how much “extensive customization“ has been made to make it absolutely secure? How can I as customer be convinced of this before I switch over to this version?

Regards, Dennis

Ben · September 2022

Hi @dvmierlo

Thanks for taking the time to write with this concern. We'd be happy to talk about our use of Electron, and how we've made sure 1Password continues to be a secure offering. There are a number of factors that have gone into this. First and foremost, it is worth noting that we're essentially only using Electron for the UI for our desktop apps. The business logic is handled in a common core built in Rust. One of our founders, Dave, wrote about this structure, here:

dvmierlo · September 2022

Hi Ben,

Thank you for your reply. I will have reading to do :-) It is very good to hear 1Password is open about this.

Lot’s of greetings,

Dennis

Ben · September 2022

Happy to help. 😀 If we can be of further assistance, please don't hesitate to contact us.

Ben

How secure is 1P build with Electron?

Comments

Behind the scenes of 1Password for Linux | by Dave Teare | Medium

electron-hardener/README.md at main · 1Password/electron-hardener · GitHub

1Password Security Design