CLI GET/EDIT Method Security Concern

1PassUser39398
1PassUser39398
Community Member
in CLI

When using the 1Password CLI, why does doing a GET or EDIT on an item return the item with the password in plain text? Wouldn't it make sense to add a --response none flag?

Even on the front-end UI, if a user is authorized to see the PW, it's not displayed in plain text; you have to actively click to show it.

I'm unsure if templates could solve it, and even if they could, it's a lot more work for an Admin to make a change to all items (eg. changing the url):
1: A command to create a template off of the current item in question
2: Edit the item (eg. URL)
3: Then use the item edit command to make the update
4: Delete the JSON template and move on to the next item

Can someone from the Product team respond as to why it was setup this way?

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

Comments

  • david.m_1P
    david.m_1P

    Hi @1PassUser39398, thanks for reaching out!

    I'll be happy to submit a feature request for a flag option to conceal passwords when using the CLI! Can you tell me a bit more about how you're using the CLI in your workflow and why this is causing concern? I can then share your feedback with our Product team, so that they have a better insight into what you're trying to accomplish and how the flag will improve your experience.

    I look forward to hearing from you!

    -David

  • 1PassUser39398
    1PassUser39398
    Community Member

    Hi David, the use case is fairly simple. One of our vendors changed their apex domain so we now need to iterate through thousands of credentials updating the URL. To my surprise, when the EDIT command is used, the URL is updated, but the entire item is given in the response with the password in plain text. In your document on this page, you state "Caution: Command arguments can be visible to other processes on your machine". If responses are also visible (or logged), whether natively or using malware, the CLI becomes insecure.

  • david.m_1P
    david.m_1P

    @1PassUser39398

    I appreciate you sharing those details! Our team is looking into improvements for handling concealed fields with 1Password CLI. I've submitted your request to the Product team, so that they can consider adding a flag for concealing sensitive fields when running 1Password CLI commands.

    I'm unable to provide any information on when this may be released, but it will be noted in our release notes if it is implemented.

    Let me know if there's anything else I can help with!

    -David

    ref: PB-40901593
    ref: dev/b5/op#4158