1PasswordAnywhere extension

Gyran
Community Member
edited April 2014 in Lounge

Hi!
When I started using Linux at my work I really missed being able to fill out my passwords using 1Password. I know 1PasswordAnywhere exists and it is great, but I don't want to go to the 1PasswordAnywhere page and copy-paste whenever I need to log in, so I made this extension.

The extension uses the 1password data that is on dropbox and fills out the login forms the same way as the original extension. To be able to use it you need to be logged in on dropbox (and you have to sync 1password with dropbox). Then just go to a login page and click the extension and fill in your master password. The extension will then hopefully fill in the necessary fields and you can then just log in.
I hope it's ok to do something like this and it's currently not so good looking. But I thought I'd share what I've made so more people can benefit from it.

Hope you all like it, and if you have any suggestions or comments please do tell!

Just get the code from github and install the extension!
https://github.com/Gyran/chrome-1passwordanywhere-extension


Comments

  • jpgoldberg
    1Password Alumni

    Thank you very much for that, @Gyran‌.

    Please forgive me if I can't take a look at it just at the moment.

  • benfdc
    Community Member
    edited April 2014

    Speaking solely for myself, I certainly forgive you, @jpgoldberg. Indeed, my heart bleeds for you just at the moment. But it certainly would be wonderful if @Gyran’s work might form the basis for something that AgileBits could officially support.

  • Gyran
    Community Member

    No problem, I added a bit of styling so it looks a bit like 1password.
    Currently it seems like there is no way to install a packed extension directly from any page other than the Chrome Web Store. I use a couple of images and other stuff from the 1Password app, so if I don't break any rules and I get permission, could I also upload it there so it is easier for more people to try the extension?

  • Another1
    Community Member
    edited May 2014

    First off, much thanks to Gyran for creating this extension, for three reasons:

    1. It works on machines that have no 1password app deployed. In my office, Win 7 is deployed but draconian IT policies prohibit installing 'unauthorized applications' - I will be using this extension every day.
    2. It works on any machine NOW when dropbox is 'broken' for Agilebits extensions
    3. Gyran is incredibly helpful, when I had issues yesterday with the extension he responded promptly to emails and even joined a live web conference with me to debug and fix the issue on the spot.

    AgileBits ought to be suggesting this extension to users (fine, put a disclaimer in, but give users the option).

    It will take you 5 minutes to install and works today.

  • Gyran
    Community Member

    The extension is now in production status at Dropbox and published at the Chrome Web Store! Visit the GitHub if you want to browse the code to be sure everything is in order.
    Feedback and suggestions are greatly appreciated!

    https://chrome.google.com/webstore/detail/1passwordanywhere-extensi/mbgijoecaafppmdmlgjpahfhekafldfj

  • hawkmoth
    Community Member

    Cool! Thanks for the pointer. Almost makes me tempted to switch to Chrome.

  • hawkmoth
    Community Member
    edited May 2014

    And, 1PasswordAnywhere is back to working without any extra workarounds, as of not long ago today. (Not sure exactly when whatever fix they made went live.)

  • ajlowndes
    Community Member
    edited May 2014

    Gyran, thank you! On my work computer - which is locked down thanks to overzealous IT policies - I used to have two options: either (1) log into the Dropbox web interface, browse to and open the 1PasswordAnywhere file, type my vault password, find the login I want and copy/paste it to the other tab, or (2) open the 1Password app on my iPhone, tap in my vault password and find the login I want, then try to type it into the computer without making a mistake. Neither option was particularly nice or fast. This extension makes it just as easy as using my home computer! Thank you very much!

  • buggypac
    Community Member
    edited May 2014

    Nobody is creeped out by a third-party extension that has full access to all the decrypted data of your database, by directly reading and decrypting it via full access to your Dropbox? That's two security breaches for the price of none!

    I understand the frustration with having to copy-paste logins from 1PasswordAnywhere, and Gyran's solution is slick, but you're all trusting that he'll never sneak in a backdoor in an extension update.

    I am sure his heart is in the right place and that this is completely honest, but it's still a third party app reading all decrypted data, and that will forever be creepy no matter how good his track record turns out to be.

  • Gyran
    Community Member

    Glad that you find it helpful @ajlowndes‌!

    That's very true @buggypac‌, but you can always either look up the source code of the extension on GitHub or look at the source code of the extension when you download it. Because of that my source code will always be open and you will always be able to look at it before you use it.
    It would be much easier for AgileBits to include a backdoor that would send all your data to them (I don't think they ever will do that), but it would be harder for you to inspect whether there are any backdoors in the 1Password applications.

  • buggypac
    Community Member
    edited May 2014

    @Gyran Yep, even from your first post I'm convinced you're just a kind programmer who found a good solution for a problem he was having. Been there, done that myself. I'm glad you decided to release the code. I've checked your other GitHub projects and see IRC-related things and other geeky stuff, and a long history of having released good projects, so I'd rate the risk of you turning evil and releasing something bad in an auto-update to be very low.

    I like the work you've done on the 1PasswordAnywhere workaround, and the code shows that you've put a lot of work into this. I just wish you were AgileBits, since they're the only ones who should be doing this invasive stuff with customer data.

    Maybe @jpgoldberg sees a possibility of releasing an update to the official 1Password extension which adds the ability for it to connect to 1PasswordAnywhere over dropbox too. Then we'd also have their official form-filling code which is very accurate at filling forms correctly. It'd of course be up to him to judge the user experience and security implications (if any) of letting the official extension optionally connect to Dropbox.

    Even better: Perhaps they can release an "1Password Remote" extension, so that they don't clutter up the local-extension and confuse newbies with a new "Remotely connect to 1PasswordAnywhere via Dropbox?" option, which would be confusing in the normal extension ("is it using remote or local data?"). So if they fork their official extension and make two, where the 2nd just consists of the form-filling code, GUI, and some 1PasswordAnywhere-over-Dropbox connectivity, it'd be a great user experience for those who need work-computers to be able to read the database but aren't allowed to install full applications... Then again, perhaps they're happy with 1PasswordAnywhere's copy-paste solution for these use cases, since an extra extension is more work for them.

    Your technique for how to solve this via Dropbox was pretty damn cool, Gyran. I have to say that no matter what happens next. :)

  • jpgoldberg
    1Password Alumni

    I'm sorry that it's taken me so long to take a look at this, @Gyran‌.

    Really pretty code

    First let me thank you for your excellent coding practices in JavaScript. I wish that more JavaScript coders were even a tenth as good as you are at using JavaScript scoping to produce secure and robust code.

    The standard advice

    Your extension does handle a person's Master Password and so officially I have to say what I always say in these circumstances. We must advise people against entering their Master Password into anything that isn't 1Password. In saying so, I am not casting aspersions on either your competence or intentions; it is just something we pretty much have to say.

    No problems jump out at me.

    So with that out of the way, everything I've looked at (and I haven't studied all of it) in version 0.4 looks really nicely done and well handled.

    This system, of course, shares the security properties of 1PasswordAnywhere itself, and so like 1PasswordAnywhere, it should only be used when running a proper 1Password client itself isn't an option. Other than letting a third party extension handle your 1Password secrets (see the standard advice) I don't see any additional risk to this extension.

    Is making 1PasswordAnywhere too convenient a security issue?

    Using 1Password with the 1Password browser extension defends against potential attacks that 1PasswordAnywhere cannot defend against, and so I'm slightly concerned about something that makes 1PasswordAnywhere too convenient.

    Many (although not all) of the problems described in why crypto shouldn't be done in JavaScript apply to 1PasswordAnywhere. The biggest concern is that we can't defend against the possibility that an attacker has damaged your 1Password.html file in malicious ways. If an attacker gains write access to your data on Dropbox there is some mischief they can do with the Agile Keychain Format, but if they manage to modify the JavaScript used by 1PasswordAnywhere, then they can easily grab a copy of your 1Password Master Password (and they already have a copy of your encrypted data).

    There are additional issues in doing cryptography in JavaScript, mostly having to do with memory management of secrets, but also because the web browser provides a large attack surface. This is one of the reasons why in 1Password 4 we've removed almost all of the cryptography from the extension and put that into 1Password Mini.

    So 1PasswordAnywhere hasn't caught up with the kinds of security improvements we've made in 1Password 4. I'm not trying to scare people away from using 1PasswordAnywhere; it is great when one needs it. And for people who wish to make use of their 1Password data on operating systems for which there is no 1Password client, it is necessary. I'm just pointing out that it doesn't have all of the kinds of protections that can be built into a full client, and so I have to be wary of something that might encourage use of 1PasswordAnywhere in situations where a stronger option is available.

  • benfdc
    Community Member

    @jpgoldberg writes:

    I have to be wary of something that might encourage use of 1PasswordAnywhere in situations where a stronger option is available.

    One day, AgileBits may port 1Password to Linux and Chromebooks.

    Unless and until that happy day arrives, it would be wonderful if there were a way for AgileBits to put its imprimatur on Gyran’s code.

  • Gyran
    Community Member

    Thank you for having a look at it @jpgoldberg‌. My intention is not to replace the 1Password extension but to provide an alternative for those who can't or don't want to install 1Password on the local machine. I do understand that you have to advise people not to provide their Master Password to third-party software, but I hope that by having my code totally in the open it might bring some trust to the application.

    Is there a reason that comments by @benfdc‌ aren't shown?

  • buggypac
    Community Member
    edited May 2014

    @Gyran He's shadow-banned so that his posts only display for himself and for AgileBits staff. Check his posting history and you will see that you cannot see any of his regular posts, only his initial thread-starting posts: http://discussions.agilebits.com/discussion/comment/119837/#Comment_119837

    The same is true for all of his other posts: http://discussions.agilebits.com/profile/comments/50317/benfdc

    The second level after shadow-banning is a mode where not even he himself would be able to see his new posts (only staff could see them). This level is less underhanded than shadow-banning, since the user will see that their new posts aren't showing up and will realize that they've angered the Gods.

    The third level is an actual ban (closing the account).

    The wonders of modern forum software and multiple ban-levels! :D

    Now, regarding your extension: I concur with jpgoldberg's analysis that the code is exceptionally well-written. You've also got a track record of releasing geeky tools and strike me as a hobbyist, not an evil guy. That being said, it's a bad idea to enter your Master Password into anyone's third-party program. You are a good guy, but good people sometimes get compromised or do bad things, and that's why third parties are not supposed to have access to any of this. It also intrigues me that AgileBits wants to discourage use of 1PasswordAnywhere due to the risks of doing JavaScript crypto (master keys resident in browser memory; the ease of modifying the JavaScript of the HTML file to steal the master key after entering it, etc.). I can completely stand behind that reasoning, and I fully see why this wouldn't be encouraged as an official extension anytime soon. These caveats aside, I'm impressed by your work and wish you all the best, Gyran.

  • Gyran
    Community Member

    Glad that you all like my coding style :\">

    Most of the stuff @jpgoldberg‌ talked about doesn't concern the extension. The only thing the extension has in common with 1PasswordAnywhere is the name and some of the code (copied, so if 1PasswordAnywhere is compromised the extension is not). The extension uses the raw 1Password data and doesn't rely on the 1Password.html file in any way, so if an attacker gets write access to your Dropbox you are still safe using the extension. The only thing the extension doesn't protect against is some of the JavaScript crypto stuff.
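jpgoldberg's concern above (anyone who can write to the synced Dropbox folder can alter the JavaScript in 1Password.html and capture the Master Password as it is typed) and Gyran's reply (the extension treats the synced folder as data only) come down to the same trust split between code and data. As an added example that is not from the thread, the extension or AgileBits, here is a Python integrity gate in that spirit: the bundle's code is pinned to known-good SHA-256 digests, its data is free to change on every sync, and any new script-bearing file that appears is flagged. The .agilekeychain layout, file names and contents are constructed for the example.

```python
"""Integrity gate for a Dropbox-synced 1PasswordAnywhere bundle.

Code files inside the bundle (1Password.html) must never change behind the
user's back; data files change on every sync. The gate pins the code to
known-good SHA-256 digests, leaves the data alone, and flags any new
script-bearing file. Layout and contents below are constructed.
"""
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

# Suffixes a browser would execute if the file were opened or loaded as a script.
CODE_SUFFIXES = {".html", ".htm", ".js"}
# Data files that carry a .js suffix but hold JSON, not code (assumed layout;
# these are rewritten whenever the vault syncs, so they are not pinned).
DATA_FILES = {"data/default/contents.js", "data/default/encryptionKeys.js"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_bundle(root, pinned: dict) -> list:
    """Return sorted findings for the bundle at root; [] means the code is intact.

    pinned maps bundle-relative code paths (e.g. "1Password.html") to the
    SHA-256 hex digest recorded when that copy was known to be good.
    """
    root_path = Path(root)
    findings = []
    # 1. Every pinned code file must exist and be byte-identical to its pin.
    for rel, digest in pinned.items():
        p = root_path / rel
        if not p.is_file():
            findings.append(f"missing pinned file: {rel}")
        elif not hmac.compare_digest(sha256_file(p), digest):
            findings.append(f"modified code: {rel}")
    # 2. No script-bearing file may exist that is neither pinned nor known data.
    for dirpath, _, files in os.walk(root_path):
        for name in files:
            rel = (Path(dirpath) / name).relative_to(root_path).as_posix()
            if (Path(name).suffix.lower() in CODE_SUFFIXES
                    and rel not in pinned and rel not in DATA_FILES):
                findings.append(f"unexpected script-bearing file: {rel}")
    return sorted(findings)


def demo() -> dict:
    """Build a constructed bundle, pin it, then run the gate through a clean
    sync, a tampered 1Password.html and a dropped-in script file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "1Password.agilekeychain"
        data = root / "data" / "default"
        data.mkdir(parents=True)
        (root / "1Password.html").write_text("<html><script>/* viewer */</script></html>")
        (data / "encryptionKeys.js").write_text('{"list": []}')
        (data / "contents.js").write_text("[]")
        pinned = {"1Password.html": sha256_file(root / "1Password.html")}
        results = {"clean": check_bundle(root, pinned)}
        # A normal sync rewrites data only: still clean.
        (data / "contents.js").write_text('[["u1", "webforms.WebForm", "example"]]')
        results["data_synced"] = check_bundle(root, pinned)
        # Someone with write access edits the viewer's JavaScript: caught by the pin.
        (root / "1Password.html").write_text("<html><script>/* altered */</script></html>")
        results["tampered_html"] = check_bundle(root, pinned)
        # An extra script file appears beside the data: flagged as unexpected.
        (data / "extra.js").write_text("// not part of the bundle")
        results["extra_script"] = check_bundle(root, pinned)
    return results
```

The pin has to be taken from a copy obtained out of band (the original download), not from whatever is currently in the synced folder, or the gate only confirms the folder agrees with itself.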

  • buggypac
    Community Member

    @Gyran Nice! I'm impressed to hear that you've avoided the "modified HTML/JavaScript" attack. You're a clever guy. Keep up the good work :)

  • buggypac
    Community Member

    In good news, benfdc is no longer shadow-banned.

  • benfdc
    Community Member

    Easy for you to say, @buggypac. I now no longer know what evil lurks in the hearts of men!

    In all seriousness though, thanks for your post #16, which may have helped to get the ball rolling on resolving the situation. There was a minor misunderstanding that was easily cleared up with the benefit of good will all around, which was (and is) in plentiful supply.

  • buggypac
    Community Member
    edited May 2014

    @benfdc‌ I am happy to hear it. You're a valued member. :)>-

  • benfdc
    Community Member

    :\">

  • benfdc
    Community Member

    @buggypac wrote:

    I fully see why this wouldn't be encouraged as an official extension anytime soon.

    I wonder if you could elaborate on that. @jpgoldberg wrote in #13 above:

    Other than letting a third party extension handle your 1Password secrets (see the standard advice) I don't see any additional risk to this extension.

    Like you, I understand 100% why AgileBits cannot stand behind third-party extensions. However, if AgileBits were to put its imprimatur on a Chrome extension along the lines of @Gyran's for use on Linux and Chromebooks unless and until native 1Password clients are released on those platforms, then it would no longer be a third-party extension and the objection goes away. If the Chrome extension is no more vulnerable than 1Password.html (and it may well be less vulnerable to attacks like shoulder-surfing and clipboard hijacking), I don't see a conceptual problem.

    AgileBits dropped File > Export Selected… > Encrypted Web Page from 1Password 3 several years ago when it determined that the technology was insufficiently secure. I disagreed with that judgment call at the time, but the concerns were legitimate. (I also kept a copy of 1Password 3.5 on my machine for occasions when I wanted to use that export function or the also-dropped File > Export All… > Palm/Treo function.) At some point, AgileBits may make the same determination vis-à-vis 1Password.html. Unless and until that happens, I don’t see a principled reason why a Chrome extension could not be supported.

  • khad
    1Password Alumni

    [I'm cross-posting in both threads where you asked about this for the benefit of those only following one thread. Sorry for the noise.]

    Thanks for asking about this, @benfdc.

    From a security perspective, we cannot in good conscience recommend a solution that we haven’t written ourselves. It puts all (or much) of the risk on ourselves and only helps customers if we can guarantee that there is no risk for them now or in the future (which we cannot).

    The post you reference, which @jpgoldberg‌ wrote on May 12, 2014, outlines our official position. We are happy to give compliments where they are due while continuing to correctly indicate that we can’t recommend any non-1Password solution from a security perspective.

    I'm sorry if that wasn't the answer you were looking for, but I hope you can understand the reasons for this.

  • benfdc
    Community Member
    edited June 2014

    we cannot in good conscience recommend a solution that we haven’t written ourselves.

    I’m having trouble understanding your reasoning, @Khad. “Not invented here” is not relevant. The question isn’t who wrote the code, but who controls the code. Obviously, AgileBits can only put its imprimatur on code that it controls.

    I gather that the code for the "diceword-ish" password generator currently incorporated in the 1P/Win beta came from outside of AgileBits.

    More generally, 1Password is built atop libraries that you did not write yourselves.

  • khad
    1Password Alumni

    You're correct. "Not invented here" is not relevant. You are also correct when you state that it is about who controls the code. Using a library in our code puts a static copy of it in our control. That is wholly different than putting our imprimatur on someone else's project which is what it appeared to me you were asking for. Perhaps your definition of imprimatur differs from my understanding of the term from my religious studies.

    If you're asking us to fork someone else's project and claim it as our own, I think that is a different question and one we would also not give an affirmative answer to at this time.

  • benfdc
    Community Member
    edited June 2014

    Fork, collaborate, whatever. That's for AgileBits, or AgileBits and @Gyran, to figure out. (I could not tell from the GitHub page what sort of license @Gyran has put on his code.) Moreover, I am not asking AgileBits to commit to vaporware, or to negotiate in public.

    I’m just saying, from the perspective of a 1Password user, that this is something that I would hope is being pursued, because it seems to me to be something well worth pursuing. You already have free 1Password keychain readers. 1Password.html is one, and it is my understanding that unregistered copies of the downloaded app become readers after the trial period expires. A supported Chrome extension that worked under Linux and on Chromebooks would just be another species of reader. And as @mshallop‌ pointed out in another thread, the Chrome extension would be of greatest use to your paying customers, who would need to own a licensed copy of 1Password on some other platform in order to manage their keychain(s).

  • khad
    1Password Alumni
    edited June 2014

    Duly noted. Note also, though, that there are loads of reader apps written by other folks that we cannot put our seal of approval on. I know you've read it before, but for those following along at home, I think now may not be a bad time for a [re]read of our blog post on this subject:

    You have secrets; we don’t. Why our data format is public

    In particular, I want to draw attention to the points @jpgoldberg‌ made there (emphasis added):

    Recently there’s been progress on third party tools and applications that can read 1Password data, and there are some important factors to consider about these tools:

    • Third party tools for reading 1Password data do not reflect a “break” in 1Password. They, like 1Password, require your Master Password in order to read your data.
    • We have to advise you to never enter your 1Password Master Password into anything that isn’t 1Password. We aren’t casting aspersions on the integrity or competence of any developers, but we simply can’t advise otherwise.
    • Third party tools are “third party”. Although we may sometimes help them understand the details of our data format, they are entirely independent of AgileBits. The fact that we may maintain a good relationship with them is not an endorsement of what they produce.
    • Third party tools exemplify the fact that there is no data lock in with 1Password.

    Our format is open for a reason, but that doesn't mean we can put our seal of approval on these sorts of projects as they come along. I understand that you may be pointing to this particular project as one worthy of a special exception, but as of right now that isn't a path we are planning to head down. Perhaps this will change in the future, and we really appreciate you letting us know you're interested in this!

  • benfdc
    Community Member
    edited June 2014

    I am not arguing for AgileBits to make a special exception to its “no endorsements of third-party apps” policy. That policy is self-evidently sound.

    What I am doing is taking note of the fact that, thanks to @Gyran’s work, we now know that a Chrome extension that functions without a native app is feasible. That being the case, I am urging AgileBits to publish its own extension, perhaps but not necessarily in coordination with @Gyran. This would be especially valuable as an option for your users with Chromebooks, where there is no WINE-based workaround.

  • khad
    1Password Alumni

    You're right that there is not a solution from AgileBits for Chromebooks at this time apart from 1PasswordAnywhere, which is not as robust as @gyran's solution. We're glad that 1Password's format is open and allows for something like that to exist, but it would take resources we don't have at the moment to thoroughly vet it (and perhaps even maintain it) if we were to officially sanction it. That's not to say this won't change someday, but, as you know, we try to steer away from discussing future plans. :)

  • benfdc
    Community Member
    edited June 2014

    Limited resources will always be an issue. Especially if one factors in that @Gyran’s code, like 1Password.html, is based on the legacy keychain. I do believe that AgileBits is “on the record” as working on some sort of 1PasswordAnywhere functionality for the 1P/4 keychain.

    Anyway, all I can do is lay out how things appear from where I sit, which is outside looking in. Thanks for listening, and for giving us as much of a sense as you have about how the picture looks from your side.

    p.s. Speaking of future plans, I note that Apple’s newly-announced iCloud Drive, despite the On all your devices tagline, and unlike Dropbox, apparently will not support Linux or Android.

This discussion has been closed.