Viewing pdf attachments on PC

Hi,

I normally use 1Password on Mac devices, and viewing attachments on those is simple. On my work PC however, it's not so obvious: I have pdf scans of passports for example, attached to passport entries which appear in the wallet section.

If I open the passport, there's no sign of the attachment. Single-clicking on the item in the list of all wallet entries does show it as an attachment, but to view it, it looks like I need to 'save as', which half defeats the point of trying to keep things secure!

Am I missing something, or is this a bug?

Any help / advice gratefully received.
Anthony

Comments

  • anthonyinsing
    Community Member
    edited October 2014

    Many thanks for this @RichardPayne. Surprised I didn't find these when searching the forums yesterday!

    Having read both, as a non-techie, I can understand the challenges involved and agree with the principle of @mikeT's final post on https://discussions.agilebits.com/discussion/comment/138127/#Comment_138127 that 1Password should remain focused on its core function.

    Guess I'm lucky that I primarily use 1Password on OS X and iOS which does enable me to easily see attachments.

    For the record, I'm a relatively new 1Password user and whilst it hasn't 'transformed my life', it's made one part of it a great deal easier and given me huge peace of mind. Keep up the good work guys, and please remember that the vast majority of users will not have advanced IT skills, so all functions should be designed with the majority of customers in mind, not a minority who want a product / service to do something it wasn't designed for.

  • Drew_AG
    1Password Alumni

    Hi @anthonyinsing,

    Thanks for your feedback about this! As you've probably discovered, viewing attachments stored in 1Password is a bit more complex of a topic than it seems. ;)

    I'm happy to hear you're enjoying 1Password on Mac, iOS, and Windows. If you ever need anything else, we're here for you!

  • Psychor
    Community Member
    edited November 2014

    Hi,

    A simple secure attachment viewer would be nice. While I understand the argument "If we add X, someone will then want Y", that in and of itself doesn't justify not adding X. Adding a secure means for viewing images, even if the formats supported (e.g., JPG, GIF & PNG would cover the majority) are limited, and text files would be great. This and the ability to edit attachments from within the application is one feature I miss from KeePass.

    Thank you.

  • @Psychor

    If I understand Windows's underlying infrastructure correctly, the editing feature that KeePass has creates the same potential security drawbacks as viewing an attachment without a built-in viewer component:
    You have to create a copy of the attachment in a temporary location, edit the item, save the changes, and re-add it to the database.
    This would most likely put the temporary file out of the purview of the user, resulting in undesirable behaviour.

    As you all might've seen in the other threads, we're aware of this request and are investigating ways to implement this without compromising security or convenience, while also not losing sight of what 1Password is: a password manager and an encrypted information database.

  • DBrown
    1Password Alumni

    I don't know about KeePass, but any mechanism in which a copy of a file is created (so you can view it), and you either don't know where or don't have easy access to the copy, is inherently less secure than a mechanism in which you decide where to create the copy (so you can decide what to do with it when you finish viewing it).

    I'm not saying a built-in viewer wouldn't be more convenient, just that it would be less secure. So far, we've opted for security over convenience.

  • RichardPayne
    Community Member

    and you either don't know where or don't have easy access to the copy, is inherently less secure than a mechanism in which you decide where to create the copy (so you can decide what to do with it when you finish viewing it).

    I'd agree where the user does have access to the saved copy. However, I strongly disagree otherwise. While your position might be true for technically savvy and conscientious users, as you expand your market to regular users I guarantee that they will save it, open it and then forget about it a large proportion of the time. Having 1Password manage the clearing of old files automatically is far safer in my opinion.

  • DBrown
    1Password Alumni

    Thanks, @RichardPayne. I have to say that opinion among the Windows team on this issue is fairly strong.

  • RichardPayne
    Community Member

    I have to say that opinion among the Windows team on this issue is fairly strong.

    Strong and unified or strong and varied?

  • DBrown
    1Password Alumni

    Strong and "as seen in the forums." :)

  • RichardPayne
    Community Member

    Strong and "as seen in the forums." :)

    That doesn't answer my question.

  • DBrown
    1Password Alumni

    It should, as most of us have expressed our opinions in the forums.

    I'd say it happens that our opinions are similar, though (as stated earlier) we understand that some people would give precedence to a convenient solution over the secure solution currently in place.

  • RichardPayne
    Community Member

    Saying that the opinions were all expressed on the forum doesn't tell me if the opinions given were all generally in concordance. Does the Windows team strongly agree on a position or strongly disagree?

  • DBrown
    1Password Alumni
    edited November 2014

    I can't speak for the others, Richard, so I'll say again that our opinions happen to be similar.

    As for the strength of each person's opinion, my impression (based only on the opinions expressed in the forum not having changed much over the years this topic has been discussed) is that they're at least fairly strong.

    More to the point, though, we speak as the 1Password for Windows team, a subset of the AgileBits team, so you're likely to hear little that differs much from what we've decided as a team to implement.

  • RichardPayne
    Community Member

    so I'll say again that our opinions happen to be similar.

    That's what I was looking for. Sorry that I missed it on your previous post.

  • Psychor
    Community Member
    edited November 2014

    If I understand Windows's underlying infrastructure correctly, the editing feature that KeePass has creates the same potential security drawbacks as viewing an attachment without a built-in viewer component: You have to create a copy of the attachment in a temporary location, edit the item, save the changes, and re-add it to the database. This would most likely put the temporary file out of the purview of the user, resulting in undesirable behaviour.

    As you all might've seen in the other threads, we're aware of this request and are investigating ways to implement this without compromising security or convenience, while also not losing sight of what 1Password is: a password manager and an encrypted information database.

    @AlexHoffmann

    Thanks for taking the time to respond. The following, I believe, is how KeePass handles attachments: "When trying to open an entry attachment that the built-in editor/viewer cannot handle, KeePass now extracts the attachment to a (EFS-encrypted) temporary file and opens it using the default application associated with this file; afterwards the user can choose between importing/discarding changes and KeePass deletes the temporary file securely." I don't know if that helps or not.

    Assuming, arguendo, that the KeePass solution doesn't differ from having a user perform the same steps manually, I'd argue that having it done by the application is still more secure because it requires less from the user yet at the same time doesn't preclude the user from being involved. I don't see how storing a file in a temporary location puts the file out of the purview of the user - a user would simply need to know where to look should they wish to access the temporary file prior to it being properly destroyed.

    As you all might've seen in the other threads, we're aware of this request and are investigating ways to implement this without compromising security or convenience...

    Great.

This discussion has been closed.
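
The application-managed temporary copy debated in this thread (extract, open in an external viewer, import or discard changes, then clean up), shown as an added Python example; it is not code from 1Password or KeePass. The names `view_attachment` and `open_in_viewer` are hypothetical, the viewer callback is assumed to block until the viewer exits, the EFS encryption mentioned in the KeePass quote is not reproduced, and the overwrite step is best effort only.

```python
import hashlib
import os
import shutil
import tempfile


def _digest(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).digest()


def _overwrite(path):
    # Best effort: SSD wear levelling, journaling and snapshots can keep old blocks.
    with open(path, "r+b") as f:
        f.write(b"\0" * os.path.getsize(path))
        f.flush()
        os.fsync(f.fileno())


def view_attachment(name, data, open_in_viewer):
    """Expose `data` as a private temp file for the duration of the viewer call.

    Returns the edited bytes if the viewer changed the file (the caller decides
    whether to import them), otherwise None. The temp copy is always removed.
    """
    workdir = tempfile.mkdtemp(prefix="attachment-")  # owner-only directory
    # basename() stops a hostile attachment name from escaping workdir.
    path = os.path.join(workdir, os.path.basename(name) or "attachment")
    try:
        flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_BINARY", 0)
        with os.fdopen(os.open(path, flags, 0o600), "wb") as f:
            f.write(data)
        before = _digest(path)
        open_in_viewer(path)  # assumed to block until the viewer has exited
        if _digest(path) != before:
            with open(path, "rb") as f:
                return f.read()
        return None
    finally:
        # Viewers often leave backup or lock files beside the original; wipe them too.
        with os.scandir(workdir) as entries:
            for entry in entries:
                if entry.is_file(follow_symlinks=False):
                    _overwrite(entry.path)
        shutil.rmtree(workdir, ignore_errors=True)
```

Cleanup runs in `finally`, so it still happens when the viewer raises; it cannot cover copies the viewer itself makes elsewhere, such as recent-file caches or autosave folders.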