"Minimize" feedback -- bug?

ken_

I was looking for a keyboard shortcut for locking 1Password (version 4.4.3, since I haven't upgraded to Yosemite yet), and I didn't think to look in the application menu, so I came across Minimize. I tried it, and sure enough, when I double-click the titlebar or hit command-M, the entire 1Password window turns into the gray "locked" view, and then it minimizes into the dock. It appears in the dock as the gray "locked" window. Success! Right?

Then I clicked the window in the dock, and it expanded, and instantly unlocked, without me typing the master password.

This is kind of worrisome. I'd always assumed that once I see the gray "locked" window, that everything is secure. Apparently that isn't true.

Jasper

Hi @ken_,

When minimizing 1Password, the lock screen shown is only a UI change (it does not actually lock/encrypt your data). I believe we do this so the operating system doesn't cache the unlocked screen, which could contain private data.

If you'd like to lock 1Password, we have a keyboard shortcut for that: ⌃⌥⌘L (Control+Option+Command+L)

You can also take a look at the auto-lock settings under Preferences > Security and choose when 1Password should lock on its own.

Please let us know if you have any other questions. We're always happy to help!

ken_

Hi JasperP. Thanks for responding.

It makes sense that you'd not want to cache the unlocked screen, though I don't claim to understand the technical aspects of that. (Doesn't the operating system already cache the content of non-minimized windows, too, like on the Mission Control screen?)

But the phrase "only a UI change" is strange, especially in this context. Isn't the whole purpose of the UI to show the state of the application? Why does it show the locked-and-secure UI when it's not actually locked?

Given the requirement that minimized windows can't use the normal window, I would expect in this situation for it to show a third state, which looks mostly like the "unlocked" state but without actually showing any private data. Dock icons are tiny so you could greek out all the text and icons, for example, and nobody would be able to tell during normal use, while the private data would not contain anything useful, even on the off chance that somebody malicious got ahold of the GPU cache.

Even disallowing minimization altogether seems like it would be preferable to what it does now, since that wouldn't be misleading to the user.

I'm nervous to use 1Password now, because I have several times looked up a password, minimized the window, and walked away from my computer, thinking it was locked. This seems like it would be a much easier exploit path than trying to extract sensitive data from a cached bitmap.

littlebobbytables

Hi @ken_‌

I've looked at our history of bug reports and it turns out we do this because of the caching done by OS X. It was returning a glimpse of the open vault when maximised, even if the timers meant the vault had locked since it had been minimised. The fix was to switch to the lock screen so that was cached instead. It wasn't the small minimised icon but the full screen we were worried about.

Of course that doesn't help if people like yourself interpret the UI change as meaning it is locked when it isn't. So I think that's something we'll have our developers mull over and see what they think.

Hopefully you found JasperP's post helpful though. The keyboard shortcut he referenced can even be altered to suit your needs (it can be change in the General tab of 1Password's preferences). As well as the keyboard shortcut for locking your vault you can tweak the locking behaviour in the Security tab, again as JasperP mentioned. Between those I'd hope you wouldn't be nervous about using 1Password going forward.

ref: OPM-2680

ken_

Hi LBT,

I appreciate the response. Unfortunately, I'm having trouble getting the keyboard shortcut to work, too.

First, I thought I'd be clever and make the lock shortcut command-M, but 1Password tells me that's already used. Interestingly, that's the only dialog box in the application that seems to not be localized (in Japanese, anyway).

Then I noticed something strange. When I first launch 1Password 4, the keyboard shortcut for Lock in the menu is shown as control-option-command-L. When I open the preferences window, it's shown there as control-option-command-N, and now the menu no longer has a shortcut showing for Lock. At this point, neither control-option-command-N nor control-option-command-L work to lock it.

I can change the lock keyboard shortcut to something new, and then it works, but the new shortcut is never shown in the menu. If I relaunch 1Password 4, the keyboard shortcut works, but again stops working if I ever open the preferences window.

I don't know if it's relevant, but I will note that on my Dvorak layout, pressing the key labeled "L" on my Mac's keyboard produces the letter "N" on the screen.

ken_

Upon further inspection, I can't figure out how the auto-lock is supposed to work, either.

I have 1Password 4, and in the preferences, I have all the auto-lock checkboxes checked, including locking when the main window is closed. That one seems pretty self-explanatory, and the description in the user manual seems to confirm that it should do just what it says.

In the main window, I type my password to unlock it. Then I click the red close-box to close the window. It's now locked, right? In the preferences window, the auto-lock options are dimmed, suggesting to me that even though the main window is closed, it's in the "locked" state. (That's what the preferences do when I explicitly click the lock icon.)

Then I choose "1Password" from the Window menu, and a main window appears again, but it's a strange main window. The left side is all visible, but when I click on any item, the right side just shows the 1Password name/logo. Clicking the lock icon at the top of the window doesn't do anything.

It's not letting me see passwords, but it lets me see all services and usernames. On the duplicate password screen, it shows the accounts I have which use the same password, and the first 3 characters of that password. I would call that "not fully locked".

Even worse, if an item was selected (and showing all its private data on the right side) before closing the main window, when I re-open it, that data is still visible. I can hold down "option" and see the password.

That is, I'm doing: 1. Ensure "Lock when main window is closed" is checked. 2. Unlock. 3. Close main window. 4. Re-open main window. 5. Hold down 'option' key. 6. See password.

That seems bad.

littlebobbytables

@ken_‌

Well there are a few things in there to address.

Lets start with the Lock when main window is closed security option. I'm suspecting, given some of what you wrote, that you're closing the main window while the preference window is open. The preference window is stopping the main application from closing properly and so 1Password hasn't actually closed. Do you keep 1Password permanently in your dock? If you do you can tell if the main program is still running by the little light indicator (as shown below - my dock is on the left hence that screenshot).

If the light white rectangle is present 1Password hasn't closed. Could this explain what you're seeing? If 1Password is allowed to properly close it behaves as expected, for me at least. Also, if it hasn't locked then the option key would reveal the passwords as it is meant to. Does this tally with how you were experimenting at all?

Now for the keyboard shortcuts.

1Password won't let you use a keyboard combination that is already in use so that would explain why ⌘M isn't allowed. Certain third party programs are known to interfere but you can also check in System Preferences > Keyboard > Shortcuts as to which ones OS X will react to.

The ⌃⌥⌘N/L is definitely related to your use of the Dvorak layout and I can replicate that. If I open and close the preferences whilst changing keyboards it alters what is displayed so that it matches. So the shortcut is mapped to a physical key and showing what the correct combination to achieve it is. I assume there is a reason why it's done this way but I'd have to ask the developers.

What I couldn't replicate is the intermittent behaviour of this or to have the keyboard shortcut be blank. I could only get mine to either show the shortcut required e.g. ⌃⌥⌘L or Click to record shortcut or Type shortcut. Can you supply a screenshot of that please while we investigate a little further. Can I ask, do you routinely jump between keyboard layouts at all or do you only have one installed?

ken_

1. Lock when main window is closed.

"I'm suspecting, given some of what you wrote, that you're closing the main window while the preference window is open."

Yes, this seems to explain what I'm seeing.

"The preference window is stopping the main application from closing properly and so 1Password hasn't actually closed."

I think there's a terminology issue, then. On the Mac, windows close; applications quit. (I remember Steve making fun of the phrase "close an application" in a keynote once, even.) 1Password is even specifically saying "Main window closes", not "Application quits" or "All windows close" or "Main window closes (and preferences window isn't also open)", or even "Application closes" (sic).

Regardless of whether this is intended locking behavior, I think the 'not-quite-locked not-quite-unlocked' window is clearly a bug. The app is mostly non-functional, until I quit and restart it.

2. Keyboard shortcuts.

"1Password won't let you use a keyboard combination that is already in use so that would explain why ⌘M isn't allowed."

Yeah, I thought it was a long shot. I just wanted to document everything I did, in case this was something that might have triggered the other weird behavior I was seeing.

"If I open and close the preferences whilst changing keyboards it alters what is displayed so that it matches. So the shortcut is mapped to a physical key and showing what the correct combination to achieve it is."

It's not clear to me, but it sounds like you're saying that 1Password takes the keyboard shortcut I type, then reverse-maps the keystroke to a physical key label, and shows that physical key label in the UI (but only when I close and re-open the preferences window). If so, that is pretty bizarre behavior that I've never seen in any other app, even Mac apps that let the user remap keyboard shortcuts, like Xcode. I can't imagine why that would ever be desired behavior. It's certainly not expected. It kind of defeats the entire purpose of letting the user choose a keyboard layout. It's essentially "Sometimes, we'll just ignore your layout and pretend what you really wanted was QWERTY."

"What I couldn't replicate is the intermittent behaviour of this or to have the keyboard shortcut be blank. I could only get mine to either show the shortcut required e.g. ⌃⌥⌘L or Click to record shortcut or Type shortcut. Can you supply a screenshot of that please while we investigate a little further."

The shortcut goes blank in the application menu, not the preferences window.

I can see about getting a screenshot/video later if you want.

"Can I ask, do you routinely jump between keyboard layouts at all or do you only have one installed?"

I routinely jump between Dvorak and Hiragana (Kotoeri, with 英字のレイアウト set to Dvorak). I don't use any non-Dvorak alphabetic layouts, though. In any layout I use, holding the command key and pressing the key that is 2 keys to the right of "caps lock" is always command-O, for example.

littlebobbytables

@ken_‌

1. This should be resolved in the next release. I've personally never used that particular lock behaviour before so thank you for bringing it to our attention.
2. This will take a bit of investigating I'm afraid. I'm being told we try to get OS X to do as much as possible when it comes to shortcuts, the idea being that we behave as OS X does. Your additional comments do make it clearer where the issue lies though so you can ignore the screenshot request if you wish.

Until a fix is issued for 1. the only advice I can give is to not keep the preferences window open during normal usage. I don't have a workaround for the second. Sorry it isn't better news.

ref: OPM-2688

ken_

Thanks, LBT. I appreciate the response.

I still think 1Password is a pretty good program, and I'll probably buy a license when my free trial is up. I'll just have to remember to be careful with locking it, because that part of the design is not quite as simple as I had assumed it would be.

cheers,

Megan

Hi @ken_,

I'm glad to hear that @littlebobbytables‌ was able to help you out. I'm sorry that you don't find the design quite as simple as you had hoped. If there is anything else we can do, we're here for you!