Feature request: Import from clipboard
I'm looking at coming over from LastPass, thanks to the LogMeIn acquisition. LastPass can export as CSV in a browser window. Unfortunately, I then have to save the exported content as a .csv on disk before I can import to 1Password. Could 1Password offer an import from clipboard option, so I can just copy paste? I'm not worried about the extra mouse clicks. It's that all of my passwords will hit my disk in cleartext. I have an SSD as my only disk (as many users with vaguely modern systems do), and they currently have a very mixed record for being able to securely delete content after it's been written.
As it stands I'm going to have to go dig up an old HDD and use that as an intermediary to hold the CSV file (since secure erasure tools for older hard disks are more mature and trustworthy).
1Password Version: 5.4.1
Extension Version: Not Provided
OS Version: 10.10.5
Sync Type: Not Provided
Comments
-
Could 1Password offer an import from clipboard option, so I can just copy paste? I'm not worried about the extra mouse clicks. It's that all of my passwords will hit my disk in cleartext. I have an SSD as my only disk (as many users with vaguely modern systems do), and they currently have a very mixed record for being able to securely delete content after it's been written.
@1poster: Indeed. It is possible to copy and paste JSON into 1Password to add items, but not arbitrary data. We may be able to add a feature like this in the future, but often the problem is that often even CSV exports are malformed and must be converted, and of course if you're copying and pasting raw clipboard data, without JSON, there's really no way for 1Password to know the format. It's certainly something we can explore, but there are significant challenges there.
And besides, I'd be equally concerned about using the clipboard. If you're worried about someone accessing the hard drive, which should be encrypted with FileVault2 anyway, if you're on Yosemite, that would be accessible as well, as the machine would need to be on and logged in for the contents of the hard drive to be readable.
As it stands I'm going to have to go dig up an old HDD and use that as an intermediary to hold the CSV file (since secure erasure tools for older hard disks are more mature and trustworthy).
That's a great idea! And of course if you really want to have fun, an old hard drive you're no longer using is a great opportunity for some data destruction of the physical variety. Drilling, crushing, explosives — be creative, but be safe! ;)
0 -
Such that I don't bury the lede: I found a better solution. It was from a (fairly popular) InfoSec.SE post discussing this issue, which is to use an ancient but still-viable technique: Save to a RAM disk. Essentially you set up a simulated drive that exists entirely in RAM, write the passwords CSV to it, load the CSV into 1Password, then delete the disk from memory. I'm not going to provide detailed instructions, but for those familiar with the command line, you can find them under "Creating a RAM-backed device and filesystem" in the
hdiutilman page. (This is for OS X. I don't know about other platforms.)As for the other issues, first, thanks for replying and answering so competently. Not many software companies have such good support in their forums. That said, I have to respectfully disagree on the other points.
there's really no way for 1Password to know the format
This isn't different from the current import process. The user has to select from a dropdown for filetype. (Options are: .1pif, generic .csv, LastPass .csv, and .vid.)
I'd be equally concerned about using the clipboard.
I think what you're trying to say here is that if an attacker has real-time access to your system, your clipboard isn't any safer than your hard drive. I'd agree, but that's not the scenario I worry about. I'm more concerned about the scenario where an attacker gains access to your system long after you've imported your passwords. If your passwords were ever written to your SSD, there's a good chance they'll still be there. They won't be in RAM however, if you only use the clipboard (or a RAM disk).
data destruction of the physical variety
Although fun, this is really security by obscurity. It also has potentially negative effects on human and environmental health.
0 -
It is more difficult that you think, and your possible solution only addresses a small fraction of the set of password manager users.
For example, the LastPass extension for Firefox does not export CSV using its Tools menu. It dumps out a simple, dumb, undelinated text dump of Field:Value pairs. And its Chrome extension botches user's passwords that contain certain unsafe HTML characters with undecoded HTML entities.
And most other password managers export only to files.
0 -
Essentially you set up a simulated drive that exists entirely in RAM, write the passwords CSV to it, load the CSV into 1Password, then delete the disk from memory.
@1poster: Okay, that is pretty awesome.
I'm more concerned about the scenario where an attacker gains access to your system long after you've imported your passwords.
Excellent point. Thanks for clarifying that!
Although fun, this is really security by obscurity. It also has potentially negative effects on human and environmental health.
You're absolutely right. That was said a bit tongue-in-cheek, though I do know folks who really enjoy finding creative ways to destroy data. Personally, I am horrified at the idea of destroying something I paid for, even if it's no longer in working condition.
Thanks for sharing your solution, and constructive criticism. :pirate:
0 -
It is more difficult that you think
I definitely don't think importing password data is easy. I think importing from clipboard vs. file system should be equally difficult.
And most other password managers export only to files.
Fair enough. I realize it may not be worth the time to implement, particularly if you don't actually see much of an influx from LastPass users.
Either way the RAM disk solution (which I hadn't thought of when I initially posted) seems like a way to accommodate both the need to write to a file system and the preference to keep passwords off hard disks. It's obviously more complicated than using the clipboard, but should be within reach for those few of us who really care about this sort of thing.
0 -
Hi @1poster,
Your RAM drive idea is pretty damned cunning - I really like it and you're right, making sure something is deleted from an SSD is not easy. Check out https://support.apple.com/en-us/HT205267 and search the page for
CVE-2015-5901for a prime example.It makes you think that a RAM drive may have more uses than just this one once you start to think along those lines.
0
