Feature Suggestion (regarding architecture for all platforms)

wraith
wraith
Community Member

Hi,

I have a feature suggestion that I imagine would require a rearchitecture of the product (and even makes the name 1Password somewhat inaccurate) but would be brilliant for long term security of the database.

I have several "levels" of sensitive passwords, from random forum accounts right through to my email and bank. I know I can manage these with separate databases, but that's difficult due to the way you need to close and switch. Unlocking my database to login to this forum has just exposed my bank password to any malware that could theoretically have full control of my PC (and no amount of secure coding can protect an unlocked database if my PC is owned).

Essentially I'd like the passwords (and stored OTP's) to be encrypted separately to the metadata and other identifying information. Then allow ANY password to be used to encrypt/unlock the passwords (perhaps the metadata would be encrypted with a certificate). I realise that the point of a password manager is to reduce the number of passwords to remember, but hear me out. When I enter the unlock password I could then type the appropriate "level" master password and the resulting decryption will return the correct bank password. If I entered the incorrect level password (or an entirely incorrect master password) then the passwords would still decrypt and appear valid (since the metadata is decrypted separately) but would fail to work since they haven't decrypted with the correct key. Malware on the PC would still have the ability to own the database, however as I log into my bank rarely the risk would be vastly reduced and I would be more likely to identify the issue before it caused exposure (compared to now where my database is unlocked 80% of the time my PC is on because I'm actively using the PC, and hence logging into "low level" systems).

This approach would allow:

  • tiered password levels so that decrypting the 1Password database with my forum password does not allow possible malware on my PC to suddenly get access to my bank passwords
  • plausible deniability and obscurity when decrypting the database with an incorrect or lower level password
  • flexible management within the one database, allowing people who only want one master password through to people who want many
  • quick entry via extension when entering passwords since most commonly used passwords would be secured with a simpler master password (entering the master password every time would be necessary but does not bother me in the slightest)

I'm not saying my solution is a magic bullet, but it would help. Combined with 2FA this would go a long way to keeping my trust in software to manage my passwords (with the next step being something entirely off-box entered manually).

Cheers,
Wraith


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • AGAlumB
    AGAlumB
    1Password Alumni

    Unlocking my database to login to this forum has just exposed my bank password to any malware that could theoretically have full control of my PC (and no amount of secure coding can protect an unlocked database if my PC is owned).

    @wraith: This is actually not the case, as 1Password doesn't decrypt your vault wholesale when you unlock it. Instead, it decrypts individual items as you access them. Now, if your computer is really compromised, all bets are off, because malware could, in theory, hijack the mouse and keyboard and go through your vault on its own...but it would really have to have some clever logic or a human at the other end for that to work.

    A better option might be separate, completely discrete (and discreet. ha) vaults. The 'tiered security' suggestion has come up before, and I guess my primary objection to it is that — in order for any of us to benefit from it — it places an even larger organizational burden on the user, to determine which 'tier' of security to bestow on each item. "Well, why not have a 'default' security level?" you might ask. You'd kind of have to to make it useable for saving new items without fiddling. But the net effect will be almost everyone using the 'default tier' for every item...which puts us right back where we started. Sure, you might use it, but your less-tech-savvy relatives sure wouldn't. And those are the people who need 1Password the most. And if we can't come up with a solution that people will actually use, we're better off — all of us — if our focus remans on improvements that help everyone be more secure.

    As a nerd, I love the idea; but as a user, it gives me a headache. I'd love to hear more of your thoughts. Maybe there's another direction we can go with this that might work for nerds and non-nerds alike. :)

  • wraith
    wraith
    Community Member
    edited November 2015

    @brenty My thought was that if someone only uses the one encryption password then they've only made one tier and it's no harder to manage as a user. I wasn't proposing you create a specifically tiered system as such, rather that it just support more than one tier by leveraging the fact that if you decrypt a string with the incorrect key then technically it will decrypt, it's just that the results are gibberish. The nice thing is that since random passwords are gibberish these days anyway then someone sniffing around won't realise that they don't have the correct password. By allowing the user to choose the encryption key when creating the item (rather than always using the master password) then you've instantly created unlimited tiers.

    I definitely agree that all bets are off if malware has compromised your PC but it's still better that the malware only has access to those things you've currently unlocked (ie the ones that correctly decrypt with the currently active password). Managing separate vaults is far more difficult (and even more beyond less tech-savvy relatives). I think my suggestion would add a little overhead when initially creating/saving passwords into the database, but from a daily use perspective would be the same as it is now, there'd just be that mental step for people using more than one decryption password to think "which password do I use" when filling into the browser for the bank versus for a forum.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @wraith: Indeed. It's something we can explore as we develop future version of 1Password. Unfortunately people forgetting their Master Passwords is all too common even when they only have one, so having to remember 1-More-Password is asking for a lot considering that's a key benefit of 1Password in the first place. With 1Password for Teams this problem is solved by the Recovery group (since the whole point of it is you aren't alone), but we'd need to find a way of making it practical for individual users as well to avoid introducing a new problem.

This discussion has been closed.