In regards to different types of malware, how safe is 1Password's data?
Correct me if I'm wrong, but the only time when 1Password's data is not encrypted (yes, I'm aware data such as titles and URLs are not encrypted, at least with the previous AgileBits format as opposed to the 'new' OPVault right?) is when you are using a particular item (example: login, etc.)...after you unlock your vault of course. All the rest of the data is encrypted still as I read from a comment by @brenty in this thread:
Keep in mind that anything (or anyone) you give access to your system, if malicious, could simply access data as you do. After all, you need to unlock 1Password to use a login. And while it is stored on disk encrypted, it needs to be decrypted temporarily for it to be of any use to you. For example, if you mistakenly install a malicious app, it could simply collect data as you use it — or a malicious person with access to your machine could install something for the same purpose.
But we're very conscious of this, so 1Password ~doesn't~ decrypt all of your data when you unlock the app. Instead, it only decrypts each item as you use it, so that your vault cannot be compromised simply by installing a malicious app. But it's important to only install software from trusted sources, because if you do give up your system to malicious software, anything ~not~ encrypted will be fair game. At the point when someone else 'owns' it, all bets are off. 1Password cannot protect you if you give your vault + password to someone else (or simply hand over the data in unencrypted form).
Then I was reading this thread and in a comment made by @jpgoldberg he states:
If your computer has malware on it, then it is possible for some malware to get data from 1Password once you unlock it.
Could someone please elaborate on this? How could malware get to the data/vault if most (or all of it) of it is still encrypted even if you unlock it with your Master Password as stated above by @brenty? Is @jpgoldberg referring to only the data that is temporarily decrypted and in use that malware could get to?
Hope that makes sense.
Thanks!
I wasn't sure where I should post this since this isn't necessarily about any particular version of 1Password.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
@ScarySulley: The Lounge is a great place to have a more in-depth discussion on data security. Thanks for getting the ball rolling!
A concrete example of data being decrypted immediately when you unlock 1Password is that it will display the item you were viewing previously, and of course that will need to be decrypted for that to happen. At that point, malware could simply take a screenshot (though your password will be concealed by default. You should assume that malware can see and do anything you can, since it's functionally you, with the same privileges and access you have.
0 -
Thank you for your reply @brenty,
A concrete example of data being decrypted immediately when you unlock 1Password is that it will display the item you were viewing previously,
Is this for all versions of 1Password? Because when I unlock 1Password, it always shows the first item as opposed to the last viewed/used item I was on when 1Password was previously unlocked/open.
and of course that will need to be decrypted for that to happen.
Interesting...so to be clear, it is when you click on/choose an actual item that 1Password will temporarily decrypt all that relevant information?
At that point, malware could simply take a screenshot (though your password will be concealed by default. You should assume that malware can see and do anything you can, since it's functionally you, with the same privileges and access you have.
So malware could take a screen shot, but if I don't 'reveal' it by pressing Alt (Windows), Option (Mac) or the equivalent action for Android and iOS, then any malware can't get the password through a screenshot. Although they could get the user name, notes, title, etc. — through a screenshot — as those fields are not concealed.
So right now we're talking about malware that could take a screenshot of the 1Password window and information currently being displayed at any given moment. But could malware get the decrypted information by any other means, besides a screenshot, since it is decrypted? I think I read where malware could see the contents of the clipboard when you copy a password from 1Password. But, say for instance, you had 1Password open on a login (and that seems to be the only time information gets temporarily decrypted from earlier above), could malware somehow take or access that decrypted information (not a screenshot), regardless if a password has been copied to the clipboard from 1Password? Hope that makes sense!
Thanks again @brenty! :)
0 -
@ScarySulley: Any time! I'm sorry for the delay, but I'm trying to get you some more details on the specifics regarding your questions. As far as malware, it really depends on how it's designed, but anything even remotely serious about data collection should be monitoring the clipboard, taking screenshots, and logging keystrokes at bare minimum. We'll get back to you shortly! :)
0 -
Hi @ScarySulley, you ask an important and tricky question, for which there will be no simple answer.
Before I get into attempting to answer it, I would like to remind everyone of something that we have to say about defenses against malware running on the machine on which you use 1Password . From a discussion of keystroke loggers:
I have said it before, and I’ll say it again: 1Password and Knox cannot provide complete protection against a compromised operating system. There is a saying (for which I cannot find a source), “Once an attacker has broken into your computer [and obtained root privileges], it is no longer your computer.” So in principle, there is nothing that 1Password can do to protect you if your computer is compromised.
In practice, however, there are steps we can and do take which dramatically reduce the chances that some malware running on your computer, particularly keystroke loggers, could capture your Master Password.
When it comes to a compromise that allows the attacker to analyze memory while you have 1Password unlocked, there isn't all that much we can do in practice (as opposed to defending against superficial key stroke loggers).
Shortish answer
You should behave as if all data is decrypted and in memory when 1Password is unlocked. Although we often attempt to only "decrypt items as needed" we are not going to guarantee that that is the case.
Once you have unlocked 1Password the amount of data that will be decrypted in memory varies from platform to platform and from time to time and from version to version. So although we like to be explicit in our documentation about security, we are deliberately vague about things that depend so much on the resources of the machine we are running on.
Why the deliberate vagueness?
As I said, things differ from case to case and operating system to operating system (often depending on system resources). For example, we always will decrypt the "overview" information first. This is what is needed to present a list of items. And as you mentioned, in the legacy Agile Keychain Format that data isn't encrypted in the first place.
On mobile devices where we need to think more in terms of resource constraints (including power usage), you will find that we tend to decrypt overviews and then only decrypt an item detail when needed. But this, again, is subject to change. We are not going to promise to always behave that way.
But now contrast with features like being able to search on passwords or perform a Security Audit. Those functions, which were computationally out of reach a few years ago on many devices are now standard features on the Desktop. They do require decrypting the item details of all items to get to the encrypted passwords.
Because of all of these differences and the fact that actual details even on a given platform may differ from release to release, we need to be vague. And so you should behave as if all data is decrypted once you unlock 1Password even though much may actually remain undecrypted1.
Threat model vs theatrics
An attacker who can get at your memory while 1Password is unlocked will necessarily be able to get at your master decryption keys. Such an attacker will almost certainly be able to get at your encrypted 1Password data. With both your data and the master decryption keys, the attacker will be able to decrypt anything they wish irrespective of what else is in memory.
To someone looking for strings in a core dump of an unlocked 1Password process, the existence of visible secrets will look worse than if only the master decryption keys were in there (which wouldn't be apparently through just looking at strings). So given that the master keys need to be in memory when 1Password is unlocked, there is no real difference in threat from such an attacker. The biggest difference would only be to obscure from the user that a memory dump of an unlocked 1Password would be a bad thing.
Not just theatrics
There are good reasons to try to reduce the amount of decrypted secrets that live in memory beyond security theater. But those involve edge cases (where, say, only a portion of memory is available to the attacker). And so we do design with this in mind. But we do not let such considerations trump substantial performance or the availability of features like Security Audit.
-
"undecrypted" is not an unjustifiable word. Take that George Orwell! ↩︎
0 -
-
I wanted to follow up here to reiterate out that it's important to not to access sensitive information on an untrusted device, whether that be a public internet terminal or your own that's been compromised, rather than trying to figure out what you can "get away with" when your machine is infected. The premise of this discussion is that the machine is infected and still being used to access sensitive information, and it's important to recognize that this represents taking an unnecessary risk.
Now, 1Password also does it's best to minimize risk in case of just such an eventuality. The one thing you can be confident of, regardless of platform, configuration, or compromise, is that all of your 1Password data is secured until you unlock the vault to access it. So when in doubt, always use a trusted machine. It's always possible that for all of our diligence, both as users and developers, an unknown OS vulnerability could be exploited to do something heretofore believed impossible. So we should assume that malware is smarter than we know it to be and take the necessary precautions ourselves as well.
0 -
Thank you for the very detailed responses @brenty and @jpgoldberg,
Hmmm...It does seem that there is no clear and easy answer to this.
Some more questions that are all sorta related to eachother (bear with me): 8-)
So while there's no clear answer as to which data is encrypted or decrypted at any given time when the 1Password vault is unlocked, can the data that is encrypted, while the 1Password vault is unlocked, be attacked/compromised/corrupted somehow? I know since it's encrypted, the data would be useless without the Master Password, but could it be "messed up" somehow? Hope that makes sense!
Just to verify...while the 1Password vault is locked and thus all the data is encrypted*, it is not possible for malware to attack/compromise/corrupt any of the encrypted data...? I know since it's encrypted, the data would be useless without the Master Password, but could it be "messed up" somehow? Hope that makes sense!
Related to #2...since there are two different vault formats that can be used, the older AgileBits and the newer OPVault, that encrypt data a bit differently (AgileBits format doesn't encrypt titles and URLs for example, where the OPVault encrypts all data), can the data that is not encrypted in the AgileBits format be attacked/compromised/corrupted while the vault is locked?
Yes, I repeated the last two sentences for the first two questions since they were relevant to both questions. :)
Thanks again!
*I know the two different vault formats encrypt data differently, hence question #3.
0 -
So while there's no clear answer as to which data is encrypted or decrypted at any given time when the 1Password vault is unlocked, can the data that is encrypted, while the 1Password vault is unlocked, be attacked/compromised/corrupted somehow? I know since it's encrypted, the data would be useless without the Master Password, but could it be "messed up" somehow? Hope that makes sense!
@ScarySulley: Whoa. I'm glad you brought this up. I wasn't thinking in that direction at all based on your questions, but that's perhaps just as important as encryption! Having reliable backups of your data is absolutely crucial.
If someone or something else has control over your system or access to part of it, they can do a lot of damage. They could simply delete your data, or, even "better", encrypt it themselves for extortion purposes. Ransomware has grown in "popularity" and will likely only continue to do so. People used to write viruses for fun or hacker cred, but it's turning into a real business... :(
Just to verify...while the 1Password vault is locked and thus all the data is encrypted*, it is not possible for malware to attack/compromise/corrupt any of the encrypted data...? I know since it's encrypted, the data would be useless without the Master Password, but could it be "messed up" somehow? Hope that makes sense!
Absolutely. See #1.
Related to #2...since there are two different vault formats that can be used, the older AgileBits and the newer OPVault, that encrypt data a bit differently (AgileBits format doesn't encrypt titles and URLs for example, where the OPVault encrypts all data), can the data that is not encrypted in the AgileBits format be attacked/compromised/corrupted while the vault is locked?
Yes, I repeated the last two sentences for the first two questions since they were relevant to both questions. :)
Thanks again!
*I know the two different vault formats encrypt data differently, hence question #3.See #1. Seriously though, those are all great questions! I was going to link to the OPVault and AgileKeychain design documents here, but it's completely irrelevant if someone shreds your vault digitally.
So while these are different scenarios, the same rationale applies. It sound like I'm being dismissive, but I mean it: I'm glad you brought this up. It's easy to get so caught up in worrying about security that this gets overlooked.
Here's a scenario for you: I spend thousands of dollars on fancy equipment to protect my home: cameras, locks, alarms — the whole kaboogie*. Those crazy teenagers can't break in and steal my awesome video game collection. So they burn down my house. D'oh.
*Note: this is not an actual word.
That's kind of what we're up against with malware, or even just someone mischievous with access to our devices. I can say "all bets are off" til I pass out, but it's important for each of us — myself as well — to keep the truth of this statement in mind. So while 1Password can encrypt our data to keep anyone from accessing it, maybe they don't want to access it. Maybe they want to destroy it or hold it for ransom. Yikes. :dizzy:
0 -
Hi @brenty,
I totally forgot about ransomware and other malware that can cause harm to data in general – encrypted or not. I know 1Password will make automatic encrypted backups every so often. Plus there's the other types of backups (well technically it says "export") that we can do manually that are not encrypted. Even the backups/exports that are stored locally are also at risk of being attacked, encrypted or not. With that said, is there a way to test/check the integrity of backups/exports to be sure they have not been compromised/attacked/corrupted?
While I'm here, can you explain the different ways the Master Password is kept secure as we input it into 1Password? I know Windows has the option to use Secure Desktop that will not allow any other programs to run while you're typing in your Master Password, thus eliminating the chances of malware capturing the Master Password, correct? But how does this work on the other platforms; Mac, iOS and Android?
Lastly I think this question was overlooked from earlier, so I'll just copy and paste it from my second post above:
A concrete example of data being decrypted immediately when you unlock 1Password is that it will display the item you were viewing previously,
Is this for all versions of 1Password? Because when I unlock 1Password, it always shows the first item as opposed to the last viewed/used item I was on when 1Password was previously unlocked/open.
Thank you again @brenty ( and @jpgoldberg ) for your assistance! :)
0 -
Even the backups/exports that are stored locally are also at risk of being attacked, encrypted or not.
@ScarySulley: That's an excellent point. The solution is the same whether we're talking about attack or "benign" data loss (corruption, hardware failure): multiple backups. After all, you may never get infected by malware, but it's pretty much guaranteed that you'll suffer some catastrophic failure at some point. I've had mine already, though I don't think that makes me immune to future disasters — rather, it makes me super paranoid!
With that said, is there a way to test/check the integrity of backups/exports to be sure they have not been compromised/attacked/corrupted?
The only reliable way to do this is to restore. Make a fresh backup first so you can revert to your most recent data. But 1Password will verify the integrity of the database when it loads. If you can restore from the backup, you're in good shape!
While I'm here, can you explain the different ways the Master Password is kept secure as we input it into 1Password? I know Windows has the option to use Secure Desktop that will not allow any other programs to run while you're typing in your Master Password, thus eliminating the chances of malware capturing the Master Password, correct? But how does this work on the other platforms; Mac, iOS and Android?
Android doesn’t have the equivalent of the iOS Keychain, but we do have options for securely storing data. Android provides a set of KeyStore APIs that allow us to store secrets. This API is used in conjunction with the fingerprint APIs to secure a secret with an encryption key that is secured by your fingerprint. This is similar to the way Touch ID works on iOS. In both cases, apps are sandboxed so that they cannot steal input/data from each other. This is more strict on iOS, but on Android we use a flag to tell the OS it should treat 1Password as a secure app. This flag also prevents screenshot taking and hides 1Password’s content in the Recents (multi-tasking).
Where Windows (7 and later) support Secure Desktop, and OS X and iOS have Secure Input to prevent key logging, on Android we treat the Master Password as a protected field and the security is dependant on the OS and keyboard the user is using. For example, if the user rooted their device to bypass sandbox restrictions, it’s possible another app on the device is keylogging protected fields. Third-party keyboards can listen onto what you are typing, so it’s important to trust the keyboard you are using. iOS forbids 3rd party keyboards from being used in secure fields altogether.
If someone is able to install data collection software of any kind on your Mac or PC (or possibly a rooted/jailbroken mobile device), they could more easily read your information bit by bit from memory as you enter or access it. But at that point they'd probably get more bang for their (your?) buck by stealing your credit cards or valuables -- the computer itself, perhaps. It's important to keep in mind that like any app, 1Password's integrity depends to some extent on the integrity of the system.
Lastly I think this question was overlooked from earlier, so I'll just copy and paste it from my second post above:
A concrete example of data being decrypted immediately when you unlock 1Password is that it will display the item you were viewing previously,
Is this for all versions of 1Password? Because when I unlock 1Password, it always shows the first item as opposed to the last viewed/used item I was on when 1Password was previously unlocked/open.
Thank you again @brenty ( and @jpgoldberg ) for your assistance! :)
Hey, thank you! It's good to feel useful! ;)
0 -
I'm sorry it has taken me so long to add my voice to @brenty's answers to @ScarySulley's excellent follow-up questions. I'll try not to repeat what has already been said, and just add some details about particular points.
When 1Password is unlocked, sufficiently powerful malware operating on the same system can do anything. So I am only going to discuss what can happen when 1Password is locked.
Could [encrypted 1Password data] be "messed up" somehow?
If the attacker is only working with the encrypted data, it doesn't matter whether 1Password is locked or not, so I will focus on the general case. As has already been noted, an attacker could destroy data. Backups are important.
So let's ask whether an attacker can tamper with the data in a way that doesn't simply result in data loss but adversely affects the users security in other ways. The short answer is that the Agile Keychain Format can be maliciously tampered with, but all later data formats cannot.
Indeed, this was an explicit design goal of OPVault:
When the Agile Keychain format was developed, chosen ciphertext attacks (CCA) were seen as theoretical. Furthermore, the primary threat to 1Password users was thought to be from an attacker stealing the data once and pursuing an off-line attack. It did not anticipate an attacker who could tamper with user data that would be subsequently processed by the legitimate owner.
CCAs are no longer just theoretical, and we also see (and encourage) widespread storage of 1Password data in “the cloud” for syncing. Thus, data integrity needs to be addressed in our new design.
Instead of trying to design against particular CCAs or particular mischief that can be done through data manipulation, we simply authenticate everything we can. Authenticated encryption is used whenever we encrypt, and HMACs are calculated over the elements in each item. The item is rejected if the MAC does not verify. The Encrypt-then-MAC construction is better thought of as “Verify-and-only-then-Decrypt.”
So 1Password cryptographically verifies that the data has not been tampered with before attempting to use it in any way. An attacker could change things that would affect synchronization, but I'm calling that a "data loss" situation.
Just to verify...while the 1Password vault is locked and thus all the data is encrypted ...
This is actually trickier than you might think. Forgetting is hard. When you lock 1Password, 1Password tells the computer to "forget" certain things. But exactly when those get fully removed/overwritten in computer memory is unpredictable.1 And this differs from environment to environment.
Can the unencrypted data in the Agile Keychain Format be attacked?
Yes. The Agilekeychain Format did not involve data integrity checks. See my answer to your first question for what we've changed and why.
Moving to Authenticated Encryption with Additional Data, as we did with OPVault prevents a whole class of potential attacks. We've seen some "proofs of concept" demonstrations of what an attacker might be able to do by tampering with a target's Agile Keychain Format, but we've seen no hint of any actual attack.
And again we shouldn't be thinking in terms of powerful malware running on the machine on which you use 1Password. An attacker with full control of the computer on which you run 1Password already has full control. Keep your systems and software up to date.
-
If we were to write and use our own memory management layer instead of having the all of the safety checks that come with the standard tools, we would almost certainly end up creating more problems then we would solve. ↩︎
0 -
-
Thank you @brenty and @jpgoldberg for your responses. Apologizes in advanced, I didn't realize this was post was going to be so long.
Looks like this one got skipped again, so I'll put it first this time :)
A concrete example of data being decrypted immediately when you unlock 1Password is that it will display the item you were viewing previously,
Is this for all versions of 1Password? Because when I unlock 1Password, it always shows the first item as opposed to the last viewed/used item I was on when 1Password was previously unlocked/open.
New stuff for @brenty (I did my best to organize everything)
@ScarySulley: That's an excellent point. The solution is the same whether we're talking about attack or "benign" data loss (corruption, hardware failure): multiple backups. After all, you may never get infected by malware, but it's pretty much guaranteed that you'll suffer some catastrophic failure at some point. I've had mine already, though I don't think that makes me immune to future disasters — rather, it makes me super paranoid!
Yes, having multiple backups, including connected and disconnected, is always a good idea. Even for both malware and hardware failures.
The only reliable way to do this is to restore. Make a fresh backup first so you can revert to your most recent data. But 1Password will verify the integrity of the database when it loads. If you can restore from the backup, you're in good shape!
Oh ok, so 1Password has an auto-check feature to ensure the vault/data is not compromised/corrupted in any way. Interesting. Does this apply to both vault formats? Or do you have to upgrade to the OPVault format?
I just read the comment @jpgoldberg said saying that this data/vault integrity check/verification only applies to the new OPVault format and not the older AgileBits format as discussed at the end of this post below.
Android doesn’t have the equivalent of the iOS Keychain, but we do have options for securely storing data. Android provides a set of KeyStore APIs that allow us to store secrets. This API is used in conjunction with the fingerprint APIs to secure a secret with an encryption key that is secured by your fingerprint. This is similar to the way Touch ID works on iOS. In both cases, apps are sandboxed so that they cannot steal input/data from each other. This is more strict on iOS, but on Android we use a flag to tell the OS it should treat 1Password as a secure app. This flag also prevents screenshot taking and hides 1Password’s content in the Recents (multi-tasking).
- Can you please elaborate on how the iOS Keychain plays a role with 1Password? Correct me if I'm wrong, but the iOS Keychain is Apple's password management app, right?
- Regarding the KeyStore APIs (I'm not quite sure what that means so go easy on me here). Does this mean that those APIs allows the Master Password to be inputed securely when you say "allow us to store secrets." ? Or does that have to do with the way the vault is "secured" ?
- You mentioned fingerprint APIs...what if the phone doesn't have a fingerprint scanner/reader?
- So is it the sandboxing that allows the inputing of the Master Password to be secure so no malware will get it?
- Interesting to know that sandboxing also prevents screenshots from being taken of the 1Password screen so that no information is captured through the screenshot. To clarify, this applies to both iOS and Android, correct?
Where Windows (7 and later) support Secure Desktop, and OS X and iOS have Secure Input to prevent key logging, on Android we treat the Master Password as a protected field and the security is dependant on the OS and keyboard the user is using. For example, if the user rooted their device to bypass sandbox restrictions, it’s possible another app on the device is keylogging protected fields. Third-party keyboards can listen onto what you are typing, so it’s important to trust the keyboard you are using. iOS forbids 3rd party keyboards from being used in secure fields altogether.
It sounds like this paragraph may have answered your previous one, but I'm not quite sure. :blush:
Ok, so OS X and iOS both have a feature called Secure Input that prevents key logging (I'm assuming this is similar to Secure Desktop for Windows?).
Android has a feature that allows for a protected field which is dependent on the OS and keyboard the user is using. So when you say "the security is dependent on the OS" you are referring to whether Android has been rooted and has been allowed to bypass sandbox restrictions. So for maximum security, it's probably best to not root Android unless you know what you're doing, at least in regards to bypassing the sandbox restrictions.
If someone is able to install data collection software of any kind on your Mac or PC (or possibly a rooted/jailbroken mobile device), they could more easily read your information bit by bit from memory as you enter or access it.
I'm assuming that this doesn't apply to inputing the Master Password (and a non-modified Android device) since as discussed above, security measures are in place to prevent the Master Password from being captured?
Going to get somewhat technical here: When you say "bit by bit" you are referring to the actual zero's and one's, right? How could that be useful to an attacker if the data is simply 0's and 1's? Unless they could somehow put those 0's and 1's into a meaningful format...?
But at that point they'd probably get more bang for their (your?) buck by stealing your credit cards or valuables -- the computer itself, perhaps. It's important to keep in mind that like any app, 1Password's integrity depends to some extent on the integrity of the system.
Is this because of my comment above regarding how the 0's and 1's may not be useful if they're not in a readable format and are pretty much worthless?
@jpgoldberg (or @brenty )
So essentially what you're saying is that the new OPVault format is best to use as it's more secure and has the feature/ability to have 1Password check it's integrity as it's unlocked and/or importing a backup vault...? To clarify, the vault/data integrity check 1Password does with the OPVault format, only happens when you unlock 1Password or when you are importing a backup vault?
Also, what versions of 1Password started to have this feature with the OPVault format and does this apply to all platforms (OS X, Windows, iOS, and Android)?
Totally just came up with this new question that I've been meaning to ask for quite some time...
Since we've been talking about inputing data, such as the Master Password, and keeping that secure as it's inputed/typed, what about the keyboard and mouse? What I mean is how secure are wireless/Bluetooth keyboard and mice? I suppose the answer is yes, but is it possible for someone to intercept/capture the wireless connection/signal from the keyboard and mouse (I guess the keyboard is the main concern as that does the typing like for the Master Password) as it goes to the computer/dongle/receiver?
Phew! Final done! haha, thanks again for your time for this discussion. It's a lot of information to take in, but I'm getting a lot of good insight. :)
0 -
Thank you @brenty and @jpgoldberg for your responses. Apologizes in advanced, I didn't realize this was post was going to be so long.
@ScarySulley: lol no problem! :lol:
Looks like this one got skipped again, so I'll put it first this time :)
A concrete example of data being decrypted immediately when you unlock 1Password is that it will display the item you were viewing previously,
Is this for all versions of 1Password? Because when I unlock 1Password, it always shows the first item as opposed to the last viewed/used item I was on when 1Password was previously unlocked/open.I'd answered this one earlier,
A concrete example of data being decrypted immediately when you unlock 1Password is that it will display the item you were viewing previously, and of course that will need to be decrypted for that to happen.
I'm sorry if my answer wasn't as exhaustive as you'd liked! The truth is that I wanted to give one concrete example of this since it varies based not only on platform, but also due to how you're using it. In that example, I was referring to 1Password for Mac, since it will display an item's details based on the vault/category selected. Another is 1Password for iOS, where unlocking the extension will display some information based on the current website/app.
Oh ok, so 1Password has an auto-check feature to ensure the vault/data is not compromised/corrupted in any way. Interesting. Does this apply to both vault formats? Or do you have to upgrade to the OPVault format?
Thinking about this question, I release there's something here that may be relevant to your previous question: 1Password reads "overview" data (such as titles and URLs) when you unlock it so it's able to display a list of items (as opposed to just a long list of incomprehensible UUIDs) and facilitate searching. With AgileKeychain, this data is already available, but with OPVault, it needs to be decrypted before it can be read. And at the same time, 1Password will give an error if there is data that cannot be read. In AgileKeychain this is the extent of it, but OPVault uses authenticated encryption, so in that case 1Password can determine if the data has been corrupted or tampered with. Otherwise, 1Password just needs to be able to read the data.
I just read the comment @jpgoldberg said saying that this data/vault integrity check/verification only applies to the new OPVault format and not the older AgileBits format as discussed at the end of this post below.
I covered that above, but I think there's another way of looking at it that may be more helpful: with AgileKeychain, the test is "can the data be read?" — i.e. is it formatted correctly. This is also the case with OPVault, except that it also verifies that the data matches what was originally written.
Can you please elaborate on how the iOS Keychain plays a role with 1Password? Correct me if I'm wrong, but the iOS Keychain is Apple's password management app, right?
Great question! The iOS Keychain, much like its OS X counterpart, can be used for saving passwords, however that is not it's primary function. It's used system-wide both by the OS and by apps to store data securely. You can look at it easily on a Mac using Keychain Access. This is where authentication token, public keys, private keys, and certificates are stored. For example, Keychain is what makes it so you don't have to login to iCloud every time its accessed. 1Password for iOS uses the Keychain for storing the Master Password to be unlocked using Touch ID — or on older devices for using a PIN code with 1Password.
Regarding the KeyStore APIs (I'm not quite sure what that means so go easy on me here). Does this mean that those APIs allows the Master Password to be inputed securely when you say "allow us to store secrets." ? Or does that have to do with the way the vault is "secured" ?
You mentioned fingerprint APIs...what if the phone doesn't have a fingerprint scanner/reader?
This is similar to the above regarding iOS. A good rule of thumb is that 1Password doesn't store anything with the OS on any platform unless you're using an OS feature as a way to unlock 1Password. Another example is Windows Hello. This only applies to secure storage. Input is separate, and I went over the various platform safeguards against keyloggers earlier.
So is it the sandboxing that allows the inputing of the Master Password to be secure so no malware will get it?
The sandbox makes a big difference with this on iOS and Android. But of course that's provided you don't give another app (in the form of a keyboard) your input. As I mentioned earlier, iOS simply does not allow that in secure fields. On both iOS and Android, we recommend not using a 3rd party keyboard to enter sensitive information. But we have to trust the OS.
Interesting to know that sandboxing also prevents screenshots from being taken of the 1Password screen so that no information is captured through the screenshot. To clarify, this applies to both iOS and Android, correct?
Yes, albeit in slightly different ways. On Android, we're able to disallow taking screenshots within the app entirely. On iOS, other apps only have access to the pictures you take if you grant it to them (you'll probably be familiar with these "this app would like to access your photos/contacts/etc." prompts).
Ok, so OS X and iOS both have a feature called Secure Input that prevents key logging (I'm assuming this is similar to Secure Desktop for Windows?).
In practice, they're similar, but Windows Secure Desktop is super in-your-face since it literally opens a new desktop; whereas Apple's Secure Input blocks access to individual fields, and is something most people don't even know about.
Android has a feature that allows for a protected field which is dependent on the OS and keyboard the user is using. So when you say "the security is dependent on the OS" you are referring to whether Android has been rooted and has been allowed to bypass sandbox restrictions. So for maximum security, it's probably best to not root Android unless you know what you're doing, at least in regards to bypassing the sandbox restrictions.
In that case, yes I was referring to "rooting" or "jailbreaking" devices, but the statement "the security is dependent on the OS" applies more generally. None of us fabricate our own chips, build our own systems, and write our own OSes, so we're inherently putting our trust in the people who do make these things for our security. That sounds scary, but the good news is that we're not alone. The people who make these are using them too, so they're super motivated to make them as secure as they're able.
I'm assuming that this doesn't apply to inputing the Master Password (and a non-modified Android device) since as discussed above, security measures are in place to prevent the Master Password from being captured?
Yes, but again, if you install a rootkit or other deep-seated malware, the integrity of the OS is compromised and you should assume that it can access anything it wants.
"Body is 1691 characters too long." :lol:
0 -
Okay, here's the rest. :tongue:
Going to get somewhat technical here: When you say "bit by bit" you are referring to the actual zero's and one's, right? How could that be useful to an attacker if the data is simply 0's and 1's? Unless they could somehow put those 0's and 1's into a meaningful format...?
Is this because of my comment above regarding how the 0's and 1's may not be useful if they're not in a readable format and are pretty much worthless?I think you're getting a bit too technical here. ;)
It's getting to this stage (the compromise) which is the hard part. And there are toolkits out there that make it really easy for relatively untalented "hackers" to "own" your system. This is the part we need to stop. After that, even a moron could setup some remote connection software and just watch what you do, without bothering trying to dig around for things. At some point, you're bound to open your email account's login in 1Password, and with a quick copy/paste they have what they need to reset most of your other accounts.
So essentially what you're saying is that the new OPVault format is best to use as it's more secure and has the feature/ability to have 1Password check it's integrity as it's unlocked and/or importing a backup vault...? To clarify, the vault/data integrity check 1Password does with the OPVault format, only happens when you unlock 1Password or when you are importing a backup vault?
I think I covered most of this above, but be sure to let me know if there's something you'd like clarified. However, regarding backups, when you do a restore, 1Password will read the entire vault at that time, unlike unlocking an existing vault, which won't load all of the data at once. Restoring from a backup is a good way to be sure that it's intact, and with OPVault this will also verify that the data hasn't been modified in any way.
Also, what versions of 1Password started to have this feature with the OPVault format and does this apply to all platforms (OS X, Windows, iOS, and Android)?
OPVault was originally introduced in 1Password 4 for Mac, and all current stable versions of 1Password support it.
Totally just came up with this new question that I've been meaning to ask for quite some time...
Since we've been talking about inputing data, such as the Master Password, and keeping that secure as it's inputed/typed, what about the keyboard and mouse? What I mean is how secure are wireless/Bluetooth keyboard and mice? I suppose the answer is yes, but is it possible for someone to intercept/capture the wireless connection/signal from the keyboard and mouse (I guess the keyboard is the main concern as that does the typing like for the Master Password) as it goes to the computer/dongle/receiver?Wired input is great because you can unplug it and check to make sure no one's put a hardware key logger in between it and the computer. Though it is encrypted, Bluetooth has had some serious security vulnerabilities in the past. And keep in mind that even if we were confident that it was secure secure overall, many Bluetooth devices (especially "headless" ones like keyboards and mice...) use minimal authentication when setting up, as opposed to verifying the connection on both ends. And when it comes to proprietary wireless peripherals which require their own receiver, it's hard to vouch for their security with any certainty. I prefer Bluetooth when it's used only as a connection mechanism and other encryption is used for data transfer (e.g AirDrop).
Phew! Final done! haha, thanks again for your time for this discussion. It's a lot of information to take in, but I'm getting a lot of good insight. :)
:pirate: :+1:
0 -
Hi @brenty, wow I must say you have have a lot of patience for answering my questions. Ok here we go...
Regarding this "overlooked question" :
A concrete example of data being decrypted immediately when you unlock 1Password is that it will display the item you were viewing previously,
.
I'd answered this one earlier,
.
I'm sorry if my answer wasn't as exhaustive as you'd liked! The truth is that I wanted to give one concrete example of this since it varies based not only on platform, but also due to how you're using it. In that example, I was referring to 1Password for Mac, since it will display an item's details based on the vault/category selected. Another is 1Password for iOS, where unlocking the extension will display some information based on the current website/app.
I couldn't find your answer in the giant wall of text haha...could you please point your answer out to me in a quote, sorry! (yes, I know I'm probably being annoying :blush: ) But essentially that's not a bug of my 1Password that it doesn't display the item I was viewing previously before I locked the vault?...Unless I misunderstood what you were explaining.
In practice, they're similar, but Windows Secure Desktop is super in-your-face since it literally opens a new desktop; whereas Apple's Secure Input blocks access to individual fields, and is something most people don't even know about.
Yea I suppose one could say the Apple way is more seamless and less annoying. But on the other hand, it's nice to see see an actual action take place with the Microsoft way.
In that case, yes I was referring to "rooting" or "jailbreaking" devices, but the statement "the security is dependent on the OS" applies more generally. None of us fabricate our own chips, build our own systems, and write our own OSes, so we're inherently putting our trust in the people who do make these things for our security. That sounds scary, but the good news is that we're not alone. The people who make these are using them too, so they're super motivated to make them as secure as they're able.
Good to know and I never thought of that before. But it would be common sense that if you modify something (rooting or jailbreaking), it might not be as secure, at least if you don't know what you're doing.
I think I covered most of this above, but be sure to let me know if there's something you'd like clarified. However, regarding backups, when you do a restore, 1Password will read the entire vault at that time, unlike unlocking an existing vault, which won't load all of the data at once. Restoring from a backup is a good way to be sure that it's intact, and with OPVault this will also verify that the data hasn't been modified in any way.
So essentially the OPVault format is more secure and does an integrity check to ensure the data/vault is not compromised/corrupted in any way.
Is there a support article/tutorial that shows how to convert to the OPVault format? I did a quick search on the AgileBits Support site, but nothing came up.
There's definitely a lot stuff that happens under the hood in regards to how the OPVault format works, so I'll have to go back and re-read the information you posted (as well as with everything else).
OPVault was originally introduced in 1Password 4 for Mac, and all current stable versions of 1Password support it.
When you say "all current stable versions...," that simply means all non-beta, final public versions, right?
Could you please kindly list all the versions for the different platforms that started to support the OPVault format? I know for Mac it started with 1Password 4, but I'd like a quick list to verify/check with what I have.
And related to that...let's say you are using the OPVault format and one (or more) of the versions on a particular platform you also use (Mac, Windows, iOS, or Android) that does not support the OPVault format? What happens then? Would you have to update 1Password to the latest version of that particular platform?
Wired input is great because you can unplug it and check to make sure no one's put a hardware key logger in between it and the computer. Though it is encrypted, Bluetooth has had some serious security vulnerabilities in the past. And keep in mind that even if we were confident that it was secure secure overall, many Bluetooth devices (especially "headless" ones like keyboards and mice...) use minimal authentication when setting up, as opposed to verifying the connection on both ends. And when it comes to proprietary wireless peripherals which require their own receiver, it's hard to vouch for their security with any certainty. I prefer Bluetooth when it's used only as a connection mechanism and other encryption is used for data transfer (e.g AirDrop).
Ok, so it's as I thought, wired keyboards (and mice) are more secure. I suppose a wireless keyboard/mouse connection shouldn't be an issue in your own home as it would be in a place where other people were with you as well.
Thank you again for your time (seriously mean that) in providing this information! :)
0 -
Hi @brenty, wow I must say you have have a lot of patience for answering my questions. Ok here we go...
@ScarySulley: Likewise! Thanks for being patient with me. See below... :dizzy:
Regarding this "overlooked question" :
A concrete example of data being decrypted immediately when you unlock 1Password is that it will display the item you were viewing previously,
I'd answered this one earlier,
I'm sorry if my answer wasn't as exhaustive as you'd liked! The truth is that I wanted to give one concrete example of this since it varies based not only on platform, but also due to how you're using it. In that example, I was referring to 1Password for Mac, since it will display an item's details based on the vault/category selected. Another is 1Password for iOS, where unlocking the extension will display some information based on the current website/app.I couldn't find your answer in the giant wall of text haha...could you please point your answer out to me in a quote, sorry! (yes, I know I'm probably being annoying :blush: ) But essentially that's not a bug of my 1Password that it doesn't display the item I was viewing previously before I locked the vault?...Unless I misunderstood what you were explaining.
I'm going to be honest. It made sense to me at the time, but even I had difficulty figuring this out just now. I'm sorry for this confusion -- for both of us! :lol:
At any rate, the examples I gave are above in bold. And admittedly, there's got to be a better way of phrasing it, but I can't think of it right now. :unamused:
In practice, they're similar, but Windows Secure Desktop is super in-your-face since it literally opens a new desktop; whereas Apple's Secure Input blocks access to individual fields, and is something most people don't even know about.
Yea I suppose one could say the Apple way is more seamless and less annoying. But on the other hand, it's nice to see see an actual action take place with the Microsoft way.
In that case, yes I was referring to "rooting" or "jailbreaking" devices, but the statement "the security is dependent on the OS" applies more generally. None of us fabricate our own chips, build our own systems, and write our own OSes, so we're inherently putting our trust in the people who do make these things for our security. That sounds scary, but the good news is that we're not alone. The people who make these are using them too, so they're super motivated to make them as secure as they're able.
Good to know and I never thought of that before. But it would be common sense that if you modify something (rooting or jailbreaking), it might not be as secure, at least if you don't know what you're doing.
Honestly, rooting and jailbreaking is fun, but security is the best argument against doing that. By definition, you're "breaking" the OS's defenses against running untrusted code and using private APIs. If that weren't the case, it would be harmless...but it would also be less useful.
So essentially the OPVault format is more secure and does an integrity check to ensure the data/vault is not compromised/corrupted in any way.
Precisely! :) :+1:
Is there a support article/tutorial that shows how to convert to the OPVault format? I did a quick search on the AgileBits Support site, but nothing came up.
Yep! Switch to OPVault. We've been making some changes to the support site, so it's entirely possible that something was broken when you tried to find it earlier.
When you say "all current stable versions...," that simply means all non-beta, final public versions, right?
Correct! 1Password for Android recently got OPVault support, and the only real drawback there is that attachments aren't yet supported (though they are now in the beta).
Could you please kindly list all the versions for the different platforms that started to support the OPVault format? I know for Mac it started with 1Password 4, but I'd like a quick list to verify/check with what I have.
Oh dear. Don't Quote me on this, but it's something like 1Password for Mac version 4, 1Password for Windows version 4, 1Password for iOS version 5, and 1Password for Android version 6. If you want exact releases let me know and I'll see if I can track down some historical information.
And related to that...let's say you are using the OPVault format and one (or more) of the versions on a particular platform you also use (Mac, Windows, iOS, or Android) that does not support the OPVault format? What happens then? Would you have to update 1Password to the latest version of that particular platform?
You'd either need to update to the latest version of 1Password (and likely the OS as well), or switch to AgileKeychain for syncing if updating isn't possible.
Ok, so it's as I thought, wired keyboards (and mice) are more secure. I suppose a wireless keyboard/mouse connection shouldn't be an issue in your own home as it would be in a place where other people were with you as well.
Wireless devices should be secure as well, but there can always be bugs in the driver or OS -- or the protocol itself. This is unlikely, but having data going over the air presents risks that a direct connection doesn't.
Thank you again for your time (seriously mean that) in providing this information! :)
Any time! It's a pleasure. Thanks for reading my "wall of text"! ;)
0 -
Hi @brenty ,
So regarding the "bug" of:
A concrete example of data being decrypted immediately when you unlock 1Password is that it will display the item you were viewing previously,
So essentially my, and I guess everyone else's, 1Password not displaying the same item I was on before 1Password was closed/locked isn't a bug.
Honestly, rooting and jailbreaking is fun, but security is the best argument against doing that. By definition, you're "breaking" the OS's defenses against running untrusted code and using private APIs. If that weren't the case, it would be harmless...but it would also be less useful.
I suppose one could root/jailbreak on a "test" device as opposed to one where they need it to work properly and not having the integrity of it's security compromised.
Precisely! :) :+1:
Yep! Switch to OPVault. We've been making some changes to the support site, so it's entirely possible that something was broken when you tried to find it earlier.
Thanks for the link. However in the article it states (quote feature doesn't seem to format these lines properly):
In order to use the OPVault format with Dropbox, the latest versions of 1Password are required on all platforms:
- Mac and iOS: 1Password 6 or later
- Windows: 1Password 4 or later
- Android: 1Password 6.3 or laterAt least in regards to the Mac version you said the OPVault was introduced and is thus compatible with 1Password 4. But in order to use it (the OPVault and the Mac version) with Dropbox you need to be on 1Password 6 for the Mac...? I'm not sure how this works for the other platforms.
You'd either need to update to the latest version of 1Password (and likely the OS as well), or switch to AgileKeychain for syncing if updating isn't possible.
Ok so essentially having the latest for version for 1Password and the OSes is the best way to go for the most part. But if for some reason you can't update an OS that uses that uses that synced vault (in this case the OPVault version) then all platforms will have to use the older AgileBits version.
Wireless devices should be secure as well, but there can always be bugs in the driver or OS -- or the protocol itself. This is unlikely, but having data going over the air presents risks that a direct connection doesn't.
Thank you for the information.
Any time! It's a pleasure. Thanks for reading my "wall of text"! ;)
Thanks again...at least the "wall of text" is getting smaller! Although I thought I had some more questions for you, but I don't recall them at the moment. Will post back if/when I recall them.
0 -
So essentially my, and I guess everyone else's, 1Password not displaying the same item I was on before 1Password was closed/locked isn't a bug.
@ScarySulley: Correct. Sorry for causing that confusion!
I suppose one could root/jailbreak on a "test" device as opposed to one where they need it to work properly and not having the integrity of it's security compromised.
Well, the security is still compromised...but yeah, if you don't have anything of value on the device it probably won't matter to you.
At least in regards to the Mac version you said the OPVault was introduced and is thus compatible with 1Password 4. But in order to use it (the OPVault and the Mac version) with Dropbox you need to be on 1Password 6 for the Mac...? I'm not sure how this works for the other platforms.
This gets a bit "into the weeds", but while earlier versions of 1Password supported OPVault in some cases, they are no longer supported, both due to the age of the app and the OS itself. And in the case of Dropbox, OPVault is very much separate. Dropbox syncing was supported started with 1Password 3, but OPVault did not exist at that time so only AgileKeychain was available. Using 1Password for Mac as an example, while version 4 introduced support for OPVault, OPVault was not supported for Dropbox syncing until version 6. If you'd enabled Dropbox sync prior to that, an AgileKeychain would have been created.
Ok so essentially having the latest for version for 1Password and the OSes is the best way to go for the most part. But if for some reason you can't update an OS that uses that uses that synced vault (in this case the OPVault version) then all platforms will have to use the older AgileBits version.
Exactly. Even though your 1Password data is encrypted on disk, all apps rely on the security of the OS when in use, so keeping up to date (browser too) is integral to your overall security. Security isn't a binary state, so we all have to do what we can to improve it.
Thanks again...at least the "wall of text" is getting smaller! Although I thought I had some more questions for you, but I don't recall them at the moment. Will post back if/when I recall them.
Sounds good. (Now I'm wondering what the other questions might be!) :lol: :+1:
0 -
Hi @brenty,
You gotta new avatar picture now...almost didn't recognize you! :p
Out of curiosity, I got some questions regarding the new subscription model:
Under the pricing page it lists details for the individual user and family plans. What does "web access" refer to? Is this a replacement for 1Password Anywhere?
It seems as though the individual user subscription plan uses the same hosting that 1Password Families/Teams use. Can the individual subscription plan be used like the standalone (non-subscription) license in that you don't have to use hosting platform 1Password Families/Teams use? But rather store the vault locally and/or use Dropbox?
What is the difference between AgilbeBits.com and 1Password.com? I know they look different, and the two big links on AgilbeBits.com link to 1Password.com, and AgilbeBits.com has prominent links to the standalone non-subscription versions, but why the two separate URLs/sites?
Not sure if I should have posted this in another section, but since the questions cover more than one section/topic, I just sticked to this thread. :)
Thanks!
0 -
You gotta new avatar picture now...almost didn't recognize you!
A few of us have. :)
What does "web access" refer to? Is this a replacement for 1Password Anywhere?
With 1Password.com accounts you can login to our website and interact with all of your 1Password data. View, create, edit, etc. 1PasswordAnywhere was only ever able to view some data and only for one vault at a time. The web interface supports All Vaults and is read/write.
It is 1PasswordAnywhere on steroids. :)
The web interface is also where you'll go to set up your subscription, invite other people (for teams / families), manage vaults, etc.
It seems as though the individual user subscription plan uses the same hosting that 1Password Families/Teams use.
They are all indeed built on the 1Password Teams foundation.
Can the individual subscription plan be used like the standalone (non-subscription) license in that you don't have to use hosting platform 1Password Families/Teams use? But rather store the vault locally and/or use Dropbox?
You can still create local / "standalone" vaults, and optionally sync them with Dropbox. But any vaults that are part of your account will be stored on the 1Password.com service, and that is the only way to get the benefits of the service itself (e.x. it isn't possible to take advantage of the new sharing or web access features with local vaults).
What is the difference between AgilbeBits.com and 1Password.com? I know they look different, and the two big links on AgilbeBits.com link to 1Password.com, and AgilbeBits.com has prominent links to the standalone non-subscription versions, but why the two separate URLs/sites?
I think this is a question we ourselves are still trying to answer internally but I believe the goal right now is to have 1Password.com focus on marketing our 1Password services while AgileBits.com will be more oriented toward the company itself, and may host items like our EULA, etc.
Thanks!
Ben
0 -
Thank you for the information @Ben!
Question for you, @Ben, or @brenty, or anyone of course.
I did an update to 1Password (non-subscription) and it said something in the update notes about 1Password receiving an update that allowed it to work better with the new 1Password hosting service, or something like that. I'm not sure what the exact phrase was. Does the non-subscription 1Password work in some way with the new subscription hosting platform?
Maybe you can direct me or provide the update notes so I can point it out? I really wish I remembered what it said exactly...
Thanks!
0 -
@ScarySulley the identical version of 1Password is currently designed to work with both standalone arrangements and for those who use one of the AgileBits' subscription services. You can see that, if you use the app as a standalone version (as I do), by going to 1Password > Preferences > Accounts, where you'll find an option to sign in to a subscription service.
To be perfectly clear, the app will work both as a standalone version and with one of the subscription services (if you have subscribed to one of those services).
Edit: you can always review the release notes by going to 1Password > Help > Release Notes.
Stephen
0 -
@ScarySulley: Indeed. Stephen_C is right on: the 1Password app is the same regardless of whether you subscribe or purchase a license; it supports both. It just makes sense rather than maintaining separate apps for each. If you're using a standalone license for the app, it won't interact in any way with he server used for the subscription service.
Regarding the release notes, I know what you're referring to but I cannot for the life of me find that specific line:
1Password for Mac release notes
Essentially we want to document any changes both for internal tracking and frankly because many customers appreciate knowing whats new. If you're not a subscriber though, pretty much any reference to a "1Password Account" can be ignored, as it won't apply to you. But don't hesitate to ask if you have any other questions about a new version or anything else. :)
0 -
Interesting, I didn't know that the regular 1Password (non-Teams/Family version) was in fact the same app, but the subscription-based version connects to the hosting service...But wouldn't that mean technically they are two different apps since one is able to something the other can't?
1Password for Mac release notes
Thanks for taking the time to post that!
0 -
@ScarySulley: Great question! I guess it depends on how you look at it to some extent, but quite literally you'll use the exact same 1Password app whether you've purchased a license or subscription. So I'm sticking with "it's the same app"! ;)
You're right that the vault types have different capabilities though, but this has always been the case even with local vaults given the technical differences between formats. However, in the case of the hosted service, the main difference is that there isn't a local format at all, only a database blob. In most current versions of 1Password, this is the case even with local vaults (there's an internal database). But with local vaults an external local copy is created for sync purposes (Dropbox or folder), and of course that isn't the case with a 1Password Account: data is stored on the server and cached on the device locally.
Long story short, we don't have any plans to create, test, and maintain separate team/family/individual/license apps on each platform. I think the simplest way to think of it is that we have an app that reads vaults; with a license, these are always local with optional 3rd party sync; and with a subscription, they are hosted on 1Password.com. 1Password just knows how to access each of these. I hope that helps clarify things. :)
0