Extra password prompt for super sensitive data if 1P is unlocked

Tilo
Tilo
Community Member
edited December 1969 in 1Password 3 – 7 for Mac
Hello Agile Team, first off all i love 1P. Great software, can't remember to work without it.

BUT: Is there any possibility to have a extra prompt for special secret data like credit card numbers so 1P is unlocked but not the hole data.

i admit this i in 99% for my own feelings.

Comments

  • MikeT
    edited December 1969
    You shouldn't have it running unlocked constantly, that's a security risk in itself if you want to be extra paranoid about your security. You might want to have 1PW lock itself after certain period of inactivity and wipe your clipboard after certain time as well.

    Your logins are just as important as with your cc number. I'm willing to bet I can just get your CC numbers by logging into your CC site with the login, so really, it wouldn't matter if your CC is hidden. (Pin is probably a factor but many sites don't bother to ask for Pins).
  • Tilo
    Tilo
    Community Member
    edited December 1969
    I know about these features and i use them but i don't store my bank logins in 1PW because of this missing feature. I think these logins and CC numbers and some notes need these special status. Maybe i am paranoid but i think the software is good if the user has a good feeling to work with it. It would be great if i could set the security level for every item in 1PW.

    I'm not the only one, maybe.
  • jpgoldberg
    jpgoldberg
    1Password Alumni
    edited December 1969
    Hi Tilo,

    The idea of different security levels is something that 1Password can in principle be extended to do. In fact, we do this for the iPhone where typing in a master password can be less than convenient. So we have low security items (which you can use for software licenses and the like) which are only protected by a four digit code.

    The actual format of the Agile Keychain does allow us to extend 1Password in these directions, but there are no plans to do so at this time. You can read more about the keychain design here:

    http://help.agile.ws/1Password3/agile_keychain_design.html

    That being said let me reassure you about the safety of your bank and credit card information even when you data file is "unlocked". Even when your file is unlocked, everything is still encrypted in your data file. Unencrypted data is never written to disk. Items that you don't use aren't even decrypted in memory. It is only when you use or view an item that it actually gets decrypted in memory. Because of this design, there really is little need for the extra complication that an even higher security level would involve.

    As you see from the previous paragraph, the notion of "unlocked" can be a bit misleading. Your "unlocked" data is still well protected. It's really that 1Password has access to a special key that it can use to decrypt individual items when called upon to do so.

    I hope that this reassures about our recommended way to use 1Password. In the end, the security choices that you make are your decision. But I can let you know what all of us are very comfortable using 1Password in this way, and we we are acutely aware of the kinds of real and potential threats that are out there.

    I hope that this helps.

    Cheers,

    -j
  • evo
    evo
    Community Member
    edited December 1969
    I also feel a strong need to store extra sensitive information with a secondary password. I think Agile forgot a very common use case!

    I do use 1Password Auto-lock feature, but I leave it quite wide so as not to be bothered entering the Master Password too often. That's what make 1Password really useful as I only have to type that complicated master password a few times a day.

    But this means that anybody visiting the house can sit down at the computer and access ALL the information while 1Password is unlocked.
    For ordinary things like forum logins, it doesn't matter too much and the risk is acceptable. But NOT for sensitive information.

    So in practice this means that I cannot store bank account logins and credit cards in 1Password just because I cannot take the risk and someone sitting at the computer and access the info while 1Password is unlocked.

    You have to realize that many people will use 1Password maybe 20 times a day for casual access to unimportant sites, and only a few times a week for sensitive sites and credit cards, etc…
    So it really makes sense to have 2 levels (at least) of security. And by the way, why have recognized this fact for the iPhone and not for the Mac???

    And another thing: It drove me crazy to try and figure out what was this Low/High security was ONLY for the iPhone! When I stumbled upon this setting, I thought that was THE solution I was looking for and I tried to use it on the Mac, and it is not obvious at all that this is reserved for the iPhone. Think about the uses who don't have an iPhone, no hint in the GUI that it doesn't concern them! And not even mention I could find in the help file (the Mac help file of course)!


    jpgoldberg wrote:
    Hi Tilo,

    The idea of different security levels is something that 1Password can in principle be extended to do. In fact, we do this for the iPhone where typing in a master password can be less than convenient. So we have low security items (which you can use for software licenses and the like) which are only protected by a four digit code.

    The actual format of the Agile Keychain does allow us to extend 1Password in these directions, but there are no plans to do so at this time. You can read more about the keychain design here:

    http://help.agile.ws/1Password3/agile_keychain_design.html

    That being said let me reassure you about the safety of your bank and credit card information even when you data file is "unlocked". Even when your file is unlocked, everything is still encrypted in your data file. Unencrypted data is never written to disk. Items that you don't use aren't even decrypted in memory. It is only when you use or view an item that it actually gets decrypted in memory. Because of this design, there really is little need for the extra complication that an even higher security level would involve.

    As you see from the previous paragraph, the notion of "unlocked" can be a bit misleading. Your "unlocked" data is still well protected. It's really that 1Password has access to a special key that it can use to decrypt individual items when called upon to do so.

    I hope that this reassures about our recommended way to use 1Password. In the end, the security choices that you make are your decision. But I can let you know what all of us are very comfortable using 1Password in this way, and we we are acutely aware of the kinds of real and potential threats that are out there.

    I hope that this helps.

    Cheers,

    -j
  • MikeT
    edited December 1969
    Jeff, he isn't really talking about keychain file. He's talking about leaving 1PW running unlocked so that he doesn't have to enter the master password all the time. He feel safe in letting 1P running unlocked for logins only but only if the other sections are locked for a second password or remain locked while Logins is unlocked.
  • MikeT
    edited December 1969
    evo wrote:
    I also feel a strong need to store extra sensitive information with a secondary password. I think Agile forgot a very common use case!

    I do use 1Password Auto-lock feature, but I leave it quite wide so as not to be bothered entering the Master Password too often. That's what make 1Password really useful as I only have to type that complicated master password a few times a day.

    But this means that anybody visiting the house can sit down at the computer and access ALL the information while 1Password is unlocked.
    For ordinary things like forum logins, it doesn't matter too much and the risk is acceptable. But NOT for sensitive information.

    So in practice this means that I cannot store bank account logins and credit cards in 1Password just because I cannot take the risk and someone sitting at the computer and access the info while 1Password is unlocked.

    You have to realize that many people will use 1Password maybe 20 times a day for casual access to unimportant sites, and only a few times a week for sensitive sites and credit cards, etc…
    So it really makes sense to have 2 levels (at least) of security. And by the way, why have recognized this fact for the iPhone and not for the Mac???

    And another thing: It drove me crazy to try and figure out what was this Low/High security was ONLY for the iPhone! When I stumbled upon this setting, I thought that was THE solution I was looking for and I tried to use it on the Mac, and it is not obvious at all that this is reserved for the iPhone. Think about the uses who don't have an iPhone, no hint in the GUI that it doesn't concern them! And not even mention I could find in the help file (the Mac help file of course)!


    Those 20 times to casual sites don't require you to open 1P client, you just use the browser to open the extension and let it fill it in. There's a setting there where an unlock does not unlock all the browser and the application. You shouldn't need to run 1P all the time unless you're using secure notes all the time and there's the problem, because 1PW is slowly gaining all the other features. One security model for all sections is not going to work and won't work for most people, Agile should figure out a way to radically change the interface of 1PW to indicate partial locked status.
  • MikeT
    edited December 1969
    You guys are looking for something like this?

    n5VeAl.jpg
  • Tilo
    Tilo
    Community Member
    edited December 1969
    WOW nice to know there are more than one out there missing such a feature. Hope for us to get a solution.
  • jpgoldberg
    jpgoldberg
    1Password Alumni
    edited December 1969
    Thank you all for your very thoughtful and thought provoking comments.

    Mikhail, thanks for your insight into the discussion and highlighting what 1Password can do now.

    Evo and Tilo, I am sure you are not the only ones who have these kinds of concerns. As I said, some of the underlying design of the Agile Keychain format does allow us to move forward in the direction of having multiple levels of passwords for users who would wish that. It is always great to hear about how people use and would like to use 1Password.

    As an aside that doesn't take away from your point, I agree with Mikhail in that I personally wouldn't put credit card info into the same secure category as bank login information. Everyone's credit card numbers are already in the hands of criminals a dozen times over. Not because on-line activity or compromises of individual's computers, but because the security of large merchants has been broken time and again. (The biggest known events of this nature have nothing to do with on-line merchants, but involve big traditional retail chains.) Also, we regularly hand our credit cards to a waiter or busboy who is making minimum wage and can just take a quick photo back and front with his phone.

    I am not for a moment advocating that people be casual about their credit card numbers, but those details are actually far more available to criminals (and harder for criminals to turn into cash) than your online banking information.

    Anyway, that was all an aside. It doesn't take away from the point of the desirability of multiple levels.

    It drove me crazy to try and figure out what was this Low/High security was ONLY for the iPhone!


    The rationale for the low security items on the iPhone and iPod touch only is that those are the devices on which typing in a strong password can be a real inconvenience. I'm sure you agree that a four digit unlock code provides very limited security if someone gets a hold of that data file off your phone.

    One of the big design features of 1Password from the very beginning is to make it easy for people to follow practices that make them more secure. At the same time we certainly recognize that people have different needs, preferences, and concerns. Still leaving your computer open and unattended is not something I would encourage. Your security will be dramatically enhanced not through having multiple levels security within 1Password, but by changing your master password to something that is easier for you to type and setting 1Password to require that master password. If you pick a master password that is so "secure" that you are unwilling to type it a few times throughout the day, you are, in my opinion, actually lowering your security instead of raising it.

    I would also consider using Mac OS X Security features (System Preferences > Security) to require your login password after your computer sleeps or the screen saver begins. I have mine set to 15 minutes after sleep. I also disable automatic login to OS X. This will mean that you have to occasionally enter a password when you sit down at your computer, but this practice will improve your security much more than adding multiple security levels to 1Password. These settings are far more than about your 1Password information. If you are concerned about a malicious person doing something on your computer, they could install software that would grab everything your computer transmitted, even over encrypted connections.

    I am not saying that multiple security levels in 1Password doesn't have a place, but I do feel that the security threats you are considering are better addressed through other practices. And as I said, we always value learning how people use and want to us 1Password. As I said at the outset, some of the internal infrastructure for multiple security levels is already in place, so it is definitely a direction we may want to go someday. Comments like yours are extremely important in those considerations and are most welcome.

    So thank you for your comments and for this discussion. I'm looking forward to hearing more from you.

    Cheers,

    -j
  • evo
    evo
    Community Member
    edited June 2010
    [EDIT]: Sorry I posted my reply below a bit too fast before reading the other replies after my post. However, I do not agree with changing practices to increase security. Things tend to always go back to the easy way. I often let other household members or visiting friends use the Mac, I don't even want to tell them "sorry my Mac is off limits to you because you could access my sensitive information". This would offend them. I just want to have my sensitive info protected while allowing other people to use my mac, and I want to keep 1Password delay very large for myself for the casual uses.
    Also, I am the support person for many family and friends, and I realize they have the same need, even more so!

    While I note the positive attitude from Agile here, I am disappointed to conclude that this feature will not appear any time soon, so I better start looking else where. I may keep 1Password for the casual types of uses, and another utility for the sensitive information (or vice-versa).



    MikhailT wrote:
    Those 20 times to casual sites don't require you to open 1P client, you just use the browser to open the extension and let it fill it in. .


    No, I did not mean to leave the 1Password client app open, I was talking about the use of 1P button in the browser.
    While the access to the 1P button is unlocked, I don't want someone else sitting at my computer being able to login to my bank accounts, or auto-fill credit cards info at an online store.

    Another thing, I do agree that access to other vaults that can only be accessed from within the client app remain protected if I leave the 1Password app closed (since master password is required anew when opening it) but then, I must keep the only master password strictly to myself.
    But I also have a desire to share the usage of the 1P button for casual uses with other people like members of my household, and the only way to do that now is to give them the one and only master password, and then they have access to everything.
    So in the end, I simply cannot use 1Password for sensitive information (other than using another Mac OS X account, which also complicates things).


    To put it another way, I see two main uses for 1Password:
    1- Avoid typing myself credentials for casual sites. The emphasis here is to avoid remembering and typing myself many of these, often in the day. For these I want a large auto-lock delay, a relatively simple 1P password, and I more willing to share it with others.
    2- Increase security for access to sensitive information through the use of strong passwords that are near impossible to remember. For these I want a very short auto-lock delay and I want to be the only one to know the 1P password.

    The above 2 classes are clearly distinct to me and require two different passwords.
    Again this was done for the iPhone by Agile, why not for the desktop application?
  • evo
    evo
    Community Member
    edited June 2010
    jpgoldberg wrote:
    As I said, some of the underlying design of the Agile Keychain format does allow us to move forward in the direction of having multiple levels of passwords for users who would wish that.
    -j


    I realize that, and this is sad, meaning we are not getting that feature anytime soon.
    Could we at least have a way to somehow switch keychains? That would be cumbersome I guess, but at least I could start using 1Password for sensitive information on a different keychain.

    I could also use another Mac OS X user account for sensitive information, but that too, I find very cumbersome, it doesn't fit the way I use my Mac.
  • evo
    evo
    Community Member
    edited June 2010
    jpgoldberg wrote:
    The rationale for the low security items on the iPhone and iPod touch only is that those are the devices on which typing in a strong password can be a real inconvenience. I'm sure you agree that a four digit unlock code provides very limited security if someone gets a hold of that data file off your phone.
    -j


    You did not understand my point on the low/high issue. My point was that it is undocumented in the Desktop app! A desktop-only user like me sees that High/Low option and has no idea what it's for, especially since it has no effect in the Desktop application!

    For an hour, I thought that this was the solution for my need of two password levels in the desktop app, and I was trying in vain to figure out how to use it in the desktop app.

    I now understand that it is in the desktop app only because iPhone users of 1Password synchronize between desktop and iPhone so they need the iPhone-only setting in the Desktop app as well.
    But please realize that someone who is not aware of the iPhone app and its specificity will be really confused with this setting!

    When I say: "It is undocumented", I am not sure actually. I have another gripe... I tried reading the help file a bit, but the absence of a search function prevented me from searching for "High/Low" and go there directly. Obviously, I did not feel like reading it all from start to finish to find out.
    And anyway, reading the help file shouldn't be required, the GUI should make it obvious this setting is only for the "Touch" application.
    Even the fact that the iPhone app refers to "Unlock code" and "Master Password" while the Desktop app refers to High/Low security" (when editing) increases potential for confusion.
  • evo
    evo
    Community Member
    edited June 2010
    jpgoldberg wrote:

    One of the big design features of 1Password from the very beginning is to make it easy for people to follow practices that make them more secure.
    .....

    I am not saying that multiple security levels in 1Password doesn't have a place, but I do feel that the security threats you are considering are better addressed through other practices.
    -j

    First of all, these two ideas above somewhat contradictory....

    It is clear to me that 1Password was initially created to increase security for access to sensitive information, and this application is great for this, fantastic!

    But casual uses were forgotten and not really considered in the design.

    I find it ironically strange that the casual uses were readily identified for the iPhone app but not for the Desktop app, and Agile created the unlock code for the iPhone but not the Desktop app.

    I know it all came to mind because of the lack of multitasking on the iPhone, but it all boils down to the impossibility to have a long auto-lock delay in the iPhone app, while a long delay is precisely incompatible with the high security required for sensitive information. So the needs for the Desktop app and the iPhone app to have two levels of security are actually the same. They both need a lower security level for casual uses!
  • jpgoldberg
    jpgoldberg
    1Password Alumni
    edited December 1969
    Thanks, evo. I do hear you.

    I've just had chat with the developers about multiple security levels in the desktop app, and there certainly is a real desire to enable and make use of multiple security levels in 1Password for Mac (and Windows). There are lots of bits and pieces of managing groups of items that need to be put in place first, so I wouldn't expect to see all these in the immediate future.

    You are also correct, evo, that I got too hung up with the details of a particular expression of needing these. I quibbled with the specific example instead of seeing the broader need. I thank you for your persistence in getting me beyond that.

    You and I may still disagree about the parallels between the iPhone and the Desktop, but I think we both agree that users should have more flexible control security levels. So while I may keep to my current practice, while you and others can make full use of multiple levels.

    Again, thank you for this lively discussion and helping me better understand different (and perfectly reasonable) needs.

    Cheers,

    -j
  • Tilo
    Tilo
    Community Member
    edited December 1969
    First of all, i have to say thank you to all of you and to the great 1PW support team.

    I'm interest if this feature is really a missing one so i added a poll to this thread.
    Please take this not as criticizing or something else in this direction.

    You really do a great job.

    Tilo
  • evo
    evo
    Community Member
    edited December 1969
    Tilo wrote:
    First of all, i have to say thank you to all of you and to the great 1PW support team.

    I'm interest if this feature is really a missing one so i added a poll to this thread.
    Please take this not as criticizing or something else in this direction.

    You really do a great job.

    Tilo


    I agree with this... 1Password is great product and the will of the support team to listen and respond to users here is impressive. I was just too upset for a moment to see this app lessened by a lack of an important feature.

    So far I have only used 1Password for casual purposes and using a long auto-lock delay, while I have kept the sensitive passwords and information in my head. Using it in this limited way is already of great help.
    I just can't wait to make full use of the application when it meets all of my meeds. In the meantime, I have just found another utility that I think will work out to complement 1Password for me, but things will be simpler when I can use 1Password exclusively.
  • MikeT
    edited December 1969
    So, maybe 1PW split into two different modes. The Lite usage for casual browsing and family mode and the Full mode which is the current client. The question is how the keychain would work with it, two different keychains for both mode or mark the sections as Lite and Lite can load from same keychain without loading the sensitive sections.
  • MartyS
    MartyS
    Community Member
    edited December 1969
    Tilo wrote:
    First of all, i have to say thank you to all of you and to the great 1PW support team.

    I'm interest if this feature is really a missing one so i added a poll to this thread.
    Please take this not as criticizing or something else in this direction.

    You really do a great job.

    Tilo


    It's okay... we certainly don't think you're being critical so everything is good! :) We're always trying to do our best at both the products you receive from us as well as the support. While we cannot implement everything that is suggested we do like to hear what's on your mind!
This discussion has been closed.