Sharing on my iPhone shows the password in the text message
I was sharing a password using the "share" option in my 1Password iOS app by using Messages to send it to my son. When I looked at the message I noticed that at the top of the message, For example:
Paprika Cloud Sync
Login
username:
xxxxxxxxxxxxxx
password: xxxxxxxxxxxxxx
notes:
This is the cloud sync for the ....
Tap the link to add Paprika
Cloud Sync to 1Password
This seems like a security hole....
1Password Version: Latest iOS version
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Dropbox
Comments
-
@ajahn: When you share an item via the Share icon, 1Password specifically warns you that the item will be shared in plain text. We're not going to take this option away from you because it can be an insecure way to share, but indeed, when sharing in plain text you do need to be very conscious of the channel you're using to share and make sure you're confident that channel is secure. We can keep things safe within 1Password, but once your data is out in the wild, it's up to you to ensure it's adequately protected. In essence, while these means of sharing are potentially insecure, it's still your choice if you'd like to share this way anyway. We respect that and so we allow you to make that choice. Aside from removing the option to share, all we can do is warn you of the risks so that you're making an informed choice about how to share your data.
Of course, we think there's a better choice here. Wanting an easy way to share was a big thing that motivated the development of 1Password memberships. With a Family account, you can share items securely with your family by moving them to a vault accessible to those you wish to share with. You can set up vaults to share with one or all members of your family and organize items according to who needs access to them. If you're not happy with the existing methods of sharing items, give 1Password Families a try. :chuffed:
0 -
I see. But in the past, that section at the top with clear text was not there, only the section below the ------ which appears to be encrypted. Why change that?
0 -
I think I found a work-around. I can share using email, but before I hit send, I can remove the top part with the clear text userid and password. It really seems odd to have that in there. The contents of the share (bottom section) will give the person the userid/password once they import it into 1Password. Oh well. Not sure exactly how the family plan works, need to research it. But what I want is to have a shared database with my wife, but allow my kids to have their own (not see my passwords unless i share one with them, but let them have their own, and share some back with us.
0 -
which appears to be encrypted. Why change that?
It is not encrypted, and the purpose of having it in plain text at the top is to make that clear.
But what I want is to have a shared database with my wife, but allow my kids to have their own (not see my passwords unless i share one with them, but let them have their own, and share some back with us.
That is exactly what 1Password Families would enable you to do securely. Sharing via the share option is not secure (encrypted) unless the medium in which you send the message is encrypted (PGP encrypted email, iMessage, etc). Items you've shared via standard email or text message have been transmitted in clear text.
Ben
0 -
Got it. Thanks.
0 -
:+1: :)
Ben
0