Hide viewing passwords?
I just installed 1Password for trial and am concerned with how my passwords are available for viewing after logging in.
When I read about 1Password I assumed I'd have to log in once to use my saved passwords, and once again if I were to view them. This doesn't appear to be the case unless I misunderstood something (which I hope is the case).
Here's a screenshot: https://i.imgur.com/FHzvgw8.png
So if I were to walk away from my computer to use the restroom for example, my flatmate can walk up to my computer and view all the passwords unless I log out every time I need to step away? That seems a bit tedious, even google chrome asks for my password to view passwords.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
Hi @topless_banana. You can delete the pictured entry as long as you've got a record of the secret key somewhere safe, e.g. printed out and locked away.
To answer your main question: if you leave your computer unattended, you have bigger problems to be concerned about. Your flatmate could install a keylogger and wait until you next login to 1Password. Game over.
If you don't trust your flatmate then you need to lock your screen. WinKey + L. Ideally you should have separate user accounts.
If you don't want to lock your screen then you have to accept that your passwords may be compromised.
The other solution is to set a really low timeout for when 1Password automatically locks itself. However entering a long master password each time may be tedious in and of itself.
I should add that Google Chrome prompting for your password can easily be circumvented by anybody who knows what they're doing.
0 -
That is not a valid solution, as I mentioned in the example, even google chrome asks for the password to view your passwords. How can a program revolving around password protection not?
My flatmate, little brother or my girlfriend aren't malicious, the moral boundary of viewing someone's password to read private conversations and flat out installing a key logger aren't even close.
This isn't about whether someone would, but the confidence that nobody could.
0 -
There are two solutions, if neither are valid for you then you'll have to re-evaluate your needs.
No password manager asks you for a password to view passwords unless you manually lock it first (or set it to auto-lock). As I already said, Google Chrome's is easily circumvented and all your passwords can be viewed without your password. It's a privacy lock in Google Chrome.
This is how password managers work. There's no way for 1Password to know when you've left your computer unattended. I can guarantee you that people would complain if they had to enter their master password each time they wanted to log into a site!
However if this is a concern to you then the precautionary step of locking 1Password each time is something you'll have to do. Augment it with a very short auto-lock time in case you forget to manually lock 1Password.
If somebody is deceitful enough to view your private passwords then they're inherently untrustworthy but that's another debate.
0 -
One further note, the two password setup you describe (one to login, one to view your passwords) is technically useless.
If somebody could get 1Password to auto-fill the password into a browser, then regardless of a second password in 1Password, your brother or girlfriend could 'see behind the dots' in any password field! It's very easy to override and doesn't even require installation of a keylogger. It's a basic browser trick.
0 -
Thanks for replying.
0 -
@topless_banana: When you unlock 1Password with your Master Password, all of your data is available to anyone with access to your computer, so it's important to consider. It sounds like you want 1Password to require you to enter your Master Password again to reveal any information, and while many people wold find that tedious, the more important issue is that it wold be a lie: at that point you've already given your Master Password to decrypt any data, which you're already viewing (or using, to have 1Password fills a login). It would be the equivalent of lying if we made 1Password present itself to the user as still being secured under these circumstances. We believe very strongly that the user should be able to tell at a glance without question if their vault is secure or if it is not. That's represented by the lock screen. If you see that, you know that 1Password has cleared the encryption keys from memory, so that anyone who wants to access your data at that point will need to have your Master Password in order to do so. It's definitely a nuanced issue, so please let me know if you have any questions at all. As you can probably tell, I don't mind talking about this stuff! :)
0