Concerned about Handoff/Continuity

mickaphd
Community Member

Hi,

I use Handoff/Continuity and I just noticed that when I copy a password from 1Password iOS, I have it on my Mac clipboard.
Moreover, in that specific case, the 90-second system where the clipboard is erased is not working.
It's a little bit insecure, no?
Is there a way to block 1Password with Handoff, like for example the clipboard of the Alfred application, which doesn't keep in memory everything coming from 1Password?

Thanks

M



Comments

  • Lars
    1Password Alumni

    @mickaphd - I don't want to make light of the security implications, but there are limits to what we can do about users using things like clipboard managers or other input managers which can save historically every bit of text copied to the clipboard. I realize you're not using a third party service, but the general idea is the same: if you're capturing clipboard entries, then that defeats (or does an end-run around) the clipboard-erasing feature of 1Password. I know of no way to block user-activated system processes in cases like these. 1Password doesn't run with root privileges on your Mac (the only reason the current installer requires you to enter an Admin password is because it modifies the Applications folder when installing), so we're bound by the same rules for Handoff that everyone else is.

    To hopefully give you a little peace of mind and/or some potential steps to take, any password copied to your Mac would typically be without context - it would probably be recognizable as a password if someone were to examine the contents of your Mac's clipboard, but for what? If you were working in iOS, there'd be no record on your Mac of what specifically you were doing -- only a bare password. Secondly, if you're in a hostile or unknown environment where someone could be sniffing/reading Wi-Fi and Bluetooth traffic, you should probably turn off features like Handoff anyway. If you're at home or in your office, it's probably worth making a realistic assessment of your threat model there: do you suspect you are in the presence of people who have both the skills to intercept your traffic and the desire to do you harm? If so, you should likely tighten several aspects of your security, including your 1Password security settings, your Handoff/Continuity settings and several other aspects of your normal workflow, just as you would in a hostile public environment.

  • mickaphd
    Community Member

    Thanks for the answer, I agree indeed

  • Lars
    1Password Alumni

    @mickaphd - you're quite welcome! There's often no one "right" answer to questions like these: each person's situation is different (not to mention their risk tolerance and the amount of work they're willing to do to ensure X amount of security). Feel free to drop by anytime if you have questions or issues with 1Password. Cheers! :)

  • AGAlumB
    1Password Alumni
    edited March 2018

    @mickaphd: This drives me nuts too, and not just with 1Password. There isn't, unfortunately, any granular control over this. The only way to avoid it is by disabling Continuity completely — and I would miss that the rest of the time. :(

  • KŻP
    Community Member

    I'd contacted you on Twitter about this issue yesterday and was pointed here, so I'm using the opportunity to elaborate.

    There are iOS apps (dictionaries, as far as I know) which auto-paste from the clipboard. This must be a niche case, but it is also an extremely convenient productivity-enhancing feature: while I work on my Mac, I just copy the words I want to get more insight on, and instantly get the break-up from as many as two (split-screen) advanced dictionaries, without having to touch the iPad. Except that every now and then the dictionaries will try to look up the password I've just copied. Sometimes, they'll reach out to the online database as well, which is even more problematic.

    I understand this is something which goes beyond any simple solution. I thought you could just propagate an empty space and thus wipe Continuity clipboard as well, but it would be too late to prevent dictionaries from intercepting it anyway.

    Perhaps it is worth making Apple aware that security apps need an ability to block Continuity from propagating sensitive data put in the clipboard? Turning Handoff off and back on every time I want to use 1Password sort of defeats the purpose, not to mention, it isn't exactly a one-click action either.

    K.Ż.P.

  • Hi there.

    I'm not sure there would be any tangible security benefit to such a feature even if it were available.

    • A password copied to the clipboard from 1Password is copied without context
    • If you believe an app may be malicious in the way it uses the clipboard you may want to reconsider having that app installed. Consider what other data it may be gathering as well. If you're worried about it having access to context-less passwords, there are likely other things that cross the keyboard that would be of concern as well. Personally I wouldn't be comfortable having everything I copy to the clipboard sent to an online database... passwords or not.
    • Both macOS and iOS have built-in dictionary tools that may not have the same privacy implications or reliance on the clipboard
    • The purpose of the clipboard is to make data available to all applications - limiting that limits the functionality of the clipboard

    Considering the above... I wouldn't suspect Apple would be inclined to make changes in this regard, but if you're interested in sharing feedback with them you're welcome to do so here: Product Feedback - Apple. If there are still concerns then I'd recommend minimizing the use of the clipboard with relation to 1Password. There are other tools available, such as autofill as well as drag & drop, which do not expose 1Password data to the clipboard.

    Ben
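
For readers who write apps that copy secrets: the Apple pasteboard APIs accept per-write options that bear on the two behaviours discussed in this thread (propagation to other devices and timed erasure). The sketch below is an added example, not 1Password's code and not part of the original discussion; the function name `copySecret` and the `lifetime` parameter are hypothetical, and `org.nspasteboard.ConcealedType` is a third-party convention (nspasteboard.org) that clipboard managers may or may not honour.

```swift
import Foundation
#if canImport(UIKit)
import UIKit
#elseif canImport(AppKit)
import AppKit
#endif

/// Hypothetical helper: place `secret` on the general pasteboard so that it
/// stays on this device and is removed after `lifetime` seconds.
func copySecret(_ secret: String, lifetime: TimeInterval = 90) {
#if canImport(UIKit)
    // iOS: both restrictions travel with the write itself.
    //  .localOnly      - the item is not offered to other devices via Handoff
    //  .expirationDate - the system drops the item at that time, even if
    //                    the app has been suspended in the meantime
    let item: [String: Any] = ["public.utf8-plain-text": secret]
    UIPasteboard.general.setItems([item], options: [
        .localOnly: true,
        .expirationDate: Date().addingTimeInterval(lifetime)
    ])
#elseif canImport(AppKit)
    let pasteboard = NSPasteboard.general

    // macOS: .currentHostOnly keeps the new contents off other devices.
    _ = pasteboard.prepareForNewContents(with: .currentHostOnly)
    pasteboard.setString(secret, forType: .string)

    // Marker type asking clipboard managers not to record this entry.
    let concealed = NSPasteboard.PasteboardType("org.nspasteboard.ConcealedType")
    pasteboard.setString("", forType: concealed)

    // Timed erase: clear only if nothing else has been copied since,
    // so a later, unrelated copy by the user is not wiped.
    let stamp = pasteboard.changeCount
    DispatchQueue.main.asyncAfter(deadline: .now() + lifetime) {
        if pasteboard.changeCount == stamp {
            pasteboard.clearContents()
        }
    }
#endif
}
```

These options only govern what the writing app puts on the pasteboard; any local app that reads the pasteboard before it is cleared still sees the value, which is why the drag & drop and autofill routes mentioned above avoid the clipboard altogether.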

This discussion has been closed.