Locking and security

fwolfe
fwolfe
Community Member

If my computer is being used by 1 person in my home, do I need to lock 1password (automatically or not), or can I keep it open all the time. That is, is their a real security risk in this situation that increases as a function of time? Thanks.


1Password Version: 7.07
Extension Version: Not Provided
OS Version: 10.13.6
Sync Type: Not Provided
Referrer: forum-search:why lock 1password

Comments

  • Stephen_C
    Stephen_C
    Community Member

    @fwolfe only you can access the risk of leaving 1Password unlocked in those circumstances. How likely is it others in the home would take a look? How likely is it someone would come in to the home while 1Password is unlocked? Personally I take the view that the lock options (1Password 7 > Preferences > Security, under Auto-lock) are sufficiently comprehensive for me to be able to choose a sensible combination of those that works for me.

    Stephen

  • Lars
    Lars
    1Password Alumni

    @fwolfe - that's a difficult question to answer in absolute terms, because each person's threat profile (not to mention their risk tolerance) is different. More than that, each person's assessment of their own threat profile varies, and sometimes bears little resemblance to what the facts of their situation would suggest. Bottom line: it's up to you. The controls in Preferences > Security allow you a very wide swing in how often 1Password will lock and require your Master Password; if you uncheck all of those boxes, 1Password should only ask you for your Master Password when you log in, restart your Mac or hard-quit 1Password. I personally would never recommend settings that loose, because once set, you tend not to think about them again during normal use, and (particularly if you have a MacBook instead of a desktop iMac or Mac Pro or Mini, you may wind up in situations where it would be unwise to leave things so wide open, and forget to think to change your settings. But that is a question only you can answer.

  • fwolfe
    fwolfe
    Community Member

    Stephan and Lars, Thanks for your comments. Let me pose my question somewhat differently since I believe your relies are directed to the risk associated with someone stealing data from my physical computer. Suppose the only person with access my computer (mac pro) is me. Therefore, there would be no threat from anyone directly operating my physical computer and no one to look over my shoulder at the screen. In that case, is there any security threat from leaving 1password unlocked as opposed to locking it. If so, where does the threat come from and is it possible to estimate the degree of threat. Thanks,

    Fed

  • AGAlumB
    AGAlumB
    1Password Alumni

    @fwolfe: When you say "the only person with access my computer (mac pro) is me", I think that's assuming that you never have any guests, invited or otherwise. While that may be typical for any given day, I do think it's important to plan for the worst.

    Let's approach this a different way: what's the minimum amount of time in which you would step away from your computer and return to pick up where you left off? If that's an hour, make 1Password lock after slightly longer. That way most of the time you'll return to it and can resume without interruption. But in cases where something comes up — delivery, emergency, etc. — you don't need to worry about 1Password remaining unlocked effectively indefinitely, potentially leaving the door wide open for someone who shows up who isn't usually present (setting up some furniture, installing an appliance, fixing a plumbing/electrical/cable issue, etc.) sneaking a peak at your most important data.

    Also, it's worth mentioning that entering your Master Password regularly is not only good security hygiene, but also practice remembering and typing it, which helps you avoid getting locked out yourself.

    The security threat to your 1Password data is anyone other than you being able to access it under any circumstances, and if you leave it unlocked all the time there is nothing stopping that from happening. So it's worth experimenting with the settings to ensure that you need to enter your Master Password to unlock it often but not too often, because there just isn't any way to predict the future. It's better to have your data secure by default, due to auto-lock, and not have to worry about it. :)

  • fwolfe
    fwolfe
    Community Member

    @brenty, thank you for the additional clarifications. These conclusions can now be summed up as follows.

    1) There is no security threat in leaving 1password unlocked per se.

    2) The security threats come about when others gain access to to the computer.

    3) Be careful.

    4) Making "your data secure by default, due to auto-lock" is a good practice.

    Thanks to all who commented.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @brenty, thank you for the additional clarifications.

    @fwolfe: You're very welcome! Glad to help. :chuffed:

    These conclusions can now be summed up as follows.
    1) There is no security threat in leaving 1password unlocked per se.
    2) The security threats come about when others gain access to to the computer.

    I'm not sure we can divorce these two, but certainly it depends largely on a) the level of security you want for your data and b) your personal threat model. I'll just clarify that when you enter your Master Password and unlock 1Password, while everything is not automatically decrypted at that time (this happens as you access each item), you should treat it as unsecured at that time since anything in it can be immediately decrypted and accessed merely by selecting an item from the list.

    3) Be careful.
    4) Making "your data secure by default, due to auto-lock" is a good practice.

    Words to live by. :) I really like just not having to worry about it.

    Thanks to all who commented.

    Likewise, thanks for bringing this up! It's a fascinating topic, and I think it benefits all of us to think hard about how we want to treat our data. Cheers! :)

This discussion has been closed.