Feature Idea: Send Password to Computer

fabx
Community Member
edited September 2018 in Lounge

Edit:

Well, sorry, the same was asked 4 days ago... Since I can't delete my thread, I'll just leave it here.


Hello,

first off: I absolutely love your product. Beforehand, I didn't imagine I would enjoy it that much. But I feel so much more safe now.

While using it I got an idea about a little addition (which needs a lot of work):

Next week I will attend a workshop, where I will be using a foreign computer, not my own. All my passwords are stored in 1PW now and - like intended - I can't remember one of them. But I will still need to log in to some web services (gitlab for example, password 30 mixed-characters-and-numbers-strong) on this foreign computer. Since I don't know the computer I don't want to log into 1PW there and enter my secret key and master password. So I would have to access my vault via my phone and type the passwords by hand.

Long story short: what do you think about the possibility to access the vault with the phone and send the password to some safe space in the account which you can access on a possibly unsecure computer and only see the password I send there with the phone? Same would come in handy in internet cafes or if you use a friend's computer and don't want to set up your account there.

This way, in the worst case, only my gitlab (or whatever account I will use) could get compromised.

I can imagine this has a lot of security flaws, but wanted to share my idea nonetheless.

Best regards



Comments

  • AGAlumB
    1Password Alumni

    @fabx: I don't think this is something we'll add to 1Password since it is already possible for people to use their login credentials on untrusted computers by entering them, and it's really not something we want to encourage. It's always risky to do so. And each time you log in to an account on an untrusted computer, you should really change the password for that account on your own device afterward, since it may have been compromised. Certainly some folks are in a position where they want to do that anyway, regardless of the risks involved, but it's not something we want 1Password to facilitate. We really want 1Password to make it easier for people to do the secure thing, rather than the opposite.

  • rlh
    Community Member
    edited October 2018

    Edit: went back and looked at dates, figuring out my "advice" is too late to help @fabx but given @brenty's keen observation on not trusting a foreign computer, I'll categorize the "advice" more along the lines of thinking out loud on how I might approach this problem in the future.

    And given the advice that you should immediately change the password since you have no reason to believe it isn't compromised you might as well send it to the "foreign computer" via any (not particularly secure) electronic mechanism available (e.g., iMessage, an encrypted ZIP file in an email, etc.).

    Or have I gone off the deep end here? Maybe a better approach would be to, prior to next week, change those passwords to easy to type 1Password generated 4-word passwords, use the foreign computer for the week, fat-fingering in the passwords, and then as soon as you leave the workshop go back to 1Password and change them all to some new random strings.

  • @rlh

    I just can’t in good conscience recommend logging into any accounts that you care about from a public computer. But you have to evaluate your own threat model and decide what is appropriate for your situation. There is certainly always a balance between security and convenience that should be considered and if your situation mandates that you use public computers and taking appropriate precautions is the best you can do... then I guess that’s the best you can do, and that is still certainly better than what many/most people are doing. :)

    Ben

  • rlh
    Community Member

    @Ben, You are 100% correct. The only times I've ever had to log on via a truly public computer was to print a boarding pass pre-iPhone boarding pass days. And I literally changed the password using my laptop the minute I was done. I rationalized that my exposure was limited to only a short amount of time.

    I do think @fabx's situation of a "foreign" computer is slightly different in that you at least want to believe the workshop IT team is neither malicious nor incompetent. However, if the workshop is a week long then the time window seems to increase the risk. I'd definitely think hard about which accounts to "share".

    But as you say, we all have to weigh risks and do the best we can. I really do appreciate these 1Password forums where problems like this help me think through my security posture. And I especially appreciate the excellent advice from across the community.

  • Thanks for the kind words @rlh. :)

    Ben

This discussion has been closed.