about 1Password browser extension

[Deleted User]
Community Member
edited May 2014 in Mac

I recently read the discussion and learned about how 1Password does not require a two-factor authentication process since 1Password is not an online service that holds a server but a program that decrypts the data already stored on my local hard drive using my master password.

To my own understanding, the only way for a hacker to actually get a hold of my passwords is to steal my hard drive and when the hacker does so, the hacker will use his/her own decryption program to open my passwords which is not likely going to happen at all.

The only part I'm worried about is the browser extension.

I am not entirely sure how it works and whether it is vulnerable or not. Can someone please enlighten me?

Comments

  • Megan
    1Password Alumni

    Hi @dwkim227,

    I'm so glad to hear that you're thinking seriously about your security - that's what we like to see!

    In 1Password, your data file is encrypted with an exceedingly secure encryption algorithm called AES. Even if someone were to acquire a copy of your 1Password data file, it would be extremely difficult (approaching impossible in a human lifetime) for them to actually gain access to your passwords without your Master Password. You can see the thoughts behind our data format's design here.

    http://learn2.agilebits.com/1Password4/Security/keychain-design.html

    Both the main app and 1Password Mini (which runs the browser extensions) read data directly from your encrypted datafile, and data is only un-encrypted as needed. There is no data stored in the browser extensions.

    Now, that is the limit of my security expertise, so I'm going to ask our security guru @jpgoldberg to pop in here to shed some extra light on things.

    In the meantime, do let me know if you have any further questions!

  • jpgoldberg
    1Password Alumni

    Hi @dwkim227!

    I'm sorry that it has taken me so long to comment on your excellent question. First of all, let me thank you for thinking about the whole system. There is an unfortunate tendency for people to focus attention exclusively on the strongest part of a system, the encryption itself. (I love the encryption details and love talking about them, but overall that really is the strongest part of the system.)

    Browsers as hostile environments

    Browser security has developed enormously after Google Chrome first introduced internal sandboxing. Other browsers may have since surpassed what Chrome started, but thanks to that trailblazing, browsers are no longer the security nightmare that they once were. Nonetheless, browsers still present the biggest attack surface on your computer. Browsers are what are exposed to the most data of dubious intent and origins, and browsers actually run programs from those sources with JavaScript.

    So with browsers still presenting a large attack surface, what can we do to protect things with the 1Password browser extension? There are lots of "ordinary" things. Making use of security features within the browsers to ensure that other things in the browser don't interfere with it is one. Another is to make proper use of JavaScript scoping to keep "private" functions and variables inaccessible to other things that might be going on in the browser. Keeping as few secrets decrypted at a time is another thing. (Though it is hard to force JavaScript to "forget" something, which is annoying.) That is all normal stuff that we've always done with our extensions. But 1Password 4 goes further.

    Do in the browser only what should be done in the browser.

    The 1Password 4 browser extension does very little. We've taken almost all of the cryptography out of the extension as well as most of your secrets. In 1Password 4 your encrypted data is not stored within the extension. (In 1Password 3 a copy of your data is managed by the extension. It's encrypted of course.) Instead the 1Password browser extension talks to 1Password Mini. This way we keep both the cryptography and the data outside of the hostile environment of the browser.

    Figuring out what is going on in a web page is exactly what should be done in the browser and that is the bulk of what the 1Password 4 browser extension does. It analyzes web pages and it talks to 1Password Mini. As a consequence, we can do all of the usual things to protect whatever data might be in the extension, but we can concentrate our defenses on the communication between the extension and 1Password Mini. Those defenses go (largely) into 1Password Mini which is its own separate running process, separate from the browser.
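
The JavaScript below illustrates two points from the reply above: closure scoping that keeps "private" functions and handles out of reach of other code, and an extension side that holds no stored secrets and asks a separate helper for one item only when needed. It is an added example, not code from this thread or from 1Password; `makeHelperStub`, `makeFiller`, the origin-keyed lookup and the sample vault entry are assumptions constructed for illustration.

```javascript
// Constructed stand-in for a separate helper process that owns the vault and
// does the decryption. Hypothetical: in a real design this is another process.
function makeHelperStub() {
  const vault = new Map([
    ['https://example.test', { username: 'alice', password: 'constructed-secret' }],
  ]);
  return {
    // Hand out a copy of the one item for this exact origin, never the vault.
    lookup(origin) {
      const item = vault.get(origin);
      return item ? { ...item } : null;
    },
  };
}

// Extension side: knows about pages and forms, holds no stored secrets.
function makeFiller(helper) {
  // `helper` and `fillOne` live only in this closure; nothing outside
  // makeFiller can name them or reach the helper through the returned object.
  function fillOne(form, item) {
    form.username = item.username;
    form.password = item.password;
  }
  return Object.freeze({
    fill(pageOrigin, form) {
      let item = helper.lookup(pageOrigin); // one item, fetched only when needed
      if (item === null) return false;      // unknown origin: nothing is filled
      fillOne(form, item);
      // Best effort only: JavaScript offers no guaranteed way to wipe memory.
      item.password = '';
      item = null;
      return true;
    },
  });
}

// Constructed usage: the page-visible object exposes `fill` and nothing else.
const filler = makeFiller(makeHelperStub());
const loginForm = {};
console.log(filler.fill('https://example.test', loginForm), Object.keys(filler));
```
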

This discussion has been closed.