Showing passwords without reentering Master

Please could you add the option to require the vault password to be entered to reveal any concealed password, even if the vault is unlocked? That's how Apple's keychain does it (as noted by the OP), and that's how it should be.

Hi @Megan, I fail to see what harm it would do to give people the option﹡ to do this. As I said, this is what the Apple Keychain does, so it’s not some unheard of batshit crazy idea. By default, the login keychain, (and, in Mavericks the “local items” keychain) unlock automatically upon login and don’t lock again until logout. Any app that has been previously granted access to an item in either of those keychains, can then access the information without you having to enter the keychain password. But, if an app (including the Keychain Access app) hasn’t been granted access before, you still have to enter the keychain password to get at the info. For example, try this:

1. Open Keychain Access and note that the login keychain is unlocked.
2. Double-click any entry whose “kind” contains the word “password”.
3. Tick the “show password” tick box.

Now, unless this is an item you have previously given “Keychain Access” the right to access, you will be presented with a dialogue saying:

“Keychain Access wants to use your confidential information stored in “[name of whatever you clicked on in step 2]” in your keychain.
To allow this, enter the “login” keychain password.

Underneath this, is a box to enter your password and three buttons: “Always Allow”, “Deny”, and “Allow”

If you enter the correct keychain password and click “Allow”, the password of the item will be revealed, but for that one time only. Unclicking and re-clicking the “show password” tick box, or quitting and relaunching Keychain Access, will result in the same dialogue appearing. If you click “Always Allow”, Keychain Access from that point forward will show the password upon ticking the “show password” checkbox, without asking for the keychain password.

This mechanism prevents apps from harvesting the keychain and several other nefarious uses of items in the keychain, even if the keychain is unlocked. It allows the convenience of having the keychain always unlocked, without risking easily giving away all the passwords contained within.

The fact that you have (IMHO, and obviously Apple’s too) implemented vault security in a lax way is one of a few things that prevents me from embracing 1Password fully (I just use it as a form filler and for non-sensitive passwords such as those for online forums).

﹡ What I envision here is a tick-box in the “Advanced” section of preferences that reads something like “Always require vault password to reveal passwords” which when ticked would do just that, but would still allow vault items to be used in web browsers etc. without re-entering the vault password. Just like the Apple keychain.

Hi @JasperP thank you for your detailed reply

Trying to "hide" your data by not allowing someone to reveal a password using the 1Password app, while still allowing them to fill it in a browser, provides little to no security

It prevents idle snooping without the inconvenience of having to unlock your vault all the time. You may have seen that I have also provided feedback about the multiple vaults feature (feedback which echoes feedback from others), and my feedback all couples together - if the multiple vaults feature was implemented better (fully independent vaults with their own auto-lock settings) then my really important stuff would be in a vault that auto-locks very quickly. The less sensitive stuff would be in vault that I would basically leave open all the time, and having the feature suggested in this thread would prevent idle snooping of all the passwords within. It’s how I have Apple keychains set up already and it works very well.