How to protect against keyloggers when using 1Password browser extensions?

rschmid
Community Member

Hello,

Am I protected against keyloggers when using the 1Password browser extension?
I am using 1Password on my Mac, Windows and iPhone.

Kind regards,
Roland


1Password Version: 6.3.3
Extension Version: 4.6.1.90
OS Version: OSX 10.10.5
Sync Type: Dropbox

Comments

  • AGAlumB
    1Password Alumni

    @rschmid: Great question! On both macOS and Windows, there are facilities in place to prevent other apps from capturing your Master Password:

    • On macOS the Master Password field uses SecureInput, both in the app and browser extension.
    • On Windows, such a thing does not exist, but if your PC supports SecureDesktop, you can enable that feature for the browser extensions in 1Password 4 > Preferences > Browsers > Unlock on Secure Desktop. Unfortunately not all versions of Windows support this, and some system configurations will break it ("security" suites and display drivers most frequently).

    But the best defense against key loggers is to not install them — or allow someone else access to your system so that they can. I hope this helps! :)

  • rschmid
    Community Member

    @brenty: yes, your answer helps me a lot. Thank you.
    I will enable on my Windows SecureDesktop for my (IE) Browser Extension. Does Windows7 Pro (64-bit) support it?
    Good to know that on my Mac I can feel secure :)
    How often should I change Master Password?

    Sure best defense against key loggers is not to install them - or allow someone else to install them :) ;)

    Kind regards,
    Roland

  • AGAlumB
    1Password Alumni

    Does Windows7 Pro (64-bit) support it?

    @rschmid: SecureDesktop is supported by Windows 7 and higher, but if you encounter issues there may be some other software which is incompatible. That's why it's optional in 1Password 4, and disabled by default.

    How often should I change Master Password?

    So long as you choose a long, strong, unique Master Password, you should never* have to change it.

    *Barring future developments of super intelligent machines which can infer what we were thinking when we chose it...

    Sure best defense against key loggers is not to install them - or allow someone else to install them

    I guess that might have sounded a bit snarky, but that wasn't my intention: I was serious. It is so fun to try new software (at least for me), and ultimately we're the weakest link in our own security. We all make mistakes, so being a little bit paranoid on the internet can go a long way. Cheers! :sunglasses:

  • rschmid
    Community Member

    So long as you choose a long, strong, unique Master Password, you should never* have to change it.

    @brenty: I guess my master password is secure for the moment. I created it using the English Diceware Word List (Arnold Reinhold).

    I guess that might have sounded a bit snarky, but that wasn't my intention: I was serious. It is so fun to try new software (at least for me), and ultimately we're the weakest link in our own security. We all make mistakes, so being a little bit paranoid on the internet can go a long way. Cheers! :sunglasses:

    you are right, humans are the weakest link in our own security.
    Thanks for your kind help.

    Kind regards,
    Roland

  • AGAlumB
    1Password Alumni

    I guess my master password is secure for the moment. I created it using the English Diceware Word List (Arnold Reinhold).

    @rschmid: Awesome! I'll just add that 4 words is considered good enough, but I prefer 5-7 to give myself some "breathing room" as computing power improves.

    you are right, humans are the weakest link in our own security. Thanks for your kind help.

    Any time! Don't hesitate to reach out if you have any other questions, comments, or suggestions. Have a great weekend! :)

  • rschmid
    Community Member

    Awesome! I'll just add that 4 words is considered good enough, but I prefer 5-7 to give myself some "breathing room" as computing power improves.

    @brenty: I use 5 words. Those 5 words I remember very well as I type them daily into my keyboard :)

    Any time! Don't hesitate to reach out if you have any other questions, comments, or suggestions. Have a great weekend! :)

    Have a nice Sunday! ;)

    Kind regards,
    Roland

  • AGAlumB
    1Password Alumni

    I use 5 words. Those 5 words I remember very well as I type them daily into my keyboard :)

    Love it. :chuffed:

    Have a nice Sunday! ;)

    Will do! :) :+1:

  • rschmid
    Community Member

    @brenty: awesome, unlock on Secure Desktop works on my Windows 1Password Browser Extension (IE11).
    Monday morning at work and learned something new :) ;) Great :)

  • AGAlumB
    1Password Alumni

    :sunglasses: :+1:

  • pervel
    Community Member

    A lot of extensions in Chrome require the permission "Read and change all your data on the websites that you visit." Can these extensions in principle read my Master Password and Account Key?

  • AGAlumB
    1Password Alumni
    edited October 2016

    @pervel: That's a fantastic question! While my answers above apply primarily to the native 1Password apps, we also take some similar precautions (and many others, such as WebCrypto) with the web interface. I am not 100% clear on all of the details though, so I've asked some other folks who specialize in 1Password's browser integration, web services, and overall security if they can weigh in on the risks and the security measures in place specifically on the website. Thanks for bringing this up! :)

  • @pervel, you are indeed correct. Just as 1Password can read usernames and passwords and save them into its database when you ask it to do so, any other extension with the ability to "read and change all your data on the websites that you visit" can do the same.

    For this reason, I actually have two profiles (or "People") in Chrome. One I've named "Loose" and one "Strict":

    In the "Loose" profile I have a variety of extensions installed, but in "Strict", only 1Password is installed. I added another extension to "Loose" that blocks 1Password.com URLs, along with some other important sites:

    So I can access those sites only in the "Strict" profile where I know that 1Password is the only extension that can read the page.

    This has given me a little more peace of mind that I don't have to worry as much about one of my extensions going rogue and getting access to all my secrets – personal, work, and otherwise.

    I hope that helps!
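
An added example, not part of the original reply or 1Password's own code: a small audit that lists which extensions in a Chrome profile request all-site access, the access behind the "Read and change all your data on the websites that you visit" warning. It assumes Chrome's on-disk layout `<profile>/Extensions/<id>/<version>/manifest.json`; the two extensions and the profile built here are constructed sample data.

```python
import json
import tempfile
from pathlib import Path

def is_broad(pattern: str) -> bool:
    """True if a match pattern covers every site, e.g. <all_urls> or *://*/*."""
    if pattern == "<all_urls>":
        return True
    scheme, sep, rest = pattern.partition("://")
    return bool(sep) and scheme in ("*", "http", "https") and rest.split("/", 1)[0] == "*"

def broad_patterns(manifest: dict) -> list[str]:
    """Collect all-site patterns from permission keys and content scripts."""
    candidates = []
    # Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
    for key in ("permissions", "host_permissions",
                "optional_permissions", "optional_host_permissions"):
        candidates += [p for p in manifest.get(key, []) if isinstance(p, str)]
    for script in manifest.get("content_scripts", []):
        candidates += script.get("matches", [])
    return sorted({p for p in candidates if is_broad(p)})

def audit_profile(profile_dir: Path) -> dict[str, list[str]]:
    """Map extension name -> all-site patterns for one Chrome profile directory."""
    findings = {}
    for path in profile_dir.glob("Extensions/*/*/manifest.json"):
        manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        hits = broad_patterns(manifest)
        if hits:
            # Fall back to the extension id directory if the manifest has no name.
            findings[manifest.get("name", path.parts[-3])] = hits
    return findings

def build_sample_profile(root: Path) -> Path:
    """Constructed sample data: two made-up extensions in a fake profile."""
    samples = {
        "aaaa": {"name": "Page Recolor (sample)", "manifest_version": 3,
                 "permissions": ["storage"], "host_permissions": ["<all_urls>"]},
        "bbbb": {"name": "Intranet Helper (sample)", "manifest_version": 2,
                 "permissions": ["tabs", "https://intranet.example/*"],
                 "content_scripts": [{"matches": ["https://intranet.example/*"]}]},
    }
    for ext_id, manifest in samples.items():
        ext_dir = root / "Extensions" / ext_id / "1.0_0"
        ext_dir.mkdir(parents=True)
        (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, hits in audit_profile(build_sample_profile(Path(tmp))).items():
            print(f"{name}: can read every page via {hits}")
```

Run against a "Strict" profile directory, the result should name only the extensions you intend to trust with every page.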

  • pervel
    Community Member

    @rob, thanks for the reply. That's an interesting use of profiles in Chrome. I will look more into that. Do you sign in with a different Google account for the strict profile or just use it without an account?

  • I use it without a Google account.

This discussion has been closed.