1Password and offline vault access

We have discovered a flaw in 1Password. The issue seems to be that a user can copy the contents of the 1Password app data folder in Windows and paste it on another machine and effectively have access to all the vaults (with the master password).

The issue here is that it skips the requirement of entering the hostname and secret key then validating it.

A user could then access all the vaults offline without knowing the secret key, nor is it going to go back to the 1Password servers to validate if the user still has access or if the key/vault is still valid.


1Password Version: 7.3.712
Extension Version: Not Provided
OS Version: Windows 10
Sync Type: Not Provided

Comments

  • Hi @ibrahims,

    This was an intentional design decision, which was necessary in order to have offline access. There are a few threads on this forum discussing the cache and its role... I think the most recent one that I participated in is this one, here:
    https://discussions.agilebits.com/discussion/comment/524218/#Comment_524218

    The cache is also mentioned a number of times in our security design white paper:
    https://1pw.ca/whitepaper

    In short: it isn't something we consider to be a flaw, but rather a (documented) feature.

    Please feel free to reply here if you have any further questions or comments on the subject. Thanks!

    Ben

  • ibrahims
    Community Member

    Would it be worth salting the data with a unique identifier of the PC it is installed on? So that it cannot be moved easily between PCs?

  • Lars
    1Password Alumni
    edited September 2019

    @ibrahims - it's something we can consider, but my off-the-cuff reaction is: probably not, and the reason for that is twofold:

    1. Since the very beginning, 1Password on a user's local device has always been defended/encrypted with their Master Password. That was (obviously) true in the standalone days prior to the creation of 1password.com accounts, and it remains true today with both standalone and 1Password accounts (it's also perhaps the main reason why we evangelize constantly about the need to create a good, strong Master Password -- because your (hopefully long and strong) Master Password is literally what keeps the bad actors out of your encrypted data, should they acquire it). The Secret Key of your 1Password account protects you if WE get hacked somehow and bad actors come into possession of your encrypted data from us -- because the Secret Key is only ever on your local device and is never transmitted to us. But if someone were to come into possession of your devices, they would already have the Secret Key (because it's stored and retrievable on-device by a skilled adversary) and your Master Password would be your line of defense. And that leads me to the second reason, which is
    2. Any such proposed salt would be just as available to a skilled adversary who gained physical or remote access to your device enough to grab the Data folder as your Secret Key is. If they can get the Secret Key from your device (and they can, if they've compromised/accessed it remotely or directly), then they could similarly acquire any such salt. If you want, for these purposes, you can think of the Secret Key itself as a kind of very long "salt."

    Hope that helps. :)
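
The division of roles described in the reply above, as an added example that is not part of the original thread and is not 1Password's code or storage format: a simplified model in which the unlock key depends on both the Master Password and an on-device Secret Key, with an optional device identifier mixed in as proposed. All names, the iteration count and the sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # constructed work factor for this sketch


def derive_key(master_password, secret_key, salt, device_id=b""):
    """Slow hash of the password, XORed with a keyed hash of the Secret Key."""
    stretched = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt + device_id, ITERATIONS)
    key_part = hmac.new(secret_key, b"secret-key-part" + salt,
                        hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(stretched, key_part))


def _check(key):
    # Key-check value standing in for "the vault decrypts correctly".
    return hmac.new(key, b"vault-check", hashlib.sha256).digest()


def create_data_folder(master_password, device_id=b""):
    """Model of the local cache: salt, Secret Key and a key-check value."""
    salt, secret_key = secrets.token_bytes(16), secrets.token_bytes(16)
    key = derive_key(master_password, secret_key, salt, device_id)
    return {"salt": salt, "secret_key": secret_key, "check": _check(key)}


def server_view(folder):
    """Model of what the service stores: the Secret Key never leaves the device."""
    return {"salt": folder["salt"], "check": folder["check"]}


def unlock(view, master_password, device_id=b""):
    """True when the supplied inputs reproduce the key for this view."""
    secret_key = view.get("secret_key", bytes(16))  # absent in the server view
    key = derive_key(master_password, secret_key, view["salt"], device_id)
    return hmac.compare_digest(_check(key), view["check"])


if __name__ == "__main__":
    pw = "constructed example passphrase"
    folder = create_data_folder(pw)
    print("copied folder + password:", unlock(dict(folder), pw))
    print("server copy + password:  ", unlock(server_view(folder), pw))
    bound = create_data_folder(pw, device_id=b"PC-A")
    print("bound, id read from PC-A:", unlock(dict(bound), pw, b"PC-A"))
```

In this model the device identifier only changes the outcome for someone who has the folder but not the identifier, which matches the reply's point that both are obtained from the same device; the Master Password remains the one input not stored there.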

This discussion has been closed.