Improve browser extension access

As you know, having a good master password and entering it every day after each browser restart is really frustrating.

I understand the security issues but in this scenario, my only option is to use a "master password" like "33771199" just to avoid the hassle and, in the process, intentionally lower the same security you tried so hard to protect.

So, something to solve both problems (because we all have passwords that are really important to us and passwords because I just need an account) would be a process like this:

  • in my vault, on every password (except the one for 1password), a check "Open with PIN", unchecked on every password, checked manually by me, on every password I need;
  • with my Master Password, I will set a PIN for fast unlock;
  • when I open my browser, the extension is locked, same as today
  • when I open a webpage in which the authentication is needed, I click on the extension icon and I enter my PIN
  • 1password will open JUST for my passwords that are marked "Open with PIN" OR JUST to offer to autocomplete the credentials for that specific website, if it's marked "Open with PIN"

This is the basic idea and from here, other aspects can be improved:

  • click to open on icon from the password form and not from the extension bar (if it is possible)
  • not really using a check on the password but a dedicated vault that will open using the PIN
  • a forced change of the PIN in like 30 days
  • block the access for PIN if there are like 3 errors and force authentication by master password and/or regenerate the pin

I know that there is an old extension but it is not really a solution and I know that an integration between the app and the extension is on the way but keeping the app open all the time is also not a solution (I work from home, via vpn on my computer at work and keeping an app open without me being physically present is not ok).

So .. what do you think?


1Password Version: Not Provided
Extension Version: 1.2.3.1
OS Version: Windows 10
Sync Type: Not Provided

Comments

  • Hello @Moftangiu,

    Thank you very much for your feedback. We understand that it is not ideal to require typing the master password manually. And I am happy to say that we are working hard to integrate the new 1Password in your browser with the desktop app so you can unlock 1Password with PIN and fingerprints. I can't tell you the exact date, but you can go here for more information and updates.

  • Moftangiu
    Community Member

    @Nhat_Nguyen well, so.. 33771199 it is and lesson learnt for myself and the next year subscription.

    I left LastPass and for some weeks I used Bitwarden (which has pins without issues) but I convinced myself that 1Password is better because you had 0 leaks and an open source code is not really good for security (just my opinion).

    But.. the fact that after I just said that
    "I know that an integration between the app and the extension is on the way but keeping the app open all the time is also not a solution"
    you just drop a statement that
    "we are working hard to integrate the new 1Password in your browser with the desktop app"
    means that you just ignored everything I said in my previous post and just gave me your (1P) general assessment about how the future will be, even if the solution described by me requires no desktop app integration whatsoever.

    Then you gave me a link where there isn't anything for some months now, just some bits of frustration about how long it's going to be.

    So yes, let's use a family account and use a master password as 33771199 but hey .. it's my fault that is so simple and dumb, isn't it?

  • Moftangiu
    Community Member
    edited March 2021

    So, now you're restricting users' feedback to improve security of the system, because someone didn't like the previous post.

    Great experience guys, great support, so great that I'll need to ask for a refund and cancel the account.

  • ag_yaron
    1Password Alumni
    edited March 2021

    Hey @Moftangiu ,
    I'm not sure what exactly you are describing here, we're in no way restricting users' feedback - your feedback was a welcomed one.

    In addition to Nhat's reply above, I would also suggest you change your Master Password to a strong worded password, which is easier to type and remember than a long random password but still as strong: https://1password.com/password-generator/?type=memorable

    Let me know if you have further questions or require clarification on anything else.

  • Moftangiu
    Community Member

    Hi @ag_yaron !
    I wrote 2 posts (well, one and when it disappeared, I posted another, identical, for which briefly, I saw a message that it's "under moderation") and as you can see, there is nothing here.

    Basically, I was just disappointed that my initial post wasn't read because I said that the companion app is not a solution for me and the "answer/solution" was to "use our companion app when the integration will be available".

    I mean, I understand, it's just a suggestion and it could be good or bad (I think it is good because it doesn't require any desktop app) and more than that, you guys are doing whatever you think is necessary anyway, but to answer with something that I specifically said is not good for me means that it's just a "default" answer, the feedback is not important, etc.

    I read that suggestion with memorable words in various posts on this forum and probably it could be a solution but could you please tell me, why a simple solution like this is not something that could be used to handle easy pin logins?

    • a distinct pin dedicated vault for users to copy their credentials for sites where you just need an account for access
    • a dual password system for extension and when you unlock the extension just with the pin, you only have access to this dedicated vault? And if you want full access, only then you need the master password?

    Thank you!

  • Moftangiu
    Community Member

    @Nhat_Nguyen well, so.. 33771199 it is and lesson learnt for myself and the next year subscription.

    I left LastPass and for some weeks I used Bitwarden (which has pins without issues) but I convinced myself that 1Password is better because you had 0 leaks and an open source code is not really good for security (just my opinion).

    But.. the fact that after I just said that
    "I know that an integration between the app and the extension is on the way but keeping the app open all the time is also not a solution"
    you just drop a statement that
    "we are working hard to integrate the new 1Password in your browser with the desktop app"
    means that you just ignored everything I said in my previous post and just gave me your (1P) general assessment about how the future will be, even if the solution described by me requires no desktop app integration whatsoever.

    Then you gave me a link where there isn't anything for some months now, just some bits of frustration about how long it's going to be.

    So yes, let's use a family account and use a master password as 33771199 but hey .. it's my fault that is so simple and dumb, isn't it?

  • ag_ana
    1Password Alumni

    @Moftangiu:

    It looks like our spam filter caught the two messages you were referring to. They should appear once again in this conversation ;)

  • Moftangiu
    Community Member

    @ag_ana Thank you for clarifications :)

  • Nhat_Nguyen
    edited March 2021

    Hello @Moftangiu,

    Thank you for your understanding. 1Password encrypts all your data and only allows you to see what is inside with a correct Master Password.

    That said, thank you for your solution, but it is not feasible to create a PIN for a specific vault or a login item.

    For more details, when we set a PIN for a login item, the PIN and the item will be encrypted with military-grade encryption. Without a correct master password, 1Password will not be able to associate the PIN with any specific item.

    Let us think of it as a house with different rooms. Currently, your Master password is the key to open the house. With a correct key, you can unlock the house and use all the rooms inside. However, your solution is to give a smaller key to each room. That, in theory, can help you unlock a specific room in the house. However, you would still need the master key to unlock the house first.

    I hope this makes sense. Please let me know if you need more information.

  • ag_yaron
    1Password Alumni

    To clarify on Nhat's great example, in order to implement your suggestion here we'll need to encrypt each one of your login items with a different, simple, pin code, which is very (VERY!) easy to crack. Pin codes are not good as a security mechanism because they are easily crackable, and that is not something we will consider as a security-oriented company :)

  • Moftangiu
    Community Member

    Thank you both @Nhat_Nguyen and @ag_yaron for your detailed explanations :)

    To continue on the same idea, I thought that vaults are separate entities (a house and a garage) that with some development on your part can be accessed in different ways, with a master password and with a pin and yes I know that a pin is not very good but as I said not all the passwords are really that important.

    But, if as you said, the vaults are inside the system, then you're right, nothing else than master password will work.

  • ag_yaron
    1Password Alumni
    edited March 2021

    Indeed, our entire system's hierarchy starts at the Master Password, which unlocks your main vault, which then unlocks all other vaults with private keys that are derived from the main vault that is unlocked. You cannot unlock a specific vault.

    But even if that was possible, again, what you're thinking about is extremely unsafe because:

    • All the data of a login item will not be encrypted except for the password (e.g. people can see your username, the website's URL, any tags and notes in the item etc).
    • The password is encrypted with a simple pin code, which we have already established is not safe nor secure.

    If you're really interested in how/why we built things like we did, I suggest you take a look at our security white paper, which is a very interesting read if you're into security: https://1password.com/security/#security-white-paper
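
The point made in the replies above (a PIN used as the encryption secret) set against the "3 errors" lockout from the original proposal, as an added example that is not from the thread or from 1Password: a hypothetical item keyed only by a PIN can be exhausted on a copy of the data, where an app-side lockout never applies. The salt, PIN, item, PBKDF2 cost, 7776-word list and guess rate are all assumptions made for the illustration.

```python
import hashlib
import hmac
import math

# Everything here is constructed for illustration: salt, item, PIN, KDF cost.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
DEMO_ITERATIONS = 1_000  # deliberately low so the demo finishes quickly


def derive_key(secret: str, iterations: int = DEMO_ITERATIONS) -> bytes:
    """Stretch a PIN or passphrase into a 32-byte key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), SALT, iterations)


def seal(secret: str) -> bytes:
    """Stand-in for an encrypted item: a tag that only the right key reproduces."""
    return hmac.new(derive_key(secret), b"constructed login item", "sha256").digest()


def offline_search(tag: bytes, digits: int):
    """Try every PIN of the given length against a copied blob.

    No attempt counter is involved: a "3 errors" lockout lives in the app,
    not in the ciphertext, so it does not limit guesses made on a copy.
    """
    for n in range(10 ** digits):
        pin = f"{n:0{digits}d}"
        if hmac.compare_digest(seal(pin), tag):
            return pin, n + 1
    return None, 10 ** digits


def entropy_bits(alphabet: int, length: int) -> float:
    """Bits of entropy for a uniformly random secret."""
    return length * math.log2(alphabet)


def hours_to_exhaust(alphabet: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try the whole keyspace at an assumed guess rate."""
    return alphabet ** length / guesses_per_second / 3600


if __name__ == "__main__":
    pin, guesses = offline_search(seal("0427"), digits=4)
    print(f"recovered PIN {pin} after {guesses} guesses")
    rate = 10_000  # assumed offline guesses per second
    for label, a, n in [("4-digit PIN", 10, 4), ("8-digit PIN", 10, 8),
                        ("4 words from a 7776-word list", 7776, 4)]:
        print(f"{label}: {entropy_bits(a, n):.1f} bits, "
              f"{hours_to_exhaust(a, n, rate):,.2f} hours worst case")
```

Raising the KDF cost multiplies every row by the same factor, so it does not close the gap between a numeric PIN and a multi-word passphrase.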

  • Moftangiu
    Community Member

    @ag_yaron thanks for the white paper, somehow I didn't see it until now :)

  • ag_ana
    1Password Alumni

    On behalf of Yaron, you are very welcome :)

This discussion has been closed.