What does 1Password security team think of this?

https://lock.cmpxchg8b.com/passmgrs.html#bad-advice

This is an article from Tavis Ormandy (look him up) who says using all password managers is a bad idea and likely trusting the browser built-in password manager is a better option in most cases. Although there is no reference to 1Password directly in the text, a Reddit post (https://www.reddit.com/r/crypto/comments/nt7g1u/password_managers/) claims to have 0-day vulnerabilities in LastPass, 1Password and others.

Just wanted to get an opinion from 1Password. I trust 1P so far and have no reason not to.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • TooSlimSam (Community Member)

    I appreciated jpgoldberg's response on Reddit, but have some more specific questions related to 1Password and Safari.

    My understanding is that Safari on iOS doesn't support extensions, but does provide an API that lets 3rd party password managers interact with the browser. Is that correct? And if that's the case, does the API sidestep the issues that Ormandy raises, and make 1Password on iOS essentially as secure as the built-in Safari password manager?

    And a follow up question ... Is the Safari password manager API available on MacOS? And if so, could 1Password use the API instead of an extension?

  • Hi @TooSlimSam

    My understanding is that Safari on iOS doesn't support extensions, but does provide an API that lets 3rd party password managers interact with the browser. Is that correct?

    I think you may be referring to Password AutoFill, which 1Password for iOS does offer (opt-in) integration with. Our documentation on this feature can be found here:

    Additionally Apple has (developer-focused) documentation here:

    This is not a Safari exclusive feature, but rather a system-wide feature of iOS. Also, for what it's worth, Apple announced at WWDC yesterday (Monday) that Safari on iOS will support extensions as of iOS 15, and we already have a proof-of-concept for 1Password in the Browser there:

    And if that's the case, does the API sidestep the issues that Ormandy raises, and make 1Password on iOS essentially as secure as the built-in Safari password manager?

    I would say so, yes. With Password AutoFill all interaction with web pages and apps (including Safari) is being handled by iOS itself, not 1Password. 1Password isn't 'talking' directly to or showing any UI inside any web pages with this feature.

    That said, I don't think it is at all fair to characterize our browser extensions as "not secure." The browser is by default a hostile environment, which does present some unique challenges, but we've built our extensions with those challenges in mind, and mitigate risk wherever we can. I would also say that it seems the security upsides of using an extension, such as phishing protection, were not considered or elaborated on in the writeup in question. We have been through a number of successful 3rd party audits, and offer a bug bounty:

    And a follow up question ... Is the Safari password manager API available on MacOS? And if so, could 1Password use the API instead of an extension?

    There is a similar feature on macOS. In theory, we could use that feature. We do not currently due to a few technical hurdles that would need to be overcome. We'd like to revisit that in the future, but to my knowledge those hurdles still exist at present.

    Ben
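The "phishing protection" Ben mentions comes down to one check: a saved login is only offered when the page's origin exactly matches the origin it was saved for. The following is an added illustration of that check, not 1Password's or Apple's code; the vault contents and the `lax_credential_for` contrast function are constructed for the example.

```python
"""Added example: strict origin matching as the basis of a password
manager's phishing protection (constructed; not 1Password's code)."""
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample vault: saved origin -> username.
VAULT = {
    "https://accounts.example.com": "alice",
    "https://bank.example": "alice@example.com",
}


def normalize_origin(url: str) -> Optional[str]:
    """Return scheme://host[:port] in canonical form, or None if unusable.
    The host is IDNA-encoded so a Unicode lookalike (e.g. a Cyrillic
    letter) can never compare equal to the ASCII original."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None  # refuse plaintext or malformed pages outright
    try:
        host = parts.hostname.encode("idna").decode("ascii").lower()
        port = parts.port  # raises ValueError on a malformed port
    except (UnicodeError, ValueError):
        return None
    suffix = f":{port}" if port not in (None, 443) else ""
    return f"https://{host}{suffix}"


def credential_for(page_url: str, vault=VAULT) -> Optional[str]:
    """Offer a saved username only on an exact origin match: no suffix or
    substring matching, so 'accounts.example.com.evil.net' gets nothing."""
    origin = normalize_origin(page_url)
    return None if origin is None else vault.get(origin)


def lax_credential_for(page_url: str, vault=VAULT) -> Optional[str]:
    """Contrast case: a substring match on the hostname. Shown only to
    demonstrate why the strict check above matters."""
    host = (urlsplit(page_url).hostname or "").lower()
    for saved, user in vault.items():
        if urlsplit(saved).hostname in host:
            return user
    return None


if __name__ == "__main__":
    for url in ["https://accounts.example.com/login",
                "http://accounts.example.com/login",
                "https://accounts.example.com.evil.net/login",
                "https://bank.ex\u0430mple/"]:  # Cyrillic 'а' homograph
        print(f"{url:45} strict={credential_for(url)} "
              f"lax={lax_credential_for(url)}")
```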

This discussion has been closed.