1PasswordAgent.app wants to use your confidential information stored in "1Passwd Master Password"

Okay, I have been using 1PW since 2007. One of only a limited few applications I tell people are "must have" and that once you start using it you wonder how you got along without it. I have found it easy to use, intuitive, and the developers are extremely responsive. Now that I have buttered things up a little (though totally justified), I regret I have to ask a really foolish question. I rarely shut down or restart my computer. It is either on or sleeping. However, I noticed something a while ago after applying the latest security update for Snow Leopard. Didn't give it much thought, but then it happened again the other day when I was going to be away for most of the day and decided to shut the computer down due to unsettled weather in the area. Here's the deal: on start or restart, I am presented with the msg "1PasswordAgent.app wants to use your confidential information stored in 1Passwd Master Password in your keychain." I click "Always Allow" .... however, (and I checked this on multiple restarts) this dialog box is always presented on a start/restart, even though I have clicked Always Allow instead of simply clicking Allow. Is this something new programmed into 1PW? Is it something which started with some recent security update to 10.6? Has it always been like this and it's just that I am too stupid to notice or remember it? This is not a pressing issue ..... it's just that it's bugging the heck out of me!! Thanks.

Comments

  • khad
    1Password Alumni
    First of all, thanks so much for your longtime support of (and kind words about) 1Password. :D

    Please see our support article regarding the message you are seeing and let me know if you have any additional questions or concerns:

    http://support.agilebits.com/kb/1password-38-for-mac-from-agilebits-website/1passwordagentapp-wants-to-use-your-confidential-information-stored-in-1passwd-master-password-in-your-keychain
  • nachalnik
    Community Member
    Thanks. Understand now.
  • khad
    1Password Alumni
    Cheers! Stay safe out there. :D
  • Why does all your documentation say that the Apple login keychain "is insecure by default"?

    I also use the feature of having my 1P Master Password stored in my login keychain so that once I am logged into my computer, my 1Password is unlocked at the same time. I don't understand why Agile says the Apple keychain is insecure. In what way?

    Aside from something like a cold memory or Firewire attack (http://en.wikipedia....under-hour.html), how could someone shake anything out of an Apple login keychain? Are you saying the data held in there is not encrypted, the encryption is weak, or what?

    What if I am using Full Disk Encryption (FileVault 2) in Lion, is a keychain held in there "insecure by default" also? As far as I know (and excepting very sophisticated attacks like the 2 above, which I don't expect to be used against me), I thought my Macbook Air was impenetrable once shut down, the lid closed or screen locked.

    I was so sad when 1Password lost its ability to answer HTTP Basic Auth prompts about a year ago. Now I read that version 3.9 and the upcoming v4 will not allow me to choose this convenient configuration (use login keychain to unlock 1Password) anymore. The reason I bought 1P in the first place (for myself, my family and friends) was to avoid having to type passwords all the time.

    Can you please explain what the risk is about using the login keychain this way?
  • khad
    1Password Alumni
    edited July 2012
    Good question!

    By default the Login keychain is unlocked when you log in — even if you are using FileVault 2. And with FileVault 2, if you are logged in, the data on your drive is available. From Macworld's great article on FileVault 2:


    > With FileVault active, whenever your Mac is shut down, the data on your hard drive is a mess of unintelligible bits. The data has meaning only when the Mac is booted and an authorized account logs in, which decrypts the key that in turn deciphers the drive's data.
    >
    > The "whenever your Mac is shut down" requirement is one of FileVault's usability pitfalls: While your Mac is booted, anyone with physical access to the computer—someone who sits down in front of it, breaks in remotely (however unlikely that seems at the moment with a Mac), or runs away with your laptop—could access your data. So get used to shutting down your Mac when it's not in use, or when it's out of your control, rather than putting it to sleep.


    Shutting down your Mac is key. It is not the same as "lid closed" or "screen locked".

    However, the issue is not about the security when your Mac is shut down but rather when you are logged in. In that case, unless you have specifically configured the OS X keychain beyond the defaults, your keychain data will be accessible and anyone who sits in front of your Mac will have access to all your data, including the sensitive data you have stored in 1Password such as all of your passwords and credit card information, if you have elected to ignore the warnings and enable the "Never prompt for master password" option, thereby storing your master password in the OS X keychain.

    I hope that helps. It is great that you are thinking about these things. Please let me know if there is anything else I can help with.

    Cheers,
  • flight553
    edited July 2012
    > not about the security when your Mac is shut down but rather when you are logged in. In that case, unless you
    > have specifically configured the OS X keychain beyond the defaults, your keychain data will be accessible

    Could you be specific about what are these "defaults" on keychain that are not secure? What buttons do you need to push on keychain then, in order to make it not insecure by default?

    I haven't done anything to my keychain, and when I call up a login from there and click the "Show Password" checkbox, first Keychain prompts me for my current login password before it will show me any password stored in keychain. (see attached screenshot)

    So far, the only attack I make myself vulnerable to when I configure 1Password to store my Master Password in the login keychain, is someone snatching the computer from me while I am using it. That likelihood is so remote, I would rather have the convenience of never having to type my Master Password while I am logged in.

    I wish you did not remove this feature in v3.9 and up.

    Is there some other attack besides that one that I make myself vulnerable to when I set 1Password to store the Master Password in Keychain? And what specific default configurations of Keychain are insecure? How do you change them?
  • jpgoldberg
    1Password Alumni
    Hi,

    There are a number of security reasons why we killed the "Keep Master Password in your login keychain" feature. I know that the feature is missed and many people came to rely on it, but despite the obvious benefits of the feature, the risks were too great.

    Here is a sketch of some of the reasons that we needed to remove the option.

    Your OS X login keychain is unlocked as soon as you log in (unless you go into Keychain Access and set things otherwise). The way to set things otherwise is to select your login keychain in Keychain Access, right click on it, and choose "Change Settings for Keychain 'login'..."

    There, you will see that it is never set to automatically lock. You can change it to lock after a certain amount of time, but given all of the things stored in that keychain that the system uses (your iCloud password, your various Mail passwords, etc.) you will find that setting it to automatically lock will make life harder for you.

    There are also unresolved issues with malicious Firewire connections that are able to extract a user's OS X login password and thus all of the contents of the OS X login keychain. Some people have even built a product around this bug.

    http://www.prnewswir...-126166663.html

    Because of flaws in the original design of the Firewire protocol and how it is integrated with the kernel, it turns out that this is actually a hard bug to fix.

    There is malware that goes after the same portions of memory that the Firewire exploit goes after. If this malware is running successfully on your computer, then it too can extract the passwords stored in your OS X keychain.

    People forget their 1Password Master Passwords. I know that this may seem counter-intuitive, but if people rely on the Master Password stored in the OS X login keychain, then they can forget their 1Password Master Passwords. So if they move to a different machine, or somehow lose access to their OS X login keychain they have no way to open their 1Password data. This really did happen more frequently than I'd like to remember. We would get support queries of exactly this nature. Unless their OS X login keychain were available from some backup somewhere, there was absolutely nothing we could do to help people recover their data.

    Each one of these issues may not seem compelling in and of itself, but together they come together as a fairly strong case.

    We certainly want to make security easy for people, but we want to make it easy for people to behave securely while discouraging people from behaving insecurely. Storing the 1Password Master Password in the login keychain was actually us making it too easy for people to behave insecurely.

    This may not be the answer that you wanted, but I hope that you understand our reasoning in killing that feature. Let me know if there is more I can help with.

    Cheers,

    -j
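
The Keychain Access setting jpgoldberg describes above can also be checked from Terminal with the `security` tool. This is an added example, not part of the original thread or of AgileBits' code; the output format it parses, the sample lines in the comments, the `login.keychain` name and the 300-second timeout are assumptions.

```shell
#!/bin/sh
# Classify one line of `security show-keychain-info` output.
# Assumed format (constructed samples, not captured from a real machine):
#   Keychain "/Users/alice/Library/Keychains/login.keychain" no-timeout
#   Keychain "/Users/alice/Library/Keychains/login.keychain" lock-on-sleep timeout=300s
keychain_lock_policy() {
    line=$1
    rest=${line##*\" }          # drop the quoted path so it cannot confuse matching
    sleep_lock=no
    case "$rest" in *lock-on-sleep*) sleep_lock=yes ;; esac
    case "$rest" in
        *no-timeout*) t=never ;;
        *timeout=*s*)
            t=${rest##*timeout=}    # "300s"
            t=${t%%s*}              # "300"
            ;;
        *) echo "unknown"; return 1 ;;
    esac
    echo "timeout=$t sleep=$sleep_lock"
}

# Audit a keychain on OS X: exit 1 when it never auto-locks, which is the
# default discussed in the thread. The keychain name is an assumption.
audit_login_keychain() {
    kc=${1:-login.keychain}
    command -v security >/dev/null 2>&1 || {
        echo "security(1) not found; run this on OS X" >&2
        return 2
    }
    info=$(security show-keychain-info "$kc" 2>&1) || return 2
    policy=$(keychain_lock_policy "$info") || return 2
    echo "$kc: $policy"
    case "$policy" in
        timeout=never*) return 1 ;;   # stays unlocked for the whole login session
    esac
    return 0
}

# Command-line equivalent of "Change Settings for Keychain 'login'...":
# lock on sleep (-l) and after a timeout (-u -t seconds).
#   security set-keychain-settings -l -u -t 300 login.keychain
```

As the post notes, a timeout on the login keychain also locks the Mail and iCloud items the system reads from it, so expect extra unlock prompts after changing it.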
  • Thanks for clarifying what about the Keychain default settings Agile thinks is insecure. I think it would be unusable to have set any other way (with a timeout locking the keychain periodically).

    However, the only way to access the data in keychain is to either login, or crack the encryption on it. I don't think the latter is very easy. Therefore, we are still only basically talking about an attack where someone takes over your machine while you are logged in and using it. I don't think this is very likely and so I do not need a 1Password configuration that defends against that scenario.

    I also have a Macbook Air with no Firewire hardware, so I do not need a 1Password configuration that defends against the Firewire memory attacks that discover login passwords. On the issue of malware that attacks the same area of memory looking for login passwords, if someone can fool me into installing this malware in the first place, then they can just as easily install a keylogger to record my typing the 1Password master password, so what's the difference? I do not need a more inconvenient 1Password configuration to defend against that risk, either.

    Sounds like the biggest reason to disable this feature (of saving the Master Password in the login Keychain) was because of support requests from people who forgot their 1Password password. My wife did not save her Master password in her keychain like I told her to. Then she got tired of typing her Master Password all the time, and so quit using 1Password altogether. (Yes, that makes no sense, but that's the point, isn't it.) Then she forgot her Master Password. We didn't contact Agile Support over that, though I guess we should have to cast some votes for the other side.

    Really, you should let the user decide what risks they want to guard against and not take this feature away.

    The only risk this customer cares about protecting against is theft of (turned off/lid closed) hardware like laptops and backup drives. The thief I am defending against has zero to moderate computer skillz, and maybe could mount a stolen hard drive with another device. I don't expect a team of forensic scientist thieves to be trying to penetrate my data, and so do not want my everyday usability reduced by Agile's unilateral decision that its risk assessment of my situation is better than my own.

    I bought the software in the first place to make my life easier. Yes, typing 1 password is easier than retyping entire forms (for me, anyway, apparently not for some people), but I'll always know it could be EVEN easier.

    If you are really going to keep this feature out of future versions, you should also rename the app to "2Password," since first you need to login to your account with one password, and then again into this app with another one (probably the same one in most cases).

    Please bring the feature back in future versions of saving the master pass in the keychain.
  • jpgoldberg
    1Password Alumni
    edited July 2012
    Thank you very much for your detailed explanation of your circumstances.

    You are absolutely correct that there are users, like you, for whom the feature really did more good than harm. And this certainly is the kind of thing that we consider when deciding what features to include.

    It doesn't really change your point, but I do wish to make one clarification. You say

    > the only way to access the data in keychain is to either login, or crack the encryption on it.

    You are absolutely correct that cracking the encryption on it is infeasible (in modern versions of OS X). But I do contend that the user's login password is vulnerable through a number of mechanisms.

    You also write

    > If you are really going to keep this feature out of future versions, you should also rename the app to "2Password," since first you need to login to your account with one password, and then again into this app with another one (probably the same one in most cases).

    I really recommend that your 1Password Master Password be entirely unique to 1Password and used for absolutely nothing else.

    In addition to the obvious reason (as I said, login passwords may be more vulnerable to attack) most people will not be using login passwords that are particularly strong.

    Please take a look at

    http://blog.agilebit...ster-passwords/

    for suggestions about how to create a good, strong, and easy to type and remember Master Password for 1Password.

    I really understand your desire to have truly only one single password that you need to remember. We very much value simplicity and ease, too. But despite that I do need to encourage people to take better care of their 1Password Master Passwords than to either store them in the OS X keychain or use the same thing for some other purpose.

    Cheers,

    -j
This discussion has been closed.