Using OP and Python to autofill CLI passwords, is there a danger to passwords in memory?

tmarquard
tmarquard
Community Member
edited September 2021 in CLI

I am wanting to write a script to autofill and update passwords in Python on the CLI. It is easy enough to use subprocess and run OP to get vault items and inject them. Though I am worried that by doing this I am creating vulnerabilities with passwords in memory. Is there something I should do to keep memory cleaned up in case of core dumps? I am working on a local Windows machine, and only I have access to it, but I feel like I should be taking extra steps to be safe. Or maybe a password autofill like this is just a bad idea? I'm just tired of copying passwords and pasting them into terminals.


1Password Version:1.11.2
_Extension Version:
Not Provided
OS Version:Windows 10
_Referrer
: forum-search:passwords in memory

Comments

  • ag_ana
    ag_ana
    1Password Alumni

    Hi @tmarquard!

    I will send your question directly to our security team :+1: We will post back here as soon as we have an update for you.

  • Lars
    Lars
    1Password Alumni

    @tmarquard - I can't recommend doing this, since that's well outside the scope of what 1Password (even the CLI) helps you manage. I can really only sympathize with the undeniable fact that in some cases, following best security practices can be time-consuming and even annoying.

    It would be much easier, for example, to have a one-character Account Password. Ridiculously insecure...but unquestionably easier than typing out a long string of characters every time it's required. It would also be easier to simply paste one's Account Password into a text file or keyboard shortcut, so that it could be re-pasted whenever needed. Of course that, too, wouldn't be very secure.

    The point is not to compare what you are doing with either of those things directly, but to make the larger point that it's frequently not the greatest idea from a security perspective to create shortcuts with some of the very things that help keep you secure, in any environment, be it your OS, or 1Password.

  • Lars
    Lars
    1Password Alumni

    @tmarquard - I would be remiss if I didn't point you towards our Secrets Automation capabilities. Without knowing more about what you want to do, that sounds as if it might help you accomplish most if not all of it, and we even have a dedicated channel here for it, if you have questions. :)

  • tmarquard
    tmarquard
    Community Member

    Thanks Lars,

    What is the scope of the 1password CLI? I assumed it was exactly for something like this, to access passwords when they are needed on the CLI. I will take a look at the secrets automation to see if that is a better fit for what I'm trying to do.

    Thanks again,

    Talon

  • Lars
    Lars
    1Password Alumni

    @tmarquard - when referring to scope, I didn't mean the CLI itself, I meant any scripts you planned to use to augment or work with it. For obvious reasons, we don't evaluate scripts/code created by 3rd parties to work with our existing tools. If you're not already aware of the existing documentation for the 1Password CLI, you can find it here.

This discussion has been closed.