Documents download handling

In 1Password 7, viewing a document downloaded it to a temporary folder where it could be viewed using Quick Look in 1Password or revealed in Finder. Currently it seems that 1Password 8 only supports downloading a document to the default downloads folder. Can we have the behavior where documents get downloaded to a temporary folder and deleted when we're done interacting with it in 1Password 8? My current concern is the decrypted and downloaded file being caught in one of my regularly scheduled backups. If it were in a temporary directory I (or perhaps 1Password?) could mark that directory to be ignored for backups.

It'd be even better if there could be a proxy icon of the decrypted document displayed in 1Password so we could double click to open or drag and drop directly from the 1Password window.


1Password Version: 8
Extension Version: Not Provided
OS Version: macOS 11.5

Comments

  • austin
    Community Member

    I completely agree. While the current behaviour of Download on a document should be part of a dropdown option, this is a regression against 1Password 7. Additionally, the ability to see documents in a quick-look or preview mechanism the way that can be done in 1Password 7 is missing.

    On macOS:

    • Download should be to a temporary folder by default to enable QuickLook (missing entirely) or in-pane view (missing entirely).
    • Having a Download To… or Save As… option for the document, or a proxy icon (best idea, IMO) would make a lot of sense as well.

    I consider both of these regressions to 1Password 7.

  • Mr. K.
    Community Member

    I think we should be able to view the document inside 1Password. There's no reason not to as far as I can tell.

  • StevenBedrick
    Community Member

    In 1Password 7, one can use QuickLook to view attached documents, which is incredibly handy.

  • cjheng
    Community Member

    Bump

    Any input from the 1Password team about how the 1Password 8 macOS app handles documents? Are any of the above suggestions planned? Or is document handling a non-priority?

    While I do store documents like text files and images in 1Password that I very occasionally refer to, my most common use case is storing keyfiles in 1Password. For these, all I really need is to decrypt, drag and drop to some file field (e.g. file upload in a web interface to my local NAS), then delete when done. Having to juggle 1Password, Finder, and the app where the file is needed kind of sucks and it'd be better if this could all be done while only needing to interact with 1Password (main window) and the other app.

  • cjheng
    Community Member

    Hello? tap tap Is this thing on?

    Sorry for the multiple comments, but this is an important use case to me and I'm not sure if this topic is just being ignored.

  • rpallred
    Community Member

    @Ben tagging you, because I know you respond...

    I just ran into this issue. I previously complained about not being able to preview attachments, but didn't realize that it is downloading them to my downloads folder where they can happily sit, unencrypted until my Hazel script moves them to the trash.

    This is not an acceptable flow. As mentioned above, loading into a temp folder and then deleting is what should be happening if it can't be loaded into an encrypted space.

  • Hi folks,

    I apologize for the delayed reply. We're digesting all of the feedback posted here and will try to reply to every thread we can, especially where we can add value.

    As it stands, for the initial release of 1Password 8, the current behavior is what we expect to ship. For Quick Look there are complications regarding expectations about what happens to previewed files when the app locks, as well as the possibility of data loss if one believes the files can be edited on disk. To simplify the situation we settled on the "Download" behavior that you see now.

    These same questions / problems exist in 1Password 7 for Mac. We have implemented various mitigations for them there, but we decided to simplify things for the initial launch of v8 and will take another look based on feedback received and potential mitigations in the future.

    I have added this thread to our internal discussion on the subject. Thank you all for your input.

    Ben

    ref: dev/core/core#8252

  • rpallred
    Community Member

    @Ben

    > These same questions / problems exist in 1Password 7 for Mac.

    How were attachments handled pre-version 7? I remember liking it better before...but that could be the rose-colored glasses of nostalgia.

  • austin
    Community Member

    @Ben Unfortunately, that means that I will be strongly recommending against anyone on my family group upgrading to 1Password 8 as this is a security regression. This should not be shipped with this as is, because it will leave sensitive data on my hard drive.

  • I understand the perception. I would argue that in some ways the behavior in 1Password 8 makes it more clear, particularly to those less technically-savvy, that files have to be decrypted (taken outside of 1Password) in order to be viewed. That was true in previous versions as well, but that fact was obfuscated. In 1Password 7 we had automated processes to clean up decrypted files when the app locked — some of the mitigations I mentioned above — but there were opportunities for those to fail and leave decrypted data lying around essentially invisible to the end user. These would be rare edge cases, such as the app crashing before it could clean up, but still a potential for the experience to not match the expectation. It was felt that at least for this initial implementation making it clear what data is decrypted, by having it visible in the Downloads folder, was a sensible choice.

    This is something we’d like to take a closer look at after the first stable release, but at this time the plan is to proceed with the current implementation. And as always, we'd recommend enabling FileVault 2 / full disk encryption as an additional layer of protection against these types of concerns.

    Ben

  • austin
    Community Member

    My ~/Downloads folder is synced to iCloud.

    The currently implemented feature leaks sensitive data.

    This is a BAD implementation decision.

  • Lars
    1Password Alumni

    @austin - thanks for the feedback on the changes, I'll pass it along to the development team. 👍

  • cjheng
    Community Member

    There should at least be the option for users to specify a download folder rather than defaulting to the user's download folder.

  • nimvio
    Community Member

    +1 for this suggestion! I also submitted a request for this.

  • PeterG_1P
    edited September 2021

    Hi folks! While as @ben said, any potential changes may have to wait until after the Stable release, I have filed your requests for more download options and different download handling with our developers, so that this can be considered by the team in course. Thanks for taking the time to share with us what you think would work best. 👍

    ref: dev/projects/customer-feature-requests/#898

  • austin
    Community Member

    Until this is resolved, I will be recommending against upgrading to 1Password 8, as this is a real reduction in security.

  • iwaddo
    Community Member

    I was about to start a new thread but luckily I found this one.

    As mentioned above, the data security leak caused by 1PW8 is just unacceptable. I have just realised that a document I 'viewed' has been copied up to Backblaze, added to Time Machine and my regular Carbon Copy clone - I know these backups are in themselves encrypted but that is not the point. I now need to take positive action to remove the document from each of these backups. I should not have to do this.

    I already have a 'do not backup' folder on my iMac which, funnily, is not backed up. It was there originally for when I have some large transient documents that just do not need to clog my backups but I do also occasionally use it for sensitive files.

    As a minimum I think 1PW8 needs an urgent patch to allow me to specify the default download folder.

    I am off to consider downgrading to 1PW7 for the time being.

    Thank you for your help.

  • PeterG_1P
    edited October 2021

    Hi @iwaddo, thank you for sharing this with us.

    While I don't have anything definite to share on this yet, we are considering how document download handling might be done in future versions of 1Password. We do take the security implications of this feature seriously, and are looking at how to implement this in a user-friendly way that mitigates security and privacy concerns under a number of different scenarios. Thanks for contributing to the discussion here!

    ref: dev/core/core#10857

  • iwaddo
    Community Member

    So I do have a rather clunky workaround.

    Steps
    1. Rename all the documents in 1P with an identifier, for example add 1P- as a prefix
    2. Use a Folder Action to watch the Downloads folder and then move the downloaded document to a folder that I've excluded from all my backups

    After the move

    • I can create a Notification
    • open the folder in Finder
    • create a Saved Search Query to my Finder Sidebar to help me check whether I've still any downloaded secure documents

    The options are probably endless, you can do whatever takes your fancy.
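
The workaround in the post above, written as a shell function that a Folder Action or scheduled job could call. This is an added example, not code from the thread or from 1Password; the `1P-` prefix comes from the post, while the function name and the two folder arguments are assumptions.

```shell
#!/bin/sh
# Added example: move vault documents (recognised by a filename prefix) out of
# a watched downloads folder into a private folder that backups should skip.
# The "1P-" prefix follows the post; both folder arguments are the caller's.

quarantine_1p_downloads() {
    src=$1 dest=$2 prefix=${3:-1P-}
    moved=0

    # Destination is readable by its owner only.
    mkdir -p "$dest" || return 1
    chmod 700 "$dest" || return 1

    # On macOS, ask Time Machine to skip the folder. Other backup or sync
    # tools need their own exclusion rule for the same path.
    if command -v tmutil >/dev/null 2>&1; then
        tmutil addexclusion "$dest" >/dev/null 2>&1 || true
    fi

    for f in "$src/$prefix"*; do
        # Skip the unexpanded glob, directories and symlinks.
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        name=$(basename "$f")
        target="$dest/$name"
        # Never overwrite an earlier copy; add a numeric suffix instead.
        n=1
        while [ -e "$target" ]; do
            target="$dest/$name.$n"
            n=$((n + 1))
        done
        mv -- "$f" "$target" && chmod 600 "$target" && moved=$((moved + 1))
    done
    echo "$moved"   # number of files moved
}

# Run directly: sh quarantine.sh ~/Downloads ~/NoBackup
if [ "$#" -ge 2 ]; then
    quarantine_1p_downloads "$@"
fi
```

Moving the file only helps if it happens before the next backup or sync pass picks it up, so the function should be triggered by the folder change rather than on a long timer.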

  • Thank you, @OlivierP and @iwaddo. We appreciate your contributions here on how this might be implemented in practice. Salute from the 1Password team!

  • iwaddo
    Community Member

    On my iMac it was easier to use Automator, I've pasted it below. Happy to answer any questions about it and great to hear if anyone can think of any enhancements. I did also set up a Smart Search in Finder as an easy way to check.

    To be honest this is probably overkill for a relatively minor security issue but it has been a bit of fun to do and has given me inspiration for a file based task that is a bit repetitive I can probably now automate :-)

  • austin
    Community Member

    Using a separate solution that requires that we rename our documents and configure the system differently is not a solution at all. It is incumbent on 1Password to remedy this security regression correctly. The default download should be to a temporary location (erased when 1Password locks) and there should be an option to "Save As…" to a different location. Anything else is by definition less secure. I’m not even sure why this was done this badly in the first place, given the company’s general reputation and stance on security (this never should have passed by the Dark Arts).

  • iwaddo
    Community Member

    @austin

    I completely agree.

    I quite deliberately called it a workaround and it was a bit of a fun exercise.

This discussion has been closed.