Don't go to Electron unless you can promise 100% security

Thank you for your trust in us, @trinko!

I wanted to say that we did a few things to make sure the new app is more secure than 1Password 7:

• we started performing an external security review of the 1Password 8 codebase from the beginning.
• so far we had several security reviews and plan to continue them as the project develops.
• we designed a logging system to make sure none of the user information is leaked by accident.
• we designed the app architecture to separate the user interface layer from the core where the most critical operations happen. For example, the item detail view process does not even have the value of the password (it only has '*****' asterisks) until you click the Reveal button and at that moment the core send the real value of the password to the view.
• 1Password 8 for Mac is codesigned, sandboxed, and notarized.

@mitch went though some of the work we did to make it more secure in his presentation at NorthSec conference:
https://www.youtube.com/watch?v=_P6qI4ahBVk&t=5110s

Obviously, we are never happy with the current state and we will be looking for more way to make the app more secure.

Oops, I am sorry Mitch Cohen, I was lazy and didn't double check the username 🤦🏻‍♂️

Should've been @mitch, my apologies. (I updated the original post)

@m4rkw 1Password 8 is really hybrid app though. It is not a pure Electron app, there is zero NodeJS code, for example.

Don't go to Electron unless you can promise 100% security

Anyone who "promises 100% security" is selling snake oil. Security is a moving target. I would suggest how companies prevent, plan for, disclose, and resolve any security issues is more important than making grandiose promises about never having any sort of security related issue.

Nobody can guarantee 100% security in consumer applications, except perhaps nocode:

https://github.com/kelseyhightower/nocode

We have a proven track record of having independent audits, running a bug bounty program, as well as disclosing and fixing security issues when they occur.

I wish anyone, especially ourselves, were able to make such a promise. It just isn't a reasonable target I'm afraid. What we can promise is that we take security seriously and will do the things a responsible company should do to prove that.

Ben

Hey, @trinko. Electron packages up the UI for 1Password 8 for Mac. So when you're 1Password to fill forms in your browser, Electron is not involved. When you view a password in 1Password 8 for Mac, though, yes, Electron "sees" it, similar to the way that Safari or your browser of choice "sees" your password when you fill it in a website. As @dougl said above,

Any modern app uses third party libraries and are exposed to supply chain attacks. Those attack surfaces vary depending on the particular framework. Unless you're going to write low-level direct API code, there's always an intermediate code base that's at risk.

The question is how much risk, and that's worth having the conversation about.

There is a lot of other third-party code we use that has the opportunity to "see" passwords and other secrets. This is the nature of software engineering, and all third party code has to be vetted carefully.

If you haven't watched Mitch's talk, I think it would really help answer some of your questions. Unfortunately, even though Roustem linked to the correct start time for Mitch's part, it didn't show up that way for me when the forum software here embedded it, so if you want to watch it, click through to YouTube itself and go to about 1:25:10, or copy and paste this link: https://www.youtube.com/watch?v=_P6qI4ahBVk&t=5110s.