This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.
How To: Change Auto-Lock settings
I emailed to the support email address earlier in the week about a security flaw I discovered - a potentially serious one. I received automated email back but nothing else. I emailed again today along with screen shots. It appears that all my password data is available through Firefox opening of 1Password.html subsequent times on the same computer, after having been initially opened using the master password, until the computer is re-booted. This in Windows 7 Ultimate. I've confirmed this multiple times. When I initially open 1Password.html with Firefox on a freshly booted computer I get the main password window. After I've entered the password once I can continue to access all data without having to re-enter master password through the small "key" symbol in the browser window so long as I don't re-boot the computer.
This is an obvious serious security flaw. However, of more concern to me is where/how is the master password requirement being bypassed. Is this stored somewhere on the computer in memory or somewhere else where it is available to a hacker? How secure is my data on my iPad and iPhone, in Dropbox, or on a thumb drive?
I spent quite a bit of time migrating from eWallet and I do love 1Password, but now I'm having very serious second thoughts after spending nearly 70.00 on a program that lets me get at my data for the rest of the day on my computer, without challenging password entry each time.
TC Cottrell
Welcome to the forums, TC! Thanks for taking the time to contact us. I deleted your other thread since it was an exact duplicate of this one. Please do not create duplicate threads.
I changed the topic of this thread to reflect the fact that there is no security issue. It is just a matter of changing your auto-lock settings to suit your needs.
I apologize that I was pulled away from the computer after changing the topic title but before I was able to post my reply. Also, I'm sorry that our email response times lately are far beyond what we would normally consider acceptable. It is frustrating both for us and our customers as we often end up answering the same question twice when people cross-post in multiple channels (i.e. email and forums). That causes us to duplicate efforts and slows down response times for everyone. We hope to have response times down to our normal levels — within 24 hours but often within minutes — as soon as possible.
Regarding the issue you first wrote to us about, there are actually a couple different things that seem to have caused you some confusion.
First, [url="http://help.agile.ws/1Password3/1passwordanywhere.html"]1PasswordAnywhere[/url] is a web interface to your 1Password data. It has a fixed auto-lock timeout of 1 minute. 1PasswordAnywhere will lock in 60 seconds no matter what you do or what settings you set anywhere. 1PasswordAnywhere is wholly unrelated to the main 1Password application and the 1Password browser extension since it can be accessed in any modern browser and does not rely on or require the installation of 1Password on the machine on which you are using it.
Second, as with all the 1Password browser extensions, the 1Password browser extension in Firefox adheres to the [b]auto-lock settings you have set in 1Password's preferences[/b]. If you unlock 1Password it will remain unlocked until you either manually lock it by clicking the padlock icon or one or more of the selected auto-lock criteria are met. The defaults are shown below in 1Password for Windows' preferences on the Browsers tab.[list]
[*]Lock after [20] minutes of inactivity
[*]Lock when your computer is locked
[*]Lock when screen saver is activated
[/list]
[img]http://cdn.agilebits.com/k/img/Preferences-20130104-140543.png[/img]
If you are using 1Password on your own machine, there is no reason to be using 1PasswordAnywhere (i.e., opening the 1Password.html file) since you have the 1Password application and browser extension installed. 1PasswordAnywhere is designed for use on a machine where you do not have 1Password installed. It is limited in capabilities (read-only, fixed auto-lock, etc.), so there is no reason to use it if you have the actual 1Password application installed.
Finally, your master password is not stored on your computer. It is stored only in your own brain (presuming you have not shared it with anyone else, and we strongly recommend you never share it). When you enter your master password, 1Password attempts to decrypt the encryption key which is 1024 bytes of random data generated when the data file was created. If the master password is correct, then the key is provided. Otherwise, nothing is returned.
For more information on the security of your data, please see:[list]
[*][b][size=5][url="http://help.agilebits.com/1Password3/agile_keychain_design.html"]Agile Keychain Design[/url][/size][/b]
[*][size=5][b][url="http://blog.agilebits.com/2012/07/31/1password-is-ready-for-john-the-ripper/"]1Password is Ready for John the Ripper[/url][/b][/size]
[/list]
If we can be of further assistance, please let us know. We are always here to help!
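The reply above describes two mechanisms: a random encryption key that only the master password can unwrap, and an auto-lock that ends the unlocked state. The sketch below is an added example, not AgileBits code and not part of any post in this thread. It assumes PBKDF2 for password stretching and uses an HMAC-SHA256 keystream with a MAC as a standard-library stand-in for a real cipher; the iteration count, the function names and the `Session` class are hypothetical.

```python
import hashlib, hmac, os, time

KEY_LEN = 1024        # the reply says the encryption key is 1024 random bytes
ITERATIONS = 100_000  # assumed work factor, not taken from the thread

def _derive(password, salt):
    # Stretch the master password; nothing derived here is written to disk.
    k = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, 64)
    return k[:32], k[32:]  # (keystream key, MAC key)

def _xor_stream(key, data):
    # Stand-in cipher: XOR with an HMAC-SHA256 counter keystream.
    blocks = (hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def create_vault(password):
    salt, data_key = os.urandom(16), os.urandom(KEY_LEN)
    enc_key, mac_key = _derive(password, salt)
    wrapped = _xor_stream(enc_key, data_key)
    tag = hmac.new(mac_key, wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}, data_key

def unwrap(vault, password):
    enc_key, mac_key = _derive(password, vault["salt"])
    tag = hmac.new(mac_key, vault["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, vault["tag"]):
        return None  # wrong master password: nothing is returned
    return _xor_stream(enc_key, vault["wrapped"])

class Session:
    """Holds the unwrapped key in memory only while unlocked."""
    def __init__(self, vault, timeout_s=20 * 60, clock=time.monotonic):
        self.vault, self.timeout_s, self.clock = vault, timeout_s, clock
        self._key, self._last = None, 0.0

    def unlock(self, password):
        self._key = unwrap(self.vault, password)
        self._last = self.clock()
        return self._key is not None

    def lock(self):
        self._key = None  # drop the reference; the next use needs the password

    def key(self):
        if self._key is not None and self.clock() - self._last >= self.timeout_s:
            self.lock()  # inactivity timeout reached
        self._last = self.clock()
        return self._key
```

What sits on disk is only the salt, the wrapped key and the tag; what sits in memory between unlock and lock is the unwrapped key, which is why the auto-lock timeout decides how long an unattended machine stays readable.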
I would like to publicly thank you and your team for an immediate and absolutely incredible response to my concerns. I was wrong, and am very pleased to admit my concerns were unfounded as I absolutely love this program. Your patience in multiple emails to help me figure out a personalized way to maximize the use of 1Password across what is essentially 6 platforms with multiple users was perhaps the best quality and level of technical support I've received in my years of computer use.
Keep up the great work.
TC Cottrell
Thanks so much for following up here, TC! I'll be sure to share your incredibly kind words with the rest of the team.
If you ever need anything else you know where to find us. :D