This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

Some of the 1Password preferences are accessible even when it is locked

maelcum
maelcum Member
Preferences can be manipulated although 1Pwd is locked

Hello,





I prefer 1Pwd to lock whenever possible, thus have activated all the appropriate options in the preferences. Unlocking is done manually, no options activated here.



After 1Pwd obediently locks - and shows the grey lockscreen - it is still possible for me to call up the preferences - with the keyboard shortcut ( Apple+; ) as well as by using the menu - and change the settings, make backups and maybe (not tested) even restore from an earlier backup.



I do not think this exposes any data (any of my entries in 1Pwd) but it offers anybody with access to my machine the option to reconfigure 1Pwd's behaviour.

I'm not worried about pranks by my co-workers, but replacing the currently used data file with an earlier version or even just moving it somewhere else would be most irritating.

And making backups in a different location - even encrypted - could provide somebody with something I'd rather not share. (Whatever military grade the encryption is, I'd rather not give them the opportunity to poke around to begin with.)



I don't know why it is possible to do something with 1Pwd while it is locked - except unlocking, that is. There might be a good reason for it, that I am not aware of.

That said, I'd rather have the option to lock 1Pwd down, so it doesn't move until the master password is entered. Would that be possible?





Best Regards.





mael

Comments

  • Carl
    Carl Just Me
    Severe security problem....not really imho



    Undesirable behavior.... I would have to agree



    There really isn't anything someone could do in the preferences to get at your data other than making a copy of the keychain to have a crack at. However, I think the better course of action would be to block the app from accessing the preferences when the keychain is locked.



    +1
  • maelcum
    maelcum Member
    edited August 2010
    Well, if somebody resets your data to some earlier stage a while (say, a month) ago, and you'll lose the newer data, I'd call this severe. My prioritization, not yours.

    Why is this possible at all? Why not lock down the app as long as it is locked down?

    Severe oversight.



    If you want to change the title, be my guest, but don't belittle my problem just because it points out a problem on Agile's side. I've been praising 1Pwd often enough to be taken seriously.
  • Yes, you can restore from backup without signing in. I was able to flip right back to my previous backup without issue though. I suppose this could be an issue if someone would restore an old backup and deletes your other backup files, but then what's to stop them from just removing your db file altogether?
  • roustem
    roustem AgileBits Founder
    edited August 2010
    When locked, 1Password does not allow any of the security preferences to be modified.



    However the access to data file location and backups is allowed. This is needed for cases when you completely forgot the master password and need to use a different data file or restore a backup.



    I understand that it is possible to do something bad with the settings. However, if someone gets physical access to your computer there is not much that can be done by the application. The encrypted data will remain encrypted but the "bad guys" will have access to your files and can replace/change/delete anything. They can even replace the app itself. If you work in an environment like that then the best solution would be to lock the account automatically using System Preferences > Security options.
  • Thanks Roustem.



    As always, there seems to be a good reason for it...



    Just one last question: When I forget the Master Password and thus am not able to access my contents of 1Pwd, how could I circumvent this by using the unlocked preferences?
  • roustem
    roustem AgileBits Founder
    If you forgot the master password then there is not much you can do. It won't be very secure if someone could unlock 1Password without knowing the master password.



    However, if you recently changed the master password then there might be a backup file using the old master password that you still remember. In this case you can restore it and get (at least some of) your data back.