This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

Security problem, master password does not lock

Hello,

first of all, thank you for the great app. (And for the Mac app, and for releasing a PC version ;) )

I believe I have found a security-relevant bug. When I enter 1PP (v 3.5.2) on my iPhone and open a website with a master-password-protected login (e.g. a banking website), I do have to enter the master password. However, when leaving the website open and putting the phone in standby, then turning the iPhone on again, it will only ask for the regular PIN code and, upon entering that, will show you the website with the login details filled in. Even when hitting the reload button it will fill the details back in. Only when you hit the close button will it ask you for the master password. This could potentially give someone who guesses the weaker unlock code access to a master-password-secured website. (Settings: I have set both codes to auto-lock after 1 minute and to lock when inactive.)

Greetings,

Tobi
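The behaviour Tobi reports, modelled as an added example (this is constructed illustration code, not 1Password's code; the class and method names, the 60-second limit and the sample credentials are all assumptions). The model has two lock tiers, a PIN and a master password, plus an internal browser view that was auto-filled while the master tier was unlocked. With `invalidate_views_on_master_lock=False` it reproduces the report: after the inactivity timeout the master tier is locked (opening a new site raises), yet a PIN unlock on resume still shows the filled view and reload re-fills it. With the flag set, engaging the master lock clears any view that needed the master password, so the PIN tier can never reveal master-tier data.

```python
"""Two-tier lock model: what should happen to data that required the higher
tier when only the lower tier is re-checked on resume.

Constructed example for illustration; not 1Password's implementation.
"""
from dataclasses import dataclass, field

# Assumed: both tiers auto-lock after 1 minute of inactivity, as in the report.
INACTIVITY_LIMIT = 60


@dataclass
class WebView:
    url: str
    filled: dict = field(default_factory=dict)  # credentials the app auto-filled


@dataclass
class App:
    # False models the reported behaviour; True is the hardened policy.
    invalidate_views_on_master_lock: bool
    pin_locked: bool = False
    master_locked: bool = True
    views: list = field(default_factory=list)
    last_active: float = 0.0

    def _expire(self, now):
        """'Lock when inactive': both tiers lock after INACTIVITY_LIMIT."""
        if now - self.last_active >= INACTIVITY_LIMIT:
            self.pin_locked = True
            self._lock_master()

    def _lock_master(self):
        self.master_locked = True
        if self.invalidate_views_on_master_lock:
            # Anything that needed the master password dies with the master lock.
            for v in self.views:
                v.filled.clear()

    def unlock_master(self, now, master_ok=True):
        if master_ok:
            self.master_locked = False
            self.pin_locked = False
            self.last_active = now

    def open_site(self, now, url, creds):
        """Opening a high-security item always requires the master tier."""
        self._expire(now)
        if self.master_locked:
            raise PermissionError("master password required")
        v = WebView(url, dict(creds))
        self.views.append(v)
        self.last_active = now
        return v

    def background(self, now):
        self.last_active = now

    def foreground(self, now, pin_ok=True):
        """On resume only the 4-digit code is asked for; views are kept as they were."""
        self._expire(now)
        if self.pin_locked and pin_ok:
            self.pin_locked = False
            self.last_active = now
        return [] if self.pin_locked else list(self.views)

    def reload(self, view):
        # Reload re-fills whatever the view still holds; the master tier is not re-checked.
        return dict(view.filled)

    def close(self, view):
        self.views.remove(view)


def visible_after_resume(invalidate: bool) -> dict:
    """Unlock, open a bank site, go to standby for >1 min, resume with a guessed PIN."""
    app = App(invalidate_views_on_master_lock=invalidate)
    app.unlock_master(now=0)
    creds = {"user": "tobi", "password": "hunter2"}  # constructed sample data
    app.open_site(now=1, url="https://bank.example", creds=creds)
    app.background(now=2)
    views = app.foreground(now=2 + INACTIVITY_LIMIT + 30, pin_ok=True)
    return {
        "master_locked": app.master_locked,
        "filled": app.reload(views[0]) if views else None,
    }


def reopen_requires_master(invalidate: bool) -> bool:
    """After the view is closed, opening the site again must hit the master lock."""
    app = App(invalidate_views_on_master_lock=invalidate)
    app.unlock_master(now=0)
    v = app.open_site(now=1, url="https://bank.example", creds={"user": "t", "password": "p"})
    app.background(now=2)
    app.foreground(now=2 + INACTIVITY_LIMIT + 30)
    app.close(v)
    try:
        app.open_site(now=2 + INACTIVITY_LIMIT + 31, url="https://bank.example", creds={})
    except PermissionError:
        return True
    return False
```

The design point the model makes is that a lock tier is only meaningful if everything unlocked at that tier is invalidated when it re-locks; otherwise the weaker PIN tier is the effective protection for whatever was left on screen.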

Comments

  • jpgoldberg (Agile Customer Care)
    Hi, Tobi. I'm sorry for not responding earlier.

    You raise a great point. On the one hand, the locking of 1Password does exactly what it says: you cannot open high-security items until you have entered the master password. On the other hand, you are correct that preserving the state in the internal browser and not requiring the master password when the app is switched back to can go against users' security expectations.

    We need to think through more carefully how we (and users) expect 1Password to behave in these circumstances.

    Thank you for letting us know about this. I hope other people will join this discussion to let us know how they want 1Password to behave when "Lock when inactive" is set for the master password and one switches back to something in the internal browser.

    Cheers,

    -j
  • khad (Social Choreographer)
    It is important to note that even in the current state, your actual password data is not available to an attacker without re-entering your master password. While they may have access to a website left open, there is no way for them to obtain the password for that site. They would have to be in the right place at the right time and know your 4-digit code to see one site and hope it is the one they want to access.

    I concur that this is still not ideal behavior, though.