This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

Unlock before showing passwords

Gnarlodious
Gnarlodious Junior Member
My problem is when I click the "Edit" button suddenly my passwords are all visible to anyone. How do I plug that security hole? I was unable to understand the options on the Preferences page. I want the application to lock the Edit button, while still leaving it unlocked for browsers.

Comments

  • khad
    khad Social Choreographer
    When 1P is unlocked, your data is accessible. There is not really a way around this. We will consider making an option to disable Edit from within the browser, but the reality is that if I am not actively using the computer, I should lock 1Password to prevent unauthorized access in the same way I lock my home even when I run to the store just a couple blocks away. :-)



    Please consider making use of some of the [url="http://help.agile.ws/1Password3/preferences_security.html"]security preferences[/url] 1Password offers.



    If "Disable automatic unlock for 1Password" is enabled you will always be prompted to enter your master password when opening 1Password. This includes quitting the app and relaunching it along with its first launch on system startup.



    Likewise, if "Disable automatic unlock for all applications" is enabled you will always be prompted to enter your master password when using one of the browser extensions after a fresh launch of your browser(s).



    So an easy way to keep prying eyes at bay is to leave both of the above settings enabled and [b]quit 1Password and your browsers when you are done using them[/b]. Your data will be locked.



    Otherwise, you are relying on the auto-lock settings to secure your data, which will either lock your data after X minutes of inactivity, when your Mac begins to sleep, or when the screen saver is activated, whichever of the selected options comes first.



    To speed up the auto-lock process you might consider the following.



    1. Set an Active Screen Corner for your screen saver and activate the screen saver when stepping away from your Mac (System Preferences > Exposé and Spaces > Exposé > Active Screen Corners).



    2. Close the lid of your Mac laptop to put your Mac to sleep.



    3. Activate the login window when stepping away from your Mac (System Preferences > Accounts > Login Options > "Show fast user switching menu as…")



    The above three options will also secure your entire OS X login if you have enabled "Require password … after sleep or screen saver begins" (System Preferences > Security > General).



    I hope that helps. :-D



    Cheers!
  • Gnarlodious
    Gnarlodious Junior Member
    Thanks for that, but I'm not sure you understand my problem. In the "View" menu there is an option to Conceal Passwords, which is great. However, when that feature is disabled, anyone can still view passwords by clicking the Edit button then clicking on the password field in the data display!



    I am just worried this is a security hole. If passwords really are concealed, you should not be able to see it under any circumstances. And when turning on password visibility, you should have to enter your one password.
  • [quote name='Gnarlodious' timestamp='1292316845' post='17542']

    Thanks for that, but I'm not sure you understand my problem. In the "View" menu there is an option to Conceal Passwords, which is great. However, when that feature is disabled, anyone can still view passwords by clicking the Edit button then clicking on the password field in the data display!



    I am just worried this is a security hole. If passwords really are concealed, you should not be able to see it under any circumstances. And when turning on password visibility, you should have to enter your one password.

    [/quote]



    I'm sorry for the confusion here, Gnarlodious, I see what you mean now.



    When you have the main 1Password application open, which you don't need to do for the browser integration to work, you can indeed view your passwords via editing the item. Realistically, if you're going to leave your computer, you should quit the main 1Password application. If you have the option for 'Disable automatic unlock for 1Password' checked in 1Password > Preferences > Security, then you'll need to enter your master password each time you relaunch 1Password. You can also manually lock the main application by clicking the 'Lock' icon in the toolbar or using the Control + Command + L keyboard shortcut from within 1Password.



    I do see where you're coming from though, I'm just not sure that requiring the master password to view your passwords after you've already unlocked the main 1Password application is the best user experience. I think we've had some discussion about this around our virtual water-cooler, and maybe we'll come up with a solution that meets your needs but still provides the same ease of use.



    Hope that makes some sense,
  • Gnarlodious
    Gnarlodious Junior Member
    Thanks. When "Conceal Passwords" is in effect, maybe the displaying of passwords inside the editing field should also be disabled. When "Conceal Passwords" is turned off, you should have to enter your 1Password.



    My personal computer is secure, but a hash of my Gizmodo password was posted on a hacker website. I had to change all sites using that password, so have gotten more conscious of the cross-website password problem. Fortunately, 1Password has made it a lot easier.
  • MartyS
    MartyS AgileBits Customer Care (retired)
    [quote name='Gnarlodious' timestamp='1292343682' post='17573']

    Thanks. When "Conceal Passwords" is in effect, maybe the displaying of passwords inside the editing field should also be disabled. When "Conceal Passwords" is turned off, you should have to enter your 1Password.



    My personal computer is secure, but a hash of my Gizmodo password was posted on a hacker website. I had to change all sites using that password, so have gotten more conscious of the cross-website password problem. Fortunately, 1Password has made it a lot easier.

    [/quote]



    I think there's a balance between what can be seen just by clicking on an item, and what you see while you are actively editing an item. The Conceal Passwords keeps the really sensitive information behind a veil so "shoulder watchers" won't see it while you're showing them something in 1Password or you just happen to have it open when they walk by. But once you start editing, having to re-enter your master password (that you've already supplied) would be a bit much to ask (you might have dozens of items to edit).



    I'm sorry that you were caught up in the latest network problems, but very grateful that 1Password was able to help you be able to organize an effective approach to getting things back under control for whatever data might have been exposed.
  • dteare
    dteare Agile Founder
    [quote name='Gnarlodious' timestamp='1292343682' post='17573']When "Conceal Passwords" is in effect, maybe the displaying of passwords inside the editing field should also be disabled. When "Conceal Passwords" is turned off, you should have to enter your 1Password.

    [/quote]



    I wanted to add to what Marty said about "shoulder surfers". The Conceal Passwords option is really just for these snoopers as any thief who had access to your [b]unlocked[/b] 1Password could simply copy the password and then paste it into TextEdit so they could view it. The copy-and-paste is a pretty important use case so we wanted to make it as easy as possible; all you need to do is hover over the password and a Copy button appears. I don't think we'd want to prompt for your Master Password every time you clicked Copy or Edit.
  • I like the "conceal password" option a lot and usually leave it unchecked.



    Because of this, could I ask for a feature? - Is it possible for the 'Conceal Password' options to be (re)checked by default on every 1Password login? Even if I quit with the option unchecked?



    That way, when I open 1Password with someone standing behind me, they don't automatically get to see the passwords if I quit with passwords visible.



    thanks
  • RobYoder
    RobYoder Agile Customer Care
    [quote name='scidoc' timestamp='1293504247' post='18168']

    I like the "conceal password" option a lot and usually leave it unchecked.



    Because of this, could I ask for a feature? - Is it possible for the 'Conceal Password' options to be (re)checked by default on every 1Password login? Even if I quit with the option unchecked?



    That way, when I open 1Password with someone standing behind me, they don't automatically get to see the passwords if I quit with passwords visible.



    thanks

    [/quote]



    If you are worried about someone standing behind you, then go ahead and leave Conceal Passwords checked, and just use the option key to temporarily view passwords. That's what I do, and it is very convenient for me. Very seldom do I actually have to have a password visible for more than a second or two, so holding down the option key works great.
  • [quote name='RobYoder' timestamp='1293512427' post='18169']

    Very seldom do I actually have to have a password visible for more than a second or two, so holding down the option key works great.[/quote]

    Same for me. I suspect a lot of people don't know about tapping/holding Option to temporarily view concealed passwords; I didn't for a while.
  • RobYoder
    RobYoder Agile Customer Care
    [quote name='sjk' timestamp='1293554063' post='18186']

    Same for me. I suspect a lot of people don't know about tapping/holding Option to temporarily view concealed passwords; I didn't for a while.

    [/quote]



    That's true, sjk, I've heard that from users before. Where do you think we could put that gem of info? Maybe in a hot tips section somewhere.
  • [quote name='RobYoder' timestamp='1293555136' post='18189']

    Where do you think we could put that gem of info? Maybe in a hot tips section somewhere.[/quote]

    There's the Hot Tip sidebar on the [url=http://agilewebsolutions.com/support]Agile Web Solutions Support Overview[/url] page, but most of the current content is references to Facebook/Twitter/YouTube.



    I've noticed clearly marked "hot tip" items in certain product manuals/documentation. Maybe do that, with a summary list and the ability to jump to any specific item within its context for a more detailed explanation? Or, add a "Tips & Tricks" subforum where AWS can post those items?
  • RobYoder
    RobYoder Agile Customer Care
    edited December 2010
    [quote name='sjk' timestamp='1293563741' post='18198']

    There's the Hot Tip sidebar on the [url="http://agilewebsolutions.com/support"]Agile Web Solutions Support Overview[/url] page, but most of the current content is references to Facebook/Twitter/YouTube.



    I've noticed clearly marked "hot tip" items in certain product manuals/documentation. Maybe do that, with a summary list and the ability to jump to any specific item within its context for a more detailed explanation? Or, add a "Tips & Tricks" subforum where AWS can post those items?

    [/quote]



    Looks like we already have an FAQ article on the subject: [url="http://help.agile.ws/1Password3/show_passwords.html"]http://help.agile.ws..._passwords.html[/url]
  • khad
    khad Social Choreographer
    edited December 2010
    Thanks for reminding me about that link, Rob. :-D
  • Ahh, earlier I'd missed that FAQ in search results for [i]option key[/i] from the [url=http://agilewebsolutions.com/support/1Password]1Password Support[/url] page. Now I see it's the last item listed. Of course you have to know that search string will find it; combinations of [i]password[/i] with words like [i]conceal[/i], [i]hide[/i], [i]reveal[/i], [i]visible[/i] don't.