Former Member
4 years ago

Security issue: Generated passwords are automatically saved in current (possibly shared) vault

Hi,

A generated password is automatically saved, which is fine. But it isn't saved in the private vault but in the vault which is currently selected.
This current vault can be a shared one and in that case the password is accessible by others, which the user is not aware of.

I already have https://1password.community/discussion/123274/security-issue-prevent-accidental-moving-of-items-between-vaults, for me it more and more seems like the sharing in 1Password is not well thought through.

I like the simplicity of sharing passwords by being able to share a whole vault, but behaviors like this really destruct security.

The only way to share is to share a whole vault, and it doesn't seem like you thought about the potential risks of this only way.

Also, sharing should be possible in other ways, also to be able to share the same item to multiple people without having to create an enormous number of vaults.

We just switched to 1Password, but these behaviors really make me doubt if it was the right decision.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided

7 Replies

  • @1Adrian

    The new 1Password for Safari is currently available alongside the Early Access 1Password 8 for Mac. If you're not interested in the Early Access, you can still download it for Safari from Safari > Safari Extensions. Although it will not communicate with 1Password 7 and will act as a standalone web extension in your browser. Alternatively, if you're using any other browser - it is already available there.

  • Former Member

    This looks good ag_chantelle! Since I'm using Safari, when will this version be available for it?

  • @1Adrian

    What you're saying makes complete sense. It wasn't clear which version of 1Password you are using, whether this is the 1Password classic extension or the Safari App Extension.

    One thing I do want to mention - the new version of 1Password for your browser handles this entirely at the browser level. That means you won't see an actual password saved to your vault(s), but to the Password Generator history directly in the browser. It will look something like this:

    If you're open to taking it for a spin, I'd be interested to know if it improves your state of play a little.

  • Former Member

    Yes you're right, it would generally be the best default behavior, but only if there'd be a confirmation hint. Without it, I see the risk that the password is being saved in the wrong (shared) vault, especially since you can select a vault hours before generating a password.

    I just think that the sharing of items in 1Password is too low-threshold. If a creation or move of an item affects the access of others, do you think a confirmation hint does anything bad? It's just one click, I don't see any disadvantages.

  • Former Member

    @1Adrian:

    Thank you for the confirmation! I think storing the password in the currently selected vault is a good default choice, but I see how in certain cases you might want this not to be the default behavior. I don't know if the developers have plans to rethink this behavior (I think it would be confusing to users to be in a vault, create an item, and have it end up in a different vault by default), but I can certainly pass your feedback along for future consideration :+1:

  • Former Member

    Hi @ag_ana, I'm doing it in the browser extension.

    The vault in which the generated password will be saved is shown (see screenshot), but can be overlooked. At least to me it happened multiple times.

    Same as for the other issue when moving an item to a shared vault, I think there should be (the option of) a confirmation hint before the generated password is saved to a shared vault.

  • Former Member

    Hi @1Adrian!

    Can you please share the steps that you are following to generate a password? Are you doing it in the desktop app or in the browser extension, for example?