by whelchel 2679 days ago
Can anyone comment on how concerning this is? It doesn't seem good. I was considering updating from 1Password 4 to 7 and biting the bullet on the subscription model. Based on this case study it seems 7 is a security regression traded for UX improvements. Now I'm considering KeePass, or at least waiting to hear some responses from the providers involved.
2 comments

It's not a concern. As an average user your only consideration is "Do they keep my passwords safe on the disk?", and the answer is "yes" for all of them.

If you work for the NSA and cover yourself with a tinfoil blanket to enter your passwords, just lock and close the password manager completely after you've used it to login to a service, and you're all good.

And if something crashes and dumps memory, you're right back to the answer being "no": your passwords are no longer protected on disk.

Why is having _all_ passwords unencrypted and available to _all_ processes running under the same user context considered an esoteric attack?

Basically we are one browser exploit away from using ad networks to steal all your passwords (from 1Password 7).

I don't think it's an "esoteric" attack, it's just that the cost-benefit of locking things down a tiny bit more isn't significant. We're always one browser exploit away from malware that can do whatever it wants.

Ok, so say the malware couldn't access all your passwords immediately. It's just going to sit on your computer and collect them (and existing sessions) as you use them, or force you to re-auth and then collect them. And if it's highly prized info, the malware will eventually get updated with a privesc to go around the user context. This is what malware has been doing for years, and nobody notices until exfiltrated passwords start getting used.

By the time I go through all my passwords at least once, browsers and OSes will release multiple rounds of patches and potentially fix the exploit in question. This is still preferable to uploading the whole database...

I think the cost-benefit differs. If the whole database is leaked, you just rotate everything. Only the stuff that has been used (which tipped you to it being leaked) has a real impact. Nobody's going to compromise every single account you have all at the same time, unless they're specifically targeting you, in which case they're going to get everything anyway. So on balance, it doesn't matter if some random malware gets 1 of your passwords or all of them. The real-world impact is about the same: limited. The cost of worrying about the extra security outweighs the benefit.

Another way to go would be tiers of password managers. Even if all of their unlocked integrity sucks, you can have one manager that keeps your most sensitive accounts, and another manager for the rest. You rarely unlock the sensitive one, and after you log in, you unlock it and exit it. Now you have much better opsec with very little additional cost.

Imagine a malware ad using a zero-day browser exploit that is designed to dump the 1Password DB at scale and upload it for further processing. As an attacker you can run this for a while (while the exploit is valid) and then compromise thousands of bank accounts you have collected. As many as your scripts support.

No, it just has to wait until you unlock your password manager once
Well yes, right now that is true. Without filesystem access, without long-term persistence, with just process memory access, a compromised browser can dump the whole DB from 1Password 7 at once. You only need seconds of time.

If only recently accessed passwords were unencrypted, only those would be available.
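
Added example, not from the thread or from any password manager's code: what "unlocked secrets are visible to anyone who can read process memory" looks like in practice, and what "decrypt on demand, wipe after use" buys you. The program stands in for the password manager itself. It puts a fake password (a constructed byte string, not a real credential) into a heap buffer the way an unlocked entry would land there, then walks its own writable mappings from /proc/self/maps and reads them through /proc/self/mem, which is the same view a same-user process with ptrace access, or a crash dump, gets. A second run wipes the buffer right after "use" and scans again. It reads its own memory rather than another process's because on many Linux distributions Yama's ptrace_scope=1 blocks a same-user process from attaching to a non-child, so a cross-process demo would fail for reasons unrelated to the point. Linux-only; function names are my own.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define SECRET_LEN 24

/* The fake "password" is derived byte by byte (constructed for this demo) so
 * the only contiguous copy of it lives in the buffer we deliberately put it
 * in; a string literal would also sit in the binary's data and be found there. */
static unsigned char secret_byte(size_t i) {
    return (unsigned char)('a' + (i * 7 + 3) % 26);
}

/* Stand-in for "unlocking" one entry: the plaintext lands in a heap buffer. */
unsigned char *unlock_secret(void) {
    unsigned char *buf = malloc(SECRET_LEN);
    if (buf) for (size_t i = 0; i < SECRET_LEN; i++) buf[i] = secret_byte(i);
    return buf;
}

/* Overwrite through a volatile pointer so the compiler cannot drop the
 * stores as dead writes ahead of free(). */
void wipe(unsigned char *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

static unsigned char chunk[1 << 16];   /* scan buffer, wiped after every read */

/* Naive search for the secret in one chunk of memory. */
static long count_in(const unsigned char *buf, size_t n) {
    long hits = 0;
    for (size_t off = 0; off + SECRET_LEN <= n; off++) {
        size_t k = 0;
        while (k < SECRET_LEN && buf[off + k] == secret_byte(k)) k++;
        if (k == SECRET_LEN) hits++;
    }
    return hits;
}

/* Walk every rw mapping listed in /proc/self/maps and read it through
 * /proc/self/mem. Returns the number of hits, or -1 if /proc is unavailable. */
long count_secret_in_memory(void) {
    FILE *maps = fopen("/proc/self/maps", "r");
    if (!maps) return -1;
    int mem = open("/proc/self/mem", O_RDONLY);
    if (mem < 0) { fclose(maps); return -1; }
    long hits = 0;
    char line[512];
    while (fgets(line, sizeof line, maps)) {
        unsigned long start, end, off;
        char perms[5];
        if (sscanf(line, "%lx-%lx %4s", &start, &end, perms) != 3) continue;
        if (perms[0] != 'r' || perms[1] != 'w') continue;   /* writable data only */
        if (strstr(line, "[vvar]")) continue;               /* not readable via mem */
        for (off = start; off < end; ) {
            size_t want = end - off;
            if (want > sizeof chunk) want = sizeof chunk;
            ssize_t got = pread(mem, chunk, want, (off_t)off);
            if (got <= 0) break;                /* unreadable page: skip the region */
            hits += count_in(chunk, (size_t)got);
            wipe(chunk, (size_t)got);           /* never keep a copy of what we read */
            if ((size_t)got < want || off + (unsigned long)got >= end) break;
            off += (unsigned long)got - (SECRET_LEN - 1);   /* overlap: a straddling hit is seen once */
        }
    }
    close(mem);
    fclose(maps);
    return hits;
}

/* Unlock, scan while the plaintext is live, then wipe before freeing. */
long hits_while_unlocked(void) {
    unsigned char *s = unlock_secret();
    if (!s) return -1;
    long hits = count_secret_in_memory();
    wipe(s, SECRET_LEN);
    free(s);
    return hits;
}

/* Unlock, wipe immediately after "use", then scan. */
long hits_after_wipe(void) {
    unsigned char *s = unlock_secret();
    if (!s) return -1;
    wipe(s, SECRET_LEN);
    long hits = count_secret_in_memory();
    free(s);
    return hits;
}

int main(void) {
    printf("hits while unlocked: %ld\n", hits_while_unlocked());   /* at least 1 */
    printf("hits after wipe:     %ld\n", hits_after_wipe());       /* 0 */
    return 0;
}
```

Two things worth noticing when adapting this to a real vault: the scan buffer is wiped after every read because a memory scanner that is careless leaves its own copy of the secret behind, and the wipe goes through a volatile pointer because a plain memset before free() is exactly the kind of store an optimizer deletes. A manager that decrypts one entry at a time and wipes it this way exposes only the entry in use; one that decrypts the whole database on unlock exposes every entry for as long as it stays unlocked.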

If there's malware that can read your memory on your machine, they could also just intercept the paste buffer. Basically, this is a rather esoteric attack that, if someone were in a position to perform it, they could also do much simpler ones.

Keep using a password manager. Write down your 2FA codes separately in a safe place. (I recommend everyone own a safe deposit box.)