Adam Caudill

Security Engineer, Researcher, & Developer

1Password 8 Early Access: Security, Comments, & FAQs

A few days ago, 1Password (my employer) released the first preview of the new application for macOS. The response has been rather dramatic. The release was followed by an excellent blog post by Michael Fey explaining the story of how we got here, and some of the decisions that were made in the process.

I’d like to now to a few minutes to answer some questions, provide some insight, and share my thoughts on this release.

This post does not reflect the opinion of anyone other than myself. I am not speaking on behalf of my employer, other employees, or anyone else. Nothing here references non-public information, nor will you find any commitments or concessions. Any errors are my own, and I apologize in advance for anything here that turns out to be incorrect. This article is provided in the hopes that it’ll help some gain understanding or insight.

Disagreeing Respectfully #

Before I continue, I would like to take a moment to comment on something I find both disappointing and disturbing. While there may be disagreements around decisions that have been made — what tech stack is used, what the app looks like, what features are or aren’t present — that doesn’t provide an excuse to be disrespectful to the people that worked hard to build this application. There’s no excuse for personal attacks.

The team at 1Password is amazing. They are deeply passionate about privacy and security (to a degree I’ve not seen anywhere else). They are warm & welcoming. They’ve built a culture where everyone is welcome just as they are. They care about users, and want to build the best software possible. While some disagree with the path taken, they are still humans, with feelings, and being disrespectful, rude, and attacking them simply isn’t appropriate. It isn’t right.

Please remember that when you’re talking to someone on social media, there’s a real person on the other side. Treat them how you would want to be treated. Be kind. It’s possible to disagree without being rude or resorting to personal attacks.

Questions & Answers #

I’ve been working to help address some of the questions coming up, and I’d like to collect some of these answers in one place. I hope this is valuable to you.

There are, of course, a lot of questions that I do not include here, as they’ve been answered elsewhere in sufficient detail.

Is storing my data on 1Password.com secure? #

Yes. All data is end-to-end encrypted, using a combination of your account password and Secret Key. The secret key contains 128-bits of entropy and is mixed with your password to create the value needed to log in, as well as the encryption key that protects your data. We never have access to your secret key, so there’s nothing we can do with your data.

If an attacker were able to get into the 1Password database, the data they get would be useless; as we don’t have the secret key, they wouldn’t be able to even attempt to brute force the key to access your data.

The security model is explained in detail in the white-paper (PDF).

Isn’t it unsafe to use Electron? #

It’s true that Electron is quite complex, as it’s built on Chromium - this creates a number of challenges for developers to use it securely. We’ve worked hard to take the proper steps to do it right.

We’ve done our due diligence to ensure that we are following all best practices, and reviewed issues found in other applications to ensure that we wouldn’t face the same problems. In addition, when possible, we work to eliminate entire classes of vulnerability instead of blocking specific vulnerabilities. This way, if new issues are found in the future, it’s less likely to impact us.

Some of the concrete steps that we’ve taken:

  • We’ve created and open-sourced a fork of the TypeScript Quick Start that our application is based on. This fork implements secure defaults based on a number of sources.
  • We’ve open-sourced the tool we use to modify the compiled binary to disable a variety of unsafe features, which prevents a number of security issues.
  • We use a strict Content Security Policy to prevent Cross-Site Scripting and other injection attacks.
  • We explicitly block the creation of WebViews and Windows, and never load content from the web.
  • No web requests are issued from Electron; any content that needs to be requested (such as favicons) is handled by the Rust Core.
  • All content is carefully sanitized, and our Markdown renderer is strongly-typed to ensure that there’s no possibility of it being abused (as an aside, we’ve built what I think is the most secure Markdown rendering system I’ve ever seen).
  • Node.JS integration is disabled, along with other features, which dramatically reduces the ability of an attack against the frontend from being to impact the system.
  • We closely monitor Electron for new issues, and keep the application on the latest version.
  • Most importantly, the Rust Core performs all cryptography, file system access, network access, and all the heavy lifting. This minimizes both the attack surface, and the ability of a successful attack impacting the frontend from being able to access sensitive data such as encryption keys.

While it’s impossible to eliminate every risk, the architecture used here has greatly reduced the risk of anything going wrong.

I should also note that in addition to our own efforts to secure the application, we conduct frequent third-party penetration tests of our applications. While we don’t publish penetration test reports for products or services that are still in initial development, this application has already been subjected to multiple penetration tests.

Should I stop updating if I don’t want v8? #

No, 1Password 8 will be a separate download, and will not be pushed to users of v7. Switching to v8 will be a decision you have to make yourself; we won’t make it for you.

In addition, we push important improvements and security fixes via the update mechanism. If you stop installing updates, you could miss out on updates that help keep you safe.

Why not use Tauri since you’re a Rust shop? #

We’ve been watching Tauri closely, and in fact, we are a Premium Sponsor providing financial support to help them mature. While we believe that Electron is the best option for the needs of this application at the moment, that could change as Tauri continues to improve.

We will continue to watch their progress closely, and have high hopes for their future.

Are you cutting costs or getting rid of developers? #

Far from it, development teams are bigger than they’ve ever been, and there are many open positions - including several new developer positions.

My internet connection isn’t stable, so I need my data to be local. #

When you are using 1Password.com (or 1Password.ca or 1Password.eu), the internet connection is used to sync your data, but it is still accessible even when you’re offline. Data is stored on your device, and changes will sync again once your connection is restored.

Having access to your data is critical, and the system is designed to ensure you can.

Why can’t I change the default keyboard shortcut? #

We know you’re used to the old one, and there will be the ability to change it in the future.

Please remember that this is the first preview release, meant for people who like the bleeding edge. It allows us to collect feedback, identify issues, and make sure we are building the right features. There are a number of things on the roadmap that aren’t in place yet.

What happens if my subscription expires? #

We don’t just start deleting data — it’s still there, and you can still get to it. But there are some things you can’t do until you renew your subscription.

How do I know you won’t just shut down, and I’ll lose my data? #

There are a few good things:

  • 1Password is a profitable company.
  • Raised $200M from investors in 2019.
  • Raised another $100M from investors in 2021.
  • Has great uptime.

Systems are reliable, data is backed up, and you can easily export it.

What about local vaults & standalone licenses? #

1Password co-founder Dave Teare covers this in a forum post. I’ll let his words speak for themselves.

I will point to one specific comment that’s quite important (at least to me):

We also had pushed standalone vaults (the underlying data format used by licenses) to their limit and couldn’t push them any further. Features like 2FA, secure remote password, account recovery, and many others weren’t feasible without connecting to a server to perform the heavy lifting.

There are issues that are challenging to solve with local vaults, and features that just can’t be added.

My Thoughts #

I’ve been happy to see how passionate users are about great software. I’ve been encouraged by the feedback we’ve received about new features being better than expected. I’ve been excited to hear from those that gave the application a fair chance. I’ve been disappointed by a vocal minority that resorted to personal attacks against my colleagues.

I’ve been using the new 1Password for Mac for some time, and I know what we can do with it in the future. I know what it’s capable of, and how good my own experience has been — and I’ve been a loyal 1Password user for a number of years. But speaking of what we can do in the future, I’m going back to working on building that future.

Adam Caudill


Related Posts

  • Declaring War on Ransomware

    It’s time for everyone from the industry, developers, and the government to declare war on ransomware and make it as hard as possible for them to ply their insidious trade. There have been false starts and baby steps, diligent fighters without enough resources, and vendors that have only given a nod to the issue. It’s time to use every tool reasonably available to stop this scourge. For so many in the industry that have dedicated so much of their time and effort to this fight, this statement may seem to diminish their efforts, but that is not my intent.

  • Developers, Developers, Developers

    Note: This was written in 2012, but not published at the time. The point is still valid, perhaps moreso than ever and deserves to be made publicly. The content has been updated as appropriate, though the core of this article remains intact from the 2012 draft. I would like to note that this doesn’t apply to every environment, there are some where developers are very knowledgeable about security, and write code with minimal issues – my current employer happens to be one of those rare & exciting places.

  • Developers: Placing Trust in Strangers

    Much has been said, especially recently, about that mess of dependencies that modern applications have – and for those of us working in application security, there is good reason to be concerned about how these dependencies are being handled. While working on YAWAST, I was adding a new feature, and as a result, I needed a new dependency – ssllabs.rb. While most Ruby dependencies are delivered via Gems, ssllabs.rb is a little different – it pulls directly from Github:

  • Threat Modeling for Applications

    Whether you are running a bug bounty, or just want a useful way to classify the severity of security issues, it’s important to have a threat-model for your application. There are many different types of attackers, with different capabilities. If you haven’t defined the attackers you are concerned about, and how you deal with them – you can’t accurately define just how critical an issue is. There are many different views on threat models; I’m going to talk about a simple form that’s quick and easy to define.

  • PL/SQL Developer: Nonexistent Encryption

    (See here for another issue discovered during this research; Updates over HTTP & Command Execution.) PL/SQL Developer by Allround Automations has an option to store the user’s logon history with passwords – the passwords are encrypted with a proprietary algorithm. At this point, you should know how this is going to go. For those that don’t know, PL/SQL Developer is a tool for developers and database administrators to access Oracle – an essential tool in many enterprise environments.