Tell HN: 1Password shares passwords you don't want shared

192 points by drcongo ↗ HN
I mentioned this in a comment [0], but given how serious this potentially is I thought it might warrant a Tell HN.

Only tested on a Mac with 1Password 7 using Agile Bits' sync.

If you have shared and private vaults on 1Password, using the Generate Password button in 1Password Mini doesn't let you select which vault that password should be saved in until it becomes a login, however, at that point it has already saved the password you generated in your shared vault, and anyone who you share that vault with can see both the password, and the site that it was generated for. This has obvious security implications but also, maybe less obviously, privacy implications as you may not want your entire company to know that you just generated a password for a jobs site.

[0] https://news.ycombinator.com/item?id=30370947

104 comments

[ 0.27 ms ] story [ 155 ms ] thread
(comment deleted)
KeePassXC.
Exactly. I never understood why tech-savvy people pay for some private closed-source password-manager while there are some great free and open source alternatives.

I also heard good things about Pass "the standard unix password manager". Great for those wanting to use the command line and git to manage their passwords.

A more accessible solution is Firefox password manager : it works rather nicely and at least it's not owned by a company trying to make money on password management.

Seems like the responsible move would be for you to submit this to their bug bounty before disclosing to the community? https://bugcrowd.com/agilebits
I think they think it's a feature.
This seems like a baseless assumption. Unless you have evidence actually suggesting otherwise, try assuming good faith. 1Pass isn’t incentivized to make decisions that compromise security.
Why is that more responsible than telling users?
Making it public before there's been a chance to fix it gives attackers a chance to exploit it.

Now, those so inclined know to monitor shared vaults.

Attackers don’t have to wait til it’s public to exploit it.
There's a whole concept of responsible disclosure[1] in white-hat security research that involves notifying the company and then notifying the public after giving the company a chance to fix the bug.

It's generally understood to be the most ethical approach.

[1] https://en.wikipedia.org/wiki/Coordinated_vulnerability_disc...

Even that page points out that “coordinated disclosure” is a more accurate term for what you’re describing.

There are a wide variety of opinions in the industry about the merits of coordinated vs full disclosure. Calling one option “responsible disclosure”, or suggesting that it’s generally understood to be the most ethical, is outlandish.

(comment deleted)
You can still specify your default vault, though, to be your private one, right?

(I say this as somebody who is looking to get off of 1P.)

how come you're looking to get off? I have been looking to get ON!
Subscription fees / rent seeking?
Can you expand on what you mean by "rent seeking" in this context?

Regarding subscription fees, there's nothing wrong with paying for software.

Especially that one pays for a service in case of 1P.
I _bought_ 1P way before it was a service. I continued to pay for upgrades. I don't want a subscription, and I don't want to be forced into their black-box syncing. I've been migrating to the free software pass [0].

[0] https://www.passwordstore.org/

I see, I wasn't aware that they are / were doing a standalone software version too. I always knew about them as a web service.
There is no reason for it to be a web service. Why should I pay for their cloud when I already have access to storage on three clouds, two of which they used to support, but have now removed from their software, just so they can force me to pay them every month? Oh man, it makes me mad.
No, it’s a well understood concept. giyf.

I did pay for their software. Then they decided to try to exploit their position in a way favorable to them, and unfavorable to me. Nope.

They are making the app worse (removing local vaults, making their mac app and iOS app crappy) so that they can force me to pay them more. Why would I agree to that? I resent it, and I'm leaving.
I know this is a tired trope on HN, but I love my bitwarden. I switched from lastpass and the transition was mostly seamless. There's some hiccups with the transfer but it's all worked out now.

The biggest difficulty I had is that bitwarden doesn't have a lot of "equivalent domains" to map web urls to android app namespaces, but that's a one time fix.

Sometimes bitwarden takes two tries to input a password on my phone, but lastpass broke it's support for firefox on android over a year ago and hasn't bothered to fix it.

Tropes exist for a reason. Bitwarden is perfectly fine and functional and does its job very well. As you mentioned, there's some hiccups but for the most part it seems like a much better alternative to LastPass
Bitwarden has finally added support for multiple accounts on desktop. Presumably mobile will follow. That will probably make it usable for me.

As it is, I have tons of organization accounts and personal accounts and Bitwarden offers me no way to efficiently switch/filter between those groups of accounts.

I have a problem with it showing my passwords in plain text. So when I'm doing a demo where I share my screen everyone can see my passwords. I absolutely hate 1password.
don't you have to click "reveal" to show the plaintext password? Oh, you mean for new generated passwords
where does it show passwords in plain text? Mine has never done that on any version of 1password (ios, mac, multiple versions).
when I'm using a new user on a web site. This is a problem for me everyday. I searched through every setting.
Check this setting (in the Desktop App): Settings > Security > Display > Always show password and full credit card numbers
Use Bitwarden instead. fixed.

https://bitwarden.com/

(comment deleted)
Still has a yearly fee for needed features.
May I ask what premium features you feel are needed? I feel like Bitwarden is extremely generous with its free tier.
I believe it was the browser extension to copy passwords irrc.
Like copy the password from your vault? Because that is a free feature haha
Not as a browser extension.
I've been able to do that with the BitWarden browser extension and I don't have premium... Was it a bug for you perhaps?
You're right that you can't change the default vault for Generate Password but you _can_ set the default in the Preferences pane. My default, for instance, is my private vault. Anything I create goes there and if it warrants sharing to other vaults, I do that manually.
Upvoting because you're correct, changing this does change the save location, so thanks. Seems mad that it defaults to the shared vault though.
It presumably defaults to whatever first vault that code path sees, so because of a race condition the shared vault could appear before the private one and thus becomes the default.
Mine defaulted to private vault, which is a little frustrating because I'd like it to share everything by default (only other person on my account is my wife). Glad to hear it can be changed.
I use 1password, and I have always had a mild distaste for its 'vaults' UX. I live with it though, and since I'm only creating logins every once in a while I just leave it be, and shake my head every time do use it. On the whole, the service could be better, but for the price it's not too bad :)
The multiple vaults are extremely useful to me since I only have to sync my work passwords with my work computer, not my entire password collection. There’s no reason for my HN, Reddit, TeslaFi or PlugShare account details to be on the work computer regardless how supposedly secure 1Password might be (I don’t own the hardware and I know it has surveillance software installed).
Tangentially, I seem to recall recently (2020 sometime) where someone made custom firmware for a laptop's wifi card that, since the computer was set up with a central hub for most of its peripherals, could sniff data flowing from things like USB stuff and, more interestingly, its keyboard.

It ended up as an extremely elegant keylogger. Cool stuff.

It'd be worthwhile to create a fresh account and screenshot the defaults. Maybe you set your default manually at some point and weren't aware, or there's an easy way to slip up?

Nice catch, though!

It has to be a private vault by default, unless we have a bug in 1Password 7. There were years of internal discussions about how and where the new items should be saved.

When it comes to generated passwords, we had this implementations since 1Passwd 1.0 and it was always a bit kludgey. I believe the redesign in 1Password 8 completely solves this problem by using a special system vault to store the generated values.

-- Roustem 1Password Founder

Unfortunately you alienated a significant portion of your userbase who will not be moving to 8. That said, because my breakpoint was 'i don't trust your fucking cloud with my passwords and i won't be forced to use it', this particular bug does not affect me.
I'm stuck with 1Password because the alternatives, if they meet our company requirements, are so much worse. But the web app is unusably slow and every release is worse than the last - eventually I expect 1Password to sink to being even worse than the competition.
I have it running on many computers and have never seen it default to a shared vault.
The people you are sharing vaults with a going to be trusted people. Where tus factor for and individual's life is going to be low, having passwords shared, whether they're for Netflix or bitcoin private keys and such is simply more convenient and in some cases, desirable, eg a married couple with finances mingled together.
One of that married couple might not want their Tinder password popping up in the shared vault.
I just checked, running the latest version, which I just signed up for, and the default vault is Private. I have never touched that setting and it was always set to Private. So either the behavior has changed or it is incorrect that it ever defaulted to Shared (which wouldn't make any sense whatsoever for a company this focused on privacy).
That's not at all what's described in the OP.

> If you have shared and private vaults on 1Password

That’s right, I have a shared and private vault on 1Password. The default is the private vault, not the shared vault. Appears a few sibling replies are noting a similar understanding, so I’m not sure where the confusion is.
I am using 1PW on iOS (1PW latest) & Windows (1PW 8) & Mac (1PW 7)

I have shared and private vault (the default Private + other new shared)

I have checked on Windows & MacOS again and I remember that option has always been set to the default private vault.

if I’m not mistaken, the default setting is to save it to your private vault. This doesn’t sound like a bug, but rather an error in user behavior.
I'd never change that setting, so mine definitely defaulted to the shared vault. There could be any number of possible reasons it set that as the default, but my guess would be the order I migrated vaults over from the good old days where we could choose how we shared and synced. The fact that it is even possible still seems like a bug to me.
I'm absolutely glad that the Shared vault can be set as the default one; it's great to be able to troubleshoot family members, check if 2FA is on, etc. without having to visit them in person and use their laptop.

Doesn't seem like a bug at all, and in fact I would likely switch to iCloud Keychain if this behavior went away (which doesn't support default-shared but is free).

There seem to be 2 problems here: Generate Password not telling you which vault it will be saved in, and the Shared vault being set as default (presumably) without user input.

It warrants extra care -- every time you save a password to Shared, it should give an explicit visible warning.
In a tool like 1Password, they need to do enough to avoid user errors (I'm sure they are). That is the responsibility of these tools. In other words - there is no such thing as user errors for these tools.
I have different experience with v 7.

Vault for Saving in preferences is set to Primary.

If I select a specific vault to view in 1 password, then end up on a website and create a password, 1Password mini has the viewed vault as selected when it asks to save the password, not the vault I've specified as where to save new passwords.

This has been long standing behavior in 1 Password.

Still on 7 because I'm using a mix of vault locations and while I'm using both teams and personal 1password, I have other vaults in other locations.

Loved 1password. It was my first password manager and for years I've bought it, and was happy to pay for such a great app. However they've recently switched to subscription. They've done it gradually to not let people run away. Ty 1password for all ur help in these years, but I will not use u anymore. I sincerely cannot accept these kind of things. I've bought an app, and the developer turned it to subscription based. Ok. It's your choice. But you've lost me. :)
This is a weird hill to die on.

Yes, you "bought" the app, but it gets constant updates. It's not like 1990s desktop software, where version X was some static thing that didn't require maintenance as long as it worked.

1Password needs constant, expensive maintenance even if it has zero bugs because they have to keep pace with potential attackers.

They're spending a stream of money to keep the app updated and secure, so why shouldn't they ask for a stream of money from users?

Also, comparing to Dashlane and LastPass (both of which are train wrecks), I would pay a lot more for 1Password. It's one of the best-designed, best-UX apps I've used in years. I'm kicking myself for only switching from LastPass a few weeks ago.

Speaking for myself, not parent, but one of their key justifications for the subscription was their cloud storage, which is a feature I do not want for my personal password store. I would actually be okay with a subscription (as long as I didn't lose read access on cancellation), if it didn't have that forced misfeature.
As I said, they can do what they want, and I'm not asking for a refund. But I can (also) choose. And I can choose if to continue to buy their service or not. I will not. :)
I don't care what you do. I'm obviously not saying you should be forced to use it. I was just disputing this sentence:

> I've bought an app, and the developer turned it to subscription based.

A one-time payment usually doesn't cover on-going costs, to "bought an app" is a concept that doesn't apply neatly to security-related software.

Not really. Offer me a way to pay for 1p 8.0 and keep local storage.
I'm genuinely curious why. 1Password, to me, is one of the few software subscriptions that pays for itself. I used to use my own vaults locally and sync via Dropbox but needing to buy Windows and Mac licenses for me and my spouse ended up being much more expensive in the long run than a family plan. We always have the latest versions of the apps, they're constantly adding features, and they always use all the cool little bells and whistles in each OS.

I don't take this position with most other apps as they don't really need a subscription to function but 1Password is a notable exception for me.

I'm not who you are responding to, but I will comment on this:

> but needing to buy Windows and Mac licenses for me and my spouse ended up being much more expensive in the long run than a family plan

For me as well, paying for actual licenses will be more expensive out-of-wallet, but that in itself has a value to me as I now know I own a license that will not be revoked for whatever reason. It also means I am more in control over when and how to upgrade to new major version. The subscription model is also tied to a cloud syncing service which is also a _negative_ in my experience. And due to regulations it is even not allowed be used at my place of work. Having control over the license and therefore vault sync/no sync is also valuable.

That said, I _totally_ understand that the value proposition that Agile Bits give you and others is nice. It's just that for me, the value proposition has gotten significantly worse, so any amount of "it can be cheaper" does not really help here.

This makes sense but, knowing that these won't be supported started with v8, it doesn't really matter if the license is not revoked. If I want to continue using the system, and all the benefits and value that come with it, I need to use v8. SSH Keys and Git support alone makes that more valuable than maintaining a local license version.
I'm in no way affiliated with them, but as a very happy user I can recommend you to try BitWarden [0] instead of 1Password. It doesn't have the bug you have described, nor it shows passwords in plain text by default (you can also copy a hidden password to clipboard - useful when you share a screen with someone).

[0] https://bitwarden.com/

Does 1Password show the password in plain text by default somewhere? I haven't noticed.
You can make them appear with View>Conceal passwords, but I'm fairly sure it hides them by default.
No, passwords are concealed by default.

Options include: Copy, Reveal, Large Type, Type in window >

Been using Bitwarden ever since LastPass imploded themselves with their idiotic policy of no Destkop + Mobile for free users.

Very happy with Bitwarden. Has a self-hosting option, too, which I like. been debating setting up a self-hosted server here at home for storing my passwords.

I was actually looking for a password manager around the time LastPass introduced that policy. I was considering it but when I saw that I was like, "Okay, looks like LastPass is off the table."

I ended up going with Bitwarden and I am very happy with it. Actually, 4 days ago was my official one-year anniversary with them!

1p does not show passwords in plaintext by default.
What if https://bitwarden.com/ gets hacked? Please don't say self-host cause that's not an option for most regular people. At least with KeePassX/KeePassXC you can use that own its own without an online account.

The fact that I have to create an account and an online vault with a master password is the biggest turnoff for me. https://vault.bitwarden.com/#/register

> What if https://bitwarden.com/ gets hacked

They only store the encrypted vaults, which is useless without your master password. So even if it is hacked, the only thing the hackers get is an encrypted blob.

> you can use that own its own without an online account.

That is because KeePassX/KeePassXC is an offline app that reads a database (.kdbx file) you have on your computer. Bitwarden is for people who want to use their password manager on multiple devices. So an account is necessary.

How do you use Keepass across multiple devices. Please don't say Syncthing cause that's not an option for most regular people. And if you use something like Dropbox, what if https://dropbox.com gets hacked?

> The fact that I have to create an account

This is for authentication (needed it for syncing it across multiple devices).

i am fully aware i wear tin foil, but my passwords will never be online.

simply collecting them makes them a potentially valuable target, and even though encrypted, it cam be cracked with enough time and money.

edit: KeepassXC user here too.

(comment deleted)
I would assume that the most likely issue you would face is malware running on your own computer that captures the master key or sends passwords back to an attacker. Not someone gaining access to the encrypted password vault and then cracking it - unless you have a very week key.
No weak key here, and you may be right, but my main concern is that encryption is only strong in a given time period.

If someone could gain a copy of a known high-value ciphertext, they may not be able to crack it now, but time is on their side, and I can't recover the file once it is out there. My only recourse is to speculatively rotate passwords inside the file.

> What if https://bitwarden.com/ gets hacked?

Bitwarden is self-hostable FOSS. You can easily run your own server instance, if you are, wisely, concerned about the security risks inherent in SaaS.

...but not wisely concerned about the security risks of running your own SaaS on your own server, and have enough spare time and energy to meticulously implement proper security procedures, and keep it up to date, safe and secure, 24/7.

He said "Please don't say self-host" for a good reason. Do you really believe that most regular people have the free time and technical skills and security chops to "easily run your own server instance" safely and securely?

If you think that's "easy", then you're doing it wrong.

Linux is only free if your time is worthless. ;)

> ...but not wisely concerned about the security risks of running your own SaaS on your own server, and have enough spare time and energy to meticulously implement proper security procedures, and keep it up to date, safe and secure, 24/7.

Run it behind a VPN? Use a properly secured containerized image? Implementing good security is much easier at small scales than at large scales.

> Do you really believe that most regular people have the free time and technical skills and security chops to "easily run your own server instance" safely and securely?

Who's talking about "regular people"? We're discussing what solutions we -- users of HN -- find most effective for our own use.

> Linux is only free if your time is worthless. ;)

My experience, especially in a business context, has been quite the the opposite. Implementing complex projects with proprietary vendor solutions involves a vastly greater amount of time dealing with requirements analysis, project scoping, contract negotiations, support escalations, etc., only to be locked into something proprietary and idiosyncratic, a sealed black box where even trivial modifications require another round of analysis, project scoping, etc. usually with a heft cash payout.

Conversely, the time we spend setting up and maintaining self-hosted FOSS solutions improves our own knowledge and skills such that every subsequent project becomes incrementally easier, and therefore much faster to implement.

1pass has excellent support so if it’s a real issue just bring it up with them. They seem to be one of the few companies that’s exploded in growth but managed to keep support quality up.
I would see it more as an issue that secrets are potentially shared with departments that shouldn’t have access to it.

> you may not want your entire company to know that you just generated a password for a jobs site.

I would not put any personal (as in not work related) passwords and secrets in a 1password account controlled by my employer, on principle.

Switch to bitwarden and you could have been just the one who fixed it
If I understand the problem correctly, the generated passwords are being saved in the vault that is set as a default vault for new items. It is possible to change it to a different vault and 1Password 7 uses the private vault in the beginning. Still, this is certainly not ideal.

This feature is based on something that was in the app from version 1.0. It was important for the app to save all generated passwords so that you never lose them by accident.

We had a chance to rethink it in 1Password 8 and build it from scratch. The history of generated passwords is implemented version 8 in a better way.

— Roustem

1Password Founder

I'm curious about what's changed in 1P8. Can you elaborate?
Sure! In 1Password 8 we added system vaults that are only visible to the app. One of them is used to store the generated passwords. This vault is synced across all your devices and you always have access to the previously generated passwords.

The app no longer shows the generated passwords in the item list. Instead, they are available in the browser extension: https://cln.sh/YtKtAq

Systems vaults can also used to sync other data like certain user settings, search history, etc.

(comment deleted)
This is a good spot, It would definitely help the future users.
1Password has become fundamentally insecure since about a year ago. You used to be able to run multiple instances of it and log into them separately. You could also run the browser plugin in multiple Chrome profiles and they were fully independent. This is the only sensible, secure way to manage something as sensitive as passwords.

Now they have intentionally crippled your ability to maintain isolation. They want you to go to "one place" to manage all your passwords, across accounts, and muddle through their clunky UI to change vaults. It's not obvious which vault new credentials are saved in. It will pull credentials from all vaults when you go to fill out forms, so now when I log into the different Google accounts I have to use (various clients), even though I'm using separate Chrome profiles, it's all a single 1Password behind the scenes, so I'm prompted to pick from a list of many accounts. I constantly use the wrong credentials to log into things and have to log out and start over. I'm constantly worried that I'm going to leak client credentials into another client's system. It's a huge anti-security pattern, and they did it on purpose. I went to the 1Password forums to learn more about this, and a representative from 1Password stated this was intentional and was proud of it, stating something to the effect "it wouldn't be 1 password otherwise".

I won't use 1Password if I can avoid it, but I'm often required to due to clients using it. I switched to Bitwarden with a self-hosted server for all my personal credentials.

The browser plugins can filter to different accounts. So if you have a work profile and and a work 1password account - you can set the plugin to match. You can then set the plugin on your personal chrome profile to match your personal account.

I used to work across multiple customers. One chrome profile for each (so gmail or o365 didn't collide), one 1password account for each. Works really well.

They also broke the browser extension so it can longer read your personal vault in Dropbox / iCloud, in an apparent attempt to force you to move your passwords onto their servers. Literally removing functionality for the sake of... money I guess. So now I'm stuck copy / pasting all my usernames and passwords. Thanks 1Password.

Unfortunately I still haven't found an alternative that works as well, otherwise I'd have switched a while ago.

The browser extensions still work for me with 1Password 7 and iCloud vault.

I would ensure you have the correct version installed, because they have released newer extensions that only work with the hosted version.