Managing 1Password secrets in memory

Updated April 2020

Update highlights

As of 1Password 7.4.750 for Windows, released on March 6, 2020, process memory is cleared much faster than in previous versions. This was the result of what has been a long-term and ongoing project to rewrite 1Password for Windows in Rust.

Earlier report

External security evaluations are important and make 1Password a better, safer product. In addition to the third-party security audits that we specifically request, many security professionals evaluate 1Password independently. One such evaluation in 2019 brought renewed attention to the memory management of password managers like 1Password, which has presented us with an opportunity to discuss memory management and memory safety.

The most important thing to know is that the issue described in the report is only a threat to a computer that is already compromised. If your computer is not compromised, you aren’t affected by the issue.

About the issue

When you view an item in 1Password, the information must be decrypted for you to see it. 1Password temporarily stores this information in your computer’s memory while 1Password is open.

This means that while 1Password is open, it’s possible for someone who has access to your computer to read that information from your computer’s memory. Under normal circumstances, only you have access to that information. This is how all software works and was not the issue raised in the report.

The 2019 report described a specific and unlikely attack. An attacker must be able to read memory when 1Password for Windows is locked without being able to read it when it is unlocked. If someone has this level of access to your computer, there are many simpler ways they can steal secrets.

What you can do

Even though the concern raised by the 2019 report has been mitigated by the changes we’ve made, the advice we offered earlier is still valid.

The best defense against this specific issue is to avoid having your computer be compromised in the first place. The good news is that you may already be following best practices:

  1. Only install apps and updates from the official app store for your operating system or the publisher’s website.
  2. Keep your operating system up to date.
  3. Keep your apps up to date, including and especially 1Password.
  4. Use Windows Defender on your Windows PCs.
  5. Lock your computer when you’re not using it.

Doing these things will help keep your computer secure, whether you use 1Password or not.

What we’ve been doing

As we mentioned in 2014, neither 1Password nor any app can provide complete protection against a compromised computer. However, that doesn’t mean that 1Password provides no protection in these situations. For example:

  • 1Password only decrypts your secrets in memory and never writes decrypted secrets to disk.
  • 1Password is developed using memory-safe programming languages.

According to Microsoft, 70 percent of all security bugs are memory safety issues. We continue to improve memory management in 1Password in a way that doesn’t introduce more substantial security concerns. With the changes we’ve made in recent years, which will continue, we have improved memory safety while also enjoying prompter clearing of process memory.
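
As an added illustration (not 1Password's code) of what prompt clearing of process memory can look like in Rust, the hypothetical `UnlockedSecret` type below zeroes its plaintext when the app locks and again on drop, using volatile writes so the compiler cannot optimize the wipe away. All names are assumptions and the sample value is constructed.

```rust
use std::ptr;
use std::sync::atomic::{compiler_fence, Ordering};

/// Zero a buffer with volatile writes so the optimizer cannot discard the
/// stores as dead code right before the memory is freed.
fn wipe(buf: &mut [u8]) {
    for b in buf.iter_mut() {
        // SAFETY: `b` is a valid, exclusive reference to an initialized u8.
        unsafe { ptr::write_volatile(b, 0) };
    }
    compiler_fence(Ordering::SeqCst);
}

/// Hypothetical holder for one decrypted field while the app is unlocked.
pub struct UnlockedSecret {
    bytes: Vec<u8>, // never grown after creation, so no realloc leaves a stale copy
    locked: bool,
}

impl UnlockedSecret {
    /// Takes ownership of the plaintext; moving a Vec does not copy its heap buffer.
    pub fn new(plaintext: Vec<u8>) -> Self {
        UnlockedSecret { bytes: plaintext, locked: false }
    }

    /// Plaintext is readable only while unlocked.
    pub fn expose(&self) -> Option<&[u8]> {
        if self.locked { None } else { Some(&self.bytes) }
    }

    /// Called when the app locks: clear the plaintext immediately instead of
    /// waiting for the allocation to be released.
    pub fn lock(&mut self) {
        wipe(&mut self.bytes);
        self.locked = true;
    }
}

impl Drop for UnlockedSecret {
    /// Covers every other exit path (scope end, early return, panic unwinding).
    fn drop(&mut self) {
        wipe(&mut self.bytes);
    }
}

fn main() {
    // Constructed sample value, not a real credential.
    let mut secret = UnlockedSecret::new(b"correct horse battery staple".to_vec());
    secret.lock();
    println!("readable after lock: {}", secret.expose().is_some());
}
```

Copies that callers make from `expose()` are outside this type's control and have to be wiped separately.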

Additionally, improvements in the operating system itself may provide further memory protections to consumer apps in the future.