Managing 1Password secrets in memory

External security evaluations are important and make 1Password a better, safer product. In addition to the third-party security audits that we specifically request, many security professionals evaluate 1Password independently. One such recent evaluation has brought renewed attention to the memory management of password managers like 1Password, which has presented us with an opportunity to discuss memory management and memory safety.

The most important thing to know is that the issue described in the report is only a threat to a computer that is already compromised. If your computer is not compromised, you aren’t affected by the issue.

About the issue

When you view an item in 1Password, the information must be decrypted for you to see it. 1Password temporarily stores this information in your computer’s memory while 1Password is open.

This means that while 1Password is open, it’s possible for someone who has access to your computer to read that information from your computer’s memory. Under normal circumstances, only you have access to that information. This is how all software works and was not the issue raised in the report.

The report describes a specific and unlikely attack. An attacker must be able to read memory when 1Password for Windows is locked without being able to read it when it is unlocked. If someone has this level of access to your computer, there are many simpler ways they can steal secrets.
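To make the distinction above concrete, here is an added example in Rust (not 1Password's code; the `Vault` type, its toy XOR stand-in for decryption and the `scrubbed` check are constructed for illustration) of a vault whose secret is readable while unlocked, as in any software, but is overwritten in memory when the vault locks:

```rust
use std::ptr;
use std::sync::atomic::{compiler_fence, Ordering};
// Constructed stand-in for decryption (XOR with a fixed byte), not a cipher.
const DEMO_KEY: u8 = 0x5a;

/// A vault that keeps its decrypted secret in memory only while unlocked.
pub struct Vault {
    ciphertext: Vec<u8>,
    plaintext: Vec<u8>, // decrypted bytes; overwritten with zeros on lock
    unlocked: bool,
}

impl Vault {
    pub fn new(secret: &[u8]) -> Vault {
        let ciphertext = secret.iter().map(|b| b ^ DEMO_KEY).collect();
        Vault { ciphertext, plaintext: Vec::new(), unlocked: false }
    }

    /// Unlocking decrypts into process memory. While unlocked, anyone who can
    /// read the process's memory can read the secret; that holds for any
    /// software and is not the issue the report raised.
    pub fn unlock(&mut self) {
        self.plaintext = self.ciphertext.iter().map(|b| b ^ DEMO_KEY).collect();
        self.unlocked = true;
    }

    /// The report's issue is a secret still readable after lock. Overwrite
    /// the buffer before marking the vault locked; volatile writes stop the
    /// optimizer from deleting stores to a buffer it considers dead.
    pub fn lock(&mut self) {
        for b in self.plaintext.iter_mut() {
            // SAFETY: `b` is a valid, exclusively borrowed u8.
            unsafe { ptr::write_volatile(b, 0) };
        }
        compiler_fence(Ordering::SeqCst);
        self.unlocked = false;
    }

    pub fn view(&self) -> Option<&[u8]> {
        if self.unlocked { Some(&self.plaintext) } else { None }
    }

    /// Audit check: only zeros remain in this buffer. Caveat: it says nothing
    /// about copies a caller of `view` or a UI layer made elsewhere, which is
    /// what makes the guarantee hard in a managed runtime.
    pub fn scrubbed(&self) -> bool {
        self.plaintext.iter().all(|&b| b == 0)
    }
}
```

The check only covers the buffer the vault owns; any copy handed to a display layer would need the same treatment.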

What you can do

The best defense against this specific issue is to avoid having your computer be compromised in the first place. The good news is that you may already be following best practices:

  1. Only install apps and updates from the official app store for your operating system or the publisher’s website.
  2. Keep your operating system up to date.
  3. Keep your apps up to date, including and especially 1Password.
  4. Use Windows Defender on your Windows PCs.
  5. Lock your computer when you’re not using it.

Doing these things will help keep your computer secure, whether you use 1Password or not.

What we’re doing

As we mentioned in 2014, neither 1Password nor any app can provide complete protection against a compromised computer. However, that doesn’t mean that 1Password provides no protection in these situations. For example:

  • 1Password only decrypts your secrets in memory and never writes decrypted secrets to disk.
  • 1Password is developed using memory-safe programming languages.

One proposed solution to the specific issue raised in the report would involve using a low-level programming language, also known as a “memory-unsafe” language. However, that would introduce new categories of security vulnerabilities. According to Microsoft, 70 percent of all security bugs are memory safety issues. We continue to improve memory management in 1Password, and it has to be done in a way that doesn’t introduce more substantial security concerns.

Additionally, improvements in the operating system itself may provide further memory protections to consumer apps in the future.