I'll never understand why "don't put nonpublic stuff in argv" is such a hard concept. I especially don't get why 1Password knew about this vulnerability and chose not to care about it.
I don’t understand why argv of other users’ processes needs to be public to non-root users in the first place, other than “that’s how it’s always been” - it’s clearly non-intuitive, so the mistake will naturally happen over and over again.
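The two comments above describe the mechanism without showing it. The following is an added example (not code from the thread or from 1Password) that makes both points concrete: on Linux, `/proc/<pid>/cmdline` is world-readable, so anything placed in argv is visible to every local user, while a secret handed to a child over stdin never appears there. The credential flag list, the sample argv values and the `demo_stdin_child` helper are constructed for the example.

```python
"""Why a secret in argv is exposed, and how to pass it to a child without
argv.  Added example for this discussion; not code from the thread or from
1Password.  The flag list and the demo helpers are constructed."""
import os
import re
import subprocess
import sys

# Constructed pattern for option names that usually carry a credential,
# in either "--flag=VALUE" or "--flag VALUE" form.
CREDENTIAL_FLAGS = re.compile(
    r"^-{1,2}(password|passwd|pass|token|secret|api[-_]?key|access[-_]?key)(=.*)?$",
    re.IGNORECASE,
)


def find_credential_args(argv):
    """Return the argv indices whose text contains a credential value."""
    leaked = []
    i = 0
    while i < len(argv):
        m = CREDENTIAL_FLAGS.match(argv[i])
        if m and m.group(2) is not None:      # --password=VALUE
            leaked.append(i)
        elif m and i + 1 < len(argv):         # --password VALUE
            leaked.append(i + 1)
            i += 1
        i += 1
    return leaked


def redact(argv):
    """Copy of argv with credential values replaced, safe for logging."""
    out = list(argv)
    for i in find_credential_args(argv):
        m = CREDENTIAL_FLAGS.match(out[i])
        if m and m.group(2) is not None:
            out[i] = out[i].split("=", 1)[0] + "=<redacted>"
        else:
            out[i] = "<redacted>"
    return out


def parse_proc_cmdline(raw):
    """Decode /proc/<pid>/cmdline: NUL-separated argv with a trailing NUL.
    On Linux this file is mode 0444, so every local user can read it; it is
    the channel that exposes argv secrets (ps and top read the same file).
    /proc/<pid>/environ, by contrast, is readable only by the owner and root."""
    if not raw:
        return []
    return [a.decode("utf-8", "replace") for a in raw.rstrip(b"\0").split(b"\0")]


def run_with_secret_on_stdin(cmd, secret):
    """Start cmd and hand it the secret over a pipe.  Nothing secret is in
    argv, so /proc/<pid>/cmdline and ps show only the command itself."""
    proc = subprocess.run(cmd, input=secret.encode(), capture_output=True, check=True)
    return proc.stdout


def demo_stdin_child(secret):
    """Hypothetical child that reads its secret from stdin and reports only
    the length; returns that length as an int."""
    child = [sys.executable, "-c", "import sys; print(len(sys.stdin.read()))"]
    return int(run_with_secret_on_stdin(child, secret))


def main():
    # Unsafe pattern: a constructed secret placed in the argv of a child.
    child = subprocess.Popen(
        [sys.executable, "-c", "import time; time.sleep(30)",
         "--token", "constructed-secret-value"]
    )
    try:
        if os.path.isdir("/proc"):
            with open(f"/proc/{child.pid}/cmdline", "rb") as f:
                argv = parse_proc_cmdline(f.read())
            print("visible to any local user:", argv)
            print("credential positions:", find_credential_args(argv))
            print("what a log should record:", redact(argv))
    finally:
        child.kill()
        child.wait()

    # Safe pattern: the secret travels over a pipe instead of argv.
    print("child received", demo_stdin_child("constructed-secret-value"), "bytes")


if __name__ == "__main__":
    main()
```

Mounting `/proc` with `hidepid=2` hides other users' process entries and is a reasonable hardening step on shared hosts, but a program cannot assume it is in place, so the portable fix is the one the thread asks for: keep secrets out of argv and pass them over stdin, a file with restricted permissions, or an inherited file descriptor.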
I don't know what's going on over at 1Password, but some of their decisions/statements are really questionable. A month ago they dropped this[1] in response to the 1PW 8 beta feedback:
> I also wanted to respond to a specific part of @ShakataGaNai's original post about the multiple passwords. We've actually been recommending folks use the same password for each of their 1Password accounts. This might sound ironic given that the typical advice w.r.t. passwords is to use a unique password for everything. The difference is that your 1Password account password is intended to be the one password you remember, and so in theory, if you can only dedicate so much brain space to passwords, if you use only one password for all of your 1Password accounts, you'll be able to make that password stronger than if you have to remember multiple account passwords. So part of the new behavior encourages folks that direction.
This comment is pretty misleading. You're making it sound like they advocated for using the same master password for all accounts, while the post you linked (#2) is about changing 1P (since 8.x) to NOT unlock all accounts with one master password/biometric. (1P<=7.x behavior)
The OP in that thread is complaining that he has to unlock each account separately with its own password. That response is a suggestion to mitigate password fatigue with multiple accounts and restore the same functionality as 1P7.
And as @gmemstr said, each 1Password Account also has a randomized "account key" mixed with your master password, making password stuffing attacks impossible. Your account key is given at signup and manually saved by the user. If you want to add a new device, you need to pull the key from an enrolled device or wherever you wrote it down.
To be fair to 1Pass, accounts also have a unique random account ID that is used in combination with email + password. But it does still kind of make you wonder...
That's... insane. So many breaches come from password stuffing attacks from leaked data. It doesn't matter how strong your password is if it's been compromised on another site.
Well, that's a bit amateur hour. You either care about security or you don't. And here they clearly don't...which doesn't mean their products aren't otherwise secure, but does mean they're being created by a team that views security as, you know, one of several use cases.
Just got to hope they decided to prioritise the security use case for the things you care about, I guess?
josephcsible | 4 years ago
gumby | 4 years ago
Of course under Unix and Linux even a single person machine can be running a lot of processes, including nefarious ones…
p49k | 4 years ago
nifoc | 4 years ago
More context can be found here[2].
[1] https://1password.community/discussion/comment/609753/#Comme...
[2] https://1password.community/discussion/122614/two-accounts-n...
smileybarry | 4 years ago
gmemstr | 4 years ago
hnzix | 4 years ago
flxfxp | 4 years ago
cantbetaken | 4 years ago
Lazare | 4 years ago
MiscIdeaMaker99 | 4 years ago
(( hangs head in shame ))
nikolay | 4 years ago
Hackbraten | 4 years ago