secret key compromised

I have reason to believe rogue third parties have had access to my secret key. Now what do I do?

Best,

Zip


1Password Version: 7.2.5
Extension Version: ?
OS Version: OSX10.13.1
Sync Type: ?
Referrer: forum-search:secret code stolen

Comments

  • ag_ana

    Team Member

    Hi @zipb!

    If you think your Secret Key was compromised, you should regenerate it as soon as you can. Here is how to do it:

    1. Sign in to your account on 1Password.com.
    2. Click on your name in the top right corner of the page and select “My Profile”.
    3. Select “Regenerate Secret Key” from the menu on the left side of the page, below your name and surname.

    Once you have regenerated your Secret Key, you will also be prompted to download a new copy of the Emergency Kit with the updated login information.

    I hope this helps!

  • Thanks for your reply.

    And I will not lose my current data/vaults/what have you?
    Best,

    Zip

  • brenty

    Team Member

    @zipb: Absolutely. As long as you have your current 1Password account credentials, your data will be accessible to you just by signing in. :)

  • You mean absolutely not? Let's not have any ambiguity here: regenerating my secret key will not touch my data and I will still be able to access my account and see everything?

  • ag_ana

    Team Member

    @zipb
    That's absolutely right. Regenerating your secret key will not touch your data, but please make sure to download your Emergency Kit with your new Secret Key. :)

  • Right. Thanks. Will do this now.

  • ag_ana

    Team Member

    @zipb
    Great!
    Let us know if you need anything else. Have a nice day! ;)

  • I get an error, and a new secret key? Argh.

  • ag_ana

    Team Member

    @zipb What is the error message exactly and at what point of the process did you receive it?

  • Now I get an error starting the 1Password app on my iPhone. How do I get this new secret key active? Where's the scan new secret key button?

    1. Dialog box: Something wrong with my password and/or secret key
      Later, another dialog box with new secret key & download button?
  • I have been able to log in on my computer with the new secret code, and the complaining has stopped on my iPhone while I haven't even copied the new secret code? Do I have to restart my iPhone?

  • ag_ana

    Team Member

    @zipb So you have now managed to regenerate the Secret Key from the website, correct?

    What is the exact error message you see in your iOS app? In the popup you received on your iPhone, are you allowed to enter your new Secret Key?

  • So you have now managed to regenerate the Secret Key from the website, correct?

    yes.

    In the iOS app, I can just get in without retyping my secret key.

  • Error when in Brave browser on iMac too. What a mess.

  • Actually, it's the Chrome helper using the old secret key. How do I change this?

  • Chrome helper fixed.

  • I am all for safety first, but using 1password is a very user unfriendly experience. Is there a help page for people who have reset their secret key to get everything going again?

  • It's nearly impossible to get the new secret key typed or pasted in on an iPhone 8... Just not enough space on the screen.

  • Now whenever I access the iOS 1password app on my iPhone, it shows part of my secret key in the login screen?

  • Reinstalling the app on my iPhone doesn't fix the partial secret key problem.

  • brenty

    Team Member

    @zipb: Just to clarify for you or anyone else, the question you asked was,

    And I will not lose my current data/vaults/what have you?

    Emphasis added. To which I replied,

    Absolutely. As long as you have your current 1Password account credentials, your data will be accessible to you just by signing in.

    In affirmation of the question you asked. Regenerating the Secret Key (or changing the Master Password) does not delete the account or the data in it.

    Actually, it's the Chrome helper using the old secret key. How do I change this?

    I'm not certain what you're referring to here, but if you mean that you've already signed into the account in your browser and saved your old Secret Key there, you just need to click the "Sign into another account" option at the bottom and enter all of your current account credentials (not the old ones), including your new Secret Key.

    It's nearly impossible to get the new secret key typed or pasted in on an iPhone 8... Just not enough space on the screen.

    While phone screens are fairly narrow, text fields can accept all of it regardless. Just enter the whole thing there and you should be good to go. Alternatively you can use the Setup Code or its QR code in your Emergency Kit:

    https://support.1password.com/secret-key/

    Again, just make sure you're using the new one and not the one from the old Secret Key. Let me know how it goes. :)

  • While phone screens are fairly narrow,

    That's not what I mean. The iPhone screen keyboard totally covers the space that one is supposed to type/paste in the secret key. So you're typing in the blind. No way I can type such a long sentence without errors.

    Not happy with 1password at all. In practice 90% of the times I need to change a password of something, be it a login or an email pwd or what have you, I end up with several old fashioned copy/paste actions, or even using the Safari suggestion and copying that back to 1password. Automatic filling in/changing just doesn't work well at all. Replacing say 50 logins takes days, and is a nerve-racking experience for the casual user. The chance of an error is high; 1password's slightly different behaviour in several browsers/devices is enough to make working with it very stressful.
    Also, some things take place on the 1password website, some in the app/program, and some in the helper plug ins. Confusing.

  • ag_ana

    Team Member

    @zipb

    That's not what I mean. The iPhone screen keyboard totally covers the space that one is supposed to type/paste in the secret key. So you're typing in the blind. No way I can type such a long sentence without errors.

    On an iPhone you can temporarily hide the keyboard. If you then select the text field you want to edit, the window should be positioned in a way that allows you to see the whole field.

    Also, thank you so much for the feedback, I will make sure I pass it on internally. But in the meantime, just to make sure, is everything working fine now with regards to your Secret Key?

  • In Safari, 1password is unable to retrieve my login name and password for even this forum? I have to use Chrome? Why?

    I think I have managed to update my secret key on all my devices (4). I guess. This is such a hassle that it's hard to keep track of what was updated and what not. Even now, after almost a week, I still have trouble with some of my changed logins that I thought were fine.

    This must happen all the time, 1password users that have a bunch of suddenly compromised logins that they want to change quickly? As it is now, 1password is of very little help in these cases. The update process is one by one and really demanding a lot of attention from the user. Is it pasting my password in the right field? Why don't I see the 1password badge in this field? Oh no, the generated new password isn't accepted as the website has special rules. Argh, I have to type my Master Password again. Oh. Can't do this action with the 1password version in the menubar, I need to launch the whole program?! etc.

  • brenty

    Team Member

    In Safari, 1password is unable to retrieve my login name and password for even this forum? I have to use Chrome? Why?

    @zipb: It sounds like you need to install and/or enable the 1Password extension in Safari. What do you see in Safari Preferences > Extensions?

    I think I have managed to update my secret key on all my devices (4). I guess. This is such a hassle that it's hard to keep track of what was updated and what not. Even now, after almost a week, I still have trouble with some of my changed logins that I thought were fine.

    Can you clarify? What exactly are you having difficulty doing?

    This must happen all the time, 1password users that have a bunch of suddenly compromised logins that they want to change quickly?

    Certainly it comes up occasionally, but not often at all, even with thousands of messages per day.

    As it is now, 1password is of very little help in these cases. The update process is one by one and really demanding a lot of attention from the user. Is it pasting my password in the right field? Why don't I see the 1password badge in this field? Oh no, the generated new password isn't accepted as the website has special rules.

    I hear you. I wish it were easier. But websites all have different password change processes, and many do not even adhere to web standards (which not only impacts 1Password but also accessibility). It is not possible for 1Password to magically understand all of these -- especially when I myself often find website password change procedures confusing; just navigating that can be difficult for a human, much less a bit of code written by humans to interact with a wide variety of websites. If you can share the specifics though, we're always happy to test ourselves to see what we can do to make 1Password smarter. It's not possible for us to offer solutions, workarounds, or improvements for a specific case without being able to investigate it ourselves though.

    Argh, I have to type my Master Password again. Oh. Can't do this action with the 1password version in the menubar, I need to launch the whole program?! etc.

    I'm not sure what you're describing here, but if you can let me know what you're referring to maybe I can suggest something.

  • It's not just that 1password often has no idea what to do where, the whole thing feels half-baked. The iPhone keyboard hiding the input field, for starters.
    Safari and Google Chrome are more often suggesting passwords and auto-filling them in the right field, at the right moment. These are both free. 1password often has no clue.
    Why does a search term such as 'my secret number has been stolen' on the 1password site not lead to a proper remedy? Why does a polite email asking for help ([email protected]) never get answered?
    Using 1Password is not very intuitive, and part of it is clearly aimed at the USA.
    Bank accounts, driver licenses and social security numbers are not very useful even as templates for someone living in The Netherlands. These only add to the confusion.
    Because of its non-intuitive nature, people (my wife, for example) will give up after a couple of tries and continue using a little book with handwritten passwords on her desk. Or rely on me to get stuff organized.
    I do enough messy IT already in my day job, and I don't want to deal with this in my spare time. I love smart tools to get organized, but 1password is not one of them.

  • brenty

    Team Member

    @zipb: I'm sorry to hear that you feel that way. Millions of people find 1Password very useful, but it isn't going to be a perfect fit for everyone. If you're primarily interested in a personal organizer, it's probably not going to be the best fit, because our focus is on security.

    As far as item categories and their templates though, you are not required to use all of them. Those that you find useful are there for the taking, and all of them can be customized if you want to ignore some of the default fields and make your own -- only fields with data in them will display when you save it.

    Regarding browser integration, if you prefer browser autofill, that's fine. There are some advantages to that from some people's perspectives. It's a matter of using the right tool for what you're trying to accomplish. I use 1Password because I like having my data be secure and maintaining control over it. If you've ever tried to get data out of the browser, you'll know that it's hard to deal with; but at the same time it's much easier for an attacker to steal data from the browser (albeit not in a nice format!). Your needs and preferences may be different than mine though.

    Many people like when browser autofill requires no interaction from them. That's horrible from a security and privacy perspective, and there have been plenty of bad actors who take advantage of that; but for those who value convenience at the expense of security, certainly that may be a preferable option.

    Browser autofill also has the benefit of being able to do whatever the vendor wants, in the sense that by contrast 1Password and other 3rd parties need to use the provided extension APIs. This means we don't have the level of access that the built-in stuff does, so there are certainly cases where we're at a disadvantage there with regard to saving and filling. But the flip side of that is that there's a huge security and stability benefit to having 3rd party extensions be sandboxed, both for us and for the browser vendor. So I think it's a reasonable tradeoff.

    A decade in the past, before extension APIs existed, when we injected 1Password into the browser directly to integrate with it, we did our best to do right by the browser and the user and not cause problems, but any time something changed there were usually issues until we were able to fix them, push an update, and get users to install and restart.

    In some cases, 1Password was better at filling then, but we're in a different world now, with browser vulnerabilities being exploited immediately by the bad guys (if not before they're even discovered by the good guys); so while there are some real limitations, on balance, that's better for all of us in most ways -- especially from a security perspective, which is ostensibly why you'd use 1Password in the first place.

    That's not to say we can't and shouldn't do better. We'll continue to improve 1Password in every way we can. But the only way we can do that is through continuous development and testing with actual issues. So if you'd care to share the specifics of the problem you're having, we'll be happy to look into it. :)

    Regarding your comment about your Secret Key being stolen, it doesn't come up very often, and it's important to note that your Master Password would also be needed; the Secret Key alone would not be useful without the rest of your account credentials. It can easily be changed in your account profile:

    https://start.1password.com/profile

    And, as you've seen, we're available to answer questions about this and pretty much anything else regarding 1Password -- which is how we've been helping you here already. But I apologize if you contacted us via email and didn't get a response as quickly as desired. We reply to all emails we receive (except spam), but we get a lot of them and try to reply on a first-come-first-served basis, but we aren't always able to get back to everyone as efficiently as we'd like. Sorry about that. :(

    Anyway, I think you make a good point about not having a helpful result for this on our support site:

    https://support.1password.com/search/?q=secret+key+stolen

    We don't have anything specifically about the Secret Key getting stolen, because, like I mentioned, it's not something we hear a lot. This is covered in this more general article:

    If your device was lost or stolen, and it has your 1Password data on it

    But it would be good to add more keywords and other touches that make it easier to find this information. I'll bring it up with the team to see where we should add it. Thank you!

    ref: web/support.1password.com#1891

  • I understand what you are saying. But as a customer, I just want something that makes remembering/changing passwords 1. safe 2. easy.
    1password may be safe, but easy it ain't. Which means my family membership is not going to work/is an actual waste of money. Might as well have used Evernote, which I already owned.

  • BTW, I got an email from 1Password support. After a week...
