New user simple security questions

As a new user I still have some computer dummy questions -

If someone has access to my master password, what is stopping them getting the secret key as this comes up on my account profile information?

The safe to travel option doesn't make sense to me as how is anyone going to access the computer without the master password and if they have this they can turn the vaults back on.

If I am travelling with only one device and lose it or have it stolen - what do I do? No access to another device I own to deactivate or change the account.

Should I be syncing to my cloud based storage? Is this safer?

Clearly I'm missing something but I would appreciate a simple explanation.
Many Thanks


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Greg

    Team Member

    Hello @Shirl36,

    Please see the answers to your questions below, but please let me know if I missed anything.

    If someone has access to my master password, what is stopping them getting the secret key as this comes up on my account profile information?

    It is not possible to sign in to your 1Password account knowing only your Master Password. Your 1Password account is protected with another layer of security that you mentioned – Secret Key, which is generated on your own device. However, if a bad actor gets access to your Master Password or Secret Key, you should consider your account compromised and change your Master Password and Secret Key. You can learn more about the security of Secret Key here:

    About your Secret Key

    Moreover, if you worry about it, you can turn on two-factor authentication for your 1Password account, which will add another layer of security to your account.

    The safe to travel option doesn't make sense to me as how is anyone going to access the computer without the master password and if they have this they can turn the vaults back on.

    When you enable Travel Mode, the vaults are completely removed from your devices as long as Travel Mode is on. That includes every item and all your encryption keys. There are no traces left for anyone to find. So even if you’re asked to unlock 1Password by someone at the border, there’s no way for them to tell that Travel Mode is even enabled. Please let me know if it clarifies the situation.

    If I am travelling with only one device and lose it or have it stolen - what do I do? No access to another device I own to deactivate or change the account.

    If you have a 1Password account, we recommend that you print out your Emergency Kit and store it in a safe place. Your Emergency Kit contains the important data about your 1Password account, so if you lose your only device where you have 1Password, you should still be able to sign in to your account on 1Password.com. After that, you should follow the steps in this guide on our website:

    If your device was lost or stolen, and it has your 1Password data on it

    Should I be syncing to my cloud based storage? Is this safer?

    The security and the safety of your data in your 1Password.com account is our top priority. No matter which setup you use, your 1Password data is end-to-end encrypted. With 1Password accounts, we've taken it even a bit further, since three things are needed to do anything useful with your data:

    1) The encrypted data.
    2) The Secret Key.
    3) The Master Password.

    Without each of these, it's impossible to access anything you have stored in 1Password.com. You can learn more about the 1Password security model here. In addition to that, you might find the following article quite helpful:

    How to keep your 1Password account secure

    I hope it helps and answers your questions. Thank you!

    ++
    Greg
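Greg's three-ingredient description is the core of the account model: the encrypted data, the Secret Key and the Master Password must all be present. The following Python is an added illustration, not 1Password's own code or its real key derivation (documented in its security white paper); it assumes a simplified two-secret key derivation (PBKDF2 for the password half, HMAC for the Secret Key half, XORed together), an HMAC-based stream cipher as a stand-in for a real AEAD, and constructed sample values throughout.

```python
import hashlib
import hmac
import secrets

# Constructed sample values for the demo; the salt would normally be a random
# per-account value stored alongside the encrypted data.
SALT = b"constructed-per-account-salt"
MASTER_PASSWORD = "correct horse battery staple"        # constructed
SECRET_KEY = "EXAMPLE-SECRET-KEY-GENERATED-ON-DEVICE"  # constructed placeholder


def derive_unlock_key(master_password: str, secret_key: str, salt: bytes) -> bytes:
    """Combine the two user secrets into one 32-byte key (simplified, illustrative)."""
    # Password half: a slow KDF makes guessing the Master Password expensive.
    pw_half = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000)
    # Secret Key half: high entropy and generated on the device, so stolen
    # encrypted data cannot be unlocked by password guessing alone.
    sk_half = hmac.new(salt, secret_key.encode(), hashlib.sha256).digest()
    # XOR: knowing either half alone leaves the unlock key fully unknown.
    return bytes(a ^ b for a, b in zip(pw_half, sk_half))


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode, standing in for a real cipher.
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes):
    """Returns the plaintext, or None if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def unlock(master_password: str, secret_key: str, blob: bytes):
    """A sign-in attempt boils down to: derive the key from both secrets, try to decrypt."""
    return decrypt(derive_unlock_key(master_password, secret_key, SALT), blob)
```

Try `unlock` with only one of the two secrets filled in: the tag check fails and nothing decrypts, which is the point Greg makes about needing all three ingredients.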

  • Thanks so much for that - so it would be a good idea to have access to your secret key while travelling in case your authorised device is stolen or lost?
    I have had a practice with regenerating the secret key and changing the password and it works well.

  • brenty

    Team Member

    @Shirl36: Really that's a decision only you can make. Personally, I don't expressly take my Secret Key with me, and have someone I trust who is not traveling with me hang onto it in case of a true emergency...but I would literally need to have all of my devices lost, stolen, or destroyed in order to need that; otherwise I have it in the app on my (many, many...) devices:

    https://support.1password.com/secret-key/

    And we don't recommend changing the Secret Key or Master Password without good reason: compromise, reuse, weak, etc. Otherwise you're just kind of making more work for yourself, and potentially increasing the odds that you get locked out, if you lapse and don't save the new one.

    I hope this helps. Cheers! :)

  • Thanks for the advice. Shouldn't have to change the password and secret key again - just didn't want to have to do it for the first time after I've lost my phone in a foreign country.

    Given that I am confident about the safety of the password, would I be better not to authorise a public or unknown computer (if that is the only option) in order to deauthorise the device?

  • brenty

    Team Member

    @Shirl36: Absolutely, if you're in a situation (or anticipate being in one) where it makes sense for you to change it, I don't want to discourage that. I just want to keep in mind all of the people who may read this discussion and make it clear that it isn't necessary to put ourselves through the paces for no reason. But if you have a reason, go for it. It's your data, and you're the one doing the work after all.

    Regarding untrusted computers, we cannot ever recommend using those to access any sensitive information, in 1Password or otherwise. Again, it's a judgement call on your part if the significant risks are outweighed by an urgent need, but we don't want to give you or anyone else the impression that it's a safe thing to do. If you do choose to do that, then it's important to change your account credentials from a trusted device as soon as possible, in case they were captured.

    However, I don't think it would be worth signing in on an untrusted computer in your example just to deauthorize a device at all, because you'd effectively be authorizing that untrusted computer in the process. Sure, you can check the box to not save your account there, and then technically it won't be authorized in your account on an ongoing basis...but if the "owner" of that computer captures your account credentials as you enter them then they can just use them to sign in as you. So I don't think it's a good deal.

    Add to that that deauthorizing does not get you much benefit: if the device you're trying to deauthorize is offline (battery dead, powered down, or simply put in airplane mode by whomever has it), it will not even be able to receive the command to remove the account. At the end of the day, your data is still protected by your Master Password and cannot be decrypted without it, so using a long, strong, unique Master Password is going to be your best defense against any attacks against your data. And that's one thing you do have control over. :)
