I followed the command line getting started guide and specifically did the following:
op signin example.1password.com [email protected]
and was prompted with this:
Enter the Secret Key for [email protected] at example.1password.com:
I foolishly entered in my passphrase - not realising the secret key isn't the password. I never enter the secret key since it's usually stored in the emergency kit or my vault. I want to know: did I put my passphrase at risk -- does 1Password potentially have a log of my passphrase, since it was a failed authentication attempt which could've been logged on their server?
I later realised that the sign-in address is my.1password.com and the secret key is different to the password.
I think I wouldn't have accidentally done this if there was an example transcript of the
op signin example.1password.com [email protected], showing what is prompted next and example inputs for each. Furthermore, it might be a good idea to explicitly state on the prompts when specifying the secret key that it isn't your password. Maybe that's going a bit too far, but I think if there is a possibility of your passphrase being received by a server in cleartext, it should be made evident to the user.
I know, I dun goofed.
1Password Version: 0.5.5