Did I just compromise the security of my account?

snappysnappy
in CLI

I followed the command line getting started guide and specifically did the following:

op signin example.1password.com [email protected]

and was prompted with this:

Enter the Secret Key for [email protected] at example.1password.com:

I foolishly entered in my passphrase - not realising the secret key isn't the password. I never enter the secret key since it's usually stored in the emergency kit or my vault. I want to know: did I put my passphrase at risk -- does 1Password potential have a log of my passphrase since it was a failed authentication attempt which could've been logged on their server.

I later realised that the sign-in address is my.1password.com and the secret key is different to the password.

I think I wouldn't have accidentally done this if there was an example transcript of the op signin example.1password.com [email protected], showing what is prompted next and example inputs for each. Furthermore, it might be a good idea to explicitly state on the prompts when specifying the secret key that it isn't your password. Maybe that's going a bit too far, but I think if there is possibility of your passphrase being received by a server in cleartext, it should be made evident to the user.

I know, I dun goofed.


1Password Version: 0.5.5
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • cohixcohix

    Team Member

    @snappy That's a very good question to raise, but thankfully the answer is no, there's no chance of compromise for you.

    Let me explain: We use a system known as SRP (secure remote password) to authenticate you with 1Password. This process involves some "big math" that I do not understand (we leave that to the cryptographers :P ) which takes your secret key and master password, puts them through the "crypto meat grinder" locally on your machine and generates a verifier value. This is something that cannot be reversed to find the secrets that went into it, but is mathematically equivalent to your secrets. That verifier is sent to the server and verified against the saved value, which indicates to the server that you do indeed have valid credentials.

    All that to say that your secret key and master password are never transmitted from your device in any way whatsoever!

    Please let me know if you have any further questions!

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file