CLI on Linux signin secret visible

gkarag
Community Member

I am trying to use op utility on Linux, but what bothers me from the start is that when I try to sign in, the characters of the secret I enter are visible on the terminal. This doesn't look secure to me. Is there a way to hide them or do I miss something in the CLI concept?



Comments

  • felix_1p
    1Password Alumni

    I assume you mean that the Secret Key is visible? Because the Master Password shouldn't be (and isn't for me). If it is then op doesn't work properly on your system for some reason and we would need more information to find out what's going on.

    As for the Secret Key: You usually type it only once the first time you log into an account. It's then stored in op's configuration file. Because it is long, random and infrequently used, making it visible seems to be better from a UX perspective.

  • gkarag
    Community Member

    It is the secret key, yes. The password indeed is not visible. But it bothers me that its name contains "secret" and in the profile it is treated as a secret - it requires an extra step to become completely visible, and on the terminal it is displayed completely and it can be read from the terminal or the session history. I would kindly suggest for the future version of op to hide it when entered and show it only if an extra flag is used, something like --showsecret

  • felix_1p
    1Password Alumni

    I'll pass this along to the team, thank you!

  • gkarag
    Community Member

    The secret key still shows when I use 1.6 of the command line tool. Now there is a new functionality that would allow me to use a session ID instead when I sign in. Is there a way to obtain the session ID from the desktop app or some other way than the command line tool?

  • felix_1p
    1Password Alumni

    > Is there a way to obtain the session ID from the desktop app or some other way than the command line tool?

    There isn't. The session token is something that's specific to the command line tool.

  • gkarag
    Community Member
    edited September 2020

    Thanks. For what it's worth, I managed to make a workaround by creating a bash function and an alias:

    # Read the Secret Key without echoing it, then sign in.
    function oplogin() {
      test -z "$1" && echo "USAGE: oplogin <email>" && return 1
      local p
      read -p "Enter 1Password secret: " -sre p && echo "" &&
        eval "$(op signin mydomain.1password.com "$1" "$p")"
    }
    alias oplogout='op signout && unset OP_SESSION_mydomain'

  • ag_yaron
    1Password Alumni

    Thanks for sharing that @gkarag !
    Much appreciated :+1:

This discussion has been closed.
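
Added example, not part of the original thread or of 1Password's tooling: gkarag's concern that a typed Secret Key can be read back later also applies to shell history when the key is given directly on the command line. The sketch below flags such history lines, assuming the `op signin <address> <email> <secret key>` argument order used in the workaround above; the function names and the sample history lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample history (no real keys). Lines 2 and 6 pass a literal
# value in the Secret Key position; line 4 passes a variable, as the
# workaround in the thread does.
sample_history() {
  cat <<'EOF'
ls -la
op signin mydomain.1password.com user@example.com PLACEHOLDER-SECRET-KEY
oplogin user@example.com
eval $(op signin mydomain.1password.com "$1" "$p")
op signin mydomain.1password.com user@example.com
op signin mydomain.1password.com user@example.com "PLACEHOLDER-SECRET-KEY" && echo ok
EOF
}

# find_literal_signin_keys FILE
# Prints "<line number>: ..." for each line where `op signin` has a literal
# third positional argument. The value itself is never printed.
# Assumption: options are skipped by their leading "-", so an option that
# takes a separate value can cause a false positive.
find_literal_signin_keys() {
  awk -v sq="'" '
  {
    n = split($0, tok, /[ \t]+/)
    for (i = 1; i < n; i++) {
      cmd = tok[i]
      sub(/^(\$\(|`|")+/, "", cmd)           # allow $(op ..., `op ..., "$(op ...
      if (cmd != "op" || tok[i + 1] != "signin") continue
      pos = 0
      for (j = i + 2; j <= n; j++) {
        t = tok[j]
        if (t == "" || t ~ /^-/) continue     # skip options
        if (t ~ /^[;|&]/) break               # the next command starts here
        pos++
        if (pos == 3) {
          c = substr(t, 1, 1)
          if (c == "\"" || c == sq) t = substr(t, 2)   # drop an opening quote
          if (t !~ /^\$/) print NR ": op signin with a literal third argument (value not shown)"
          break
        }
        if (t ~ /[;|&)]$/) break              # command ends on this token
      }
    }
  }' "$1"
}

# Demo on the constructed sample; point the function at your own history file instead.
hist=$(mktemp) && sample_history > "$hist"
find_literal_signin_keys "$hist"
rm -f "$hist"
```

A hit means the value should be treated as exposed to anyone who can read that history file, and the line removed from it.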