To protect your privacy: email us with billing or account questions instead of posting here.

Balancing protection and convenience with my secret key

bkocik
bkocik
Community Member

Hi everyone. New guy here.

When I was choosing a password manager not so long ago (and eventually settled on Dashlane), at least one person recommended 1Password to me. I dismissed it based on the simple fact that it didn't support MFA (Dashlane accepts my Yubikey, which was what I wanted). I'm not here to rehash the MFA argument; I've read the blog posts and forum discussions, and I get it, but at the time that was why I didn't choose 1P. Then AgileBits went and created Travel Mode, and as a bit of a subversive sort that made me grin. I started doing some research and reading blog posts and forum posts, and the decorum of the AB staff - along with their clearly formidable knowledge of security and encryption and the sheer thoughtfulness that's clearly been put into the product - convinced me that it's time to give 1P an actual try. So I am.

My question for the group is around securing the secret key, while keeping it available in the case where I'm on some machine that isn't mine, don't have my phone, and I need to get into my account via 1password.com. Example scenario: I'm traveling, as I do, and my phone is lost or stolen. I know, I'll go to iCloud and wipe it! Except...1Password knows my iCloud password and I don't, and I don't know my secret key in order to retrieve it from 1password.com. Uh-oh.

What I'm thinking is that the secret key is sort of like a 1st auth factor, while my master password is kind of a 2nd auth factor (and I get that it's about encryption, not auth, but that's sort of a convenient-if-lazy way to think about it for purposes of this scenario). As such, I'm kind of thinking that maybe it's okay to just throw it in a plain text file on a USB key that I keep on my keyring - next to my Yubikey. After all, I'm not worried about losing my Yubikey because without my passphrase it's not usable, and really that's the same story with the secret key. The difference, though, is that my lost or stolen Yubikey could be replaced deactivated, rendering it harmless. The secret key, though, is immutable. If someone gets hold of it they can't use it without my master password, but one of the two parts to the security of my vault is now and forever compromised. Or is it not? Maybe there's some way to swap out your secret key that I don't know about yet?

So that's giving me pause about carrying it around so cavalierly, and thinking that maybe it's not such a hot idea. I did store my emergency kit in an encrypted DMG file that I've stashed in my Dropbox account, and the passphrase to unlock that disk image is one of only three passwords I currently know, along with my 1P master password and the long passphrase I've put on my Dropbox account (because if I need my emergency kit and the only way into Dropbox is through 1P, I'll have painted myself thoroughly into a very sad and dark corner). I could spring for one of those fancy locking USB devices with a numeric keypad and built-in encryption and keep it there, I suppose. Or I could just write the thing down and stick it in my wallet, except that I hate carrying a wallet and rarely do.

That was a really long way of getting around to asking: What's everyone else doing to ensure access to their 1P vault in the scenario that it's needed while away from all of your primary devices? Or are you just not needlessly wringing your hands about it like I am?

Thanks...


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Hi @bkocik

    Thanks for giving 1Password a second look!

    Or is it not? Maybe there's some way to swap out your secret key that I don't know about yet?

    It is indeed possible to change your Secret Key. You don't get to pick it -- it is always generated, but it can be changed.

    As such, I'm kind of thinking that maybe it's okay to just throw it in a plain text file on a USB key that I keep on my keyring - next to my Yubikey.

    I think that could very well be a reasonable approach. You could even put a PDF copy of your Emergency Kit there. Someone would still need your Master Password to access your account.

    That was a really long way of getting around to asking: What's everyone else doing to ensure access to their 1P vault in the scenario that it's needed while away from all of your primary devices? Or are you just not needlessly wringing your hands about it like I am?

    I'll give you my perspective. I'm not a traveler so I don't worry much about that aspect. What I've done is stored all of my Emergency Kits along with Master Passwords in two separate 1Password accounts, so as long as I have access to one of them I have all of my Emergency Kits. I also printed and stored my Emergency Kits in a fire safe that I keep off-site (at a friend/relative's house). And lastly I keep a printed copy in a lockable closet. The printed versions do not contain Master Passwords.

    If I were to travel -- I'd mail a copy of my primary Emergency Kit, sans-Master Password, to my destination prior to leaving.

    I hope that helps. Should you have any other questions or concerns, please feel free to ask.

    Ben

  • bkocik
    bkocik
    Community Member

    @Ben - Thanks so much for the quick reply.

    It is indeed possible to change your Secret Key. You don't get to pick it -- it is always generated, but it can be changed.

    That actually alleviates the entire problem - great to hear. Out of curiosity, is that something I would be able to do on my own or would I have to contact support? I've been poking around in the web app and local macOS app and haven't spotted a way to do it.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @bkocik: You can do that on your own at any time from your Profile page on 1Password.com. Just click the "pencil" edit button to regenerate the Secret Key. Cheers! :)

  • bkocik
    bkocik
    Community Member

    Thank you!

  • You're most welcome. :) If there is anything else we can do, please don't hesitate to contact us.

    Ben

  • mikebore
    mikebore
    Community Member
    edited May 2017

    Useful thread.....I have been having same thoughts although not as well expressed as OP.

    My current solution is to have my emergency kit (without 1P master password) in an encrypted diskimage stored in my iCloud Documents folder. My iCloud account is protected by two factor authorisation.

    My Apple ID and 1P master password and the disk image unlock key are three of the very few passwords I carry in my head.

    I think (hope) I will be able to access my 1P data from anywhere in the world, without needing my phone, USB dongle or a piece of paper, without it being at risk.

    EDIT 1. Bother....writing this out has just made me realise that my method is flawed because without my phone I would not be able to receive the 2FA code needed to access my iCloud account on a strange computer. Same thing would be true with Dropbox using 2FA. Back to the drawing board...

    The OP's solution works but I would prefer not to have another thing on my keyring, which I might have lost along with my phone.

    EDIT 2. I think my best alternative is to keep the encrypted disk image on OneDrive which does not have 2FA, and which is a password I remember. Although I have lost one level of protection (2FA), in order to steal my data, a bad guy has to:-

    -hack my OneDrive account
    -recognise that the anonymous named disk image file even contains my 1P data.
    -unlock the disk image, which would give him my secret code
    -obtain my master password which is only stored in my head and in 1P itself.

  • mikebore
    mikebore
    Community Member
    edited May 2017

    I wrote a long post to this thread, which has disappeared after making a third edit....is there a limit?

    I am not going to try and rewrite it but the executive summary was:

    I am very interested in the same problem as the OP.

    The $64,000 question is how do you access your 1P data on a strange computer from anywhere in the world without your phone, pieces of paper or keyring dongles? The issue being the secret code, assuming you know your master password.

    My solution after a few false starts is to keep my emergency kit (without master password) in an encrypted disk image on OneDrive, which I can access on a strange computer anywhere.

    My OneDrive password and 1P master are two of the handful of passwords I keep in my head.

    In order to access my 1P data a bad guy has to:

    1. Hack my OneDrive account
    2. Recognise that the innocent named disk image even contains my 1P code.
    3. Crack the encrypted disk image to get my secret code.
    4. Separetly discover my master password which is only in my head and 1P itself

    I originally thought I could put the encrypted disk image in my iCloud Documents folder, as my iCloud is protected by two factor authentication. But if I have lost my phone I won't be able to receive the 2FA code needed to access my iCloud on a strange computer.

    PS I put other key docs like passports, travel insurance etc in the encrypted disk image as well.

    EDIT....see my first reply has reappeared!

  • mikebore
    mikebore
    Community Member

    Correction .....the data needs to be in an encrypted zip file on OneDrive, because Windows can't open encrypted disk image files without third party software.

  • AGAlumB
    AGAlumB
    1Password Alumni

    I wrote a long post to this thread, which has disappeared after making a third edit....is there a limit?

    @mikebore: I see two posts above. Were there others? The forum software's filter will sometimes flag things as spam, but also throttle if you make many posts and/or edits in a short period of time.

    The $64,000 question is how do you access your 1P data on a strange computer from anywhere in the world without your phone, pieces of paper or keyring dongles? The issue being the secret code, assuming you know your master password.

    Definitely some interesting ideas. I'd like to mention a few things though:

    1. This whole thing is predicated on the assumption that accessing sensitive data from a untrusted/unknown computer is a good idea. It's certainly a matter of personal choice if one wants to do this, but it's really just a bad idea. Personally, I'd rather make do without than take that sort of risk, but your mileage may vary.
    2. The additional limitations (without your phone, pieces of paper or keyring dongles) seem unnecessary and arbitrary. I understand that the idea is that you may not have these things available to you, but placing these restrictions has the effect of weakening security (unable to use two-factor authentication, additional — likely weaker — passwords to memorize, etc.)
    3. Adding layers increases complexity an opportunities for failure (two-factor code, OneDrive account, etc.), so it may be best to simplify things a bit to use a much stronger password

    My thinking is that, unless you're in the jungle or something, you can probably get to a phone if needed. We can use that to our advantage. After all, you probably have less need for 1Password in the jungle! If you leave a two-factor capable device with someone you trust, you can give them a call and get the one-time code if needed. They don't even need to have your static login credentials. And if you absolutely do need to use an untrusted computer to access your 1Password.com account, definitely regenerate your Secret Key (and consider changing your Master Password) from a trusted device as soon as you're able.

    I realize that this may not solve all of the problems you're creating in this hypothetical scenario, but I think we need to focus on practical considerations...and chances are that if you lose all of your devices accessing 1Password will be the least of your concerns. Being able to reach out to someone you trust for help (send money, access information for you, etc.) can help you in this regard and also in others where 1Password can't help. Just a thought. :)

  • mikebore
    mikebore
    Community Member
    edited May 2017

    Thanks, yes I understand and generally agree, although not sure how a stronger password is going to enable simplification, and isn't going to help much if you don't know your secret code. (My password is already 17 characters of gobbledygook)

    I didn't make very clear that the scenario I am imagining is an emergency one where I have been mugged in a foreign country and have had my phone, wallet, ID and keyring stolen.

    Maybe I am being overly cautious and paranoid, and in reality phonecalls would solve the emergency problems.

  • mikebore
    mikebore
    Community Member

    Just to paint the scenario a bit sharper... I have been mugged in a foreign country, have no ID, no phone. I am in a police station with access to a computer. In a few minutes I could open the encrypted zip in OneDrive and produce a photocopy of my passport.

    I carry very few phone numbers or email addresses in my head and couldn't access my Contacts in iCloud because 2FA would stop me, but I would have a few key ones in the encrypted zip in OneDrive.

  • AGAlumB
    AGAlumB
    1Password Alumni

    Thanks, yes I understand and generally agree, although not sure how a stronger password is going to enable simplification, and isn't going to help much if you don't know your secret code. (My password is already 17 characters of gobbledygook)

    @mikebore: It sounds like you already have a good password. I'm just saying that memorizing multiple passwords is more difficult than one, and one long, strong, unique Master Password will be harder to crack than a bunch of weaker ones.

    I didn't make very clear that the scenario I am imagining is an emergency one where I have been mugged in a foreign country and have had my phone, wallet, ID and keyring stolen.
    Maybe I am being overly cautious and paranoid, and in reality phonecalls would solve the emergency problems.

    I dont mean to discourage you. I think it's great (and important) that you're thinking about these things and planning ahead for an emergency. But I do think that having a "lifeline" you can call really helps, and is important when traveling even if we remove 1Password from the equation. So in that sense, while it isn't 1Password-specific advice, I think it can cover a lot more ground than 1Password alone, and also help with that as well.

    Just to paint the scenario a bit sharper... I have been mugged in a foreign country, have no ID, no phone. I am in a police station with access to a computer. In a few minutes I could open the encrypted zip in OneDrive and produce a photocopy of my passport.

    That makes sense. My concern when we talk about digital passport images is that those are, as far as I know, not accepted anywhere. It's great for you, for reference, once you're back in your own country and can apply for a replacement (in the sense that they'll want the passport number and probably some other details from it), but I don't think it's going to get you on a plane or through customs afterward.

    I carry very few phone numbers or email addresses in my head and couldn't access my Contacts in iCloud because 2FA would stop me, but I would have a few key ones in the encrypted zip in OneDrive.

    I'll admit that this is a weaker point in my logic: memorizing a phone number is sort of like memorizing another weak password. It's probably easier, but it is one more thing to keep track of. Ultimately it's a very personal decision, and we wouldn't want to proscribe how you manage this. But I find discussions like this very helpful when it comes to working through these problems and hopefully you can take something useful from it as well. :)

  • mikebore
    mikebore
    Community Member

    Thanks for the inputs.

    I guess one day bio recognition (finger print, iris recognition, or who knows what in the future) will be so universal that all the password hoops we currently jump through will seem comical.

    (BTW, I wasn't thinking I could turn up at an airport with a digital or printed copy of my passport....only that any photo ID might be useful to prove who I was in the absence of any ID).

  • jpgoldberg
    jpgoldberg
    1Password Alumni

    I'm sorry to rain on your parade, @mikebore, but I need to say a few words about

    I guess one day bio recognition (finger print, iris recognition, or who knows what in the future) will be so universal that all the password hoops we currently jump through will seem comical.

    Biometrics are like "security questions". They

    1. aren't really secret
    2. they are really hard to change if you need to.

    Things that aren't secrets really shouldn't be used to prove identity. It is unreasonable to expect people to keep their first pet's name secret, so it is a very bad idea to build a security system that depends on the secrecy of the name of someone's first pet. Well, your face, fingerprints, retinal patterns, gait, etc aren't really secret. They can be measures by anyone with the right equipment. Hollywood script writers have known about this problem for ages. "From chopped off hands for handprints in James Bond movies, to voice recordings for voice recognition, to copying fingerprints in the old (TV) Mission Impossible series.

    Do you really want to spend the rest of your life making sure that you never leave fingerprints anywhere, or that nobody gets a good enough photo of your face to see the retina, or that nobody records enough of your voice?

    And on to the second point. Do you want to have to change your fingerprints when there has been a breach of some service or database? I don't think so.

    The problem with truth

    I am going to get a bit abstract here, but please bear with me (or stop reading, or whatever). The "good" things about your first pet's name and your fingerprint is that you don't have to spend extra effort trying to remember them. One you carry with you and can be retried at the touch of a scanner. The other is something that you already know and remember. That is their appeal over passwords. This is the logic behind the line, "tell the truth, that way you don't have to remember as much."

    In their own ways your fingerprints and your first pet's name are empirical facts about the universe. And facts about the universe are, in a certain philosophical sense, accessible to anyone (under an appropriate definition of "accessible"). They are true. My father's middle name really was Walter and my fingers really do have certain configurations on them. Those truths are discoverable without me having to reveal them.

    The truth is also more guessable. If you had to guess at my father's middle name, you would guess "Walter" long before you would guess "fEsMaWhPQhikyPqHDU". There are far fewer ways for something to be true than to be a lie. So true things (like pet's names) and variates of fingerprints are far more limited than arbitrary lies that make no attempt at plausibility. This makes them more guessable even if not discovered.

    Finally, it is hard to change the truth. I cannot easily change my father's middle name. I cannot easily change the way the ridges on my fingers happen to swirl about. But arbitrary falsehoods are easier to change.

    So I'm sorry, but the same things that make biometrics or "security questions" attractive are the same things that make them unsuitable as replacements for passwords. The truth hurts.

  • mikebore
    mikebore
    Community Member

    Thanks for those thoughts....I can see and understand the logic. I suppose I am hoping there will be ways in the future of identifying ourselves to devices in an uncopyable way...... methods that are well beyond current technology?

  • AGAlumB
    AGAlumB
    1Password Alumni

    @mikebore: Ultimately the best ways of doing that will involve things that are unobservable. For example, the long, strong, unique but memorable Master Password I store only in my brain is more secure than writing down a much stronger, randomly generated one on a Post-It™ note stuck to my screen. Passwords can be a pain, but they are an incredibly versatile as secrets if they are handled properly. And even better, there's an app for that. ;)

    I have no idea what the next thing might be, but it's interesting to think about the ideas we find in movies and books. Having an implanted chip might be a cool compromise in light of Goldberg's comments above, as that could be changed if necessary. But at the same time if it can be read by a good guy, it can also be read by a bad guy. And something like that brings a lot of privacy baggage with it. We may end up there anyway (if there are cameras all over, having a chip won't make things worse, I guess), so only time will tell.

    I feel like the core of what you're getting at is something we can all relate to: we want things to be more convenient without sacrificing security. It's definitely a tall order, but a worthy cause. It's what we've tried to do with 1Password and we'll continue to pursue that. Cheers! :)

  • AskAli
    AskAli
    Community Member
    edited September 2017

    @brenty: I know this is an old thread but I was just perusing through and found some interesting tidbits.

    And if you absolutely do need to use an untrusted computer to access your 1Password.com account, definitely regenerate your Secret Key (and consider changing your Master Password) from a trusted device as soon as you're able.

    I'm curious of the implications of using an untrusted computer, is it really that bad? I honestly don't think someone is stalking my friends computer or has some sort of key logger software on there but maybe it's bad to assume this because I don't really know so who knows? If I were to sign in from a friend's computer at his home such as his laptop should I be regenerating my secret key and changing my master password afterwards?

    Or how about a university computer?

    Also, I have my secret key memorized but if I ever do need to regenerate it that's a pain to memorize a new one altogether so I need a good way to store my secret key.

    Would you happen to have any recommendations to where I could store my secret key or emergency kit besides bank vaults etc or someone else's house, somewhere where I can be easily access it? Would it be ok to write my secret key on a slip of paper and put that in my wallet? It doesn't even have the words secret key on it or anything, so if someone were to dig through my wallet it's just a random assortment of characters really. My wallet goes everywhere with me so it's pretty readily available.

    Should I be storing my master password anywhere? That's much easier to memorize. When I first created it I would practice on paper and then I threw it away and I have it set it to where I have to re-enter it at least once a day so I'm still in the habit.

  • I'm curious of the implications of using an untrusted computer, is it really that bad?

    Yes. :)

    Heh, but seriously, the potential is there.

    I honestly don't think someone is stalking my friends computer or has some sort of key logger software on there but maybe it's bad to assume this because I don't really know so who knows?

    The threat isn't that someone is stalking your friend (though the prospect of a targeted attack is also possible), but perhaps they have visited an unsavory website (intentionally or unintentionally) that was able to infect their computer with malware. Or maybe they are less vigilant about computer security/hygiene than you. Maybe they don't install OS or browser updates frequently, or they open emails from unknown sources.

    Or how about a university computer?

    The same challenges, likely. While a university may have more protections (such as patch policies that automatically make sure all machines on the network are updated) there are probably a multitude more users using each of those machines, again which may not have the best habits.

    Also, I have my secret key memorized but if I ever do need to regenerate it that's a pain to memorize a new one altogether so I need a good way to store my secret key.

    The Secret Key isn't intended to be memorized, though I give you kudos for being able to do so. The 1Password app on your devices remember the Secret Key, and it is available on your Emergency Kit.

    Would you happen to have any recommendations to where I could store my secret key or emergency kit besides bank vaults etc or someone else's house, somewhere where I can be easily access it?

    A fire safe is an inexpensive and convenient solution, and can also be used to protect other important documents or small items.

    Would it be ok to write my secret key on a slip of paper and put that in my wallet?

    I can't tell you it is "ok." Everything is a trade off between security and convenience and only you can make the determination of what the right balance for you is. Doing this wouldn't be so insecure that I'd say "no, don't do that."

    Since you aren't carrying the whole Emergency Kit, and there is no context for what the Secret Key is, this is probably a risk I'd be willing to take if I felt it would be helpful. I generally just carry my iPhone with me though, and 1Password for iOS has the Secret Key saved in it.

    Should I be storing my master password anywhere?

    The only place I'd recommend storing that would be on an Emergency Kit that has the level of protection associated with a bank vault, etc as you mentioned. Otherwise it should be committed to memory.

    When I first created it I would practice on paper and then I threw it away and I have it set it to where I have to re-enter it at least once a day so I'm still in the habit.

    That seems like a very reasonable approach. :)

    Ben

  • AskAli
    AskAli
    Community Member

    @Ben So long story short if I sign into an unauthorized computer which shouldn't be happening anyway I should probably regenerate my secret key as well as select a new master password? I usually use your word generator for that and choose a bunch of words, like 7 or so and pick whatever sounds cool.

  • Yep. :)

    Ben

This discussion has been closed.