Questions about secret key security

Lemimouth
edited June 2017 in Memberships

Hi,

I read the information on this page : https://support.1password.com/secret-key/ and have some questions:

  • When logging in from a web browser that was previously used to log in, I don't need to re-enter my Secret Key. Does it mean that the key is stored somewhere locally? In a cookie? Is it in plain text?

  • How is the Emergency Kit PDF generated? I believe it's generated on the server side, right? If yes, does it mean that the key is sent to your server to be included in the PDF? I read somewhere that the Secret Key is NEVER sent to you. Then how do you print it on the PDF?

  • For some reason I uninstalled and reinstalled 1Password on my iPhone. During the reinstallation, it "remembered" that I was previously signed in and automatically proposed my account. How / where is this information stored? Is there some leftover in iOS when uninstalling the app?

Thanks


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Pilar

    Team Member
    edited June 2017

    Hi @Lemimouth

    Thank you for getting in touch with us. I'll be glad to tell you a bit more about 1Password and how it handles your Secret Key :chuffed:

    When logging in from a web browser that was previously used to log in, I don't need to re-enter my Secret Key. Does it mean that the key is stored somewhere locally? In a cookie? Is it in plain text?

    Yes, your Secret Key is stored locally in a couple of places. For example, for 1Password for Mac and 1Password for iOS it will be stored in the macOS and iOS keychains respectively. When 1Password has been used from a web browser, the Secret Key is stored in the browser's local data. The Secret Key is stored lightly obfuscated, but it is stored on the local device unencrypted.

    How is the Emergency Kit PDF generated? I believe it's generated on the server side, right? If yes, does it mean that the key is sent to your server to be included in the PDF? I read somewhere that the Secret Key is NEVER sent to you. Then how do you print it on the PDF?

    Your Secret Key, as well as your Emergency Kit are generated directly on your device. The PDF is built directly in your own browser. The Secret Key is never sent to us, not even at this stage :chuffed:

    For some reason I uninstalled and reinstalled 1Password on my iPhone. During the reinstallation, it "remembered" that I was previously signed in and automatically proposed my account. How / where is this information stored? Is there some leftover in iOS when uninstalling the app?

    When an account is added to your iOS device, we add the URL, the email address and the Secret Key to the iOS keychain. Then, when you go through the setup process, we search for these items in the iOS keychain and present them as you've seen.

    If you'd like to know more about the trickier details of 1Password's security, the White Paper is a great read. And if you have any questions about any of this, please let us know! We're always here for you.

  • @Pilar As usual here (in the forum in general) you provided a detailed and open answer (especially regarding the browser local data thing), which is greatly appreciated ;)

    I wish Apple provided a way to manage what is stored in the iOS keystore, as in macOS.

    The only thing I'm not happy with is that after creating a 1Password account, I found a new entry with both my Secret Key AND my master password. Until now the only storage device, as far as I know, that stored my master password was my brain. You should really make this optional (an option enabled by default but deactivatable during the account creation wizard). I know that it is encrypted by some Jedis-of-the-Galaxy algorithms, but anyway.

    I'll definitely check the white paper.

    Cheers

  • Drew_AG 1Password Alumni

    Hi @Lemimouth,

    I'm glad Pilar's answer was so helpful for you! I'll be sure to forward your kind words to her. :)

    The only thing I'm not happy with is that after creating a 1Password account, I found a new entry with both my Secret Key AND my master password. Until now the only storage device, as far as I know, that stored my master password was my brain. You should really make this optional (an option enabled by default but deactivatable during the account creation wizard). I know that it is encrypted by some Jedis-of-the-Galaxy algorithms, but anyway.

    Thank you for your feedback about that, and I'm sorry it was an unwelcome surprise for you! That Login item is part of what we call the "Starter Kit", which is a small group of items added to your Personal / Private vault when creating a new 1Password.com account. The reason for those items in general is to help a new 1Password user understand and learn about the app. The other Starter Kit items are a Secure Note ("Welcome to 1Password!") and an Identity item.

    There are additional reasons for the Login item, and one of those is that it allows you to use the 1Password browser extension to sign into your account on 1Password.com. After all, filling sign-in forms on websites is one of the biggest (and coolest) features of 1Password! :) If you've been using 1Password for a while then you already know how that works, but it's really helpful for brand new customers who aren't familiar with it yet. That Login item also has the special ability to automatically update itself if you change your master password or regenerate your Secret Key.

    A more important reason for that Login item is that we noticed a lot of customers who mainly use 1Password on iOS devices would use Touch ID to unlock the app and eventually forget their master password. If they can still unlock the app with Touch ID, they can check that Login item to remember their master password. Otherwise, they would need to create a brand new account with a new master password and migrate all their data from the old account to the new one. Because Touch ID is also starting to be included with Macs, and many Android devices also have a fingerprint scanner, having this Login item should help many customers avoid this problem in the future.

    Of course, if you don't want to have your 1Password.com account credentials stored in a Login item, you're more than welcome to delete it. I can understand why it might seem strange to have it stored somewhere other than your brain since that's what you're used to - but keep in mind that unless someone knows your master password and Secret Key, they won't be able to access that data in the first place. ;)

    We're here for you if you have more questions. Have a great weekend! :)

  • brenty

    Team Member

    @Lemimouth: I just wanted to follow up to clarify a few things here:

    The only thing I'm not happy with is that after creating a 1Password account, I found a new entry with both my Secret Key AND my master password. Until now the only storage device, as far as I know, that stored my master password was my brain. You should really make this optional (an option enabled by default but deactivatable during the account creation wizard). I know that it is encrypted by some Jedis-of-the-Galaxy algorithms, but anyway.

    It's important to keep a few things in mind:

    1. What's the threat you're concerned about? For someone to access your Master Password in the Login item in your account, they already have to have access to your account; and unless you gave them access to it, that means they already know at least your Master Password (for unlocking an already-authorized app or browser). This is no worse an idea than locking the combination to the safe inside the safe: you still effectively only have it in your brain, and if you don't, having it in the safe won't help you. While in fact your Master Password may be stored in your vault, in practice that is of no benefit to you or an attacker.
    2. The only time your Master Password is stored outside of your vault (in the Keychain, and not in plaintext) is if you enable Touch ID for 1Password.
    3. You can always delete this login item from your vault; but again, it's encrypted using both your Secret Key and Master Password, so saving it there does not present a security risk. But it's your choice. As Drew mentioned, there are situations where it could be useful to you, and at the very least it's a good way to give a new user a sense of what 1Password is for. And after all, if your Master Password is strong enough to protect the rest of your data, by extension it is to protect your 1Password.com login credentials, which are also protected by the 128-bit, randomly-generated Secret Key.

    It's definitely a lot to consider, but I hope that helps put things in perspective. Please let us know if you have any questions at all! :)
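Added illustration of the point argued in the replies above (this is example code written for this page, not 1Password's code and not its actual key-derivation construction): when a randomly generated 128-bit Secret Key is mixed into the key derivation, server-side data alone gives an offline attacker nothing to guess against, while the device's unencrypted copy of the Secret Key unlocks nothing without the Master Password. The PBKDF2-then-HMAC construction, the low iteration count, the "verifier" tag standing in for encrypted vault data, and the wordlist are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Assumption: a small iteration count so the demo runs quickly; a real
# deployment uses a far higher count.
PBKDF2_ITERATIONS = 2_000

# Constructed wordlist standing in for an attacker's dictionary.
WORDLIST = ["password", "letmein", "qwerty", "summer2017", "dragon", "monkey"]


def generate_secret_key() -> bytes:
    """128 random bits from the OS CSPRNG, matching the size the thread gives."""
    return secrets.token_bytes(16)


def derive_key(master_password: str, salt: bytes, secret_key: Optional[bytes]) -> bytes:
    """Toy two-secret derivation (assumption: not the 1Password construction).

    PBKDF2 stretches the password against the salt; if a Secret Key is supplied
    it is mixed in afterwards with HMAC, so the result depends on both secrets.
    secret_key=None models a password-only scheme for comparison.
    """
    stretched = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=32
    )
    if secret_key is None:
        return stretched
    return hmac.new(secret_key, stretched, hashlib.sha256).digest()


def make_verifier(key: bytes) -> bytes:
    """What a server or vault header would hold: a tag only the right key
    reproduces, never the key itself."""
    return hmac.new(key, b"vault-unlock-check", hashlib.sha256).digest()


def unlock(master_password: str, salt: bytes, secret_key: Optional[bytes], verifier: bytes) -> bool:
    """Recompute the tag from the supplied secrets and compare in constant time."""
    candidate = make_verifier(derive_key(master_password, salt, secret_key))
    return hmac.compare_digest(candidate, verifier)


def offline_guess(salt: bytes, verifier: bytes, secret_key: Optional[bytes],
                  wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack on stolen (salt, verifier) data. secret_key is whatever
    the attacker holds: None after a server-only breach, the real key if they
    also copied it from a device's local storage."""
    for candidate in wordlist:
        if unlock(candidate, salt, secret_key, verifier):
            return candidate
    return None


def demo(master_password: str = "monkey") -> dict:
    """Run the scenarios discussed in the thread and return the outcomes."""
    salt = secrets.token_bytes(16)
    secret_key = generate_secret_key()

    # A: password-only scheme; a server breach exposes (salt, verifier).
    verifier_pw_only = make_verifier(derive_key(master_password, salt, None))
    recovered_pw_only = offline_guess(salt, verifier_pw_only, None, WORDLIST)

    # B: two-secret scheme; attacker has only the server-side data.
    verifier_two_secret = make_verifier(derive_key(master_password, salt, secret_key))
    recovered_without_sk = offline_guess(salt, verifier_two_secret, None, WORDLIST)

    # C: attacker also read the Secret Key from a device (stored unencrypted,
    # per the thread) but still has to guess the Master Password.
    recovered_with_sk = offline_guess(salt, verifier_two_secret, secret_key, WORDLIST)

    # The device copy of the Secret Key by itself unlocks nothing.
    sk_alone_unlocks = unlock("", salt, secret_key, verifier_two_secret)

    return {
        "password_only_recovered": recovered_pw_only,
        "two_secret_without_sk_recovered": recovered_without_sk,
        "two_secret_with_sk_recovered": recovered_with_sk,
        "secret_key_alone_unlocks": sk_alone_unlocks,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Scenario C is the one brenty's third point addresses: once an attacker has both the device's Secret Key copy and the stolen verifier, the strength of the Master Password is all that remains, which is why the thread treats a strong Master Password as non-negotiable even though the Secret Key defeats server-only breaches.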

This discussion has been closed.