Why is my master password stored as an item in my vault

Hi,

I'm puzzled as to why my master password is stored in my vault?

I thought the whole point was that it only exists in my memory and on out of band media like a piece of paper?

Accepting that compromise of my laptop with a key logger could break anything anyway, it still feels unsettling compared to the standalone 1Password where you NEVER reveal my master password in plain text.

Worse, if I go on online wallet, the master password is embedded in plain text in the html!

As we all know and as you state in your security section and whitepaper, the browser is the least secure environment, so again it seems a bit odd to have my master password in there.

Maybe I missed some instructions about deleting that entry once I have my emergency kit sorted out?

I can see the point in saving all the emergency kit stuff but maybe just not store the actual password?

Did I miss something?

thanks

Jim



Comments

  • brenty

    Team Member

    I'm puzzled as to why my master password is stored in my vault? I thought the whole point was that it only exists in my memory and on out of band media like a piece of paper?

    @jimbarritt: Good point! It's not obvious, but the reality is that the only way someone could get into your vault would be using the Master Password...so, since they know it anyway at that point, having it stored inside does not help them at all. It's like keeping a spare key to the safe in the safe: you may want to have one on hand to give to your spouse if they lose theirs, but you wouldn't want to keep it out in the open. You still need your key to get to it. It's just there for safekeeping.

    Accepting that compromise of my laptop with a key logger could break anything anyway, it still feels unsettling compared to the standalone 1Password where you NEVER reveal my master password in plain text. Worse, if I go on online wallet, the master password is embedded in plain text in the html!

    Only you can reveal your Master Password. 1Password doesn't store your Master Password in plaintext, but in order for you to view it, it does need to be decrypted. It's inside your vault, encrypted with both your Master Password and Secret Key. The only way it would be stored in plaintext is if you exported that item to a 1PIF or CSV file; and if you don't view it, it will remain encrypted.

    As we all know and as you state in your security section and whitepaper, the browser is the least secure environment, so again it seems a bit odd to have my master password in there.

    So don't use the web interface to access your data. There's an app for that! ;)

    Maybe I missed some instructions about deleting that entry once I have my emergency kit sorted out?

    You can delete it if you want to. And you can also change your Master Password and/or Secret Key at any time as well if you wish.

    I can see the point in saving all the emergency kit stuff but maybe just not store the actual password? Did I miss something?

    Ultimately, it's your data so it's totally your call. But saving your Emergency Kit — with your Master Password — in a safe deposit box can be incredibly helpful in an emergency — not only to you, but to your family if something happens to you. Having the account credentials stored in your vault is helpful if you forget your Master Password and/or lose your other account credentials, but you can still access 1Password with, say, Touch ID on an iPhone. Some things to consider.

  • mathieu_g

    Team Member

    I would also like to say that with your master password stored in your vault, you can quickly access your 1Password account without having to type it (by pressing ctrl + backslash).

  • Jacob

    Team Member

    Indeed, two keys instead of your lengthy Master Password! :)

  • I was not too happy about this either. I noticed that it was set to auto fill in my master password when I went to log on to the 1Password site. If I then went to look at the 1Password entry in my vault and pressed Reveal, there was my password. So anyone on my laptop can easily get my master password. Is that really how you think it should work? What is the point in logging me off the 1Password site after 10 minutes if it is going to basically auto-log me back in?

  • BenBen AWS Team

    Team Member

    Hi @karenApp

    I'm not sure I follow the concern. If you leave 1Password unlocked then anyone using your laptop is going to be able to access all of your accounts anyway. If 1Password is locked then they are going to need your Master Password / Touch ID (if enabled) to access anything. This is true whether or not you have a record of your Master Password stored within your vault.

    If it makes you feel better you can delete the item, but there isn't any security risk I can think of that wouldn't otherwise exist by having it there.

    Ben
