App seems to remember master password - security flaw? [master password not stored]

dahanbn
Community Member
edited April 2023 in 1Password 7 for Windows

Hello,

That is somehow strange and might have possible security problems. I use the Beta with 1 family account and I also added 1 older agilekeychain vault to it.

Both vaults have different master passwords, but after starting the app with the family account passphrase I am also able to see all my agilekeychain passwords that should be encrypted with another passphrase. The app isn't prompting me anymore for that passphrase, so it should be saved somewhere within. In my opinion that shouldn't be the case.



Comments

  • SergeyTheAgile
    edited February 2016

    @dahanbn all data on your device is encrypted with the Master Key (MK). It's generated randomly when you start the app for the first time. The Master Key is stored inside local app settings as the Encrypted Master Key (EMK). The EMK is encrypted with the Derived Key, which is derived from your Master Password. The Master Password itself is never stored anywhere on disk or network. The same holds true for the Master Key. The only thing that is stored is the EMK, and to decrypt it an attacker needs to know your Master Password.

    Now, when you first opened a legacy vault or signed in to your family account, the password you used to open the vault or sign in to your Family account is used as the Master Password, which is used to derive the Derived Key, which is used to encrypt the MK into the EMK. When you open more vaults or sign in to more teams or families, you can still use the same one password to return to your data, as all keys from other sources are re-encrypted with EMK on your device.

    It's a somewhat new concept on Windows, as previously 1Password 4 for Windows required you to unlock each vault separately. This time we are closer to how the Mac/iOS app works: we safely store (in encrypted form) the decryption keys we need to show you your data.

This discussion has been closed.
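
The key hierarchy described in the reply above, as an added example that is not part of the original thread and is not 1Password's code. It assumes PBKDF2-HMAC-SHA256 for the Derived Key, a standard-library encrypt-then-MAC stand-in where a real app would use an authenticated cipher such as AES-GCM, and that additional vault keys are wrapped under the decrypted Master Key; all function names and the settings layout are hypothetical.

```python
import hashlib, hmac, secrets

ITERATIONS = 100_000  # assumed work factor, not taken from the thread

def derive_key(master_password, salt):
    # Derived Key: computed from the Master Password at unlock, never stored.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)

def _keystream(key, nonce, n):
    # Stdlib-only stand-in for a real cipher: HMAC-SHA256 in counter mode.
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def wrap(key, secret):
    # Encrypt-then-MAC, so unwrapping with the wrong key fails loudly.
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(key, nonce, len(secret))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unwrap(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def first_unlock(master_password):
    # First run: random MK; only the salt and the EMK go into app settings.
    salt, mk = secrets.token_bytes(16), secrets.token_bytes(32)
    settings = {"salt": salt, "emk": wrap(derive_key(master_password, salt), mk), "vault_keys": {}}
    return settings, mk

def add_vault(settings, mk, name, vault_key):
    # Assumption: each additional vault's key is stored wrapped under the MK.
    settings["vault_keys"][name] = wrap(mk, vault_key)

def unlock(settings, master_password):
    # One password -> Derived Key -> MK -> every vault key added so far.
    mk = unwrap(derive_key(master_password, settings["salt"]), settings["emk"])
    return {n: unwrap(mk, blob) for n, blob in settings["vault_keys"].items()}

if __name__ == "__main__":
    settings, mk = first_unlock("family-account-passphrase")  # constructed sample
    add_vault(settings, mk, "agilekeychain", secrets.token_bytes(32))  # after its own password was entered once
    print(sorted(unlock(settings, "family-account-passphrase")))
    try:
        unlock(settings, "not-the-password")
    except ValueError as err:
        print("locked:", err)
```

The stored settings hold only the salt, the EMK and the wrapped vault keys, which is why the second vault opens without its own passphrase being kept anywhere.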