Secret key pop up to save

prime
Community Member
edited December 2018 in 1Password in the Browser

So today I was setting up a new computer and using 1Password X and I wanted to add a new login. I click on add, it logged me in, and I got this pop up to save my secret key! My only option was to save. Now this is a guest Vault I am using and it’s for work. Is there a way around this? I do not want at all for any reason my secret key to be downloaded on a work computer (even if this new one, I have full control, it’s mine).

So now when I am on my actual work computer at work (that I do not have control), I can’t put in new logins or updates without this. Every time I sign in, I get the pop up, and my only option is to download.

Am I missing something and there is a workaround to exit it out and not download?


1Password Version: 1Password X
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • blaxxz
    Community Member

    Try to download it on your private PC.
    Maybe then the message disappears after it has been downloaded once.

  • ag_sebastian
    1Password Alumni

    Hi there @prime!

    Thanks for your report, and sorry for the hassle. As @blaxxz suggested, you shouldn't be getting the message after the emergency kit has been downloaded once.

    The reason you're seeing the prompt to download your Emergency Kit is because you've been using 1Password for a long time, and you haven't downloaded it yet (or you've downloaded it before we started keeping track). We've made this decision in an effort to prevent people from losing their Secret Key. Having said that, I see how this wasn't a great experience in your case, and I'm sorry for the interruption. If you're still seeing the prompt after the initial download, please let us know and we'll look further into it. :smile:

  • prime
    Community Member
    edited December 2018

    @ag_sebastian this account is a guest account, not even a real account. I am the family organizer as well, so I can always reset the password if needed. This guest account has a shared Vault and my personal account has access to that Vault as well.

    Isn’t one of the rules of online security to never have passwords in plain text on a computer? How about an “X” saying “I know the risks, I know Agilebits cannot help me if I don’t know this info, blah blah, blah” and be done with it? I have my account set up so I don’t need the emergency kit printed out. My wife is a family organizer as well and we have each other’s login info saved in each other’s 1Password.

    The guest account is for work. Yes, the one computer I do own, but I do not have 100% control anymore over it due to all the stuff I just added for work. I am not comfortable doing this at all. In theory, they can have something to save my master password (again, work), but I didn’t care because the secret key is a backup security (I added 1Password X to this computer before I added all the work stuff to be safe). Now they would have access to my secret key due to the file sitting on the computer they potentially have access to. So you’re telling me I have to go on another computer, log into this account (manually typing all the info again) just to clear this? Now I can’t add anything to that account ever again (because 1Password X has to log on to add info to an account) until I clear this? Thanks (sarcasm).

    I do not like this at all. So I either:
    Dig my old MacBook out (which is packed because we moved and I knew I wouldn’t need it right away... also which lost support for security in August) and do this.
    Take my chances on a computer I do not have 100% control over.
    Do this on my iPad... again manually type everything.

    Seriously, horrible idea.

    I’m not the only one who has 1Password on a work computer. Imagine a customer who logs into 1Password from a family computer (something I do not recommend) to add or get something, and gets this? Then what? They can’t get access to their own vault at all unless this is downloaded. Or even worse, the customer hits download without thinking to get into their account... now this info is on a friend’s, family, or even worse... a public computer (again, something you should never do, but people do... I see it on here a lot “can I log into a library computer to access my account?”).

    If you guys truly value my workflow, you wouldn’t be doing this... (screen shot from the Apple iTunes Store):

  • AGAlumB
    1Password Alumni

    Isn’t one of the rules of online security to never have passwords in plain text on a computer?

    @prime: I think that's a pretty good rule. Just keep in mind that the Secret Key isn't really a password, and is almost always going to be stored on a device where you've signed into your account (unless you explicitly select the option not to).

    How about an “X” saying “I know the risks, I know Agilebits cannot help me if I don’t know this info, blah blah, blah” and be done with it? I have my account set up so I don’t need the emergency kit printed out. My wife is a family organizer as well and we have each other’s login info saved in each other’s 1Password.

    I know you're on top of it and that works for you, but we tried what you're suggesting for a long time and a lot of people dismissed it and got locked out of their accounts -- and therefore their data -- as a result. The irony(?) is that you wouldn't have gotten this prompt now if we'd made the decision to require the Emergency Kit download from the beginning, instead of having it be optional at first. The good news is that, as Sebastian mentioned, you shouldn't have this happen again. I get where you're coming from, and I'm sorry for the hassle; but I do think that, in the end, it's better for us to temporarily inconvenience a few long-time users who can manage this than have others get locked out of their accounts forever. :blush:

    Again, I don't disagree with you in principle that this was a bad experience for you, and I'm sorry about that; but on balance we know the alternative is much worse for others -- intractably. We value your workflow, but you have options. Someone who is already locked out of their accounts permanently does not, so we want to do whatever we can to avoid that.

  • prime
    Community Member

    @brenty what about this:

    I’m not the only one who has 1Password on a work computer. Imagine a customer who logs into 1Password from a family computer (something I do not recommend) to add or get something, and gets this? Then what? They can’t get access to their own vault at all unless this is downloaded. Or even worse, the customer hits download without thinking to get into their account... now this info is on a friend’s, family, or even worse... a public computer (again, something you should never do, but people do... I see it on here a lot “can I log into a library computer to access my account?”).

    This can be a serious issue here. Forcing someone to do this on a public computer.

  • AGAlumB
    1Password Alumni

    @prime: If the concern is that the Secret Key would be on the public computer, you'd have entered it anyway. Someone with the ability to grab the PDF could grab your account credentials as you entered them, regardless of the Emergency Kit. The Secret Key can be changed. Account data cannot be recovered if that is lost. So I do think this is important, even if it is not ideal. We just don't live in an ideal world. :blush:

  • prime
    Community Member

    @brenty but now the file is on the computer for anyone to see, not just the person who owns the computer.

    I am frustrated because it’s a guest account. Guest accounts do not get a welcome kit. I made one before for this guest account, but I had issues and started over. So when I logged into 1Password X, I read the info off of the work phone that it connects to. Guess what, I now have to do that yet again to get rid of the pop up so I can do it from a device that is safe. Again, it’s a guest account and if I got locked out, I can reset it from the primary account. It took me 3 tries to do this reading it off of the work phone to get into 1Password X (on the app from the settings in the phone). I no longer can add to this account unless I do this again on my iPad. It’s something I do not need right now and the account is 100% useless. And I have to work today and tomorrow and deal with it.

  • prime
    Community Member

    @brenty
    The main issue is, you cannot do anything at all unless you download it at that point. I’d rather have the ability to exit out, do what I need to, and have it appear again when I log in.
    As in using other computers, I do have control over my mom’s computer. I could easily log into it and be forced to do this at that point. Yes, I can delete it, but people are in a rush at times and forget.

  • thightower
    Community Member

    @Prime

    Just one user to another here,

    Not that I face this particular issue, but seems you bring up some great points. If I were in the same situation, I would feel the same as you do. I like the idea of a dismissal, but I can also see people would just dismiss it all the time.

    I think an option to dismiss it say 2 times before you have to print it. A compromise of sorts ensuring it gets printed.

    Then on the other hand, people will forget it, if they don't back it up, aka print it out. I understand you're in a different situation.

    Occasionally, I have to log in to one of my email accounts, while traveling (non secure computer aka. not mine) I am super paranoid, even with just a potential throwaway email account from google.
    I have opened google/gmail and found other users currently logged in, and I could do anything I wanted with their email account. I've found billing statements in the downloads folder for those individuals. Full name address, and access to email. That all equates to a not so good situation for them if I were not a good guy. I simply logged out of their account, and deleted the files, and purged the cache for their safety as well as mine.
    Who knows who else accessed that data before I sat down. It's one of the reasons I never travel without my Phone and my iPad to access all of my data, and services. But as I said occasionally it's still a necessity due to work. One of the pitfalls for me traveling so much.

  • AGAlumB
    1Password Alumni

    but now the file is on the computer for anyone to see, not just the person who owns the computer.

    @prime: I understand. But the Master Password is not included in the Emergency Kit, and the Secret Key can be changed. So while saving it on an untrusted machine may be a problem, it's not an intractable one. Frankly, I'd be more concerned about accessing sensitive information on an untrusted machine, since that cannot be taken back or obsoleted with just a few clicks the way the Secret Key can.

    I am frustrated because it’s a guest account. Guest accounts do not get a welcome kit. I made one before for this guest account, but I had issues and started over. So when I logged into 1Password X, I read the info off of the work phone that it connects to. Guess what, I now have to do that yet again to get rid of the pop up so I can do it from a device that is safe. Again, it’s a guest account and if I got locked out, I can reset it from the primary account. It took me 3 tries to do this reading it off of the work phone to get into 1Password X (on the app from the settings in the phone). I no longer can add to this account unless I do this again on my iPad. It’s something I do not need right now and the account is 100% useless. And I have to work today and tomorrow and deal with it.

    As you mentioned, a guest can get their account recovered if needed, since they'd inherently be part of a team/family. I agree it would be nice to add a Welcome Kit for those though, even if it's less critical.

    But the last part concerns me. Are you saying that you're being prompted to save the Emergency Kit again now, after saving it within the past week? Let me know the specifics so we can investigate.

    The main issue is, you cannot do anything at all unless you download it at that point. I’d rather have the ability to exit out, do what I need to, and have it appear again when I log in. As in using other computers, I do have control over my mom’s computer. I could easily log into it and be forced to do this at that point. Yes, I can delete it, but people are in a rush at times and forget.

    Totally. I just don't think this is something we're going to change again because people getting locked out of their accounts forever is a very real problem that has serious consequences for them. However inconvenient, annoying, and even downright infuriating it is to have to download the Emergency Kit the first time, I'm very sorry, but I know that the alternative is much worse; we talk to these people every day. :(

  • AGAlumB
    1Password Alumni

    Just one user to another here, Not that I face this particular issue, but seems you bring up some great points. If I were in the same situation, I would feel the same as you do. I like the idea of a dismissal, but I can also see people would just dismiss it all the time.

    @thightower: Similarly, I don't disagree with anything that you folks are saying. You're right. The problem is that people do dismiss stuff like this, and, as we found, did just that with the Emergency Kit when it was optional. I hate that 1Password is annoying anyone because of this, but I hate people losing their data much, much more. I have, and it isn't something I'd wish on anyone.

    I think an option to dismiss it say 2 times before you have to print it. A compromise of sorts ensuring it gets printed.

    I think that's reasonable. But the reality is that most people only sign into their accounts on the website once, if ever: immediately after creating the account. So our window of opportunity to get people to save the Emergency Kit is very limited.

    Then on the other hand, people will forget it, if they don't back it up, aka print it out. I understand you're in a different situation. Occasionally, I have to log in to one of my email accounts, while traveling (non secure computer aka. not mine) I am super paranoid, even with just a potential throwaway email account from google. I have opened google/gmail and found other users currently logged in, and I could do anything I wanted with their email account. I've found billing statements in the downloads folder for those individuals. Full name address, and access to email. That all equates to a not so good situation for them if I were not a good guy. I simply logged out of their account, and deleted the files, and purged the cache for their safety as well as mine. Who knows who else accessed that data before I sat down. It's one of the reasons I never travel without my Phone and my iPad to access all of my data, and services. But as I said occasionally it's still a necessity due to work. One of the pitfalls for me traveling so much.

    All of this is true. Fortunately the Emergency Kit PDF alone is insufficient to do that kind of damage to a 1Password account. However, unfortunately, not having the Emergency Kit is sufficient to get someone locked out of their own data for all time. :(

  • thightower
    Community Member

    @brenty

    I do not disagree with your points either. It is a conundrum for sure. :(
    I do agree 100% it needs to be printed out no questions asked.

  • AGAlumB
    1Password Alumni

    I think questions are important, and so are discussions like this. I just have to come down against data loss, and that's proven to be the end result of not requiring the Emergency Kit be saved, unfortunately. :blush:

  • thightower
    Community Member

    @brenty

    No disagreement with you on that, 1 million percent always prevent data loss. :chuffed:

  • AGAlumB
    1Password Alumni

    @prime, @thightower: I just wanted to add, I really appreciate both of your feedback on this. It's a really important topic for all of us here at 1Password, and also to me personally. Thanks for your passion for what we do, and your participation here in the forums. I hope you and your families all have a merry Christmas and new year! :chuffed:

This discussion has been closed.