1Password X: browser auto-filling secret key looks like a potential security flaw

I just installed 1Password X on a Chromebook. On the login form, I clicked on the secret-key field and was presented with the option to auto-fill that field with my secret key. Now, I am trying to understand how the web browser was able to offer to auto-fill my secret key. The web browser must have stored my secret key somewhere. This seems to be a serious security flaw. The secret key field should be treated like a password field so that web browser auto-fill capabilities do not remember that information.

Now my secret key is available if someone manages to hack into my account on this Chromebook. They will be able to discover my secret key stored in the web browser's (unencrypted) auto-fill storage, providing them with a large portion of the secret information required to access my 1Password vault.

Can someone explain to me what is going on here? I have been using 1Password for years. I just recently installed 1Password X on this Chromebook and this auto-fill behavior surprised me. It doesn't seem like a security best practice to enable auto-fill for the secret key form field. It seems like it should instead be coded to be a password field.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • AGAlumB
    1Password Alumni

    @jmmaloney3: Thanks for reaching out. I’m sorry for the confusion!

    > I just installed 1Password X on a Chromebook. On the login form, I clicked on the secret-key field and was presented with the option to auto-fill that field with my secret key. Now, I am trying to understand how the web browser was able to offer to auto-fill my secret key.

    Indeed, that sounds like Chrome's built-in password autofill feature. We always recommend disabling that, for a number of reasons:

    Turn off the built-in password manager in your browser

    If you keep it enabled, save sensitive information with it, and sync that data to other devices through your Google Account, it can squirt information into websites without any interaction from you.

    > The web browser must have stored my secret key somewhere. This seems to be a serious security flaw. The secret key field should be treated like a password field so that web browser auto-fill capabilities do not remember that information.

    Given that the purpose of browser autofill feature is to save and fill passwords and personal information, I'm not sure how having it "be treated like a password field" would help. And, of course, we don't have any control over other companies' software. You can, however, disable that feature if you wish, as it sounds like you want to.

    > Now my secret key is available if someone manages to hack into my account on this Chromebook. They will be able to discover my secret key stored in the web browser's (unencrypted) auto-fill storage, providing them with a large portion of the secret information required to access my 1Password vault.

    That's correct, which is why we recommend using 1Password to save and fill sensitive information instead, since there it is encrypted using your Master Password, and only gets filled when and where you tell it to.

    > Can someone explain to me what is going on here? I have been using 1Password for years. I just recently installed 1Password X on this Chromebook and this auto-fill behavior surprised me. It doesn't seem like a security best practice to enable auto-fill for the secret key form field. It seems like it should instead be coded to be a password field.

    We don't have control over that. Only you do. This article from Google will help you remove information you've already saved there:

    https://support.google.com/chrome/answer/95606?co=GENIE.Platform=Desktop&hl=en

    I hope this helps!

  • Thanks for bringing this up, jmmaloney3.

    In addition to what Brenty mentioned I wanted to say that the Secret Key is indeed stored unencrypted on your devices. The reason for this is it's next to impossible to memorize and even if you did, it would be incredibly annoying to manually type it each time.

    The role of the Secret Key is to protect your data while it's stored on our servers. If anyone were to steal your data from our servers they would not be able to brute force your Master Password as they wouldn't have the Secret Key. If someone were to steal your device, then the only thing that protects you is your Master Password.

    You can read more about this in our white paper that's included on our security page.

    I hope that helps clear things up. Please let me know. 🙂

    Thanks!

    ++dave;
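The two claims in the reply above (a stolen server copy cannot be used to guess the Master Password without the Secret Key; a stolen device leaves only the Master Password) can be illustrated with a toy key-derivation model. This is an added example, not 1Password's actual 2SKD algorithm or code: the parameters, salt, verifier construction and sample values are all constructed here.

```python
import hashlib
import hmac
from typing import List, Optional

# Constructed parameters for the illustration only; not 1Password's real scheme.
PBKDF2_ITERS = 20_000
KEY_LEN = 32


def derive_key(master_password: str, secret_key: str, salt: bytes) -> bytes:
    """Stretch the Master Password, then mix in the high-entropy Secret Key.

    The Secret Key lives unencrypted on the device (as the reply says), so it
    adds nothing against someone holding the device. It protects data copied
    from the server, because the server never holds the Secret Key.
    """
    stretched = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt, PBKDF2_ITERS, KEY_LEN
    )
    # Keyed mixing step: a wrong Secret Key yields an unrelated output.
    return hmac.new(secret_key.encode(), stretched, hashlib.sha256).digest()


def server_record(master_password: str, secret_key: str, salt: bytes) -> bytes:
    """Toy stand-in for what a server stores to check a login: a one-way tag."""
    return hashlib.sha256(b"verifier" + derive_key(master_password, secret_key, salt)).digest()


def guess_master_password(
    salt: bytes, record: bytes, candidates: List[str], secret_key_in_hand: str
) -> Optional[str]:
    """Offline dictionary check against a copied server record.

    The caller must supply a Secret Key. Whoever took the device has the real
    one, so only Master Password strength stands in the way. Whoever took only
    server data does not, and would have to guess its 128 bits as well, so no
    candidate from the list verifies.
    """
    for pw in candidates:
        tag = hashlib.sha256(b"verifier" + derive_key(pw, secret_key_in_hand, salt)).digest()
        if hmac.compare_digest(tag, record):
            return pw
    return None
```

In the device-theft case the weak Master Password falls to the word list; in the server-copy case the same list finds nothing, which is the reply's point.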

This discussion has been closed.