Puzzled by (location of) Secret Key

Hi @fdebruin

While 1Password.com may look like a traditional website it doesn't work like a traditional website. We've tried to bring some level of clarity about this by referring to it as a 'web application' instead of a website. The servers that serve your web browser the 1Password.com web app do not have and never receive your Secret Key. The real simplified version of what happens is that your browser downloads the web app and runs it locally on your computer. The Secret Key is stored in your browser's local storage (sort of like a 'cookie', except cookies usually are transmitted to a server). Likewise the Emergency Kit is generated by the web app (running on your computer, not on the server) using data on your computer (not on the server).

So there is a record of the Secret Key... it is kept in every web browser and 1Password app that you sign in using. It may also be kept in iCloud Keychain if so configured. But it isn't kept on our servers.

Does that help make sense of it?

Ben

@fdebruin

The intention of the Secret Key is not for it to be secret within your device. If it were encrypted then your browser wouldn't be able to read it. The "Locally exposed Secret Keys" section (pg. 57) of our security design white paper talks about this:

1Password Security Design White Paper

Recall that the Secret Key is designed so that an attacker will not be in a position to launch an offline password guessing attack if she captures data from the server alone. It does succeed at that goal, but in the current version, our ability to protect the Secret Key on your computer is limited by the tools available to that particular client.

Ben

Great. :) Please let us know if you have further questions.

Ben