1Password - should my secret key be inside the app?
March 19, 2023 1:44 PM

1Password - should my secret key be showing inside the app?

I switched from LastPass to 1Password earlier this year and I have loved every aspect of the change, but there is one thing that I am confused about. When I am in the 1Password app, and I look under logins, there is an entry for “1Password Account (Our Family).” I did not create this entry. The entry has my password (i.e., the phrase I used to sign into the app) stored in the usual way that the app shows stored passwords for other sites/apps. Then, below that, it has an entry for “Secret Key,” and this has the 35-digit secret key that I understand is the most important difference between LastPass and 1Password — i.e., a second secret password/passcode that is not known to 1Password. Here is my question - why is the secret key being stored inside of the app like any other password? Doesn’t this mean that the secret key is being stored on 1P’s severs, even if in encrypted form? I thought the big deal was that 1P had no idea what anyone’s secret key is. Should I delete this entry? Or is this only a “local” entry or something?
posted by Mid to Computers & Internet (9 answers total) 2 users marked this as a favorite
 
Data point: My 1Password account does NOT have the Secret Key stored anywhere in the app.
posted by cnidaria at 1:53 PM on March 19, 2023


My 1password vault does have an entry referring to itself, and containing the secret key. It is tagged with "starter kit", and to my recollection was created automatically when I made the account.

It's important to note that everything inside the vault is unknown to the 1password service, as the entire vault is encrypted.
posted by june_dodecahedron at 1:59 PM on March 19, 2023 [1 favorite]


Best answer: This is intended, and the secret key is definitely supposed to be stored -- you *really* do not want to lose access to it! You can't add new devices without entering the secret key in some form. My understanding is that it is stored somehow (encrypted?) locally per app and used in the login / local vault decryption, and stored (encrypted) inside the vault, but not stored by 1password aside from the first 8 chars, used for account id. If someone stole vaults (a la the lastpass hack) they'd need the vault master passwords + secret keys to decrypt, and the secret key being inside of the encrypted vault doesn't help them with that.

Possibly useful links: secret key security, starter kit items explained. The latter also specifically addresses why they auto-create the starter kit login item for 1password itself and why you probably shouldn't delete it:
Thankfully, you do have a Login item for the one-and-only 1Password.com. If you were to follow the link in the same phishing email, your login details wouldn’t be autofilled. And if you attempt to fill them, 1Password wouldn’t immediately oblige. Instead, you’d be notified that something is amiss, and given a gentle reminder to verify the website and form before you fill and transmit any information.
posted by advil at 2:48 PM on March 19, 2023 [3 favorites]


Mine definitely has this; it came about when I finally had to switch over to their sync service rather than using I think Dropbox or whatever (ancient history from someone who's used 1P since before they had sync at all).

I left mine alone - the entire vault is encrypted using that secret key, including the secret that has the key itself in it, so they still don't know what the key is because it is also encrypted. On their end they basically just have a blob of indecipherable data and that seemed like enough trust for me. (More importantly, I left mine alone because I have my vault password memorized but not the secret key because I hardly ever have to use it, so it's just more convenient to have it readily available in 1Password.) You can delete it if you want but you'll want to make very sure you have a copy of that secret key somewhere safe, because if you lose it you too will have a blob of indecipherable data.
posted by mrg at 2:50 PM on March 19, 2023 [2 favorites]


Yes, you definitely want to store your Secret Key somewhere -- mine just isn't stored in 1Pass. Interesting that this isn't universal, but I'll defer to others who know more!
posted by cnidaria at 3:52 PM on March 19, 2023


In principle you should be safe keeping it in your vault. If the firm doesn't have access to the encrypted contents of your vault in general, they also don't have access to your secret key (and password) if it's encrypted in there.

The additional vulnerability introduced by doing things this way seems de minimis to me. It means that if someone gets access to the plaintext of your vault, they'll be able to decrypt your vault themselves in the future. But the plaintext of your vault is only ever present on devices you control, and only fleetingly, when you look up a password. Someone who can get your secret key this way has all of your stored passwords with or without the secret, and in addition has a lot of access to one of your devices. So the presence of the secret key is really the least of your problems, in any scenario where it's a problem at all.

So I think you may as well keep things the way they are. The convenience of having access to your secret key on trusted devices seems worth it. As a moderately paranoid measure, if you are confident in your ability to remember or store elsewhere your 1Password password, you could delete that from the entry but leave the secret key.
posted by grobstein at 4:33 PM on March 19, 2023


1Password support is excellent and if you are ever concerned about anything like this you should contact them for a definitive answer.

For what it's worth, I believe having your account key viewable in the vault is normal and good, it's part of how 1Password is intended to work. You should never store your master password in your vault though.
posted by riddley at 4:55 PM on March 19, 2023


> You should never store your master password in your vault though.

This is not correct, or at least not an absolute. As others have explained above, storing a secret (whether it's the Secret Key or the Master Password) inside the vault helps nobody who doesn't already have access to your unencrypted vault. And if they have access to your unencrypted vault, they have access to every password you have stored in there, and the Master Password/Secret Key doesn't give them anything extra at that point.

And if they don't have access to your unencrypted vault (because they don't have the Secret Key, Master Password, or both), having that information stored inside the vault also doesn't help them because to break into the vault, they need the Secret Key and the Master Password...and they can't see inside the vault without breaking into first...and they can't break into it without those key bits of info...do you see the circle forming here?

I have stored my 1Password login info--email, Secret Key, Master Password--inside a 1Password vault since long before they generated an item with it for you automatically. (Do they still give you the PDF with the place to write in your Master Password?)
posted by tubedogg at 7:12 PM on March 19, 2023
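
A toy model of the argument in grobstein's and tubedogg's answers, added here as an illustration; it is not code from 1Password or from anyone in the thread. It assumes a simplified two-secret derivation (PBKDF2 over the Master Password, HMAC over the Secret Key, XORed together) and a SHA-256 counter-mode stream cipher with an HMAC tag, which is not 1Password's real construction. The password, Secret Key, salt and vault items are constructed sample values. It shows that a vault blob holding its own Secret Key in plaintext inside the ciphertext cannot be opened with only one of the two secrets, and that the Secret Key string never appears in what the service stores.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample values for the demonstration (not real credentials).
MASTER_PASSWORD = "correct horse battery staple"
SECRET_KEY = "A3-SAMPLE-SECRET-KEY00-TOYMO-DELON-LY000"   # constructed, not a real key
SALT = b"constructed-fixed-salt"  # a real client stores a random per-account salt

# Vault contents, including the self-referential "1Password Account" item that
# the thread discusses: it carries both the password and the Secret Key.
VAULT_ITEMS = {
    "example.org": {"username": "mid", "password": "pw-for-example-org"},
    "1Password Account (Our Family)": {"password": MASTER_PASSWORD, "secret_key": SECRET_KEY},
}


def derive_vault_key(master_password: str, secret_key: str, salt: bytes) -> bytes:
    """Assumed toy two-secret derivation: the vault key depends on BOTH secrets,
    so knowing the password alone or the Secret Key alone gives no usable key."""
    pw_part = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000)
    sk_part = hmac.new(secret_key.encode(), salt, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream built from SHA-256 (illustration only).
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_vault(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(key: bytes, blob: bytes):
    """Return the plaintext, or None if the key is wrong (tag check fails)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong key: nothing about the contents is revealed
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def run_demo() -> dict:
    key = derive_vault_key(MASTER_PASSWORD, SECRET_KEY, SALT)
    blob = encrypt_vault(key, json.dumps(VAULT_ITEMS).encode())

    # What the service would hold, following advil's description in the thread:
    # the ciphertext blob plus only the first 8 characters of the Secret Key
    # as an account id. The full Secret Key is inside the blob, but encrypted.
    server_record = {"account_id": SECRET_KEY[:8], "vault": blob}

    opened = decrypt_vault(key, server_record["vault"])
    # Attacker who stole the blob and somehow has the Secret Key but not the password:
    sk_only = decrypt_vault(derive_vault_key("wrong-guess", SECRET_KEY, SALT), blob)
    # Attacker who stole the blob and has the password but not the Secret Key:
    pw_only = decrypt_vault(derive_vault_key(MASTER_PASSWORD, "A3-WRONG-KEY", SALT), blob)

    return {
        "both_secrets": opened is not None,
        "secret_key_only": sk_only is not None,
        "password_only": pw_only is not None,
        "secret_key_visible_in_blob": SECRET_KEY.encode() in server_record["vault"],
        "recovered_secret_key": (
            json.loads(opened)["1Password Account (Our Family)"]["secret_key"] if opened else None
        ),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The "circle" tubedogg describes is visible in `run_demo()`: the Secret Key is only readable after the vault is opened, and opening it already requires that Secret Key together with the password, so its presence inside the ciphertext adds nothing for someone holding only the blob. The one case the toy also makes plain is grobstein's: whoever can read the opened vault gets the item, but they already have every other password in it.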


Do they still give you the PDF with the place to write in your Master Password?
Yes.

I think it's worth pointing out that what you shouldn't store in your 1password vault is the 2FA codes and backup codes. That was encouraged by LastPass and they made it easy to do from the LastPass authenticator. The result is, not only did I have to change all my passwords but my 2FA as well. I'm still figuring out this part. ATM my 2FA is with Authy, who have a backup service, and I've created a dead man's vault on a USB stick for my wife with the main passwords and all the backup codes.
posted by gible at 10:29 PM on March 19, 2023

