Changed Secret Key, still able to access vault?

Seattle2000
Community Member

I lost my iPhone which has the app on it, so I logged in to the web portal and changed my Secret Key. I found my iPhone shortly after and when I opened the app it said my Secret Key was wrong, or something to that effect, and had a dialog to change it. I didn't have the key on me, so I selected "not now". I was still able to see all my vault items.

How is this possible? And why? To me I shouldn't have been able to proceed further in the app.

Am I misunderstanding something?



Comments

  • KayJay
    Community Member

    Hi,

    The only thing I can think of that it might be is that you didn't actually deauthorize your lost iPhone when regenerating your new Secret Key. The article below discusses the steps involved and the process to follow for a lost/stolen device:

    https://support.1password.com/lost-device/

    I hope that helps!

    Thanks,
    KayJay

  • Seattle2000
    Community Member

    I will look at the article. Thank you very much.

  • Hi @Seattle2000

    Every installation of 1Password has a local cache. That cache is accessible without authenticating with the 1Password.com service. This enables things like:

    • Offline access
    • Continued use in the event of downtime with the 1Password service
    • Quicker access and less bandwidth usage (only changes have to be synced when you unlock instead of the full data set)

    And I’m sure some others that I’m not coming up with off-hand. It is really a core part of how 1Password works, and I don’t foresee us changing that. But that does mean there is a trade-off. We could likely make it such that the apps won’t allow you access to your cached data unless you authenticate with the current Secret Key but this eliminates many of the benefits of having a local cache without providing much if any real benefit. The difficulty is that doing this could arguably be considered “security through obscurity” or “security theater.” Even if the 1Password client refuses to read the data there is nothing stopping a 3rd party client from doing so. There is also nothing stopping someone from copying that cache off to another device where they can work on it later. The only real option would be to not have a local cache, so that any time someone wanted to access data it had to be downloaded from the server. Again this likely isn’t a realistic option for the reasons mentioned above.

    Ben

  • [Deleted User]
    Community Member
    edited February 2019

    I hope you'll clarify some things for me, @ben

    We could likely make it such that the apps won’t allow you access to your cached data unless you authenticate with the current Secret Key but this eliminates many of the benefits of having a local cache without providing much if any real benefit.

    But the product page says that the decryption key is generated using the secret key and master password. How can a vault be viewed without both factors in place?

    Even if the 1Password client refuses to read the data there is nothing stopping a 3rd party client from doing so.

    How does the 128-bit encryption not stop (or slow) this?

    There is also nothing stopping someone from copying that cache off to another device where they can work on it later.

    Just because someone may be able to crack a password in a day or two doesn't mean we don't still use passwords.

    What am I missing here?

    e: To be specific, this instance of 1P had already phoned home to the server because it knew the secret key stored on the phone was wrong, so it's not an issue of offline access. If this vault was encrypted and stored directly on the phone for offline access, it should not have opened up without the correct secret key.

  • I think the piece that you're missing is that the data cached on your device at that point is encrypted with the old Secret Key. Until you authenticate with the server using the new Secret Key you can't download the changes.

    Ben
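The point made in the reply above, as an added sketch that is not 1Password's code or its actual key derivation: a cache sealed under a key derived from the Master Password and the old Secret Key still opens with those old credentials after the Secret Key is changed, and does not open with the new one. The single PBKDF2 call, the HMAC-based toy cipher and every value here are constructed stand-ins.

```python
import hashlib
import hmac
import os

def derive_key(master_password: str, secret_key: str, salt: bytes) -> bytes:
    # Assumption: one PBKDF2 call over both secrets stands in for the real derivation.
    material = master_password.encode() + b"\x00" + secret_key.encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, 100_000)

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(
        hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(blocks)
    )[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Toy encrypt-then-MAC construction, for illustration only.
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def open_sealed(key: bytes, blob: bytes):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong key or modified cache
    stream = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))

def rotation_scenario() -> dict:
    salt = os.urandom(16)
    password = "constructed master password"
    old_key = derive_key(password, "OLD-SECRET-KEY-CONSTRUCTED", salt)
    new_key = derive_key(password, "NEW-SECRET-KEY-CONSTRUCTED", salt)
    item = b'{"title": "Constructed login", "password": "constructed-value"}'
    device_cache = seal(old_key, item)  # written before the Secret Key changed
    return {
        "old_credentials": open_sealed(old_key, device_cache),
        "new_credentials": open_sealed(new_key, device_cache),
        "item": item,
    }

if __name__ == "__main__":
    print(rotation_scenario())
```

In this model, changing the Secret Key only governs what a server would accept afterwards; the bytes already on the device stay readable to whoever holds the old credentials.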

  • peacekeeper
    Community Member
    edited February 2019

    Hi @Ben
    I think what @arabbit expected was that when the iPhone App realizes that the Secret-Key changed (since it has an internet connection), it should have no option to just continue without sync. Instead it should discard the local data and redownload if you provide the new correct secret key. This would be more secure in my opinion. However it could also lead to unwanted data loss but I think it would be better in a security sense, since changing the secret key is usually what you do when you are afraid one of your devices has been compromised. This should lead to all devices discarding their local cache if the new secret key is not provided.

  • Hi, @peacekeeper.

    This goes back to what Ben said earlier. We could do this, but it would be "security theater" since an attacker could simply avoid connecting the device to the Internet and be able to access the offline cache indefinitely.

  • peacekeeper
    Community Member

    Hi @rob,

    I totally see your point. Still, even though it's not perfect, it is quite easy to implement in my opinion and would still be more secure, especially facing a not so sophisticated attacker, or someone who may be just opportunistic to make profit with a stolen device by any means possible. Still, chances are very slim of a case where a non-sophisticated attacker knows the Master Password but not the Secret Key (assuming someone who uses your app does not use a PIN code instead of biometrics and there picks 1234).

    Have a nice day and thanks for your reply!

  • Yeah, we debate things like that a lot. In the end, we usually decide to make it very clear what kinds of measures we can enforce, and anything that happens only when there's an Internet connection is not enforceable. That said, we may revisit this in the future. Thanks for the feedback, @peacekeeper! :)

  • peacekeeper
    Community Member

    Hi @rob,

    That's great to hear. Especially since, with the "iPhone X" class phones, it is a lot harder for a thief to take the devices off the internet. I use an eSIM and disabled lock-screen access to the Control Center, so if my iPhone gets stolen, as long as the thief does not put it in a radio-isolated environment, everything that is internet-dependent is more enforceable than it used to be. :)

  • Note that even if your iPhone is connected to the Internet, 1Password isn't constantly making this request, so it would only be made when someone opens the app and tries to enter the Master Password. An attacker, on the other hand, would be more likely to simply copy the data off the phone and work on it using a different device and not a 1Password app.

  • PratoN
    Community Member

    Personally, I'd vote in favor of keeping the offline cache after the Secret Key has changed.

    My reasoning is that, in the unlikely event that my 1Password account is compromised, a hacker could change my Secret Key and I'd lose access to all of my passwords/documents unless I kept my own up-to-date and encrypted backup... which is essentially what the cache is.

    If I were worried about someone wanting to brute force my phone encryption AND my Master Password, then I would change all of my important passwords after my phone was stolen. I can live with the thief stealing my free Panera Bread pastry. :p

    The situation where I can see this behavior being preferable is if you have sensitive information in which the access can't really be revoked, e.g., documents, passports, social security numbers. This would be a reason to have the option to disable persistent cache by item or by vault as mentioned here. For example, locking 1Password would result in clearing the cache of that particular item/vault.

    Thought Experiment:
    I see that 1Password keeps automatic backups for our accounts - can a Team Member confirm if there's a way for 1Password to access (encrypted) account backups in the event that an unauthorized user has changed your Secret Key? Or are the old backups also somehow encrypted with the new Secret Key? The ability to "roll back" the account after it is compromised would solve my issue of losing complete access to all of my accounts but it feels less secure than just having an option to disable persistent cache.

  • ag_ana
    1Password Alumni

    @PratoN:

    First of all, thank you for taking the time to share your thoughts!

    I see that 1Password keeps automatic backups for our accounts - can a Team Member confirm if there's a way for 1Password to access (encrypted) account backups in the event that an unauthorized user has changed your Secret Key?

    I am not sure I understood your question correctly. Can I please ask you to elaborate on this a little bit?

  • PratoN
    Community Member
    edited January 2020

    @ag_ana:

    I'm playing Devil's advocate here about the idea proposed by @peacekeeper and @Seattle2000 for devices to clear cache if a Secret Key has changed. I understand this is not how 1Password currently works. If it were how it worked and my account were somehow compromised, the Secret Key could be changed and I'd lose access to all of my accounts as my cache would be cleared and I could no longer access the 1Password server.

    My hypothetical question was: Is there any way to recover the information from the 1Password server backups before the account was compromised using an old Secret Key / Master Password combo?

    I feel like the answer is "no" so I just wanted to voice my concerns that keeping (some) items in cache is a good idea from a data loss perspective.

  • @PratoN

    Without the current Secret Key and Master Password you wouldn't be able to access any information from the server.

    Ben

  • PratoN
    Community Member

    Thank you, @Ben !

  • You're welcome. :)

    Ben

This discussion has been closed.