macOS keychain is holding secret key?
I was reading something related to 1Password about how you should be sure to keep your password information out of Keychain Access for security reasons. However, when digging around in there, I saw that Keychain was in fact logging my Secret Key when using 1Password. Doesn't this provide a security backdoor? I thought this Secret Key was supposed to be kept somewhere safe...
Comments
Hi @mjodotcom
I don't believe we have any such recommendation about keeping the Master Password out of Keychain Access (where did you see that?), but even so, the Secret Key is not the same as the Master Password. Understanding the difference between them may help to better understand why they are handled differently.
The Secret Key's purpose is to authorize your device. The intention isn't for it to be secret within your device. Here is how we describe it in our About your Secret Key guide:
- Your Master Password protects your data on your devices. Someone who has access to your devices or backups won’t be able to unlock 1Password without your Master Password, which only you know.
- Your Secret Key protects your data off your devices. Someone who attempts a brute-force attack on our servers won’t be able to decrypt your data without your Secret Key, which we never have.
The Secret Key is likely to be stored in a few places on your system. That's not a cause for concern. :) In short...
"Doesn't this provide a security backdoor?"
No. :) It is working as intended.
Ben
Ok, it may have been some other tech blog that was talking about password managers in general and good practices. If it is working as intended then I guess I'm ok :)
I'm glad to hear Ben's reply helped you out. Should you need further assistance, please let us know.