1Password Chrome Secret Key Storage
After reading through the design doc, I notice that the Secret Key is kept in the Chrome data store.
I would imagine that anyone with terminal access to a machine, and the ability to install a keylogger and capture the Master Password, would be able to pull the Secret Key from the Chrome data store, yes? With root access to the machine, all bets are off? Or am I missing something?
Comments
Hey @gmcinnes. Kudos to you for reading through the white paper. Indeed, as the saying goes, once your computer is compromised, it's not really your machine anymore. The Secret Key is meant to protect your data against brute force attempts against our servers, whereas your Master Password is what protects you locally (and thus why your Master Password isn't stored anywhere on disk). The Secret Key is stored lightly obfuscated, but you're right that it is stored on the local device unencrypted.
https://support.1password.com/secret-key-security/#how-your-secret-key-protects-you
1Password does use secure input fields to prevent other tools from knowing what you type in it, including your Master Password.
https://support.1password.com/1password-security/#features
But still, it's best to protect your machine with a strong password and not leave it unlocked for others to install software on without your knowledge. :smile: