Best way to regenerate secret key and keyset if I haven't put any data into 1Password Families yet

If I have just started setting up 1Password Families and haven't put any password/other data into my account yet, but I think my secret key (but not my master password) might have been compromised/disclosed from my emergency kit PDF, what — if anything — should I do?

I've read the section "Master Password changes don't change keysets" in the 1Password Security Design paper where it says "A change of Master Password or Secret Key does not create a new personal keyset".

I'd like to keep my existing master password if possible, but regenerate my secret key and everything else like my personal keyset, to remove the possibility that someone could theoretically use the old secret key (if they somehow also found out the master password) to decrypt an old personal keyset and hence my data.

Does this mean I need to do the account recovery process within 1Password Families? Would it be OK to keep the same master password if I do this? (At the moment I don't have any other family members set up, so I'd have to add one to do the recovery for me, I suppose)

If I don't actually have any data in 1Password yet, is there a simpler/quicker way to achieve this?


1Password Version: 7.8.7
Extension Version: Not Provided
OS Version: macOS 11.5.1

Comments

  • ag_ana

    Team Member

    Hi @nettle!

    If I have just started setting up 1Password Families and haven't put any password/other data into my account yet, but I think my secret key (but not my master password) might have been compromised/disclosed from my emergency kit PDF, what — if anything — should I do?

    If you think your Secret Key was exposed, we recommend generating a new one:

    Regenerate your Secret Key

    Does this mean I need to do the account recovery process within 1Password Families?

    No need to go through the recovery process if you have the credentials to login: in this case, regenerating the Secret Key will be enough :+1:

  • Thanks, @ag_ana! Please could I check why there is no need to go through the recovery process? If — out of an abundance of caution — I want to be sure that my personal keyset is also regenerated and not just the secret key, would the recovery process be the correct way to do it?

    From what I read, I got the impression that if I only regenerate the secret key, someone could in principle still use the old secret key, if they also had access to the encrypted keyset and somehow figured out my master password, to get access to the keyset. As this keyset would not have changed, it would then still give access to my data. Am I misunderstanding that?

  • ag_ana

    Team Member

    @nettle:

    Please could I check why there is no need to go through the recovery process?

    The recovery process is for when you need to help another user in your account who forgot their credentials. In this case, since it sounds like you have all your credentials, you can simply regenerate the Secret Key after logging in.

    With regards to your other questions, I have sent them to our security team for the details :+1:

  • Thanks, @ag_ana. The reason I mentioned the recovery process was indeed not because I can't log in (I can!) but because in the white paper it says under "Master Password changes don't change keysets":

    A change of Master Password or Secret Key does not create a new personal keyset; it only changes the Master Unlock Key (MUK) with which the personal keyset is encrypted. Thus an attacker who gains access to a victim’s old personal keyset can decrypt it with an old Master Password and old Secret Key and use that to decrypt data that has been created by the victim after the change of the Master Password.

    I wanted to avoid this potential risk if I only change the secret key. Since I've just started setting up the account, I wanted to get everything set up as cleanly as possible, and not have the (small) risk of the old secret key and/or old personal keyset floating around. I therefore wanted to start 'from scratch' with fresh keys for everything. I then read:

    Your mitigations
    A user’s personal keyset may be replaced by voluntarily requesting that their account be recovered. This will create a new personal keyset which will be used to re-encrypt all of the vault keys and other items which were encrypted with the previous personal keyset.

    So I figured this might be a way to achieve what I wanted to do (regenerate/re-encrypt everything from scratch). Is that right?

    In that case I presume I'd first have to create another family organizer in the account to do the recovery.

    Given that I have set up my 1Password Families subscription but haven't put any actual data into my 1Password account yet, I'd also be happy to do it another way if that's quicker and/or simpler (for example if it would be simpler to completely erase and create a fresh account, under the same subscription).

  • ag_ana

    Team Member

    Understood @nettle, thank you for the clarification! I have already sent your questions to our security team, so now they will also see your additional information. We will post back here as soon as possible :+1:

  • rootzero
    edited August 26

    @nettle Your personal keyset is used to encrypt your password database before upload to 1Password. Your master password and secret key are used to encrypt your personal keyset before upload to 1Password and to control access to your online vault.
    Knowledge of your secret key is not sufficient to gain access to your personal keyset. An attacker would also need your master password and access to one of your devices or to add a new device using your email address, master password, secret key and, if enabled, access to your 2FA. Addition of a new device triggers an email notification.
    If you regenerate your secret key then the old secret key will not provide any access to your account. Your master password and the new secret key are used to encrypt your keyset and control access to your online vault.
    However, if someone who knows your master password gets hold of your 1Password database at any point then you should assume they have your keyset. You can prevent them from decrypting future copies of your database by creating another family organizer and having them recover your account. You should also change your master password.

  • Lars Junior Member

    Team Member

    Hi @nettle, it's Lars from the Security team here. You're quite correct that changing the Account Password or the Secret Key does not regenerate your keyset. Currently, going through the recovery process will do that. I would agree with ag_ana's suggestion that simply regenerating your Secret Key would probably be sufficient, presuming you've chosen a strong Account Password. After all, on your local devices, it is your Account Password alone (essentially) that protects your 1Password data, since Secret Keys are stored locally.

    However, if you'd like to be absolutely sure, you can certainly go through recovery. That would involve inviting other family members to the account and granting one or more of them Family Organizer status. This gives them recovery powers, and you can then safely have them help you through the recovery process. This generates a new keyset, and you will have a new Secret Key as well, but be able to still use the Account Password you originally chose. It is always a very good idea to have more than one Family Organizer in any 1Password Families account. With only one, if a family member forgets their Account Password, or loses their Secret Key, you can put them through recovery. But if you forget/lose your credentials...the entire account is essentially on borrowed time, since you can no longer sign in on new devices or the web app and therefore cannot update payment methods, invite new people, etc. Just a best-practices tip. :)
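
The distinction confirmed above (regenerating the Secret Key rewraps the same keyset, while recovery replaces it) can be modelled in a few lines. This is an added example, not part of the original thread and not 1Password's code: the key derivation and the `wrap`/`unwrap` cipher are simplified stand-ins built from the Python standard library, and all names and values are constructed.

```python
import hashlib, hmac, secrets

def derive_muk(password: str, secret_key: bytes, salt: bytes) -> bytes:
    # Simplified stand-in for the two-secret derivation of the Master Unlock Key:
    # a slow password hash XORed with a keyed hash of the Secret Key.
    slow = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    fast = hmac.new(secret_key, salt, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(slow, fast))

def wrap(key: bytes, plaintext: bytes) -> bytes:
    # Toy encrypt-then-MAC construction for illustration only (assumption, not AES-GCM).
    nonce = secrets.token_bytes(16)
    stream = hashlib.shake_256(key + nonce).digest(len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unwrap(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key")
    stream = hashlib.shake_256(key + nonce).digest(len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))

def can_read(password, secret_key, salt, wrapped_keyset, item) -> bool:
    """True if these credentials plus this wrapped keyset copy decrypt the item."""
    try:
        keyset = unwrap(derive_muk(password, secret_key, salt), wrapped_keyset)
        unwrap(keyset, item)
        return True
    except ValueError:
        return False

def demo() -> dict:
    pw, salt = "constructed account password", secrets.token_bytes(16)
    old_sk, new_sk = secrets.token_bytes(16), secrets.token_bytes(16)
    keyset = secrets.token_bytes(32)  # stands in for the personal keyset
    old_copy = wrap(derive_muk(pw, old_sk, salt), keyset)
    # Secret Key regenerated: the same keyset is rewrapped under the new MUK.
    new_copy = wrap(derive_muk(pw, new_sk, salt), keyset)
    item_after_regen = wrap(keyset, b"item saved after regeneration")
    # Recovery: a fresh keyset is created and items are encrypted under it.
    keyset2 = secrets.token_bytes(32)
    item_after_recovery = wrap(keyset2, b"item saved after recovery")
    return {
        "old_sk_vs_new_copy": can_read(pw, old_sk, salt, new_copy, item_after_regen),
        "old_sk_vs_old_copy": can_read(pw, old_sk, salt, old_copy, item_after_regen),
        "old_copy_after_recovery": can_read(pw, old_sk, salt, old_copy, item_after_recovery),
        "wrong_password": can_read("guess", old_sk, salt, old_copy, item_after_regen),
    }
```

In this model the old Secret Key is useless against the current wrapped keyset, an old wrapped copy still needs the account password to open, and only replacing the keyset makes that old copy useless for items saved afterwards.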

  • Thank you @Lars! Just to check:
    1) Is "Account Password" in your reply the same as a "master password"?
    2) If my actual family members aren't quite ready to set their accounts up yet, would there be any problem if I just create a 'temporary' person as an Organizer in the family account, do the recovery, and then delete that temporary person? We would, as you suggest, put a real second Family Organizer on the account as soon as possible, but my actual family members aren't quite ready yet!

  • Lars Junior Member

    Team Member

    @nettle -

    1. Yes. We've moved toward the use of Account Password instead primarily because 1Password 8 will only work with 1password.com accounts, but also because of some unfortunate associations with the term "Master" Password.
    2. For the first part of your question, none at all. Your 1Password Families account has a 5-person limit (without paying for more users), but that's current members, not entire count from the beginning including deleted members. If you're going to go that route, make sure you delete the temporary organizer when you're finished instead of suspend, because suspended users still count towards the total. In regard to adding a "real" second organizer, yes, that's generally what we'd suggest. In my family, it is (naturally) myself and my wife. The children are just members, and I have also added my brother who is a regular member. But if I were to forget my password or lose access to the Secret Key on all my devices, my wife could recover me, and I her -- and either of us can do so for any of the other members. It's the way to ensure that no single point of failure causes the entire account to be at risk.

  • Thank you very much again @Lars! To be sure I understand correctly, although the recovery process refers to "Then they’ll get a new Secret Key and create a new Master Password" and "After your family or team member has created their new Master Password", am I right that there's no problem if I actually choose to input the same Account Password that I used originally? Then I would end up with the same old Account Password, but a new Secret Key (which I would print in my new recovery kit) and a new keyset?

  • Ben AWS Team

    Team Member

    That is correct, @nettle. :)

    Ben

  • @nettle Regarding "am I right that there's no problem if I actually choose to input the same Account Password that I used originally?". Someone could only have gained access to the old keyset with knowledge of your old Account Password. So, while it's not necessary to change your Account Password, you should change it if your reason for generating a new keyset is that you think someone has accessed the old keyset.

  • ag_ana

    Team Member

    Indeed :+1:

  • Thank you, @Ben, @rootzero, and @ag_ana! I do not think anyone has accessed the old keyset, and I am also confident that the account password has remained secure. It's only the secret key that might have been disclosed (from an emergency kit PDF that did not have the account password written on it). The secret key is actually probably fine (i.e. there is only a very small chance that it was compromised), but since I'm setting up everything for the first time I'd feel more secure if I regenerated the secret key (and also keyset).

    My understanding is that if the original account password is still secure and nobody has actually accessed the old keyset, then if I get a new secret key and keyset through the recovery process, but keep the original account password, then I'm back to the same level of security that I had at the start (before my original secret key might have leaked). I think @rootzero's scenario ("while it's not necessary to change your Account Password, you should change it if your reason for generating a new keyset is that you think someone has accessed the old keyset") doesn't apply in this case. But, if I'm missing something, please let me know!

  • @nettle In that case, there's no need to change the Account Password. I don't think you're missing anything :+1:

  • ag_ana

    Team Member

    @nettle:

    My understanding is that if the original account password is still secure and nobody has actually accessed the old keyset, then if I get a new secret key and keyset through the recovery process, but keep the original account password, then I'm back to the same level of security that I had at the start (before my original secret key might have leaked).

    That is my understanding as well :+1:

  • Thank you very much everyone, it seems to have worked smoothly!

  • ag_tommy

    Team Member

    Excellent! I am happy to hear that.
