Why was I asked for only my master password (and not my secret key)?

ThomasK
ThomasK
Community Member

I've just installed 1PW on a new (well, old-but-scrubbed) Mac and am puzzled by a couple of aspects of how that went -- security-wise.

So, I've been using 1PW for years now, and keep my vaults on 1password.com. So once the main install was done, and 1PW asked me what to do about vaults, I chose the option to have it look on 1password.com. It did that, quickly found my account, and let me subscribe. That all went fine. Except...

  1. Why, when I was subscribing, was I asked to provide only my 1password.com Master Password and not my Secret Key as well? 1Password makes a big deal about the fact that both are in use, and yet in this particular operation I got access to my stuff with only one of them. In addition, one of the results of subscribing (using only my password) appears to be that my secret key was downloaded. That all seems...well, a tad worrying. No?
  2. And how did the 1Password program find my particular account on 1password.com in the first place? I merely told it to look there -- I didn't tell it my account name (i.e. the SOMEPLACE in SOMEPLACE.1password.com), nor my username. In fact, I didn't (knowingly) tell it any details about myself. Now as I said this is a new Mac, and 1Password is one of the first things I've installed, but one thing I did get set up prior to 1PW was my AppleID and related services (like Messages). So did 1PW perhaps get my details from my AppleID? And if so, should I be concerned about that?

thanks for any insight (especially of the reassuring kind!)


1Password Version: 7.8.7
Extension Version: Not Provided
OS Version: macOS 11.2.3

Comments

  • Hello @ThomasK! 👋

    The account suggestion that you're seeing in the 1Password app on your Mac is being shown because the 1Password app has found a 1Password account in your iCloud Keychain. In order to make it easier to sign into your 1Password account on your Apple devices 1Password will store an encrypted copy of the equivalent of your Emergency Kit in the iCloud Keychain.

    If you have ever used 1Password on another Apple device where you're using the same Apple ID then the email address associated with your account and your Secret Key were stored in the iCloud Keychain so that you can more easily add your 1Password account to your other Apple devices.

    There's nothing to worry about here since this information is encrypted and can only be accessed by you. And to complete the sign in process you still need to provide your 1Password account password.

    Let me know if that helps. :)

  • @ThomasK

    Please update macOS as soon as possible. 11.5.2 is out and you'll want to make use of the security enhancements it provides.

This discussion has been closed.