Why my Secret Key is stored in plaintext?
Hello!
I have found that my Secret Key is stored in plaintext in IndexedDB.
Secret Key is a very critical and very sensitive part of the 1Password zero-knowledge architecture, and I'm very worried and disappointed that it is stored as-is in the database.
What do you think about that? Do you have any plan to fix that?
Is there any way to keep it encrypted (directly or indirectly) by the user's Master Password, for example?
Thanks!
1Password Version: Not Provided
Extension Version: 2.1.0
OS Version: Not Provided
Comments
-
@alexprogrammr Your Secret Key is intended to protect your data on 1Password's servers. It is not encrypted with your master unlock key because it is used with your master password to derive the master unlock key. So, in effect, it is your master password which protects your data on your devices. From the 1Password White Paper:
Locally exposed Secret Keys
Once a client is enrolled, it will store a copy of the Secret Key on the local device. Because the Secret Key must be used to derive the user’s MUK it cannot be encrypted by the same MUK. Although lightly obfuscated, the Secret Key is stored on the local device unencrypted. Where possible, the Secret Key will be put into something provided by your system for storing authentication secrets. For 1Password for Mac and 1Password for iOS that will use the iOS and OS X keychains respectively. But when 1Password has been used from a web browser, the Secret Key is stored in the browser’s local data store, a fairly exposed location. Recall that the Secret Key is designed so that an attacker will not be in a position to launch an offline password guessing attack if she captures data from the server alone. It does succeed at that goal, but in the current version, our ability to protect the Secret Key on your computer is limited by the tools available to that particular client.0 -
In addition to what rootzero quoted, you can read the white paper here if you're interested: https://1password.com/files/1Password-White-Paper.pdf
0