`op account add` shouldn't show the Secret Key!
I'm configuring the CLI for the first time, and I was surprised to see that `op account add` shows the Secret Key as I type it (same for `op vault ls`).
For such a sensitive secret, it should definitely not be shown in the terminal!
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Comments
-
It is stored in plain text after you signed in, so I doubt hiding it while typing makes much difference?
0 -
Wow, really? Where? I certainly wasn't expecting this!
0 -
`$XDG_CONFIG_HOME/op/config` if I remember correctly (already deleted it). Isn't much different than in browsers; you see the secret key when you type it and it is also not very well protected, I think.
Is probably mentioned in a 1Password security document? (Plus explanation why this is somehow OK?)
0 -
I use Mac, and `$XDG_CONFIG_HOME` is undefined, so I guess it would be `~/.config` by default. I can't find any `~/.config/op` directory. Maybe in macOS it's different?
0 -
You can use `XDG_CONFIG_HOME` (also) on macOS since version 1.8.0 (I use it myself in both Raspberry Pi OS and macOS), but if you don't the location is `~/.op/`
0 -
Hey @dserodio
We do not treat the secret key like a password in all of our clients, and @XIII is correct in that we do save the secret key on disk.
The default directories are either `~/.op` or `~/.config/op`, which will contain a file named `config` that stores the accounts' info, including the secret key, but not the password.
0 -
Sorry, but I'm completely lost. My understanding was that the secret key (previously called Master Password) is extremely sensitive, since it's used to unlock 1Password, and give access to all of my (940) passwords. It's hidden in the 1Password for Mac, 1Password in the browser, and in the web (https://my.1password.com/).
Now you're telling me that it's not sensitive, and it's ok to store it in cleartext in a text file with a known location?
What's the purpose of locking the vault then? If an attacker has access to my computer he can read ~/.op/config and then unlock my vault and read all my passwords!
0 -
@dserodio no need to be sorry!
So I think there may be a slight misunderstanding here - the secret key is different from what used to be called the Master password.
The Master Password is now referred to as just password.
The secret key is a sequence of characters that has been assigned to the user by 1Password during signup. It is used in conjunction with the password to authenticate a user.
We do not store or log your password anywhere in your system or our servers!
0 -
Oh, it all makes sense now. I'd read somewhere that the Master Password had been renamed, and assumed it was called Secret Key now. Sorry for the confusion, and thank you for your patience and explanation.
FWIW, since I had typed my Master Password in the Secret Key field, it did get saved to ~/.op/config. Even though it was completely my fault, maybe you can improve the UX somehow to prevent other users from making the same mistake as I did.
0 -
Not at all, happy to clear things up! And yes, we did change Master Password to just password :)
> FWIW, since I had typed my Master Password in the Secret Key field, it did get saved to ~/.op/config. Even though it was completely my fault, maybe you can improve the UX somehow to prevent other users from making the same mistake as I did.
We are continuously reviewing our authentication flow, and will consider this moving forward.
Thanks for your feedback!
0