Double checking password & secret key security when adding browser extensions

TambourineMan
TambourineMan
Community Member
in 1Password in the Browser

I still have LP as I have not yet migrated my LP vault. So for the time being I need some browsers with and without the LP extension.

So I have added the 1PW add on extension to Brave, Chrome, Firefox, Epic & Opera.

They all required me to provide my email, master password and my secret key which are all the keys to the kingdom. This does not seem safe. I think it is correct that my secret key and perhaps my password are not transmitted to 1PW, but just some token or confirmation that I am I (me) and have what's needed to unlock the vault.

But what about the browser? I think I recall there's a away to recover a lost secret key as long as one browser/device still has 1PW. So it must remember the secret key.

Is the secret key saved and resent every time we use 1PW? I also believe this and the password (or a token) are sent using secure encrypted method so a VPN is not needed, correct?

Are any or all of the three retained in browser files or in memory? Is so, for how long (is that what the time does?) and how are they secured (encrypted)? How does 1PW make sure they are safely stored or deleted? Does this get into a paging file?

As an aside I really like the secret key feature - it seems like a PGP public and private key system which can be very secure and it would seem to vastly increase the resistance to cracking the vault at 1PW.

But it does not seem like a good idea for a browser to have all three at once. How is that safe?

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser:_ Not Provided

This discussion has been closed.