Secret key visible on web page.
I understood that the Secret Key was set up on my local system and never travels to the 1Password on cloud database. So I was surprised to see that I can view it under "My Profile" in the 1Password website? This rather surprised me!
Seemingly this would enable anyone who finds my master password to set up an instance of 1Password on their own computer and view all my data. Have I made some error in my setup??
1Password Version: 7
Extension Version: Not Provided
OS Version: Windows 7
Browser: Not Provided
Comments
-
Hello,
To access your profile, you must enter your secret key in addition to your main password.
Select "This is a public or shared computer" on the 1Password site login page. So knowing the master password is not enough to gain access to your profile.
If you install the application on another computer, both keys (master password and secret key) are required.
0 -
@elliotg22 Browsers have a small local storage facility, a small database where web apps can store complex and private session data beyond what cookies do. Stuff the web server doesn't need to know. The secret key is queried and stored in this local storage when you log in. It's not sent to the web server, the JavaScript on the website is using that only locally.
Finally, what you see is the secret key pulled from the local store of your web browser by the website's JavaScript. The web server is only serving the JavaScript code, it doesn't run it. It does run locally in your browser.
0 -
I am very happy to have my fears alleviated! I know it could not be that stupid. My worry was that I might have set things up that were caching the logon page itself for an extended period of time.
0
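The behaviour described in the reply about browser local storage, as an added illustration that is not part of the thread and is not 1Password's code. The class names, the `trustedDevice` flag (standing in for leaving "This is a public or shared computer" unticked), the key derivation and the `/auth` request are all simplified assumptions; the sample values are constructed.

```javascript
// Added illustration; NOT 1Password's code. All names and the derivation are hypothetical.
const crypto = require("crypto");

// Minimal stand-in for the browser's window.localStorage (same getItem/setItem shape).
class LocalStore {
  constructor() { this.items = new Map(); }
  setItem(k, v) { this.items.set(k, String(v)); }
  getItem(k) { return this.items.has(k) ? this.items.get(k) : null; }
}

// Stand-in for the web server: it records every request body it receives.
class Server {
  constructor() { this.received = []; }
  post(path, body) { this.received.push(JSON.stringify({ path, body })); }
}

// Sign-in as run by JavaScript in the browser: the Secret Key is saved to local
// storage and mixed with the password locally; only a derived value is posted.
function signIn(store, server, email, password, secretKey, trustedDevice) {
  if (trustedDevice) store.setItem("secretKey", secretKey); // assumed: skipped on shared PCs
  const derived = crypto
    .pbkdf2Sync(password, email + ":" + secretKey, 100000, 32, "sha256")
    .toString("hex");
  server.post("/auth", { email, proof: derived });
  return derived;
}

// "My Profile" rendering: the value shown comes from this browser's store only.
function renderProfile(store) {
  const key = store.getItem("secretKey");
  return key === null ? "Secret Key: (not stored in this browser)" : "Secret Key: " + key;
}

// Constructed sample values.
const SECRET = "A3-EXAMPL-ECONST-RUCTED-00000-00000-00000";
function demo() {
  const server = new Server();
  const home = new LocalStore();   // own computer
  const shared = new LocalStore(); // public or shared computer
  signIn(home, server, "user@example.com", "correct horse", SECRET, true);
  signIn(shared, server, "user@example.com", "correct horse", SECRET, false);
  return {
    homeProfile: renderProfile(home),
    sharedProfile: renderProfile(shared),
    serverSawSecret: server.received.some((r) => r.includes(SECRET)),
  };
}
console.log(demo());
```

In this sketch the profile view shows the key only in the browser that stored it, and nothing the mock server recorded contains the key.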