displaying secret key in the clear. why ever do this?
BLUF: You obfuscate it in several places. Why not all? Be consistent.
When initially logging in, the secret key is displayed in full cleartext. Researching why, I have seen some other threads where people have parenthetically complained about this behavior - for several obvious reasons, e.g., uneasy feelings, shoulder surfing, remote control screen sharing, video conferencing, etc... I myself ran into a different one - screen capping the login flow for family members and having to edit the screencap. Which is what frustrated me and prompted me searching out those threads and registering here so I can post this message.
In those other threads, the general responses from 1P staff have been: the SK is our most wonderful differentiating factor re: our competitors and we laugh at them not having one; but it's never seen by us, it's to protect you from us, or something bad happening to us, print out your emergency kit and stick it in your bank's safe deposit box, just be careful sharing your screen, don't really worry about it and oh yeah, you can always change it if you want. Which, of course, would require making a special trip to the bank to replace that copy and necessitate securely disposing of that old copy that presumably had your master password written on it - which oh yeah, was two passwords ago because driving to the bank for this whole safe deposit thing is stupid. And especially stupid when it's so obviously easy to protect it from disclosure with the software in the first place. And isn't that kind of the point?
I get what it does, how it works, what threat model it's designed for. But if it's the big deal that it is, then it needs to be treated that way. So, let me state for the record that having the secret key displayed in cleartext by default is dumb. And the wrong decision. Even given all your above poo-poos of why it doesn't matter. Because it does matter. I know this. And you, 1P, know this. It should be dotted out by default with an eyeball clicker for verification. This isn't a big ask - especially when you control all the fields where it is ever entered.
It's even more incredulous why it hasn't been done when the code to do so is literally a copy and paste from one of the several ways you have already done exactly this in other places of the UI. Knowing devs, they have already spent more time in your internal bugzilla about whether to fix this than it would take to actually fix this. It probably took me longer to search the few threads about why something so obvious isn't fixed and then type this message out than it would take to fix this. And for y'all to read it and type a reply. And then all the future questions and multiple answers of y'all with the same answers as above.
Or, if you persist in stating that it doesn't matter, then please de-obfuscate it in the several other places where you do. Like in the "you have been auto-logged out due to 10 minutes of activity" screen. And in the details of the 1Password Account login category item. And in the "My profile" screen. And you could also de-blur the QR code wherever it appears since it's just the email and SK.
So, as a new customer, I'm asking: be consistent, not hypocritical.
1Password Version: none yet
Extension Version: 2.5.1
OS Version: Win 10
Browser: Firefox
Comments
I guess you would not like it when I say you can even find the secret key in clear text in the database files Chrome or Firefox create for the plugin local storage. The clear text secret key vanished from the desktop app database (in old versions, it was really stored cleartext as A3-xxxxxx-yyyyy-zzzzz-... and could be easily found with an sqlite browser or just any disk editor - it's now obfuscated or encrypted), but it didn't vanish from the browser plugin database yet.
Hello,
Why do you use the web version and not the application?
@Tertius3 Already know about that and while a good guess, only slightly correct. :) I get why the key was plaintext on disk years ago. Not as much with a product that requires the user present to use - i.e., you don't really need to fill in a password when you're not there to login, right? But it was kind of required with products like cloud-backup apps that continually run in the background. But, the file can certainly be protected by, oh, the account password that you need to unlock and use the product. Or nowadays, with a per-machine key to make the file a per-device secret so moving the file or data wouldn't work off the box. I'm not a Windows guy, but an example of this tech worth looking into is the PowerShell.SecretManagement and .SecretStore modules that some clients use to automate scripting. Or, sidestep the whole unencrypted disk-at-rest storage issue with FDE and get with the naughts. :)
But this is a separate issue and out of scope to my OP, which is visually revealing the secret key in some places but not all of them. But it reinforces the reasoning why my statement is correct - they're protecting the salt in some places but not all. It's weird that you would protect it in the more obscure places but leave it unprotected in the most obvious and probably most seen place - a login screen.
@Ekalb Thank you for replying. I do agree that the browser is the more hostile environment for the end user and prefer dedicated, signed, provable apps when possible. Especially when dealing with security stuff, but then everything on the box is security-related and part of the attack surface. Am I right?
But I've been using 1P for only a few days now and haven't gotten to the desktop app yet - still at Step 2 in the "getting started". :) This was glaring enough for me to throw the WTF? flag.
Since it seems the web browser is required for some purposes/full functionality, your answer doesn't address the threat vectors nor the incomplete fixing of them, as described in my OP. And if what you're implying, that the secret key is visually obfuscated in the dedicated app, is true, you're really agreeing with my point. So, thanks (provisionally) for the support. :)
For security reasons, I can simply add: be sure to check the option "This is a public or shared computer" on the 1Password site login page.
Which does not in any way hide the secret key from being revealed in full plaintext during the login process.
And I just found two more places where the secret key is shown in an obfuscated manner. In the "get the apps" page, the QR code is blurred and when you click the "sign in manually" button, the code is shown with the non-known-prefix parts dotted out, requiring a button press to reveal.
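The masking behaviour the thread keeps asking for (known prefix visible, the rest dotted out, reveal only on an explicit click) is small enough to show in full. This is an added JavaScript example, not 1Password's code; it assumes only that the first dash-separated group (the "A3" version prefix mentioned above) is non-secret, and the sample key is a constructed one.

```javascript
// Added example (not 1Password's code): format-aware masking of an account
// secret key with an explicit reveal toggle.
// Assumption: the first dash-separated group (e.g. "A3") is the non-secret
// version prefix; every group after it is treated as secret.

const MASK_CHAR = "\u2022"; // bullet, as in a masked password field

// Mask every group after the prefix but keep the dashes, so the user can
// still verify the key's shape (group count and lengths) without exposing it.
// A value with no dashes is masked entirely, since nothing is known to be
// a prefix; an empty value yields an empty string.
function maskSecretKey(key) {
  const groups = String(key).trim().split("-");
  if (groups.length < 2) return MASK_CHAR.repeat(groups[0].length);
  const masked = groups.slice(1).map((g) => MASK_CHAR.repeat(g.length));
  return [groups[0], ...masked].join("-");
}

// Minimal view-model for the field: the cleartext is only handed to the
// renderer while `revealed` is true, so the default rendering (login page,
// profile page, emergency-kit preview) never contains the secret.
class SecretKeyField {
  constructor(key) {
    this.key = key;
    this.revealed = false; // masked by default; the "eyeball" flips this
  }
  toggle() {
    this.revealed = !this.revealed;
    return this.revealed;
  }
  render() {
    return this.revealed ? this.key : maskSecretKey(this.key);
  }
}

// Constructed sample key in the A3-... shape from the thread (not a real key).
const SAMPLE_KEY = "A3-ABCDEF-GHIJKL-MNOPQ-RSTUV-WXYZ2-34567";

// Walk the field through hidden -> revealed -> hidden again.
function demo() {
  const field = new SecretKeyField(SAMPLE_KEY);
  const hidden = field.render();
  field.toggle();
  const shown = field.render();
  field.toggle();
  return { hidden, shown, hiddenAgain: field.render() };
}
```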