Android App Profile contains Secret Key
Let me start off by saying how much I love 1Password. I came over from LastPass when they were hacked. IMO LastPass got distracted with offering other services/apps, and lost sight of their primary business's objective of protecting their customers' passwords.
As a result, I became even more security conscious than before my data was accessed.
While setting my wife up on the app, I just stumbled upon the fact that the secret key is stored in my profile on the Android app.
I'm concerned that if someone were to gain access to my Pixel device and were aware of how to access the secret key stored in my 1Password profile, they would have access to all of my 900 passwords.
Is it necessary to keep my secret key in the app profile for the app to function?
Could you help me understand why the app's default setting automatically included it in my profile?
I would prefer to not store it in my profile if possible.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Android
Browser: Not Provided
Comments
-
The Secret Key is about protecting your data on 1Password.com. It's required to be available on your device or you'd need to enter it each time just like your password.
https://1password.com/files/1password-white-paper.pdf
unlike your Master Password isn’t something that people could be expected to memorize or
even to type on a keyboard regularly
- Is it necessary to keep my secret key in the app profile for the app to function?
Yes, the Secret Key is half of the encryption of your data. Your password is the other half. It protects access on 1Password.com. If the key were not locally available then you'd be unable to unlock.
But while the Secret Key is unguessable it is not the kind of thing that
can be committed to human memory. Instead of being stored in your
head, your Secret Key will be stored on your device by your 1Password
client.
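To illustrate the reply's point that the password and the Secret Key are each half of what unlocks the data, here is an added example (not from this thread and not 1Password's code): a simplified two-secret key derivation. The PBKDF2/HKDF/XOR construction, the iteration count, the `info` label and all sample values are assumptions chosen for illustration.

```python
import hashlib
import hmac


def hkdf_sha256(key: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract, then expand."""
    prk = hmac.new(salt, key, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_unlock_key(password: str, secret_key: str, salt: bytes,
                      iterations: int = 100_000) -> bytes:
    """Combine a memorized password with a device-stored Secret Key."""
    # Half 1: slow, salted stretching of the human-chosen password.
    from_password = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Half 2: expansion of the high-entropy Secret Key kept on the device.
    from_secret = hkdf_sha256(secret_key.encode(), salt, b"secret-key-half")
    # XOR the halves: the result cannot be computed if either input is missing.
    return bytes(a ^ b for a, b in zip(from_password, from_secret))


def can_unlock(candidate: bytes, enrolled: bytes) -> bool:
    """Constant-time comparison of a derived key against the enrolled one."""
    return hmac.compare_digest(candidate, enrolled)


# Constructed sample values, not real credentials or a real key format.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
PASSWORD = "correct horse battery staple"
SECRET_KEY = "CONSTRUCTED-SAMPLE-SECRET-KEY-0001"
ENROLLED = derive_unlock_key(PASSWORD, SECRET_KEY, SALT)

if __name__ == "__main__":
    both = derive_unlock_key(PASSWORD, SECRET_KEY, SALT)
    no_device_key = derive_unlock_key(PASSWORD, "", SALT)
    no_password = derive_unlock_key("", SECRET_KEY, SALT)
    print("password + Secret Key:", can_unlock(both, ENROLLED))
    print("password only:        ", can_unlock(no_device_key, ENROLLED))
    print("Secret Key only:      ", can_unlock(no_password, ENROLLED))
```

In this sketch, a copy of the Secret Key taken from the device still fails to unlock without the password, and the password alone fails without the locally stored key.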