How/where is the account key stored locally? Is it encrypted using the master password?

michalc
michalc
Community Member

I'm wondering what the security implications are if someone has physical access to a device that has a 1Password client on it. Assuming the account key is not in plain text in memory, is the account key immediately compromised?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:How/where is the account key stored locally? Is it encrypted using the master password?

Comments

  • Hi @michalc,

    That's a really good question. The exact technical answer would depend on which platform you're talking about, but the generalities are common so I'll talk about that.

    What matters most of all is that we (AgileBits) never know your Account Key. We make sure that it never gets to us.

    Locally on a device, it's not considered the same level of secret. You brought up that we could maybe encrypt it using the master password (or a key derived from it). It turns out that this is actually a bad idea that can weaken your Master Password, and so we don't do that. I'm pretty sure Goldberg could write a book about why this isn't as good an idea as it sounds.

    The Account Key isn't put under heavy protection locally. If you suspect that someone may have gotten their hands on your Account Key, they'll still be missing your Master Password, so your data should still be safe. In that event you should use the function available on the website to re-generate the Account Key, which will invalidate all sessions with your account and cause all of those devices to require re-authentication with both the Master Password + new Account Key in order to talk to the server.

    The best way to look at it is that your data is protected by your Master Password. Access to communication with the server, as well as the data that resides on the server, is protected by the combination of your Master Password + the Account Key.

    I hope this helps.

    Rick

  • michalc
    michalc
    Community Member
    edited March 2017

    It does help... interesting that would/could weaken the Master Password: I have to say I didn't expect that, but thinking about it...

    If someone got access to the encrypted Account Key, then if they did manage to decrypt it (say, via brute force), then they would have both the Account Key and Master Password, and be able to decrypt the data. So you essentially only have the 1 key protecting the data, rather than 2.

    If the Account Key isn't encrypted, as indeed it isn't, then there is no way it can give you any information about the Master Password.

    Is this right?

    Also: is it possible to have a bit more information about the technical details of how the account key is stored on each platform?

  • AGAlumB
    AGAlumB
    1Password Alumni

    @michalc: One way to think of it is that someone having access to your Secret Key (the artist formerly known as Account Key) encrypted only with your Master Password could perform a brute force attack on it to discover your Master Password.

    Depending on how strong your Master Password is, this would be easier or harder. I'd venture a guess that (by virtue of you asking questions like this in the first place) you've probably chosen a pretty strong one, so you'd be okay. But for the folks out there using weaker Master Passwords that would be relatively efficient way of discovering it.

    We're not going to pretend that everyone uses a long, strong, unique Master Password though. So that all sounds kind of dire. But we designed 1Password.com's +2SKD with this in mind, since encrypting data with both the Master password and Secret Key (née Account Key) means that a brute force attack would need to effectively guess both of them together to be able to get into the data (and the likelihood of discovering the identity of both is even more astronomical).

    Regarding the technical details of how the Secret Key is stored, ultimately it doesn't matter because if someone has access to your machine enough that they might be able to get it, it will be easier for them to simply capture anything you enter or access instead. But that doesn't quite address your question. The problem is that it varies not only between platforms, but also browsers, which, as Rick mentioned, is why he didn't go into more detail: this is just too general a question (hence his general answer), and all the technical details could fill more space than we have here. The 1Password Teams security white paper is a start, but, we store an obfuscated copy of the Secret Key using the system's authentication store (for example, Keychain) for the apps, or the browser’s local data store for the web interface. But again, once someone else owns your system, all bets are off. I hope this helps!

This discussion has been closed.