Entering secret key securely

I was wondering if there was any way to enter my secret key in Windows without a keylogger or image grabber or other malware capturing it. Right now I'm just using 1Password on my iPhone because I know the risk is far less of anything being captured on it.

I know nothing is 100% safe but is there any way I can minimize the risk when entering the secret key besides scanning for viruses and being careful what I download? I've seen there used to be a Secure Desktop option but that seems to be gone from version 6.

I know the secret key is only entered once, but getting it once is all it takes to get access to my data.

Comments

  • AGAlumB
    1Password Alumni

    @xjustintime: Good security hygiene like you described is really the only safe bet. Even if Secure Desktop could prevent a keylogger from getting your Secret Key as you entered it, there's nothing stopping malware from doing a lot more than recording keystrokes. If your machine is compromised, you should assume that its new owner has the ability to access anything you do, including your 1Password data as you use it. 1Password can protect your encrypted data at rest even if your machine is compromised, but if you're using login credentials or viewing sensitive data, there's nothing to stop the attacker from collecting that. And while your best defense is to keep your machine secure in the first place, if you ever do have reason to believe that your Secret Key has been stolen, you can always regenerate it from your Profile page — from a safe machine, of course, otherwise you're back to square one.

  • xjustintime
    Community Member

    Thanks for the information. You would know better than me, but it seems like it would be more likely that a keylogger would be installed than someone having total access to my computer.

    Is it possible to have an Addison all separate 1Password.com vault that's password protected? That way even if someone had access to my computer they wouldn't have access to that (I don't think) unless I had accessed that vault on it and typed my password?

  • AGAlumB
    1Password Alumni
    edited June 2017

    Thanks for the information. You would know better than me, but it seems like it would be more likely that a keylogger would be installed than someone having total access to my computer.

    @xjustintime: You're completely right. But I think with security we need to, in principle, plan for and assume the worst unless there's evidence to the contrary. And this is especially important since we're talking about hypotheticals. I don't want to make the hypothetical attackers stupider than what we're likely to encounter in the real world.

    My concern is that if malware is installed on your computer (or mine) that there's absolutely no reason it should be limited to only capturing keystrokes.

    An attacker with any sense at all will collect everything they can. Often, they collect way more information than they could reasonably deal with themselves in the short term, and either go through it over time, share it with others, or sell it.

    If I'm writing malware, I'm going to make it as valuable to me as I can: logging, screenshots, remote access, etc. Otherwise I'd probably just do something else with my time. Just a thought.

    Is it possible to have an Addison all separate 1Password.com vault that's password protected? That way even if someone had access to my computer they wouldn't have access to that (I don't think) unless I had accessed that vault on it and typed my password?

    I think there may be a typo/autocorrect there, and I'm having trouble understanding what you're asking. Can you clarify? :)

  • xjustintime
    Community Member

    Lol, sorry, I was trying to say "an additional separate vault." It looks like the master password unlocks all vaults at this time though.

  • AGAlumB
    1Password Alumni

    @xjustintime: Ah, thanks. That makes sense. Indeed, 1Password uses one Master Password to unlock the app and all of the vaults therein. We don't have plans to have it work differently in the future, as that means not only more complexity, as unlocking each vault separately is a bit of a pain, but also that encourages each of us to use weaker passwords since we have to remember and type many more. A single long, strong, unique Master Password is going to be not only harder to guess (or brute force), but also much easier for brain- and muscle-memory, making it easier on the user at the same time. Cheers! :)

This discussion has been closed.