If 1Password doesn't store my secret key, how is my emergency kit available at 1password.com?
Is it in fact stored on their servers, but encrypted by my master password? I would like to think the PDF is generated on the fly on my client and the secret key is pulled from the 1Password instance running there, but I haven't attempted to download the emergency kit from a device where 1Password isn't installed, to test this.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:emergency kit
Comments
-
Hi @vdavidoff
The Secret Key isn’t stored by us at all, encrypted or otherwise. While 1Password.com looks like a typical web app where all data that you input is transmitted to the server that isn’t the case with 1Password.com. All of the decryption and management of the Master Password and Secret Key are done locally within your web browser. The Secret Key is stored in your browser’s local storage. Essentially 1Password.com tells your browser how to generate the Emergency Kit, and where to find the information that is needed for it (locally on your device), but again the Emergency Kit itself is not actually on 1Password.com — it is in your browser.
Admittedly even this is not an ideal arrangement. Web browsers tend to be fairly hostile environments with various extensions and whatnot running. We’d like to eventually make it so that most/all tasks could be accomplished without the use of a web browser, but we’re not there yet, and it’ll take some time before we get there. One improvement we have made since the launch of the service is that it is now possible to complete the initial signup process in the apps (at least Mac & iOS, I’m not positive about the other platforms).
If you’re interested in this sort of stuff and want to learn more about how it works and what the concerns might be we have a fairly in-depth white paper available here:
I hope that helps!
Ben
0 -
Thanks for the thorough reply, Ben. I have seen the whitepaper but only skimmed it. I'll give it a closer read.
Of the answers I was able to dream up, this is the one I was most hoping was the case, so that's good. I share your concern about the secret key being in the browser's data store, but I get it.
Thanks again.
Andy0 -
You’re very welcome @vdavidoff. :)
Ben
0