Entering secret key securely

@xjustintime: Good security hygiene like you described is really the only safe bet. Even if Secure Desktop could prevent a keylogger from getting your Secret Key as you entered it, there's nothing stopping malware from doing a lot more that recording keystrokes. If your machine is compromised, you should assume that its new owner has the ability to access anything you do, including your 1Password data as you use it. 1Password can protect your encrypted data at rest even if your machine is compromised, but if you're using login credentials or viewing sensitive data, there's nothing to stop the attacker from collecting that. And while your best defense is to keep your machine secure in the first place, if you ever do have reason to believe that your Secret Key has been stolen, you can always regenerate it from your Profile page — from a safe machine, of course, otherwise you're back to square one.

Thanks for the information. You would know better than me, but it seems like it would be more likely that a keylogger would be installed than someone having total access to my computer.

@xjustintime: You're completely right. But I think with security we need to, in principle, plan for and assume the worst unless there's evidence to the contrary. And this is especially important since we're talking about hypotheticals. I don't want to make the hypothetical attackers stupider than what we're likely to encounter in the real world.

My concern is that if malware is installed on your computer (or mine) that there's absolutely no reason it should be limited to only capturing keystrokes.

An attacker with any sense at all will collect everything they can. Often, they collect way more information than they could reasonably deal with themselves in the short term, and either go through it over time, share it with others, or sell it.

If I'm writing malware, I'm going to make it as valuable to me as I can: logging, screenshots, remote access, etc. Otherwise I'd probably just do something else with my time. Just a thought.

Is it possible to have an Addison all separate 1Password.com vault that's password protected? That way even if someone had access to my computer they wouldn't have access to that (I don't think) unless I had accessed that vault on it and typed my password?

I think there may be a typo/autocorrect there, and I'm having trouble understanding what you're asking. Can you clarify? :)

@xjustintime: Ah, thanks. That makes sense. Indeed, 1Password uses one Master Password to unlock the app and all of the vaults therein. We don't have plans to have it work differently in the future, as that means not only more complexity, as unlocking each vault separately is a bit of a pain, but also that encourages each of us to use weaker passwords since we have to remember and type many more. A single long, strong, unique Master Password is going to be not only harder to guess (or brute force), but also much easier for brain- and muscle-memory, making it easier on the user at the same time. Cheers! :)