Secret key in clear text in C:\Users\<username>\AppData\Local\1Password\1password.sqlite


1Password v8 seems to store its local data in C:\Users\<username>\AppData\Local\1Password\1password.sqlite.
With any sqlite client, it's dead easy to extract the secret key(s) of your account(s) with an SQL command like this:

select substr(data, instr(data, 'secret'), 60) from accounts;


  secret_key":"A3-xxxxxxx-yyyyy-zzzzz-aaaaaa-...."


Since this database is the first thing an attacker would check, I don't consider this good storage of the secret key. It's plain text in plain sight. The only things that protect it are the NTFS file system permissions, which are void if you boot a live CD/DVD/stick or if you have admin permissions.
It's clear text, not even obfuscated. I expect this key to be at least obfuscated, or better, encrypted with the master password.

In the sqlite database of the v7 client, the secret key isn't found that easily, if at all.


1Password Version: 8
Extension Version: Not Provided
OS Version: Windows
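
A self-check for the observation above, added here as an example and not code from 1Password or from the post: it opens a copy of the database read-only, runs the post's own substr/instr query unchanged, and separately pulls out any `secret_key` value with a regex. The `accounts` table and `data` column names are taken from the post's query; that the column holds a JSON blob, the exact dash grouping of the key, and the sample database built in `build_sample_db` are assumptions made for the example, and the key in the sample is a made-up placeholder.

```python
"""Check a 1Password-style sqlite file for a clear-text Secret Key.

Added example, not code from 1Password or from the original post.
Assumptions (not confirmed by the post): the table is called `accounts` and its
`data` column holds a JSON blob containing a `secret_key` field, which is what
the post's query implies; the sample database below is constructed here and
the key in it is a made-up placeholder.
"""
import json
import os
import re
import sqlite3
import tempfile
from pathlib import Path

# The post's own query, run unchanged so the output can be compared with it.
POST_QUERY = "select substr(data, instr(data, 'secret'), 60) from accounts"

# Shape of a Secret Key as shown in the post: "A3-" then dash-separated groups.
# The exact grouping is an assumption; the post only shows it truncated.
SECRET_KEY_RE = re.compile(r'"secret_key"\s*:\s*"(A3-[A-Z0-9-]+)"')

PLACEHOLDER_KEY = "A3-XXXXXX-XXXXXX-XXXXX-XXXXX-XXXXX-XXXXX"  # made-up, not a real key


def open_readonly(path):
    """Open the database read-only so the check never modifies the file."""
    return sqlite3.connect(f"{Path(path).resolve().as_uri()}?mode=ro", uri=True)


def build_sample_db(path):
    """Create a constructed sample database with the layout the post describes."""
    con = sqlite3.connect(path)
    con.execute("create table accounts (id integer primary key, data text)")
    blob = json.dumps(
        {"email": "user@example.com", "secret_key": PLACEHOLDER_KEY,
         "domain": "example.1password.com"},
        separators=(",", ":"),
    )
    con.execute("insert into accounts (data) values (?)", (blob,))
    con.commit()
    con.close()


def run_post_query(path):
    """Return the rows the post's substr/instr query produces."""
    con = open_readonly(path)
    try:
        return [row[0] for row in con.execute(POST_QUERY)]
    finally:
        con.close()


def find_cleartext_secret_keys(path):
    """Return every Secret Key that sits unencrypted in accounts.data.

    Handles both TEXT and BLOB storage of the column. An empty list only means
    the pattern was not found, not that the key is protected somewhere else.
    """
    con = open_readonly(path)
    try:
        found = []
        for (data,) in con.execute("select data from accounts"):
            if isinstance(data, bytes):
                data = data.decode("utf-8", errors="replace")
            found.extend(SECRET_KEY_RE.findall(data or ""))
        return found
    finally:
        con.close()


def demo():
    """Build the constructed sample in a temp dir and run both checks on it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "1password.sqlite")
        build_sample_db(path)
        return {"post_query": run_post_query(path),
                "keys": find_cleartext_secret_keys(path)}


if __name__ == "__main__":
    import sys
    # Pass the path of a COPY of your own 1password.sqlite to check it; with
    # no argument the constructed sample database is used instead.
    if len(sys.argv) > 1:
        print(find_cleartext_secret_keys(sys.argv[1]))
    else:
        print(json.dumps(demo(), indent=2))
```

Run it against a copy of the file rather than the live database, since the running client may hold a lock on it, and treat a hit as confirmation of the post's finding: the key is readable by anything that can read the file, which is exactly the NTFS-permissions-only protection the post describes.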

Comments

  • XIII
    Community Member

    It seems to be better on macOS/iOS?

    See Section "Locally exposed Secret Keys" of the "1Password Security Design" white paper (PDF).

    Unfortunately no mention of Windows there...

  • Fooligan
    Community Member

    That is interesting. I was also able to locate mine in ~/.config/1Password/1password.sqlite (Ubuntu 20.04, perm: 0600). But, I don't think that this is specific to 1P8. I am assuming there might be a technical limitation that the secret key can't be encrypted at rest?

    From the docs: How your Secret Key protects you

    Like your Master Password, your Secret Key is never sent to us. But because you can’t memorize your Secret Key, 1Password stores copies of it for you, so you can:
    Unlock 1Password without entering your Secret Key every time. It’s stored in the 1Password apps and browsers you’ve used to sign in to your account on 1Password.com.
    Have peace of mind if you lose a device. Encrypted copies of your Secret Key are stored in your device backups and keychains to provide data loss protection. If you have iCloud Keychain turned on and lose your Mac, iPhone, or iPad, you can restore from a backup and unlock 1Password with just your Master Password. It’s the same for Android backups.

    I think this is a deliberate trade-off for convenience. But, if your home directory is accessible by others in your workgroup or gets hacked, then it looks like you are only protected by your master password. In that case, you should probably regenerate your secret key.

    cc: @jpgoldberg

  • blankspace
    Community Member
    edited August 2021

    This is pretty funny lol.

    So I was curious what a 1P7 db stored to compare. I had a work computer I had never upgraded to 1P8 to do a sample test and here's what I found.

    They store your encrypted master password. (no biggy)

    and they also store an encrypted login which I ASSUME is the secret key but hashed along with some other things. I found no traces of the secret key or anything that would cause a hacker who was in your system to access your vaults. IIRC 1P7 along with many others (maybe even 1P8) dump your entire password vault into memory on unlock, which means in theory, a program running in the background could memory dump if they had privileges and gain your passwords that way.

    That being said. Storing your supposedly secret key, the most important piece of your entire vault security in plain text is unreal and further proves 1P8 is a joke compared to 1P7.

  • blankspace
    Community Member

    @roustem discuss this please. Seems like a pretty big deal you store anything in plaintext, let alone the account secret ... Are we labelling this as a bug or is this how the architecture is staying?

  • roustem
    edited August 2021

    @blankspace We had these discussions in the past. There is probably more than one thread in the forum about it.

    The purpose of the Secret Key is to make the data stored on 1Password.com completely safe, even if the server data was stolen and the user had a weak master password. We originally called this value the "Account Key" but many customers would email it to us and we decided to rename it to "Secret Key" to help with this. It solved one problem but created another 😄

    In short, the best we can do with this value is obfuscate it. We don't have anything to encrypt it with. The master password is what protects the local data. The "Secret Key" provides the guarantee that the data on the server is safe.

  • blankspace
    Community Member

    Thank you

This discussion has been closed.