`op account add` shouldn't show the Secret Key!
I'm configuring the CLI for the first time, and I was surpresed to see that op account add shows the Secret Key as I type it (same for op vault ls).
For such a sensitive secret, it should definitely not be shown in the terminal!
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Comments
-
It is stored in plain text after you signed in, so I doubt hiding it while typing makes much difference?
0 -
Wow, really? Where? I certainly wasn't expecting this!
0 -
$XDG_CONFIG_HOME/op/configif I remember correctly (already deleted it)Isn't much different then in browsers; you see the secret key when you type it and it is also not very well protected, I think.
Is probably mentioned in a 1Password security document? (Plus explanation why this is somehow OK?)
0 -
I use Mac, and
$XDG_CONFIG_HOMEis undefined, so I guess it would be~/.configby default. I can't find any~/.config/opdirectory. Maybe in macOS it's different?0 -
You can use
XDG_CONFIG_HOME(also) on macOS since version 1.8.0 (I use it myself in both Raspberry Pi OS and macOS), but if you don't the location is~/.op/0 -
Hey @dserodio
We do not treat the secret key like a password in all of our clients, and @XIII is correct in that we do save the secret key on disk.
The default directories are either
~/.opor~/.config/opwhich will contain a file namedconfigthat stores the accounts' info, including the secret key, but not the password.0 -
Sorry, but I'm completely lost. My understanding was that the secret key (previously called Master Password) is extremely sensitive, since it's used to unlock 1Password, and give access to all of my (940) passwords. It's hidden in the 1Password for Mac, 1Password in the browser, and in the web (https://my.1password.com/).
Now you're telling me that it's not sensitive, and it's ok to store it in cleartext in a text file with a known location?
What's the purpose of locking the vault then? If an attacker has access to my computer he can read ~/.op/config and then unlock my vault and read all my passwords!
0 -
@dserodio no need to be sorry!
So I think there may be a slight misunderstanding here - the secret key is different from what used to be called the Master password.
The Master Password is now referred to as just password.
The secret key is a sequence of characters that has been assigned to the user by 1Password during signup. It is used in conjunction with the password to authenticate a user.
We do not store or log your password anywhere in your system or our servers!
0 -
Oh, it all makes sense now. I'd read somewhere that the Master Password had been renamed, and assumed it was called Secret Key now. Sorry for the confusion, and thank you for your patience and explanation.
FWIW, since I had typed my Master Password in the Secret Key field, it did get saved to ~/.op/config. Even thou it was completely my fault, maybe you can improve the UX somehow to prevent other users from making the same mistake as I did.
0 -
Not at all, happy to clear things up! And yes, we did change Master Password to just password :)
FWIW, since I had typed my Master Password in the Secret Key field, it did get saved to ~/.op/config. Even thou it was completely my fault, maybe you can improve the UX somehow to prevent other users from making the same mistake as I did.
We are continuously reviewing our authentication flow, and will consider this moving forward.
Thanks for your feedback!
0
