How can I change my Secret Key after a machine is compromised?

Details: I made the mistake of authenticating my 1Password account on a machine owned by my employer. After exploring the surveillance capabilities of the software (jamf) that they've installed, I've decided that I no longer trust my employers with access to this machine, and I'd like to ensure that they don't have access to the elements I've encrypted with 1Password.

I fully understand that I should assume at this point that all of the information currently stored in my 1Password account is compromised, and take appropriate actions.

Before doing this, though, it's important to revoke access for that machine. It appears to me that in order to do this, I'll need to change my secret key. I've reviewed the security whitepaper, and it doesn't seem to contain any information relevant to my situation (I read the table of contents, the section on secret keys, and searched for "revoke", "revocation", "compromise", and "change secret key".)

It does appear to me that one way to handle this would be to create a new user for myself, and delete the old one. Is that the simplest way to make this happen?

Thanks!

John Clements

1Password 7
Version 7.9.3 (70903003)
1Password Store


1Password Version: 7.9.3
Extension Version: 2.3.2
OS Version: macOS 11.6
Referrer: forum-search:How to change the secret key after a machine is compromised?

Comments

  • Hey John,

    Thanks for writing in. This is going to be a bit of a complex topic. It's in my nature to go into a lot of detail, so before I even type anything else out, I'll apologize if I go into anything that you don't care to know. I never like to make assumptions in that regard. As a general rule, though, don't panic. Be sure that you approach all of this logically. I speak to many people who take action immediately and then regret it. Posting here and asking this question, for instance, was a good decision.

    First of all, having worked in customer support for a number of years, I've talked to a number of people who were uncomfortable with the software and services that their employers were using to monitor company devices. Often times, those services are meant to avoid security issues at the company level, but there are certainly some that are less than attractive in what they do and how they do it. Right off the bat, I'll say that I'm personally unfamiliar with Jamf (although I have heard of it) and so I'm unaware of the level of access that it may have to your device. I will say, though, that 1Password data is quite well protected, and so unless you believe this to be truly malicious, awful software that's capable of compromising the protections that are offered by both 1Password and the operating system on which it runs, I'd suggest that taking the easy approach of logging into 1Password on the web, heading to your profile in the top right corner, and deauthorizing the device in question is probably enough to ensure that nothing bad happens from this point forward. Regenerating your Secret Key is an optional step here, but given that the Secret Key is stored in an encrypted form on your device, it's unlikely to be compromised itself. Deauthorization like this will prevent the device in question will prevent that device from connecting to your 1Password account again, but it wouldn't do all that much in the case of a truly compromised 1Password account.

    The next level that you'd reach, if you were worried beyond this, would be changing your account credentials. If you're there, you've likely already regenerated your Secret Key as mentioned above. Changing your account password would be the follow up, after which you'd need to grab a new copy of your Emergency Kit to ensure that you retain those new credentials. You don't want to lock yourself out of anything. If you use 1Password with other people, such as in the case of 1Password Families or 1Password Business, going through the recovery process would have the same effect and may even be a bit easier than doing all of this manually. That would probably be preferable to creating a new user account, as you mentioned.

    After that, if you absolutely, truly believe that your account and data has all been compromised, we'd need to get into the territory of changing every password in your vault(s), enabling two-factor authentication with your 1Password account, contacting your credit card companies and banks of choice to request new cards and to flag your accounts for potential fraud, and potentially putting a freeze on your personal credit. These are steps that I recommend only to those that are 100% sure that they're been the victims of some sort of malware or scam that's exposed their 1Password credentials and account to a third party without their permission.

    Finally, I'll mention that if you still have that copy of 1Password's Security Design white paper, the section that you were likely looking for was under Beware of the Leopard in and titled Malicious processes on your device. Granted, again, that section mostly applies to various forms of malware that may compromise a given operating system and not so much to corporate tools that could be used for monitoring purposes, but this will depend on opinion, and since you seem to be leaning towards the idea of complete compromise, that's what I'll point to.

    In any case, hopefully this helps, but let us know if you have any follow up questions.

    --
    Zak Kaufman
    1Password Security Team | Privacy & Compliance
    Celebration, Florida

This discussion has been closed.