Why isn't the Secret Key masked on the sign-in page?
I feel the community deserves an official response to this. Why in the world is something called the Secret Key being shown in clear text on the web login page?
The Secret Key is obfuscated elsewhere such as:
• The "Set Up Another Device" dialog in the desktop + mobile apps
• The "My Profile" section of the web dashboard
So why advertise it to the world on the web login page? This needlessly increases the surface area for your Secret Key to be compromised due to things such as shoulder surfing or screen capture.
If we are to trust 1Password, we must assume this was a deliberate decision...but what is the reasoning? To make it easier to spot typos? Is 1Password willing to endanger everyone's Secret Key because some of us might make a typo? If this is the case, at least make it a toggle to show/hide the actual characters (with the default obviously being to obfuscate it).
This is extremely concerning.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
Comments
-
@Dave_1P I disagree with you moving this discussion to the Membership category. This is not a membership question, and I can't help but feel that doing so was an attempt at sweeping the issue under the rug.
Can anyone from the 1Password team please offer some explanation as to why the Secret Key is not being masked on the sign-in page when it is properly masked elsewhere?
0 -
Hello @danglygem! 👋
Welcome to the 1Password community! We're very glad that you've chosen to join us here. "1Password in the browser" is our category for the browser extension. We don't currently have a category just for 1Password.com and "Memberships" is where posts discussing the website itself are currently hosted since this is where my colleagues who are the most knowledgeable about the website spend the most time. Hopefully in the future we can build a more fitting place.
On each browser, you only need to enter your Secret Key to sign in to 1Password.com once and then you'll only need to enter your account password to unlock the web app on subsequent access. The exception to this is if you clear your browser's history/cache. I would always recommend that you're careful about the environment that you choose to enter account credentials in.
The Security Key itself is only one component of how 1Password protects your data. Specifically, the Secret Key is designed to protect your data on our servers from things like a breach and even from 1Password (the company) itself. Your account password, which is always masked, is designed to protect your data on your device. Even if someone was to shoulder surf and pick up your entire Secret Key that Secret Key would be useless to the attacker because they wouldn't have:
- Your account password (needed to decrypt your data).
- Your encrypted data itself.
Of course, that doesn't mean that protecting your Secret Key isn't important and you can always regenerate your Secret Key if you feel that it has been exposed.
If you are concerned about someone gaining access to both your Secret Key and account password at the same time then you also have the option to enable two-factor authentication for your account:
- Turn on two-factor authentication for your 1Password account
- Use your security key as a second factor for your 1Password account
Let me know if you have any other questions. 🙂
-Dave
0 -
@Dave_1P I appreciate the answer but I am not sure if your post answers the question. The OP asked, given the rather critical function the Secret Key provides, why was a decision made not to hide them on the webpage? Your answer is... there are other metrics that the threat actor needs to gain access before breaching. It's clearly easy enough to "hide" the Secret Key on the website (or anywhere for that matter). I am kind of speculating here but I have a feeling that it's so that whoever is entering it can spot any mistakes given how long the key is and seeing that it only needs to be entered once (or at least only occasionally).
0 -
From my user perspective - when I am logging into the web app for the first time and need the Secret key, I must manually type it from my phone. Not seeing what I am typing wouldn't help me at all, considering how long and unreadable the Secret key is. Anyway, I agree the OP's question has not been answered, it is probably a question of why Secret key field is not of password form field (hidden with dots, with a clickable option to reveal.
0 -
@Dave_1P Thanks for the informative response, but the other posters have echoed my sentiments about the question not being answered.
Having the Secret Key visible on the login page is dangerous, and it's a shame that 1Password does not treat threats like this seriously.
0 -
Security is our number one priority at 1Password. Please see my previous post for more details about how the Secret Key is just one part of many that protects your data: https://1password.community/discussion/comment/699652/#Comment_699652
Both of your comments seem right to me, although I'll defer to any of my colleagues on the security team who want to jump in with more insight. We do many things to have users grasp and use the Secret Key, it's quite a unique concept and it can be confusing to many. For example, we also add dashes to the Secret Key so that it's easier for humans to read and type in.
-Dave
0 -
@Dave_1P Thanks. I didn't mean to sound accusatory but now that I am re-reading my post, it may seem so. Anyway, that's an interesting perspective I haven't thought about. However, from the OP's original post (I could be wrong about this), but it appears that other 1PW platforms (e.g. apps?) do hide them, which, if true, is slightly inconsistent with the explanation.
0 -
It's a good question from the original poster. I've reached out internally to find out why the Secret Key field is handled differently on 1Password.com than it is in the apps and I'll report back when I learn more. 🙂
-Dave
0 -
@Dave_1P Thanks Dave. I'm interested in their response. If it's simply for ease of use purposes, I'd suggest they make it a toggle field to show/hide the unmasked characters at will. That seems to be the best of both worlds.
@lodaka Yes, correct. The Secret Key is masked elsewhere, but strangely not when typing it in. The approach is wildly inconsistent... the Secret Key is either something that should be protected or not.
If I ever have to log in to 1Password via web in a public space, I have to worry about my Secret Key being blasted on the internet by someone making a TikTok behind me.
0 -
Hey everyone, I'm adding an unfortunate update to this discussion. Someone else posted this exact concern on Reddit 3 years ago:
https://www.reddit.com/r/1Password/comments/i4y7t7/why_isnt_the_secret_key_obscured_during_login/
Here are the highlights from the response from 1Password Security Team member "aglars":
Unless you have your Secret Key memorized, which is unlikely, you have to copy your Secret Key from somewhere else and the person looking over your shoulder can see it from that source just as easily.
Don't use 1Password in a public setting.
Here are my thoughts on the above highlights:
You can copy your obscured Secret Key from the desktop app into your browser, which is what I do when I have to manage my subscription billing because you can't manage billing in the desktop app. It's obscured in the desktop app, so the person looking over your shoulder in fact CANNOT see it from the source.
I don't always have the luxury of signing in to 1Password from my personal dungeon. Sorry about that. Also, the login page itself has a checkbox for if you're signing in from a public or shared computer... but an employee is saying don't use it in such a setting? Then why does such an option exist? Obviously because they recognize that there will be times that users need to.
It's the age old security vs convenience debate, and 1Password leans on the side of convenience. I'm sure someone will eventually get burned by this, but who cares about preventing breaches. Let's just react to them afterwards ;)
0 -
Hello everyone,
I had a chance to speak with some of my colleagues and was able to confirm that the Secret Key is displayed as a text field, rather than a password field, on 1Password.com in order to make it easier to enter the Secret Key into the website without typos. Unlike the account password, the Secret Key is not usually memorized and so it would be more difficult to enter while masked.
Please see my previous post for an explanation on the role that the Secret Key plays in protecting your account and why it differs from your account password (which is always masked).
As was mentioned by folks in this thread, the Secret Key is masked in the new desktop and mobile apps and I wanted to provide the reason for this. The 1Password 8 apps were part of a cohesive redesign around a "common core", this allows them to be consistent with each other in terms of design and consistency. It's why you can move from Windows to Mac to Linux and see the same great 1Password experience. The 1Password.com web app hasn't yet gone through this redesign and so the experience there is a little different and resembles the design of the previous generation of 1Password 7 apps (where the Secret Key wasn't masked either). Hopefully the same great design and experience from the new mobile and desktop apps will eventually come to the web app as well. This will make things more consistent across the board.
Regarding masking the Secret Key in particular: the team hears the feedback and an internal issue has been opened to look into standardizing this behaviour between the web app and the 1Password 8 mobile and desktop apps. Although the Secret Key is not your account password, it's still not ideal to have it be intercepted by someone peeking over your shoulder and the team is discussing the possibility of having it be masked by default with a reveal option, similar to the 1Password 8 apps.
Some tips on using 1Password.com securely:
- On each browser, you only need to enter your Secret Key to sign in to 1Password.com once and then you'll only need to enter your account password to unlock the web app on subsequent access. So if you do need to access 1Password.com on your device in a public place in the future, you'll only need to enter your account password which is always masked.
- Be careful about the environment that you choose to enter account credentials in.
- Avoid signing into your 1Password.com account using a public device. It's difficult to know if a public device is safe and free from things like keyloggers, malware, and other software that may spy on what you type and view on that device.
We appreciate the passion and everyone's efforts in helping us keep 1Password as the best and most secure place to keep the important data in all of our lives.
-Dave
0 -
Thank you again for the feedback. 🙂
-Dave
0 -
Over 2 months later and still nothing.
I have some new feedback. Let's rename "Secret Key" to "Public Key" to better reflect its unprotected status.
0 -
@danglygem I agree with you, and would think as a compromise they could at least provide a toggle option to hide it before pasting or typing it in, if someone chooses to do so.
0 -
114 days and they still haven't masked the Secret Key on the web sign in page.
Maybe we should start taking bets on how many holidays will pass before this vulnerability is addressed. Anyone think we'll make it to Halloween 2024?
0 -
I just had to log into my.1password.com to check my billing info and realized when I pasted my Secret Key into the text box, it was not hidden as I expected. I would really prefer this not be visible like the password text box.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: MacOS 14.4
Browser: Safari0 -
Hello @1PWguy! 👋
On each browser, you only need to enter your Secret Key to sign in to 1Password.com once and then you'll only need to enter your account password to unlock the web app on subsequent access. The exception to this is if you clear your browser's history/cache. I would always recommend that you're careful about the environment that you choose to enter account credentials in.
That being said, I can see how masking the Secret key on 1Password.com, like we do in the apps already, would be desirable and I've passed your request along to the team.
Thank you for the feedback. 🙂
-Dave
ref: dev/b5/b5#23097
0 -
Thanks. Yeah, it prompts me to do so every time. It could be the privacy sections I use in Safari or the VPN I use when working remotely. Not sure. I just feel the Secret Key is too precious to be publicly exposed. I was in a coffee shop with people (and cameras) around me when I had to access my.1password.com. I wasn't expecting it be exposed. Thanks for passing it along.
0 -
You'll need to login from scratch if you clear Safari's history/cache or if you haven't signed into 1Password.com in the last 7 days. This is due to how Safari's storage works. Other browsers will remember your Secret Key for much longer as long as you don't clear your cookies/cache, and you'll be able to access 1Password.com using just your account password.
I hope that helps.
-Dave
0 -
@1PWguy Don't count on your suggestion ever being addressed. I started a thread about the exact same thing LAST YEAR and still nothing. The same employee @Dave_1P responded to my thread too, saying it's been passed on to the team.
They don't care. It's not tough to make the text field a password field. They simply don't want to or don't prioritize it at all! Either way, it's really sad.
1 -
At a minimum there should be a warning that pasting/typing Secret Key will not be masked. By the time I realized it, it was too late and exposed.
0 -
I think I'd like to add a devils advocate opinion on this.
1Password has been very clear that they use public key cryptography. Which is better explained by this video, Wikipedia and 1password themselves.
https://youtu.be/GSIDS_lvRv4
https://en.wikipedia.org/wiki/Public-key_cryptography
https://blog.1password.com/what-is-public-key-cryptography/I do agree that 1password calling the Public key the "Secret key" is a misnomer. And has the potential for most users to incorrectly assume that the secret key is the next level of security above their password. Which it is not.
The thing is public keys are designed to be shared. Which is why they are called public. Everyone knows the key already. If you watch and read up about how public key cryptography works you'll know that even if your "secret key" were hidden on screen there are probably much much easier ways to retrieve this without having to look over your shoulder. (like packet sniffing) The only thing the public key tells an attacker is the door to your account. Which by design is not enough information for an attacker to compromise your account. Ever.
Even then the benefit of an attacker knowing your public key is completely nullified (as others have noted) by users having the ability to regenerate their "secret key" aka your public key, anytime.
In fact if you read around security/crypto forums people even ask for more convenient ways to publish their public keys. I think one of them even suggests putting their public key on their Facebook. Which is pretty funny but also goes to show what the public key's purpose is for. It's not something that needs to be hidden. In fact for it to work properly everyone needs to know it!
https://security.stackexchange.com/questions/406/how-should-i-distribute-my-public-key
https://www.reddit.com/r/crypto/comments/120uiop/does_publishing_a_public_key_lower_the_security/I think the unfortunate reality is that most people don't know how public key cryptography works. And the idea of having some random string of characters linked to your account be "public" is scary to most users. As such 1password as taken the route of calling it a "secret key". But since hiding the public key on screen provides no benefit to security, this is why it isn't hidden.
To combat an "over the shoulder attack" or a picture being taken of your screen, your "secret key" is intentionally long. Which as discussed before, gives nothing to the attacker except the door to your account. Which would be like an attacker knowing your username/email address. (Which usually isn't hidden either on the login page of a website)
IMHO making the text box for the "secret key" be hidden is just something to make users "feel safe" without actually providing anything to security. Aka security theater. To me this is essentially faking security. Which is the last thing 1password or any company that sells itself on its security, should be doing. And quite frankly saying 1password "doesn't care" when it comes to security over this is silly. Their entire business depends on them being secure.
This whole conversation to me honestly just stems from 1password staff being barred from telling users "no". Using html to hide what you're typing isn't "security" anymore people.
However I think something 1password could add as a feature is to allow users to have a reminder to regenerate their "secret key" after some set amount of time. For users that travel a lot.
0 -
You can read more about what we published about public keys here. What is Public-Key Cryptography?
As the name implies, the public key can be shared publicly, usually in a repository or directory.
Your Secret Key is never stored by 1Password. It is used locally on your device. Most folks think the Secret Key is transmitted to 1Password.com, but it is not. Your password and Secret Key are never shared with us, nor do we want you to share them with us at any time. They are for you and you alone.
This is where Secure Remove Password is used. How Secure Remote Password protects your 1Password account
Most websites send your password to a server when you try to sign in, leaving it vulnerable to interception. Your 1Password account uses the SRP handshake protocol to authenticate without sending your account password or Secret Key over the internet, so they can’t be stolen in transit.
From our white paper:
https://1passwordstatic.com/files/security/1password-white-paper.pdf
E2E: Data is only encrypted or decrypted
locally on the users’ devices with keys
that only the end users possess. This protects the data confidentiality and integrity
from compromises during transport or remote storage.0 -
I'm glad I could help. :)
0
