March 27, 2026
Solved

Secret Key unencrypted within browser developer settings - normal behavior?


Hi there,

Today I found out that, when I go into the developer section of any of my browsers, 1Password stores a lot about your account:

  • mail-address
  • username
  • vault name
  • creation date of account
  • userUUID
  • using something like Fastmail-extension within 1Password
  • ... and much much more

And I also found out that the Secret Key is stored there unencrypted and visible to anyone with access to this machine (and browser).

Even when 1Password is locked, this information is available.

How to find it? Just go into developer mode of any browser, search there for the extension, and look at databases > accounts > a_by_uuid.

Is this 'normal' behavior? Within your security white paper you say that it is stored encrypted on all computers. But why is it shown here in clear text?

Best answer by 1P_Dave (1Password Employee)

Hello @dragon1! 👋

As outlined in our Security Design White Paper, your Secret Key is stored locally on your device, with 1Password relying on operating system protections where possible (which can vary by platform). In the browser, it’s stored in local storage and typically remains there unless that storage is cleared. In both the apps and the browser, the Secret Key is locally accessible; this is intentional and consistent with 1Password’s security model.

The Secret Key is not designed to protect your data on your device; it protects your data while stored on 1Password’s servers. On your device, your account password is what protects your data, meaning that even with local access, someone would still need your account password to decrypt and access your vaults. You can read more about the Secret Key here:

Please also see section 10.2 Locally exposed Secret Keys in our Security Design White Paper.

-Dave
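
The split described in the answer above (the account password protects data on the device, the Secret Key protects the copy held on the servers), as an added example that is not part of the thread and not 1Password's code. It is a simplified Python sketch: the mixing scheme (PBKDF2 output XORed with an HMAC of the Secret Key), the check value standing in for "this key decrypts the vault", and every sample value are assumptions constructed for illustration.

```python
import hashlib
import hmac

ITERATIONS = 100_000                      # assumed work factor for this sketch
SALT = b"constructed-salt"                # constructed sample values
PASSWORD = "correct horse battery staple"
SECRET_KEY = "A3-SAMPLE-CONSTRUCTED-KEY"  # stands in for the device-held Secret Key


def derive_key(password: str, secret_key: str, salt: bytes = SALT) -> bytes:
    """Mix a memorised password with a high-entropy device secret (assumed scheme)."""
    pw_half = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    sk_half = hmac.new(secret_key.encode(), b"sketch" + salt, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pw_half, sk_half))


def key_check(key: bytes) -> bytes:
    """Stand-in for 'this key decrypts the vault': a MAC over a fixed label."""
    return hmac.new(key, b"vault-check", hashlib.sha256).digest()


def first_match(passwords, secret_key: str, check: bytes):
    """Return the first candidate password that reproduces the check value, else None."""
    for candidate in passwords:
        if hmac.compare_digest(key_check(derive_key(candidate, secret_key)), check):
            return candidate
    return None


CHECK = key_check(derive_key(PASSWORD, SECRET_KEY))  # what the encrypted data is bound to

if __name__ == "__main__":
    guesses = ["123456", "letmein", PASSWORD]
    # Local access: the Secret Key is readable, so only the password stands in the way.
    print("local, password not in guess list:", first_match(guesses[:2], SECRET_KEY, CHECK))
    print("local, password in guess list:    ", first_match(guesses, SECRET_KEY, CHECK))
    # Server-side copy only: without the Secret Key even the right password fails.
    print("no Secret Key, right password:    ", first_match(guesses, "WRONG-KEY-GUESS", CHECK))
```

With the Secret Key readable on the device, the strength of the account password is the only local barrier; without the Secret Key, the correct password alone does not reproduce the key.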
