Forum Discussion

dragon1
Dedicated Contributor
10 hours ago
Solved

Secret Key unencrypted within browser developer settings - normal behavior?

Hi there,

Today I found out that when I go into the developer section of any of my browsers, 1Password stores a lot about your account:

  • mail-address
  • username
  • vault name
  • creation date of account
  • userUUID
  • using something like Fastmail-extension within 1Password
  • ... and much much more

And I also found out that the Secret Key is stored there unencrypted and visible to anyone with access to this machine (and browser).

Even when 1Password is locked, this information is available.

How to find it? Just go into developer mode of any browser, search there for the extension and look at databases > accounts > a_by_uuid.

Is this 'normal' behavior? In your security white paper you say that it is stored encrypted on all computers. So why is it shown here in clear text?

  • Hello dragon1! 👋

    As outlined in our Security Design White Paper, your Secret Key is stored locally on your device, with 1Password relying on operating system protections where possible (which can vary by platform). In the browser, it's stored in local storage and typically remains there unless that storage is cleared. In both the apps and the browser, the Secret Key is locally accessible; this is intentional and consistent with 1Password's security model.

    The Secret Key is not designed to protect your data on your device; it protects your data while stored on 1Password’s servers. On your device, your account password is what protects your data, meaning that even with local access, someone would still need your account password to decrypt and access your vaults. You can read more about the Secret Key here:

    Please also see section 10.2 Locally exposed Secret Keys in our Security Design White Paper.

    -Dave
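As an added illustration of the point made in the reply above (this is example code, not 1Password's own implementation): a simplified two-secret key derivation in which the key that unlocks vault data is a slow KDF over the account password combined with a KDF over the Secret Key, so a Secret Key copied from local storage is useless without the password, and a password alone is useless without the Secret Key. The password, Secret Key, salt, iteration count and info string below are constructed sample values; the real scheme is specified in the white paper.

```python
import hashlib
import hmac

# Constructed sample values for the demo; not real 1Password credentials.
ACCOUNT_PASSWORD = "correct horse battery staple"
SECRET_KEY = "A3-DEMOKEY-000000-00000-00000-00000-00000"   # constructed, format only
ACCOUNT_SALT = b"constructed-account-salt"
ITERATIONS = 50_000   # kept low for the demo; real deployments use far more


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes) -> bytes:
    """RFC 5869 HKDF with SHA-256; one expand block is enough for 32 bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()


def derive_unlock_key(password: str, secret_key: str, salt: bytes) -> bytes:
    """Two-secret key derivation (simplified): a slow KDF over the account
    password XORed with a fast KDF over the Secret Key. Reproducing the
    result requires BOTH inputs; either one alone yields nothing usable."""
    from_password = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS, 32)
    from_secret = hkdf_sha256(secret_key.encode("utf-8"), salt, b"2skd-demo")
    return bytes(p ^ s for p, s in zip(from_password, from_secret))


def unlock_attempts(secret_key: str, salt: bytes, real_key: bytes, guesses):
    """Model the local-exposure case: someone has read the Secret Key from the
    browser's local storage and tries a list of password guesses. Returns the
    guess that reproduces the unlock key, or None if none does."""
    for guess in guesses:
        if hmac.compare_digest(derive_unlock_key(guess, secret_key, salt), real_key):
            return guess
    return None


def demo() -> bool:
    real_key = derive_unlock_key(ACCOUNT_PASSWORD, SECRET_KEY, ACCOUNT_SALT)
    # Local exposure: Secret Key known, account password not known.
    without_password = unlock_attempts(SECRET_KEY, ACCOUNT_SALT, real_key, ["password", "123456", ""])
    # Server-side exposure: account password known, Secret Key not known.
    without_secret = derive_unlock_key(ACCOUNT_PASSWORD, "A3-WRONGKEY", ACCOUNT_SALT)
    return without_password is None and without_secret != real_key


if __name__ == "__main__":
    print("two-secret model holds:", demo())
```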
