Forum Discussion
sj0123
Occasional Contributor
4 years ago
Security concerns about 1password 8 for windows
Hello.
While trying to find a safe way to delete 1password data from my computer just in case I give or sell my computer to someone, I found the file that holds information about the 1password account...
1P_Ben
1Password Team
4 years ago
Hi sj0123
You are correct: there are minimal protections applied for the Secret Key on your computer. The Secret Key isn't intended to be secret within your system. It is intended to protect the encrypted data that is stored on our servers. The account password is what protects the data on your computer. We cover this in our "About your Secret Key" guide:
Your 1Password account password protects your data on your devices. Someone who has access to your devices or backups won’t be able to unlock 1Password without your account password, which only you know.
Your Secret Key protects your data off your devices. Someone who attempts a brute-force attack on our servers won’t be able to decrypt your data without your Secret Key, which we never have.
We also talk in more depth about this in the white paper under the "Malicious processes on your devices" heading ("Locally exposed Secret Keys" sub-heading), which as of writing is on page 74:
Because the Secret Key must be used to derive the user’s AUK it cannot be encrypted by the same AUK or by any key that is directly or indirectly encrypted with the AUK. Depending on client and client platform the Secret Key may be stored on the device using some of the protections offered by the operating system and may be lightly obfuscated. However, it should be assumed that an attacker who gains read access to the user’s disk will acquire the Secret Key
And there is a relevant footnote:
We are deliberately vague about this, as practice may change rapidly from version to version, including different behaviors on different operating system versions
As for your last question:
Also, it would be great to see the whitepaper about how 1password protects locally stored data and its memory.
Agreed; documenting this is a work in progress. I hope these answers are helpful. :)
Ben
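A sketch of the two-secret model described in the reply above, added here as an illustration and not taken from the thread or from 1Password's code: the construction (PBKDF2 of the password XORed with an HMAC of the Secret Key), the iteration count, and every name and value are assumptions. It shows why someone who can read the local disk only has to guess the account password, while someone holding only server-side data would also have to guess the Secret Key.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 10_000  # assumption: kept low so the demo runs quickly


def derive_auk(password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Combine a low-entropy password with a high-entropy Secret Key."""
    from_password = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    from_secret = hmac.new(secret_key, b"demo-auk" + salt, hashlib.sha256).digest()
    # XOR of the two halves: missing either input leaves the output unknown.
    # The Secret Key is an input here, so it cannot itself be wrapped by the AUK.
    return bytes(a ^ b for a, b in zip(from_password, from_secret))


def key_check(auk: bytes) -> bytes:
    """Stand-in for 'authenticated decryption succeeded' under this key."""
    return hmac.new(auk, b"key-check", hashlib.sha256).digest()


def guess_password(candidates, secret_key, salt, check):
    """Return the candidate that reproduces the check value, or None."""
    for candidate in candidates:
        attempt = key_check(derive_auk(candidate, secret_key, salt))
        if hmac.compare_digest(attempt, check):
            return candidate
    return None


# Constructed sample values, not real account data.
SALT = bytes(16)
SECRET_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # stored on device
WEAK_PASSWORD = "correct horse"
WORDLIST = ["password1", "letmein", "correct horse"]
CHECK = key_check(derive_auk(WEAK_PASSWORD, SECRET_KEY, SALT))

# Disk reader: already holds the Secret Key, so only the password is unknown.
local_result = guess_password(WORDLIST, SECRET_KEY, SALT, CHECK)
# Server-side reader: same wordlist, but the 16-byte Secret Key is unknown too.
server_result = guess_password(WORDLIST, secrets.token_bytes(16), SALT, CHECK)

if __name__ == "__main__":
    print("disk access + wordlist:", local_result)
    print("server data + wordlist:", server_result)
```

The practical consequence for the original question is that on a machine being sold or given away, the strength of the account password is the only thing protecting any leftover local data.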