Allow me to tell you a brief story — a story in which you (yes, you) are the protagonist.
You signed up for 1Password, opened the app, and noticed there were items in your newly created vault. You revealed the item fields to find your Secret Key and account password.
You didn’t create the item and know 1Password doesn’t have your credentials; you understandably wonder what happened — and how.
Sound familiar? You’re in the right place. In this article, I answer those very legitimate questions, in order, for bonus points, and address a couple others that may be lingering in the back of your mind.
Let’s start at the beginning.
Here’s what happened
You’ll find the fields empty in the Identity item — they’re left for you to complete. Add your name, address, phone number, email address, and any other personal information you want at hand to quickly fill online forms.
The Login item is completed for you. It contains everything you need to sign in to 1Password: the email address you used to sign up, your Secret Key, and the account password you chose during setup.
Both items are secured the way every other 1Password item is secured — with end-to-end encryption that requires both your Secret Key and account password for decryption. Together, the items form your 1Password Starter Kit.
Why it happened
Your completed Identity item lets you quickly and safely fill basic personal information in a variety of web forms. If you save nothing else in 1Password for the rest of your life (not recommended), you’ll save time and hassle with that one item.
The Login item is created to help you access your account on 1Password.com. If you need to sign in to make an account change, you can easily fill that complex, intricate, and very specific Secret Key with a click or keyboard shortcut, rather than digging around in the app, revealing the information, and performing a copy and paste.
But there’s more to the item’s creation than convenience: It can also keep your 1Password account details secure. Thanks to inbuilt phishing protection, 1Password will only autofill saved credentials if you’re on the site those credentials were created for.
So, imagine a world where you don’t have a Login item for 1Password.com. You receive a sophisticated phishing email that appears to be from 1Password. You click the button in the email and enter your login details, manually or by copy and paste, then sign in — to 1pasword.com. You just shared all the information needed to decrypt your vault and everything in it with… who knows? That’s the point.
Thankfully, you do have a Login item for the one-and-only 1Password.com. If you were to follow the link in the same phishing email, your login details wouldn’t be autofilled. And if you attempt to fill them, 1Password wouldn’t immediately oblige. Instead, you’d be notified that something is amiss, and given a gentle reminder to verify the website and form before you fill and transmit any information. Phew.
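The host-matching rule behind that behaviour, as an added sketch (not 1Password's actual code): the saved item's website is compared with the page's parsed hostname, never with what the link or page looks like. The function names, the "offer"/"warn" labels, the sample URLs other than the two domains named above, and the subdomain rule are assumptions made for the illustration.

```javascript
// Added illustration; not 1Password's implementation.
// Parse a URL and accept it only if it is a well-formed https URL.
function parseHttps(raw) {
  try {
    const u = new URL(raw);
    return u.protocol === "https:" ? u : null;
  } catch {
    return null; // unparseable input is never a match
  }
}

// Assumed rule: a saved host matches itself and its own subdomains only.
// The leading dot stops "evil1password.com" from matching "1password.com".
function hostMatches(savedHost, pageHost) {
  return pageHost === savedHost || pageHost.endsWith("." + savedHost);
}

// "offer": suggest the saved Login item for filling on this page.
// "warn":  do not suggest it; if the user tries to fill anyway,
//          ask them to verify the website and form first.
function autofillDecision(savedUrl, pageUrl) {
  const saved = parseHttps(savedUrl);
  const page = parseHttps(pageUrl);
  if (!saved || !page) return "warn";
  return hostMatches(saved.hostname, page.hostname) ? "offer" : "warn";
}

// Constructed sample pages, checked against the Starter Kit Login item.
const SAVED_ITEM_URL = "https://1Password.com/";
const SAMPLE_PAGES = [
  "https://1password.com/signin",          // the real site
  "https://start.1password.com/",          // subdomain of the saved host
  "https://1pasword.com/signin",           // lookalike from the story above
  "https://1password.com.login.example/",  // real name used as a subdomain label
  "https://1password.com@1pasword.com/",   // real name in the userinfo part
  "http://1password.com/signin",           // not https
];

for (const page of SAMPLE_PAGES) {
  console.log(autofillDecision(SAVED_ITEM_URL, page).padEnd(6), page);
}
```

Only the first two sample pages are offered the item; the rest fall through to the warning path because the comparison runs on the hostname the URL parser extracts, not on the visible string.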
And let’s just put it out there: Occasionally people forget their account passwords. (Not you. Other people.) Provided they can still unlock 1Password via biometrics or other means, they can reveal (and change) their password — after they find it in the Login item.
How it happened, and other concerns
Your Starter Kit items are created on your device. 1Password — the software, not the company — has the ability to save your Secret Key and account password because you generated or entered them on that device.
You must have access to our credentials if you create the Login item! - Anyone who reads this far in the article (and many redditors)
You use your Secret Key and account password to locally encrypt and decrypt your data, so the software can be instructed to save that information the way it saves any other login. We — 1Password the company — have never had, and will never have, access to your Secret Key (beyond the first eight characters) or the unencrypted (readable) version of your password.[2]
But the Login item stores my Secret Key and account password together on my device! - You (probably)
That’s true, but only you have the tools to decrypt that information. What are those tools? Your Secret Key and account password.
Sure, that makes things a bit cyclical — you need your Secret Key and account password to unlock 1Password and access the Starter Kit item that contains your Secret Key and account password. But the item remains useful in the situations I described earlier.
So technically anyone with access to my device can steal my credentials? - You (maybe)
Not necessarily. If someone has local access to your device, 1Password is still protected by your (unique and secret) strong account password.
But there isn’t a password manager on the market that can protect you from someone who knows your account password and has full access to your device — and the knowledge (and desire) to use them for nefarious purposes.
It’s also you we’re talking about here — you have a device passcode and biometric unlock enabled, and full-disk encryption set up. (And, no, 1Password doesn’t store your biometric data, either.)
One more question
Will the Starter Kit items always be part of 1Password? I don’t know if they’ll be generated for every new user until the end of time. But whatever happens — no matter what’s revealed when you open 1Password the first time — know that it was designed and coded with our users, and their security, in mind.
When we programmed 1Password to automatically create a Login item that contains your account details, we isolated the process to your device so the data starts and stays protected. You’re the only person who will ever see your Secret Key or know your account password unless you choose to share them.[3]
If you’ve made it here, you’re likely curious and security conscious and, I suspect, you demand the utmost from the companies with which you entrust your most private information. And you absolutely should.
Continue to ask the hard questions: the whys and the hows. Your questions are often the impetus for articles like this one. Articles that have the ability to inform others who, like you, expect and deserve the highest levels of transparency and integrity of 1Password.
The company and the software.
[1] Individuals and 1Password Family members start with two items; 1Password Business customers (and those who join a business) receive one Starter Kit item.
[2] One exception exists: A 1Password employee will see the information if you voluntarily include either detail in a support request. Please don’t! ♥︎ When this occurs, the customer is instructed to change their password and/or regenerate their Secret Key immediately, and we remove the information from our ticketing system.
[3] Seriously, please don’t.