undefined | Better HN

0 pointsselykg3y ago0 comments

With 1Password you also have a randomly generated secret key. As I recall it’s a 128-bits, but could be wrong.

To access your vault an attacker will need both your master password and the secret key. These are effectively combined to generate your keys for decryption.

This protects against an attacker gaining access to 1Password servers. They can’t control whether you chose an awful password or not. So to protect them the secret key adds a ton of protection for those with weak, reused, or compromised passwords. Even in those cases an attacker needs to guess the secret key alongside the awful password. Using both the secret key and a strong master password is basically the equivalent of making a vault incredibly secure and, uncrackable using todays technology.

This does not protect against local compromise of a device of yours though, as the Secret Key is stored on device and is accessible. This prevents you from having to type it every time.

0 comments

pecheny3y ago

Sorry, I don't get it. The secret key has to be stored somewhere, right? If it's on the server, the attacker gets it together with the vault. If it's on the client, then you lose your phone → you lose your passwords, which is, while secure, very risky and I wouldn't expect it from a company focused on regular customers.

selykgOP3y ago

It’s generated locally when you create your account and not shared with 1Password. Various keys are derived from your master password and secret key.

The secret key is never sent to 1Password and is only used locally.

This is why it’s so much more secure than LastPass, and Bitwarden, and any other cloud hosted solution. I know, I just pissed off all the Bitwarden fans, but it is true.

You must save your Secret Key, but it’s also saved in Apple’s Keychain so there’s a copy there as well.

Finally, if you do lose your secret key, your account can be recovered using the Account Recovery process as long as there is someone else on your account with the appropriate permissions. If you want to know how that works, ask, but it’s sort of lengthy so I’ll skip it for now.

PuffinBlue3y ago

When you setup your 1password account you are provided an ‘Emergency kit’ in the form of a PDF containing this key and other info. You are supposed to save it somewhere secure or print it and place it somewhere secure.

You could save it in a local keepassXC database if you like.

This 128bit key is only saved locally, not on their servers. So contrary to you disbelief, 1Password does actually prioritise security in this manner over focusing on ‘regular customers’.

Its also fairly common to have more than one device, so you would have the key on more than one device as a result too.

poglet3y ago

It sounds like a public and private key pair, like in asymmetric encryption or public-key cryptography. The private key is stored on the client. The private key and users password are both required to authenticate against the public key stored the server.

An attacker would have no success with a dictionary attack (used in the article). Even if the password was in the dictionary, the private key is still missing.

xvector3y ago

No. It's symmetric, not asymmetric. The secret key is a 128-bit key that is effectively concatenated with the master password for master key derivation.

j / k navigate · click thread line to collapse