What's the purpose of the Secret Key?

TristanBerger
Community Member

I read the relevant sections of the white paper and I get the impression that it's ultimately equivalent to adding 128 bits of entropy to the Master Password. Is this true?

Comments

  • AGAlumB
    1Password Alumni

    @TristanBerger: Sort of. It is 128 bits of entropy, and it is used along with your Master Password to encrypt your data. But it doesn't technically strengthen your Master Password. It's a small distinction, but its purpose is to protect you from brute force attacks against your Master Password in the event that your encrypted data is stolen from us. If your data were encrypted with "only" your Master Password, then an attacker could use password lists or random guesses to try to guess your actual Master Password. But because the data is also encrypted with the Secret Key, that would be impossible; they would have to guess both. I hope this helps. Be sure to let me know if you have any other questions! :)

  • RoWi69
    Community Member

    So if I understand correctly, the Master Password is used to encrypt the data that is synced with the server? The Master Password itself is not synced in any way?

  • @RoWi69

    Correct. Both the Master Password and the Secret Key are used in the encryption process and the Master Password is not synced in any way. The Secret Key may be synced via iCloud Keychain, but is never transmitted to our servers. All encryption and decryption happens on your devices.

    Ben

  • TristanBerger
    Community Member

    "they would have to guess both"

    That's the part I was looking for, thank you. I couldn't think of a way that an attacker who guesses both wouldn't know he'd gotten them right, but wasn't sure.

  • Right; though I'd say "guessing" a Secret Key is highly improbable. They look something like this:

    A2-A3ABCD-123456-12345-12345-12345-12345

    So guessing one that is even a valid Secret Key for someone seems a bit ridiculous, let alone guessing the valid one for a specific account whose Master Password you have also guessed correctly? Hmm. With what we know about today's humans and technology I think we can say the chances of that are very, very close to zero.

    The only way to know you've got them right is to attempt to log in to 1Password using them (you'd need email address, sign-in address, Secret Key, and Master Password) or to try to decrypt a copy of someone's vault that you have also somehow obtained. In that case you'd need the Secret Key and Master Password, though if you have the means to steal the vault you also likely have the means to steal the Secret Key. As such we still recommend using a strong Master Password, even when using a 1Password membership and having the benefits that the Secret Key does provide.

    Ben
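
The following is an added toy model of the point made in AGAlumB's reply and in Ben's last post; it is example code written for this thread, not 1Password's own code. It derives the vault key from both the Master Password and a 128-bit Secret Key (PBKDF2 of the password XORed with an HKDF expansion of the Secret Key, the overall shape 1Password's white paper describes), then runs the same offline wordlist attack against a password-only vault and a two-secret vault. Everything else is a simplifying assumption: the HMAC-based stream cipher and tag stand in for AES-GCM so the script runs with only the standard library, the iteration count is deliberately low, the salts and the Secret Key format are made up, and the sample record and wordlist are constructed.

```python
"""Toy two-secret key derivation (added example; not 1Password code).

Models the thread's claim: because the vault key depends on BOTH the Master
Password and a 128-bit Secret Key, an offline guess at the Master Password
cannot be confirmed against a stolen vault unless the Secret Key is also held.
Cipher, salts, iteration count and Secret Key format are simplified assumptions.
"""
import hashlib
import hmac
import os
import secrets
from typing import Iterable, Optional

PBKDF2_ITERATIONS = 10_000  # assumption: kept low so the demo is fast


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """Minimal HKDF (RFC 5869) extract-then-expand with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_key(password: str, salt: bytes, secret_key: Optional[bytes]) -> bytes:
    """Derive the 256-bit vault key.

    secret_key=None gives the password-only model (guessable offline). With a
    Secret Key, the password-derived half is XORed with an HKDF expansion of
    the Secret Key, so neither secret alone determines the key.
    """
    pw_part = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, 32)
    if secret_key is None:
        return pw_part
    sk_part = hkdf_sha256(secret_key, salt, b"toy-two-secret-kdf", 32)
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a stand-in stream cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption: keystream XOR plaintext, then an HMAC tag over nonce||ct."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the tag does not verify (wrong key)."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def offline_guess(blob: bytes, salt: bytes, candidates: Iterable[str],
                  secret_key: Optional[bytes]) -> Optional[str]:
    """Attacker model: test each Master Password candidate against a stolen blob.
    A guess is 'confirmed' only if the derived key makes the tag verify."""
    for guess in candidates:
        if decrypt(derive_key(guess, salt, secret_key), blob) is not None:
            return guess
    return None


def demo() -> dict:
    """Encrypt one record both ways and run the same wordlist attack against each."""
    salt = os.urandom(16)
    secret_key = secrets.token_bytes(16)  # 128 bits of entropy, as in the thread
    master_password = "correct horse battery staple"
    wordlist = ["password", "letmein", "correct horse battery staple", "Tr0ub4dor&3"]
    record = b"login: example.com / hunter2"  # constructed sample vault record

    pw_only_blob = encrypt(derive_key(master_password, salt, None), record)
    two_secret_blob = encrypt(derive_key(master_password, salt, secret_key), record)
    return {
        # password-only vault: the correct wordlist entry is confirmed by the tag
        "password_only_recovered": offline_guess(pw_only_blob, salt, wordlist, None),
        # two-secret vault, attacker without the Secret Key: the right password is in
        # the list, yet no guess can be confirmed
        "two_secret_without_sk": offline_guess(two_secret_blob, salt, wordlist, None),
        # same attacker who also stole the Secret Key: back to a plain password search,
        # which is why Ben still recommends a strong Master Password
        "two_secret_with_sk": offline_guess(two_secret_blob, salt, wordlist, secret_key),
        "legit_decrypt": decrypt(derive_key(master_password, salt, secret_key), two_secret_blob),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Running it shows the three outcomes side by side: the password-only vault gives up the password to a four-word list, the two-secret vault gives nothing to the same list without the Secret Key, and the moment the attacker also has the Secret Key the problem collapses back to guessing the Master Password.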
