master password and secret key security

gsw
Community Member

I have been using 1password (version 4) for Windows and WLAN syncing with my iOS devices. I would like to encourage my family members to use a password manager, so I have signed up for a 1password families membership. I had been avoiding the cloud so far because I worry that if my master password and secret key are leaked (e.g. by phishing) it would be quite disastrous. Is my concern misplaced? I am aware of two-factor authorisation to protect 1password accounts, but I'm unsure how keen the less tech-savvy members of my family would be to adopt it.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:Leaked secret key

Comments

  • ag_ana
    1Password Alumni

    Hi @gsw!

    My apologies for the late reply! Your post must have slipped through the cracks :( I wanted to send you a quick update to let you know that I have asked our security team to chime in on this when they have a moment 👍

  • Lars
    1Password Alumni
    edited January 2021

    Hi @gsw - Lars from the Security Team here. It would certainly be both unfortunate and a real risk if your Master Password and your Secret Key were to be obtained by attackers, but that risk isn't limited to 1password.com accounts. If you can envision an attacker sophisticated enough to socially engineer you into divulging not only your Secret Key but your Master Password as well - which should live only in your head and never be typed or pasted anywhere except into a 1Password application or the 1password.com website - then it seems reasonable that such an attacker could also do the same to get you to divulge the password you use for your user account on your computer, or simply get you to click a malicious link or attachment somewhere that would allow the attacker to install all manner of remote access software right onto your local device.

    I'm not mentioning these things to suggest that it's futile to even try to defend yourself against digital attack on your private data, quite the contrary! The point is that if your reasoning for not using a 1password.com account is that you might be tricked or socially engineered into giving away your Master Password, then the same reasoning would apply to your own local assets as well.

    Fortunately, neither of those possibilities need be considered likely scenarios if you practice good (and relatively simple!) security measures consistently. There's an unofficial saying around here that security is a process, not a product. No piece of hardware nor software (not even 1Password) is capable of protecting your data under all conditions, 100% of the time, if you are not practicing good security measures as well. 1Password can function quite well as the centerpiece of a good digital security strategy, but you (the user) are always the most important component of your own security. Fortunately, the things that help keep you safe aren't overly complicated, difficult to remember or time-consuming. And most of them are probably things you already know, like keeping your software and your OS up to date. Most of the hacks that are carried out today are a result of attackers probing systems for unpatched vulnerabilities. When a vulnerability is discovered, vendors patch it, but such a patch only works if you apply it by updating your device(s). Don't click on links or attachments on unfamiliar or untrusted websites or in emails you weren't expecting to receive. Check the digital security certificates (HTTPS) of the websites you visit. Never give away your Master Password or the password you use to unlock your user account on your computer. There are a few other helpful things, but the point is: none of them are magic or available only to the technically advanced.

    To answer your question about multi-factor authentication, 1Password does indeed offer MFA for 1password.com accounts. It can be turned on in the settings when signed into the account in a browser. You'll need an authenticator app such as Microsoft Authenticator, Google Authenticator or Authy, etc. to be able to set it up. And yes, in a situation such as the one you imagined, where a malicious person had managed to obtain both your Master Password and your Secret Key but not a copy of your data, having MFA turned on for your 1Password account could provide the last barrier that would prevent someone from remotely obtaining your encrypted data from our servers and decrypting it. But your best defense against breach of any data protected by a password is to not share that password with anyone, or leave it written either on paper or digitally where others might discover it, just as it has always been.

This discussion has been closed.