Secret Key questions

edited June 6 in iOS

Hello, I had a few questions about the secret key.

  1. According to the docs, the secret key is a secret unknown by AgileBits.

Using the iOS app, I have no way to reset the secret key. I noticed the website does have this ability. How does AgileBits not know my secret key when I generate it on the website?

  1. According to the security white paper:

Master Password changes don't change keysets
A change of Master Password or Secret Key does not create a new per- sonal keyset; it only changes the Master Unlock Key (MUK) with which the personal keyset is encrypted. Thus an attacker who gains access to a victim’s old personal keyset can decrypt it with an old Master Pass- word and old Secret Key and use that to decrypt data that has been created by the victim after the change of the Master Password.
Your mitigations
A user’s personal keyset may be replaced by voluntarily requesting that their account be recovered. This will create a new personal keyset which will be used to re-encrypt all of the vault keys and other items which were encrypted with the previous personal keyset.

Is this the same recovery that family members can do for each other?

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Ios
Sync Type: Not Provided


  • ag_anaag_ana

    Team Member

    Hi @Gears!

    I just wanted to let you know that I have sent both your questions to the security team ;) We will get back here as soon as possible.

  • LarsLars Junior Member

    Team Member

    Hey there @Gears! Lars from the Security team here. You're correct that the 1Password applications do not have the ability to regenerate a user's Secret Key.

    How does AgileBits not know my secret key when I generate it on the website?

    The short answer is: you don't generate it "on the website," you generate it in your local browser, and your Secret Key is never transmitted to us.

    How do we accomplish this? Through the use of SRP - Secure Remote Password. If you're interested in a deeper dive into how SRP works its magic to allow you to enter your Master Password and Secret Key into our website without us ever learning what either of those secrets are, you can read about it on our blog, or in Appendix B of our white paper, but essentially SRP allows our server to know that you are you -- and allows your local client (1Password app or browser session) to know that the server it is communicating with is genuine -- by means of a verifier which can only be computed by knowing certain secrets, but for which the secrets themselves do not need to be divulged, shared or transmitted -- and from which those secrets cannot be reverse-derived.

    Is this the same recovery that family members can do for each other?


Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file