Reset/Change the Account Secret key
I know about the role of the secret key for a 1Password Account, that it acts as a second half of your password to increase the entropy of the user's password.
One of the members in a family subscription got their printed letter of the secret key stolen without the master password being noted anywhere. Now the master password was not that super awesome, but acceptable since the secret key was protecting it. The master password was now immediately changed and improved to a very secure one.
My question is: What is the recommended or safest way possible to change/reset the secret key? I assume requesting the family organizer to reset the account is one way. But is there any risk of losing any data inside the private vault of that account?
BR
Comments
-
Hello @Tabaluga! 👋
I'm sorry to hear that your family member was the victim of theft. If they had their Secret Key stolen but still have access to their account then they can regenerate the Secret Key by using 1Password.com:
- Have your family member log in to their 1Password account on 1Password.com (in the browser, not the app).
- Have them click on their name in the top right and choose My Profile.
- Click Regenerate Secret Key.
- Have them enter their account password, then click Regenerate Secret Key.
Once this is done make sure that they download and save a new copy of their Emergency Kit.
I hope that helps! 🙂
-Dave
0 -
Hi Dave, thank you.
Now that you mention the functionality it seems obvious, but we weren't thinking of regenerate secret key as change or generate new secret key. I am not sure why. 😄 Anyhow, thank you very much, everything worked out.
0 -
@Dave_1P I am in the habit of changing site passwords on a periodic basis. But never thought of changing the Secret Key for 1Password.
Back in 2014 when I first subscribed to 1Password there was no Secret Key, but there was a like User License. Question: Is it a recommendation that the Secret Key be changed on a periodic basis? I have read many articles on this forum site about the security in place with the use of the Secret Key and Account Password. In the case of a stolen Secret Key as experienced by @Tabaluga I can see the need to change it immediately. Otherwise, I think (based on the articles mentioned) that the need does not exist. Am I correct in my thinking?
As a separate note, I do refresh my 1Password Account Password when I perform my annual review of security.
0 -
There's no need to change the Secret Key unless you suspect that someone else might have access to it because one of your devices has been compromised or it might have otherwise been stolen.
I also don't recommend the practice of regularly changing your passwords. Instead I recommend that you change your passwords if one of the following conditions is met:
- The password for a website/account is not a secure and unique password generated by 1Password.
- 1Password's Watchtower sends you a warning that your password for a website/account has been reused or was found in a data breach.
You can read more about how Watchtower helps you keep your passwords safe here: Use Watchtower to find passwords you need to change
Regular password changes for no other reason but because an amount of time has passed are no longer recommended as a security practice by many cybersecurity experts and organizations such as the National Institute of Standards and Technology (NIST).
-Dave
0