Why Keep Secret Secret Key in 1P

mel66

I am unclear about where to store my Emergency Kit. I have a paper version of it in a safe place away from my computer. I did write in the master password.

I also have a copy of my Emergency Kit in 1P and it includes my secret key and master password. If 1Passwrod had a Last Pass-type of breech, wouldn't it be a bad idea to have my Emergency Kit (with my secret key inside) in 1Password?

Would it be better to have my secret key (but not my master password, email address) somewhere else (like Proton Drive)? So that the email address, master password and secret key were not in the same place? And, I did hear that the secret key could be hidden in a shoe...

Thanks,

---

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser:_ Not Provided

DeeEye

I too would like to know what the Secret Key best practice is. Doesn't appear wise to store this in 1P if you're on 1P8!

Tertius3

I'm saving a copy it in my Onedrive cloud storage. It's the pristine kit with only the secret key. So I have it available in case I'm installing new devices. Login to Windows and to Onedrive works passwordless with Microsoft Authenticator, so when I install the 1Password desktop client as 1st action on a new device, I can point it to the emergency kit to import the secret key. Saves me from manually entering the secret key.

For a real emergency, I also have a printed copy including the account password and mfa qr code.

ag_josephine

Hi @mel66,

If I had to boil this down to a single statement I would say that you can trust storing your information on our server because the data stored there is complete unusable gibberish. And the keys needed to decrypt it are never sent to our servers so even if someone were to steal the data, there's nothing they can do with it. And thanks to our innovative Two-Secret Key Derivation function, even those with a weak account password are protected as the attacker would require your Secret Key before being able to decrypt the data.

This data is encrypted with your account password, but there is no concept of a Secret Key, so in many ways your data is more secure on our servers than anywhere else.

Our security is very open to make sure everyone knows what we're doing behind the scenes, we wrote a White Paper and published it on our website.

Additionally, If you'd like to learn more about the security of 1Password, head over to: https://1password.com/security/

I've also included a link to our How the 1Password Starter Kit items keep you secure blog post.

J_O_D

I am saving my Emergency kit on Onedrive in the locked vault (Microsoft calls it Personal Vault, which could be misleading to some 1Password users:-) ).

mkenright

I understand the assurances provided by the 1Password Team member that the system is completely secure and that there is no risk. I feel better with those representations and assurances, but you don’t provide a response to the subscriber who says: “I trust the security on 1Password, but just the same I am more comfortable storing it exclusively in paper only in my safe deposit box, and deleting any storage of the secret key and password on my account.” I understand the risk that I may die or there may be a problem in a caregiver not being able to access my safe deposit box, but other than that, what’s wrong with doing this? And if there’s no solid reason not to, how do I delete Emergency Kit/password/and secret key from 1Password?

VT1P

The first saved login item in my 1P8 vault is 1Password.com. It has my Username, my Master Password, my Secret Key as a text note, and my Emergency Kit as a PDF. I only need it to log-in to my 1P8 account at my.1password.com. I don't need my Secret Key to open 1Password on my computer.

As far as security, I completely trust 1Password's zero knowledge security set-up, which I understand is completely inaccessible, even to 1Password's top IT employees. I hope I am right! If my 1P cloud vault ever got hacked I would be toast - having someone get my Secret Key would be the least of my problems.

ag_josephine

@mkenright,
There's nothing inherently wrong with removing the Starter Kit/Account credentials from within the 1Password account, as long as you're aware of the risks such as possible inaccessibility, etc which it sounds like you are.

If you'd like to delete this item, you can do so in the manner you would delete other items, locate the item>click the 3 vertical dots on the right hand side>choose delete.

@VT1P,
That's correct, we do not have access to your account information in as if we did that would be a security hole that could be exploited to gain access to your secure information.

This way, no one, not even someone at 1Password, can read your secure data.

For more information you take take a look at our Privacy article:
https://support.1password.com/1password-privacy/

Coka

Save the Secret Key in keepass, database password + certificate or yubikey encryption after uploading to Onedrive, you need to use the download database to decrypt with keepass.