What's the purpose of the Secret Key?
I read the relevant sections of the white paper and I get the impression that it's ultimately equivalent to adding 128 bits of entropy to the Master Password. Is this true?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
@TristanBerger: Sort of. It is 128 bits of entropy, and it is used along with your Master Password to encrypt your data. But it doesn't technically strengthen your Master Password. It's a small distinction, but its purpose is to protect you from brute force attacks against your Master Password in the event that your encrypted data is stolen from us. If your data were encrypted with "only" your Master Password, then an attacker could use password lists or random guesses to try to guess your actual Master Password. But because the data is also encrypted with the Secret Key, that would be impossible; they would have to guess both. I hope this helps. Be sure to let me know if you have any other questions! :)
So if I understand correctly, the Master Password is used to encrypt the data that is synced with the server? The Master Password itself is not synced in any way?
Correct. Both the Master Password and the Secret Key are used in the encryption process and the Master Password is not synced in any way. The Secret Key may be synced via iCloud Keychain, but is never transmitted to our servers. All encryption and decryption happens on your devices.
Ben
they would have to guess both
That's the part I was looking for, thank you. I couldn't think of a way that an attacker who guesses both wouldn't know he'd gotten them right, but wasn't sure.
Right; though I'd say "guessing" a Secret Key is highly improbable. They look something like this:
A2-A3ABCD-123456-12345-12345-12345-12345
So guessing one that is even a valid Secret Key for someone seems a bit ridiculous, let alone guessing the valid one for a specific account that you also have guessed the correct Master Password to? Hmm. With what we know about today's humans and technology I think we can say the chances of that are very very close to zero.
The only way to know you've got them right is to attempt to log in to 1Password using them (you'd need email address, sign-in address, Secret Key, and Master Password) or to try to decrypt a copy of someone's vault that you have also somehow obtained. In that case you'd need the Secret Key and Master Password, though if you have the means to steal the vault you also likely have the means to steal the Secret Key. As such we still recommend using a strong Master Password, even when using a 1Password membership and having the benefits that the Secret Key does provide.
Ben
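An added example, not code from 1Password or the white paper, illustrating the two points made above (the key is derived from both the Master Password and the Secret Key, and the only way to tell a guess is right is a successful decryption). The derivation and cipher are simplified stand-ins (an assumption, not 1Password's actual construction), and all values are constructed.

```python
import hashlib
import hmac
import os

# Toy stand-in for deriving one key from a Master Password plus a 128-bit Secret
# Key (assumption: simplified, not the white paper's exact construction).
def derive_key(master_password: str, secret_key: str, salt: bytes) -> bytes:
    pw_part = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000)
    sk_part = hmac.new(salt, secret_key.encode(), hashlib.sha256).digest()
    # XOR the two halves: a correct password alone reveals nothing about the key.
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for ctr in range((length + 31) // 32):
        out += hashlib.sha256(b"enc" + key + nonce + ctr.to_bytes(4, "big")).digest()
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption: hash-based stream cipher plus an HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes):
    """Return the plaintext, or None when the tag fails (wrong key; nothing else leaks)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def wordlist_recovers(blob: bytes, salt: bytes, secret_key: str, wordlist):
    """Offline guessing against a stolen vault copy, as the thread describes: the only
    signal that a guess is right is a successful decryption. `secret_key` is whatever
    the guesser holds (possibly wrong). Returns the matching password or None."""
    for guess in wordlist:
        if decrypt(derive_key(guess, secret_key, salt), blob) is not None:
            return guess
    return None

# Constructed sample values, not real credentials.
SALT = bytes(range(16))
MASTER_PASSWORD = "correct horse battery staple"
SECRET_KEY = "A2-ABCDEF-000000-00000-00000-00000-00000"
VAULT = encrypt(derive_key(MASTER_PASSWORD, SECRET_KEY, SALT), b"login: alice / hunter2")
WORDLIST = ["password", "letmein", MASTER_PASSWORD, "Tr0ub4dor&3"]
```

With the real Master Password sitting in `WORDLIST`, `wordlist_recovers(VAULT, SALT, "", WORDLIST)` still returns None, because no candidate key verifies without the Secret Key; only with `SECRET_KEY` does the correct password decrypt.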