Doubt about Secret key

qzn25
Community Member

Hi guys, I have read the articles but there is something that I do not understand.

Does the secret key provide any security? Or is it ONLY a way to recover the account in case of forgetting the password?

My question comes since the secret key is visible within my account. To which I do not see any sense, unless it is only and exclusively for recovery.

Thanks


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided

Comments

  • MerryBit
    Community Member

    I would suggest you read the 1Password security whitepaper here:

    https://1passwordstatic.com/files/security/1password-white-paper.pdf

    Specifically, pages 10-12, "Account password and Secret Key". I think that section explains the Secret Key and its role very well.

  • Ben AWS Team
    Team Member

    Hi @qzn25

    In addition to what MerryBit said, which I think is good advice, I'd like to clarify a couple points:

    Does the secret key provide any security?

    It does, yes. The Secret Key is required in addition to your account password in order to decrypt the data in your account. It is designed to protect the encrypted data stored on our servers. It is not designed to add protection to the data already downloaded to your devices.

    Or is it ONLY a way to recover the account in case of forgetting the password?

    It does not do that. Having the Secret Key would not help you recover from a forgotten account password. Both are required to decrypt your data.

    My question comes since the secret key is visible within my account.

    Only after you've entered it.

    To which I do not see any sense, unless it is only and exclusively for recovery.

    I can understand this perspective, especially if one were to view the my.1Password.com web app the same way one views most other websites — where everything you view is delivered to you by the server. But that isn't how our web app works. Instead, the web app is a client that runs locally within your web browser, and all decryption happens on your device. The secrets (account password and Secret Key) are not sent to the server.

    I hope that helps!

    Ben

  • qzn25
    Community Member

    @Ben I quote a part of the text: "Decrypting your data requires all three of the following: your account password, your Secret Key, and a copy of your encrypted data."

    Sorry for such basic questions maybe, I'm trying to understand how it works (I read the whole article, I learned many things).

    I have this doubt: anyone with my password could see my keys, according to the practice I follow with the software, so why for an emergency kit do I need to give another person my secret key as well? If I leave a paper with my password, and I die tomorrow ... a relative could come to my PC, put in that pass and voilà. What am I missing?

    Again, sorry if they are very basic.

  • Ben AWS Team
    Team Member

    @qzn25

    Not a problem at all; no need to apologize. Your encrypted data and your Secret Key would already be stored on your device, so all that is required there is the account password. The Secret Key is designed to protect the encrypted data stored on our servers, not the data already downloaded to your devices.

    If I leave a paper with my password, and I die tomorrow ... a relative could come to my PC, put in that pass and voilà.

    That's correct. You're not missing anything. In fact that is what we recommend for people who want their heirs to be able to access their accounts.

    Ben

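Ben's point in the replies above (against the server-side copy both secrets are needed, while a device that already holds the Secret Key needs only the account password) as an added Python illustration that is not part of the thread. It is a constructed toy of "two-secret" key derivation, not 1Password's own code or exact algorithm; the password, Secret Key, salt and iteration count are all made-up sample values.

```python
import hashlib
import hmac

# Constructed sample values for illustration only (not real credentials).
ACCOUNT_PASSWORD = "correct horse battery staple"
SECRET_KEY = "A3-EXAMPL-ESECRE-TKEY00-000000-000000"  # high-entropy, generated
SALT = b"constructed-salt-16b"

def derive_vault_key(password: str, secret_key: str, salt: bytes) -> bytes:
    """Combine a low-entropy human secret with a high-entropy generated one."""
    # Password half: salted and stretched, so each guess costs real work.
    pw_half = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    # Secret Key half: already ~128 bits of entropy, so one HMAC suffices.
    sk_half = hmac.new(secret_key.encode(), salt, hashlib.sha256).digest()
    # XOR the halves: recovering the key requires both; neither alone helps.
    return bytes(a ^ b for a, b in zip(pw_half, sk_half))

def make_vault(password: str, secret_key: str) -> dict:
    """What the server stores: salt plus a key-check tag, never the secrets."""
    key = derive_vault_key(password, secret_key, SALT)
    return {"salt": SALT, "check": hmac.new(key, b"key-check", hashlib.sha256).digest()}

def can_unlock(password: str, secret_key: str, vault: dict) -> bool:
    """True only if the derived key reproduces the vault's key-check tag."""
    key = derive_vault_key(password, secret_key, vault["salt"])
    tag = hmac.new(key, b"key-check", hashlib.sha256).digest()
    return hmac.compare_digest(tag, vault["check"])

SERVER_COPY = make_vault(ACCOUNT_PASSWORD, SECRET_KEY)
# A signed-in device caches the Secret Key next to the encrypted data.
DEVICE_COPY = {"vault": SERVER_COPY, "cached_secret_key": SECRET_KEY}

def unlock_from_server_copy(password: str, secret_key_guess: str) -> bool:
    """Someone holding only the server-side data must supply both secrets."""
    return can_unlock(password, secret_key_guess, SERVER_COPY)

def unlock_on_device(password: str) -> bool:
    """On the device the Secret Key is already present: password alone suffices."""
    return can_unlock(password, DEVICE_COPY["cached_secret_key"], DEVICE_COPY["vault"])

if __name__ == "__main__":
    wrong_key = "A3-GUESS0-000000-000000-000000-000000"  # constructed wrong guess
    print("server copy + right password, wrong Secret Key:",
          unlock_from_server_copy(ACCOUNT_PASSWORD, wrong_key))  # False
    print("device + right password:", unlock_on_device(ACCOUNT_PASSWORD))  # True
```

The second print shows why a paper with only the account password is enough for an heir at your own PC, while the first shows why that same password is not enough for whoever holds only the server's copy.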