Isn't having Password and Key stored in Vault a risk? Would hackers see both?

Lanny
Community Member

I've just installed and am on trial. I'm assuming this entry is there for a reason but isn't it a risk?



Comments

  • Hello @Lanny,

    Thanks for contacting us with your question. Allow me to explain why they are stored in your vault.

    On brand new accounts, 1Password leaves a few gifts for our new customers to help them understand 1Password. Instead of signing in and finding an empty vault, you have a few items to help get you started (hence the name). Here's what we create:

    Login item (only for the account owner) – Contains the account Username, Password, Sign-in address, and Secret Key.
    Identity item – Contains the first name, last name, and email address used during account signup.
    Secure note – Contains some helpful links to our support resources and a friendly welcome note.

    Having the account credentials stored in your vault is helpful if you forget your account password and/or lose your other account credentials. For example, if you forget your credentials, you can use a device with biometrics to unlock your device and access your credentials.

    Only you can reveal your account password. 1Password doesn't store your account password in plaintext, but in order for you to view it, it does need to be decrypted. It's inside your vault, encrypted with both your Master Password and Secret Key.

    The reality is that the only way someone could get into your vault would be using the account password. So, since they know it anyway at that point, having it stored inside does not help them at all. It's like keeping a spare key to the safe in the safe: you may want to have one on hand to give to someone if they lose theirs, but you wouldn't want to keep it out in the open. You still need your key to get to it. It's just there for safekeeping.

    Along with having your credentials saved as a Login item, I would suggest that you save your details in your Emergency Kit:

    1. Click your name in the top right and choose My Profile.
    2. Click on the Save your Emergency Kit button. This will prompt you to download a copy of your Emergency Kit.
    3. Click Download. The “1Password Emergency Kit” PDF will be downloaded to your Downloads folder.
    4. Update the PDF with your account password, in the blank password section. (If you cannot update it on the computer, print a copy and update it by hand.)
    5. Print a copy and keep this copy in a safe place. You can also save it to your personal cloud storage, so you always have a digital copy available.

    Let me know if this has been helpful at all. I look forward to hearing from you.

    Jermaine

  • Lanny
    Community Member

    I'm still confused. The reason I'm trying 1Password is because you state the advantage of your system is hackers need my password and the key while with LastPass they only need my password. Having that information in the vault means they really only need my password, same as LastPass.

    Do all 1Password users have password and key in their vaults?

  • Lars
    1Password Alumni

    Welcome to the 1Password Support Community, @Lanny! I'm glad to see someone new here thinking so comprehensively about the security and privacy of their most important data. We do, too.

    In this current case, however, the important part of jermaine.f_1p's ⬆️ response is this:

    > The reality is that the only way someone could get into your vault would be using the account password.

    It's like keeping an extra key to a safe containing valuables...inside the safe itself. You might choose to do this because you want a spare to lend to someone if needed, for example. But keeping the key that unlocks a safe full of valuables IN the safe doesn't pose any additional risk because to obtain it, one would have to be able to unlock the safe already.

    > ...you state the advantage of your system is hackers need my password and the key while with LastPass they only need my password.

    True! We do state that, and it is correct.

    > Having that information in the vault means they really only need my password, same as LastPass.

    The encryption key that actually decrypts your data is derived from a combination of two secrets: your chosen Account Password and your randomly-generated Secret Key. Without both of those, the encryption key cannot be derived and your 1Password data cannot be decrypted. In order to get to that starter kit item containing your Account Password and Secret Key, an attacker would need...your Account Password and Secret Key to decrypt the data. You see what I mean about "keeping an extra key inside the safe?" It's inaccessible unless you already have a way into the safe.

    There is one exception to this, which is that, on your local devices, the Secret Key is stored in app or browser memory, so it is your Account Password which protects you, but that has always been the case: the Secret Key is designed to keep you safe if WE get hacked or breached. If someone steals (or compromises) one of your actual devices, then it is only your Account Password which protects you (because you don't keep that anywhere except your brain). But this isn't a function of the fact that the starter kit item exists; it has always been this way, regardless of the presence of the starter kit item.

    Finally, if you don't want the starter kit item, you always have the option to simply delete it.
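
An added illustration of the point made in the reply above, not part of the original post and not 1Password's actual algorithm or parameters: a simplified two-secret derivation showing that an item holding the password and Secret Key cannot be opened by someone who has only one of them. The PBKDF2/HMAC/XOR combination, the toy HMAC-based cipher, and all names and sample values are assumptions made for this example.

```python
import hashlib, hmac, os

def derive_key(password: str, secret_key: str, salt: bytes) -> bytes:
    """Combine a memorised password and a random Secret Key into one 32-byte key."""
    # Slow, salted stretch of the human-chosen secret.
    pw_part = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    # The Secret Key is random already, so a single keyed hash is enough here.
    sk_part = hmac.new(salt, secret_key.encode(), hashlib.sha256).digest()
    # XOR the halves: the result cannot be computed without BOTH inputs.
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy HMAC-counter keystream standing in for a real AEAD cipher.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _stream(key + b"enc", nonce, len(plaintext))))
    tag = hmac.new(key + b"mac", nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key + b"mac", nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ s for c, s in zip(ct, _stream(key + b"enc", nonce, len(ct))))

# Constructed sample values, not real credentials.
SALT = b"constructed-salt"
PASSWORD = "correct horse battery staple"
SECRET_KEY = "A3-EXAMPLE-000000-00000-00000"
STARTER_ITEM = f"password={PASSWORD};secret_key={SECRET_KEY}".encode()

def starter_item_demo():
    """Try to open the sealed starter item with both, and with only one, secret."""
    blob = seal(derive_key(PASSWORD, SECRET_KEY, SALT), STARTER_ITEM)
    both = unseal(derive_key(PASSWORD, SECRET_KEY, SALT), blob)
    password_only = unseal(derive_key(PASSWORD, "guessed-secret-key", SALT), blob)
    secret_key_only = unseal(derive_key("guessed-password", SECRET_KEY, SALT), blob)
    return both, password_only, secret_key_only

if __name__ == "__main__":
    print(starter_item_demo())
```
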

  • Lanny
    Community Member

    Thanks

  • Lars
    1Password Alumni

    You’re quite welcome, @Lanny - glad I could help clarify.

This discussion has been closed.