In the wake of LastPass’ security incident in December 2022, clients have asked me how vulnerable their 1Password password vaults would be if the vault were stolen. The short answer is that the vault would be very secure. For more details, please check out 1Password’s recent blog post about how 1Password protects your data. Additionally, check out 1Password’s article about their security model.
Thanks for your thoughts on 1Password. I’m considering moving from LastPass. One thing confuses me, though. I opened my account on my Mac and got my “secret key.” I assumed I would have to enter that key on a new device in order to decrypt the data. But I simply downloaded 1Password to my iPhone, entered my user name and password, and voila, I had all my passwords on the phone. How does the extra layer of encryption protect me? Thanks.
I’m not sure I can give you the answer you’re looking for. It’s been a while since I set up 1Password on an iPhone. In the past I think 1Password facilitated setup by letting one scan a QR code. I’m not sure if that’s still an option.
That said, in my experience one needs to type in both the Secret Key and your master password when setting up a new device. Subsequently, each time you open 1Password on a device, you only need to type in your master password.
You can think of the Secret Key as an additional 34 characters appended to your master password that you don’t need to type each time. It is stored on your device, but not on 1Password’s servers.
The Secret Key and master password are both used to encrypt your vault, greatly increasing the strength of the encryption. This protects you in the event that an attacker gets hold of your encrypted vault from 1Password’s servers.
1Password’s description of the Secret Key may be more useful: https://support.1password.com/secret-key-security/
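To illustrate the point made in the reply above (a device-local Secret Key combined with the master password when deriving the vault encryption key), here is an added example that is not code from the original post or from 1Password. The key-derivation scheme, the 26-character alphanumeric Secret Key and the iteration count are assumptions chosen for illustration, not 1Password's actual parameters.

```python
import hashlib
import hmac
import math
import secrets
import string

# Assumption: the Secret Key is drawn from uppercase letters and digits.
SECRET_KEY_ALPHABET = string.ascii_uppercase + string.digits


def generate_secret_key(n_chars: int = 26) -> str:
    """Generate a machine-made Secret Key once, to be stored on the device only."""
    return "".join(secrets.choice(SECRET_KEY_ALPHABET) for _ in range(n_chars))


def secret_key_entropy_bits(n_chars: int = 26, alphabet: str = SECRET_KEY_ALPHABET) -> float:
    """Entropy an attacker must search if the Secret Key is unknown to them."""
    return n_chars * math.log2(len(alphabet))


def derive_vault_key(password: str, secret_key: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Illustrative two-secret KDF (assumption, not 1Password's exact construction).

    The human-chosen password is stretched with PBKDF2, then the high-entropy
    Secret Key is mixed in with HMAC. Anyone holding only the server-side data
    (salt plus encrypted vault) has to recover BOTH secrets to get this key.
    """
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return hmac.new(secret_key.encode(), stretched, hashlib.sha256).digest()


def key_matches(password: str, secret_key: str, salt: bytes, expected_key: bytes) -> bool:
    """Constant-time comparison, as a verifier would use when unlocking the vault."""
    return hmac.compare_digest(derive_vault_key(password, secret_key, salt), expected_key)


if __name__ == "__main__":
    # Constructed sample values for demonstration only.
    salt = b"constructed-salt-for-demo"
    device_secret_key = generate_secret_key()
    vault_key = derive_vault_key("correct horse battery staple", device_secret_key, salt)
    print(f"Secret Key adds about {secret_key_entropy_bits():.1f} bits on top of the password")
    # Same password, different Secret Key: the derived key does not match.
    print("unlock without the device's Secret Key:",
          key_matches("correct horse battery staple", generate_secret_key(), salt, vault_key))
```

Running it shows that the derived key is only reproducible with both the master password and the device-held Secret Key, which is why an encrypted vault copied from a server is not unlockable by password guessing alone.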