Musings about 1Password's "secret key" feature

If someone sees you typing in your password and steals your phone, if there is a secret key, they still won't have access to your account.

I don't use 1Password on my phone, only as 2FA. So stealing my phone won't give the secret key.


Where would I post the question about Bitwarden allowing a "secret key" option?

If it’s an actual question, you can start your own thread in the Ask the Community forum.

However, if you want to request this as a new feature, just add your vote to the existing Feature Request. The pros and cons of this feature have already been hashed out in extensive discussions (now deleted, unfortunately, although some of it has been preserved in the Internet Archive), so attempting to make a case for or against this feature would be beating a dead horse.


The secret key is both a second factor AND an encryption.

Even if I go to the 1Password team, they cannot override my secret key, because the vault is encrypted with the secret key.

With Google Auth, for instance, the 2FA can be overridden by the vault owner.

So if I gave you my vault and my password, you still could not get into the vault.

Every other 2FA does not help once the vault is stolen. In 1Password, the stolen vault cannot be hacked by ANY BRUTE force.

The reason I bring this up is that I am going back and forth between BW and 1P.

I was wondering the same, but ultimately this is a feature you can achieve by simply ensuring you have a similarly strong master password as the 1pw+key combined.

I think the only benefit for 1pw is that you don’t need to type in the secret key, i.e. you get away with a shorter master password. The disadvantage is that 1pw actually have your secret key stored somewhere (probably encrypted somehow). Personally, I’m content with BW. Coming from 1pw myself, I did however select a slightly longer master password than what I had there.

The other benefit of BW is that you can select a much higher number of KDF iterations, which does improve the security of your master password against brute force attacks. So that helps a lot, too. All based on my understanding of the cryptography!

The secret key alone is adding the equivalent of 21 random characters to your password.
That is 21 random characters, not words, from A-Z, a-z, 0-9, plus the 8 special characters BW seems to allow.
You begin to appreciate how powerful their secret key is. It makes the password of "Password" uncrackable.
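A worked illustration of the mechanism discussed in the last few posts (the combined password + secret key derivation, the KDF iteration count, and the "21 random characters" entropy figure). This is a constructed example added here, not 1Password's or Bitwarden's own code: PBKDF2 followed by HMAC stands in for the real key schedule, and the salt, iteration count, secret key and wordlist are all made up.

```python
import hashlib
import hmac
import math
from typing import List, Optional

# Constructed stand-in for a vault key schedule: the master password is
# stretched with PBKDF2, then optionally bound to a client-held secret key.
SALT = b"constructed-per-account-salt"   # stored with the vault, so an attacker has it
ITERATIONS = 1000                        # kept small so the demo runs quickly

def derive_key(password: str, secret_key: Optional[bytes], iterations: int = ITERATIONS) -> bytes:
    """Stretch the password; if a secret key is supplied, mix it in with HMAC so
    that both the password and the secret key are needed to reproduce the key."""
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, iterations, dklen=32)
    if secret_key is None:
        return stretched
    return hmac.new(secret_key, stretched, hashlib.sha256).digest()

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string drawn from the given alphabet."""
    return length * math.log2(alphabet_size)

def offline_guess(target_key: bytes, candidates: List[str], secret_key: Optional[bytes]) -> Optional[str]:
    """Threat model from the thread: the encrypted vault (with its salt) is stolen,
    so guesses can be checked offline. Returns the candidate that reproduces the key."""
    for pw in candidates:
        if hmac.compare_digest(derive_key(pw, secret_key), target_key):
            return pw
    return None

def demo() -> dict:
    weak_password = "Password"                                            # constructed sample
    secret_key = bytes.fromhex("00112233445566778899aabbccddeeff")        # constructed 128-bit key
    wordlist = ["123456", "letmein", "Password", "qwerty"]               # constructed wordlist
    key_without = derive_key(weak_password, None)
    key_with = derive_key(weak_password, secret_key)
    return {
        # Without a secret key the stolen vault falls to a tiny wordlist.
        "cracked_without_secret_key": offline_guess(key_without, wordlist, None),
        # With the secret key held only on the user's devices, the same wordlist fails.
        "cracked_with_secret_key": offline_guess(key_with, wordlist, None),
        # 8 characters from a 70-symbol alphabet (A-Z, a-z, 0-9, 8 specials): ~49 bits.
        "password_bits": entropy_bits(70, 8),
        # 21 random characters from that alphabet: ~128.7 bits, i.e. a 128-bit secret key.
        "secret_key_equivalent_bits": entropy_bits(70, 21),
    }

if __name__ == "__main__":
    print(demo())
```

Raising `iterations` only multiplies the attacker's cost per guess; the secret key removes the guessable password as the sole input entirely, which is why the two are complementary rather than interchangeable.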