undefined | Better HN

Skip to content

Top Best Ask Show New Jobs

0 pointschrisweekly5y ago0 comments

"they might be able to get your master password, but that doesn't mean they gain access to anything"

I can't be the only one who finds that to be small comfort; isn't it sensible to respond, "if my 1Pwd master pwd is stolen, I must treat the vault as if it had been exposed"?

0 comments

5 comments · 2 top-level

a10c5y ago· 3 in thread

Not really. At least not in the 1Password case.

Having access to the 1Passswrd Master Password and your entire encrypted vault still doesn't get the attacker what they need. To decrypt your vault, you also need to know the 128 bit secret key which is also used in the encryption strategy that is stored offline (e.g. on a piece of paper in your safe or via another already authenticated device)

https://support.1password.com/secret-key-security/

This is not true for the standalone version of 1Password.

movedx5y ago

It’s 100% true of the standalone version of 1Password because there is only one version of 1Password - the standalone version.

Everything else interacts with it.

Your secret key is still required to decrypt passwords via the desktop application (which is the only version - everything else interacts with this.)

a10c5y ago

The article is about Cloud-based Password Managers.

lazide5y ago

With the current well designed systems, it isn’t the case however. That password is important (one of several factors), but you can’t get access with only that information. It is also something that is easy to change with no retroactive access abilities.

j / k navigate · click thread line to collapse