Jeffrey GoldbergDec 28, 2022

I and my employers, #1Password, have never directly criticized a competitor before. But #LastPass's claim that it would take "millions of years" to crack the data made available from the breach needed to be addressed explicitly.

I also take the opportunity to explain why 1Password's distinct security architecture would keep users safe if we were to be breached.

https://blog.1password.com/not-in-a-million-years/

Not in a million years: It can take far less to crack a LastPass password | 1Password

How 1Password goes above and beyond to protect you in the event of a data breach.

1Password Blog
Show threadRyan ScullenDec 30, 2022
@jpgoldberg so I have a question - when you say the device generates the secret key, how do other devices get access to the account if you don’t have a copy of the secret key to pass into the new device being added ti the account?
Or is it that each device has a secret key and joins the chain of trust for the account by using the account ID + master password? Perhaps the post could be updated to explain there are multiple secret keys?
Show threadChris Johnson
@rscullen @jpgoldberg There’s a single secret key per 1Password account. If you want to add an additional device to your account, you must tell it the secret key. There are a number of ways to do this. The new device can scan a QR code displayed in 1Password on the first device (or on a piece of paper that you previously printed), or you can type it in manually. On Apple devices, the secret key is synced among your devices via iCloud Keychain, if you have it enabled.
Dec 30, 2022 at 8:51pmWeb
Show threadRyan ScullenDec 30, 2022

@captainslim @jpgoldberg thanks for this.

For some reason I got it in my head that the secret key was an “account number”, and the real secret key was behind the scenes obfuscated from the user, but at no point in the UI does 1P say that so I don’t know where that thought came from lol. Makes sense now that I’ve looked at my account screen again. Cheers.

Show threadJeffrey GoldbergDec 31, 2022
@rscullen @captainslim The A3-XXXXXX is not secret, and is an identifier, but the rest of it is, indeed, the secret of your Secret Key.