The only feature of 1Password that matters is that their business dies overnight if they get hacked, so they’ve thought harder about security than anyone you know.

You can’t vibe code that in two evenings no matter how much you ask Claude to “make it secure”.

@carnage4life 1Password encrypts even the names of your bookmarks, so even if your data is stolen, both your passwords and metadata should be safe (assuming your password is strong).
@jemonat Even if your password isn't that strong, 1Password uses an additional secret to produce the vault encryption key, so I think it should still be pretty safe as long as that isn't exposed. @carnage4life
@internic @carnage4life Cool, not sure I knew or remembered that. I didn’t want to lull people into a false sense of security if they used a weak password.

@jemonat Yeah, they call it your "Secret Key":
https://support.1password.com/secret-key-security/

This is an extra layer of protection for the vault when it's stored on the 1Password servers that helps ensure resistance to offline password cracking and also makes the strength of the password less critical. It was one of the things that made me think their security model was suitably paranoid. 😄

But, yeah, I still totally agree that people absolutely should make a strong master password! You're putting a *lot* of eggs in that basket, so you still want to make sure that only you can access it, and on your own devices only the password is required to access the vault (I believe a copy of the Secret Key encrypted with just the master password is present there). I was only meaning that the copy on the server side is a bit safer. There may also be other caveats depending on what account recovery options you have enabled.

@carnage4life
