Forum Discussion
Former Member
3 years ago
Isn't having Password and Key stored in Vault a risk? Would hackers see both?
I've just installed and am on trial. I'm assuming this entry is there for a reason, but isn't it a risk?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Prov...
Former Member
3 years ago
Welcome to the 1Password Support Community, @Lanny! I'm glad to see someone new here thinking so comprehensively about the security and privacy of their most important data. We do, too.
In this current case, however, the important part of jermaine.f_1p's ⬆️ response is this:
The reality is that the only way someone could get into your vault would be using the account password.
It's like keeping an extra key to a safe containing valuables...inside the safe itself. You might choose to do this because you want a spare to lend to someone if needed, for example. But keeping the key that unlocks a safe full of valuables IN the safe doesn't pose any additional risk because to obtain it, one would have to be able to unlock the safe already.
...you state the advantage of your system is hackers need my password and the key while with LastPass they only need my password.
True! We do state that, and it is correct.
Having that information in the vault means they really only need my password, same as LastPass.
The encryption key that actually decrypts your data is derived from a combination of two secrets: your chosen Account Password and your randomly-generated Secret Key (https://blog.1password.com/what-the-secret-key-does/). Without both of those, the encryption key cannot be derived and your 1Password data cannot be decrypted. In order to get to that starter kit item containing your Account Password and Secret Key, an attacker would need...your Account Password and Secret Key to decrypt the data. You see what I mean about "keeping an extra key inside the safe?" It's inaccessible unless you already have a way into the safe.
There is one exception to this, which is that, on your local devices, the Secret Key is stored in app or browser memory, so it is your Account Password which protects you, but that has always been the case: the Secret Key is designed to keep you safe if WE get hacked or breached. If someone steals (or compromises) one of your actual devices, then it is only your Account Password which protects you (because you don't keep that anywhere except your brain). But this isn't a function of the fact that the starter kit item exists, it has always been this way, regardless of the presence of the starter kit item.
Finally, if you don't want the starter kit item, you always have the option to simply delete it.
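The "extra key inside the safe" argument from the reply above, as an added sketch that is not part of the thread and is not 1Password's code: a vault key is derived from two secrets, and an item holding both secrets is sealed under that key. The function names, iteration count, XOR combination and the toy HMAC-based cipher are assumptions chosen for illustration.

```python
import hashlib, hmac, os

def derive_vault_key(account_password: str, secret_key: str, salt: bytes) -> bytes:
    # Slow, salted stretch of the human-chosen password.
    stretched = hashlib.pbkdf2_hmac("sha256", account_password.encode(), salt, 100_000)
    # The Secret Key is already random, so one keyed hash is enough.
    sk_part = hmac.new(salt, secret_key.encode(), hashlib.sha256).digest()
    # XOR the halves: the result is unknown unless BOTH inputs are known.
    return bytes(a ^ b for a, b in zip(stretched, sk_part))

def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate keys for encryption and authentication.
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(vault_key: bytes, plaintext: bytes) -> bytes:
    # Toy encrypt-then-MAC, standing in for a real authenticated cipher.
    nonce = os.urandom(16)
    ks = _keystream(_subkey(vault_key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(vault_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(vault_key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(vault_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None  # wrong key (or tampered data): nothing is revealed
    ks = _keystream(_subkey(vault_key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

# Constructed sample values, not real credentials.
SALT = bytes(range(16))
PASSWORD, SECRET_KEY = "correct horse battery staple", "A3-CONSTRUCTED-EXAMPLE-KEY"
STARTER_KIT = f"account_password={PASSWORD}; secret_key={SECRET_KEY}".encode()

def attempt(password: str, secret_key: str, blob: bytes):
    # Try to open the sealed item with whatever secrets the caller holds.
    return unseal(derive_vault_key(password, secret_key, SALT), blob)

SEALED_ITEM = seal(derive_vault_key(PASSWORD, SECRET_KEY, SALT), STARTER_KIT)

if __name__ == "__main__":
    print(attempt(PASSWORD, SECRET_KEY, SEALED_ITEM))            # both secrets
    print(attempt(PASSWORD, "guessed-secret-key", SEALED_ITEM))  # password only
    print(attempt("guessed password", SECRET_KEY, SEALED_ITEM))  # Secret Key only
```

Only the first call returns the item; holding just one of the two secrets yields a different vault key and the sealed copy of both secrets stays unreadable.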