2 Comments

"1Password is a mature, paid alternative to LastPass that is unique in that in addition to using a master password, it requires an additional Secret Key when attempting to access your password vault."

Is the Secret Key required to decrypt the vault or only to access it? For example, if a hacker got access to the vault through a backdoor, like they did with LastPass, would they need both the master password and the Secret, or only the password? 2FA is a Secret, but it isn't required to decrypt the vault after you access it.

author

Hey Steve! The Secret Key is required for both decrypting the static vault as well as to access it, e.g. via the browser plugin.

This means if the attackers nicked your password vault like they did in the LastPass attack, they couldn't decrypt it - even if they knew your master password - because they don't have that Secret Key, which is stored on your device.

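The property the author describes above (a stolen vault plus the correct master password is still not enough to decrypt it) as an added example in Python. This is a simplified model written for this thread, not 1Password's code: the vault key is the XOR of a PBKDF2 hash of the master password with an HKDF expansion of a device-held Secret Key, and the HMAC-based stream cipher is a stand-in for a real AEAD such as AES-GCM. The salt, password, vault contents and attacker's guessed key are all constructed sample values.

```python
import hashlib
import hmac
import secrets


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256."""
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = hmac.new(prk, t + info + bytes([i]), hashlib.sha256).digest()
        out += t
        i += 1
    return out[:length]


def derive_vault_key(master_password: str, secret_key: bytes, salt: bytes,
                     iterations: int = 100_000) -> bytes:
    """Two-secret derivation: both the password and the Secret Key are needed."""
    # Secret 1: slow hash of the human-chosen password (resists guessing).
    pw_part = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)
    # Secret 2: the high-entropy Secret Key that never leaves the user's device,
    # stretched with HKDF (no slow hash needed, it is not guessable).
    sk_part = hkdf_expand(secret_key, b"vault-secret-key", 32)
    # XOR them: an attacker holding only one half learns nothing about the key.
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from HMAC-SHA256 (stand-in for AES)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with keys split from the vault key. Returns nonce||ct||tag."""
    enc_key = hkdf_expand(vault_key, b"enc")
    mac_key = hkdf_expand(vault_key, b"mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(vault_key: bytes, blob: bytes):
    """Returns the plaintext, or None if the key is wrong (tag check fails)."""
    enc_key = hkdf_expand(vault_key, b"enc")
    mac_key = hkdf_expand(vault_key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong key: nothing is released before authentication passes
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


VAULT_CONTENTS = b'{"site":"example.com","pw":"hunter2"}'  # constructed sample vault


def demo():
    """Returns (plaintext recovered with both secrets, result with password only)."""
    salt = b"constructed-salt-0001"        # constructed; real systems use a random per-user salt
    secret_key = secrets.token_bytes(32)   # lives only on the user's device
    password = "correct horse battery staple"  # constructed sample master password

    vault_blob = encrypt_vault(derive_vault_key(password, secret_key, salt), VAULT_CONTENTS)

    # Attacker model from the thread: the encrypted vault (and salt) were exfiltrated
    # from the service, and the master password is somehow known, but the Secret Key
    # was never stored server-side, so the attacker can only guess it.
    guessed_secret_key = secrets.token_bytes(32)

    with_both = decrypt_vault(derive_vault_key(password, secret_key, salt), vault_blob)
    password_only = decrypt_vault(derive_vault_key(password, guessed_secret_key, salt), vault_blob)
    return with_both, password_only


if __name__ == "__main__":
    ok, stolen = demo()
    print("with both secrets:", ok)
    print("with master password only:", stolen)
```

The design point is in `derive_vault_key`: because the Secret Key is mixed into the key itself rather than only gating access, a copy of the encrypted vault taken from the provider is useless without it, which is what distinguishes it from a second factor that is checked at login and then never touches the decryption key.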