This is a two-step verification process that does not rely solely on a password, meaning the hacker needs both your password and the security code to access your account. A one-time random security code is sent via a SMS message, a phone app, an auxiliary device like a token or smart card, or a secondary email address. Create a secret link. Or generate a random password. A secret link only works once and then disappears forever. Sign up for a free account to set passphrases for extra security.
Your Secret Key is 34 letters and numbers, separated by dashes. It’s stored on devices you’ve used to sign in to your account, and in your Emergency Kit. Only you have access to it. Your Secret Key works with your Master Password – which only you know – to encrypt your data and keep it safe.
Your Secret Key is:
- Yours. Everyone has their own unique Secret Key.
- Secret. Your Secret Key was created on your own device. We have no record of your Secret Key and can’t recover it.
Your Secret Key is not:
- A license key or serial number. It’s an encryption key that’s unrelated to your purchase.
- A backup code. It doesn’t let you sign in if you forget your Master Password.
Protect your Secret Key
No one can access your 1Password data without your Secret Key. That includes you, so make sure you’re always able to find it.
- Keep it secret. Don’t send it to us or make it public.
- Keep it safe. Save your Emergency Kit, which contains your Secret Key. Then you’ll be able to find it, even if something happens to your devices.
How your Secret Key protects you
Your Secret Key and your Master Password both protect your data. They’re combined to create the full encryption key that encrypts everything you store in 1Password.
Because you need to memorize your Master Password, it can only be so strong – about 40 bits of entropy on average. Your Secret Key doesn’t need to be memorized, so it can be much stronger. It has 128 bits of entropy, making it infeasible to guess no matter how much money or computing power an attacker has available.
These differences in entropy and memorability allow your Master Password and Secret Key to protect you from different kinds of threats:
- Your Master Password protects your data on your devices. Someone who has access to your devices or backups won’t be able to unlock 1Password without your Master Password, which only you know.
- Your Secret Key protects your data off your devices. Someone who attempts a brute-force attack on our servers won’t be able to decrypt your data without your Secret Key, which we never have.
Like your Master Password, your Secret Key is never sent to us. But because you can’t memorize your Secret Key, 1Password stores copies of it for you, so you can:
- Unlock 1Password without entering your Secret Key every time. It’s stored in the 1Password apps and browsers you’ve used to sign in to your account on 1Password.com.*
- Have peace of mind if you lose a device. Encrypted copies of your Secret Key are stored in your device backups and keychains to provide data loss protection. If you have iCloud Keychain turned on and lose your Mac, iPhone, or iPad, you can restore from a backup and unlock 1Password with just your Master Password. It’s the same for Android backups.
*You won’t be able to find your Secret Key in Safari unless you sign in to your 1Password account at least once every 7 days.
Learn more
The first two characters of your Secret Key are the version number (“A3”) followed by a 6‑character identifier, both of which are known to us and used to aid in troubleshooting.
The Secret Key was called the “Account Key” in previous versions of 1Password, and may still be labeled that way in your Emergency Kit. They are one and the same.
One Password Security Review
To find out more about the format of the Secret Key and how it is used in encryption, check out our 1Password Security Design White Paper