diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7945b93..6166bcc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 
+## [Unreleased]
+
+### Changed
+- Secret keys are now restricted to 128 bits (16 bytes) or 256 bits (32 bytes)
+
 ## [0.2.0] - 2023-08-11
 
 ### Added
diff --git a/src/locales/en.json b/src/locales/en.json
index 3323d65..9a5ba50 100644
--- a/src/locales/en.json
+++ b/src/locales/en.json
@@ -35,6 +35,7 @@
 		"cancel": "@:invariants.controls.cancel",
 		"error": {
 			"invalidBase64": "The key must be a valid base64 string.",
+			"invalidKeyLength": "The key's length must be either 128 bits (16 bytes) or 256 bits (32 bytes).",
 			"invalidSeparator": "The separator must be a single character.",
 			"cameraNotAllowed": "Camera access permission was not granted.",
 			"cameraNotFound": "No camera detected.",
diff --git a/src/locales/fr.json b/src/locales/fr.json
index 74663c2..db9cf68 100644
--- a/src/locales/fr.json
+++ b/src/locales/fr.json
@@ -35,6 +35,7 @@
 		"cancel": "@:invariants.controls.cancel",
 		"error": {
 			"invalidBase64": "La clé doit être une chaîne de caractère en base64.",
+			"invalidKeyLength": "La longueur de la clé doit être de 128 bits (16 bytes) ou de 256 bits (32 bytes).",
 			"invalidSeparator": "La séparateur doit être un unique caractère.",
 			"cameraNotAllowed": "L'accès à la caméra n'a pas été autorisé.",
 			"cameraNotFound": "Aucune caméra détectée.",
diff --git a/src/views/AddAccountView.vue b/src/views/AddAccountView.vue
index 84f224e..da11f2b 100644
--- a/src/views/AddAccountView.vue
+++ b/src/views/AddAccountView.vue
@@ -15,6 +15,7 @@ const separator = ref('+');
 const domainName = ref('');
 const privateKey = ref('');
 const errorMessageId = ref('');
+const authorizedKeyLengths = [16, 32];
 
 const base64Decode = (str_b64) => {
 	try {
@@ -47,6 +48,9 @@ const addAccount = () => {
 				throw new Error('addAccount.error.invalidSeparator');
 			}
 			const key = base64Decode(privateKey.value);
+			if (!authorizedKeyLengths.includes(key.length)) {
+				throw new Error('addAccount.error.invalidKeyLength');
+			}
 			const hash = sha256(`${localPart.value}@${domainName.value}`);
 			const newAccount = {
 				id: base32Encode(hash, 'RFC4648', { padding: false }).toLowerCase(),