Why do I have to type in the master password even if "do not unlocked" is checked???

edited January 17 in 1Password X

Hello,

yesterday I started using 1password with the strong intention to use it in the future, as well. I spent 2 hours of creating new passwords and the next day I wanted to use it on my Windows pc.

Now the software prompts me to type in the master password even if I set "do not unlock" in the settings! This is absolutely a no go for all day usage. On smartphone the problem doesn't exist because we have face detection (or fingerprint). But on Windows/Linux desktop I have to type in the master password after every computer restart.

This practice is even hard for me as a software developer, but I planned to use the software also for my parents (both 60 years old) to solve the problem of lost passwords for each and every website/app. For them this is simply ridiculous and not doable in practice.

Why does the checkbox "do not unlock" not have any effect (on browser and on desktop app)? Is there any way to solve the problem (e.g. a hardware solution using dongle, fingerprint on Windows, ...)?

I already had the credit card for the 1Password subscription in my hand but so I can't simply make it :-(

Thanks in advance.

Bye The_Unknown


1Password Version: latest
Extension Version: latest
OS Version: Windows 10, Ubuntu 16.04, iOS 12, ...
Sync Type: Not Provided

Comments

  • Hi @The_Unknown,

    By "do not unlock" do you mean you have the setting Automatically lock 1Password disabled? If that is what you are referring to, that only applies after 1Password X has been unlocked for the first time that day.

    The 1Password vault is encrypted and it only resides on disk in an encrypted state. With 1Password X, any time you terminate the browser entirely or restart the device it will mean the Master Password is required to unlock once more. With 1Password for Mac and 1Password for Windows, if paired with the companion extension the browser restarts won't cause an additional request for the Master Password as the locked state is controlled by the application which is running all the time.

    1Password 7 for Windows supports Windows Hello but I do need to stress, that these aren't a complete replacement for your Master Password and I would go as far as to say that you need to repeatedly use the Master Password so that you do not risk forgetting it. We have seen this happen for people that only used 1Password for iOS. The Master Password isn't about authentication, it's decryption and there is no backdoor, no way for anybody here at 1Password to unlock your data for you. As I'm sure you understand, any backdoor is a weak point and it will eventually be exploited.

  • I understand, but this practice makes it impossible to use the software with a strong and long password. I cannot type in a 32 character monster each and every system restart. If I'd use a Mac and mobile devices only, Face-ID/Touch-ID would do the job for me, but on Windows it's way more complicated.

    Besides that: Forgetting about the master password. Mhm, if I print the emergency pdf and write the master password on it as advised by the pdf, this is simply not a problem. Of course, I should store this on multiple devices.

    What would your advice be for my parents who definitely can't remember a 32 char password anymore and have Windows computers?

  • Hi @The_Unknown,

    As somebody who types a ~30 character Master Password every time 1Password locks, let alone once every system restart I can't agree that asking for it as infrequently as once a restart is that bad.

    It's worth noting that a 1Password account only stipulates a minimum of a 10 character password and that it alone is not enough if somebody is attempting to attack our server, that's where the secret key comes in to augment the Master Password.

    While some of the UI (User Interface) features of 1Password X would probably be appreciated by your parents, if typing a password frequently would be a dealbreaker they would probably want to use 1Password 7 for Windows with the companion extension until such a time that 1Password X can be unlocked by the client. My recommendation is based on the fact that unlike macOS, Windows likes to terminate the browser when you close that last window which would mean 1Password X locks every time that happens. The browser can still be running without a window in macOS so it isn't as bad there.

    If 1Password didn't ever require unlocking it would mean either we're not encrypting your data or the Master Password is being stored somewhere. On the Apple side we use the secure enclave that comes with any device supporting Touch/Face ID and something similar on Windows for Windows Hello. Given what is stored in a vault I just don't see us ever leaving things so wide open that 1Password is basically not offering any protection against unauthorised access.

  • „If 1Password didn't ever require unlocking it would mean either we're not encrypting your data or the Master Password is being stored somewhere“

    —> I don‘t think so. What about a token login which is often used with API accesses? After unlocking with the master password a token is generated and stored (cookie e.g.). If a token exists, 1Password unlocks using this token for let‘s say 1 month. After that time one must type in the master again. This way neither my data is unencrypted nor is the master password stored anywhere.

  • Hi @The_Unknown,

    A token won't work though, that's only useful for authentication. The only thing that will allow you to decrypt are the encryption keys. On Touch/Face ID devices we have to store the encryption key in the secure enclave given both forms of biometrics are themselves authentication only and if it weren't for the work Apple did relating to the secure enclave there's no way we would have considered it. Your fingerprint isn't unlocking your vault, it's our trust in Apple that means we allow 1Password to retrieve securely stored data to unlock if the operating system tells us authentication was successful.

    In theory you could encrypt all of your data with a second key, call that key a token and store the token in a cookie to roughly implement what you're suggesting. Here though, there would be the overhead of decrypting and encrypting all of your data with the second key and really it wouldn't be any different from storing your Master Password in plain text in a cookie. I'm sure you agree that would be bad on a scale that ought to be unimaginable for a security company.

  • The token would only have a limited validity in terms of time. That‘s the difference ;-)

    I understand your arguments though.

    All in all I nevertheless think this necessity is what keeps many users away from using a password manager. What might be a solution at least for my case would be Windows Hello. I‘ll think it over.

    Thanks for your time ;-)

  • Greetings @The_Unknown,

    The way you're viewing the token; storing it in a cookie, an expiry date, all of that is based on the idea that our server is transmitting your data and all we do is authenticate. The server key, that is about authentication but the Master Password, this is decryption. You can't put an expiry date on an encryption key, all you could do is re-encrypt the entire database with a new key but if somebody was to access the machine copy the key and the encrypted database then it doesn't matter how often you change keys or if we added some pseudo security with the idea of time-limited passwords, they can use any third party tool to decrypt the data using the stolen key because it will always allow a person to decrypt that copy of the data no matter how much time passes or what you do to your data afterwards.

    Our server only handles encrypted blobs of data and we never transmit anything that would allow us to decrypt it. So there isn't something server-side we can have in place. Any service that can reset a password is either authentication only or they maintain a set of accessible keys and in both scenarios a user should be asking themself, can I trust the protection they have in place? I wouldn't, not if they have a method of helping users in the manner I describe.

  • Ah, I understand the difference between authentication and decryption you mean.

  • Hi @The_Unknown,

    We see a lot of confusion and it's understandable. As soon as you use the word encryption everything is about the maths and details and the only way to have a discussion is to be pretty much neck deep in it all. Before we introduced the concept of 1Password accounts at all we had people asking us to add 2FA to 1Password for the standalone vaults and we had to keep saying no, it would be completely security theatre. Any implementation would only exist in the client and so anybody could take the encrypted database and decrypt using a third party library, instantly bypassing the appearance of that second layer. Pretty much each time it was raised you could guarantee it wouldn't be a quick conversation because it's all so much about the details and why they are important.

    I would go as far as saying somebody able to communicate all of these concepts to us mere mortals (myself included) has a knack as it's definitely an art :smile:

  • Hello again,

    I have a last question concerning that topic. Maybe the following would be possible and I'm interested in the technical feasibility:

    Maybe it would be possible to use a smartphone to unlock 1Password X. Of course I know, the Browser API doesn't let the add-on out of the sandbox. But what about the following:

    The prompt for the master password opens up in the 1Password X browser extension and then I click a Face-ID-icon. This triggers the 1Password iOS app to send a push notification to the smartphone using the same account both in Chrome and in the iOS app. Then an authentication takes place using Face-ID (as it would when using the iOS app on device). If this is successful, a POST request containing the master password is sent over HTTPS to the 1password server which is propagated also using HTTPS to the user's Chrome extension again (I think this is the critical part since the master password doesn't stay only local).

    This would solve the issue that we don't have good fingerprint/face recognition devices in non-mobile devices (see amazon ratings for proof ;) ). Also an access to the OS level would not be necessary in the 1Password browser extension and the solution would work on any platform able to run 1Password X.

    Would that be possible or am I missing something?

  • Hello @The_Unknown,

    From a purely technical standpoint I'm sure there could be code written that would perform such an action but there's no way we would ever consider it I'm afraid. All the hidden stuff none of us see surrounding the security of 1Password accounts was explicitly designed so your Master Password was never transmitted. That is a secret that should never leave the device for any reason, not even with good intentions. This holds true of even the web interface, the Master Password doesn't leave the browser.

    We are investigating the possibility of a locally running copy of 1Password somehow sharing its locked state with 1Password X and whilst I don't know the details (so crucial) the little I am aware of means there's been a huge number of discussions about what might work, what we could never allow and masses of complexities. All of that when 1Password X and the native application are on the same device and can communicate directly. It's very tricky and far easier to get wrong if you're not careful than it is to get it right.

  • „That is a secret that should never leave the device“

    I assumed that sadly ;) But thanks for your feedback. In the end I‘ll go with Dashlane for my family and myself. Here I can cache the login for 14 days. I can live with that.

  • ag_sebastian 1Password Alumni

    Hi @The_Unknown. :smile:

    Thanks for letting us know, using a password manager is much better than not using one, regardless of the company that makes it. I hope your choice works out well for you and your family. We'll be here should you ever change your mind. :)

  • dteare Agile Founder

    Team Member

    Good news, @The_Unknown!! 1Password X now has Desktop App Integration on Mac! It means you can have more flexibility with your auto-lock settings and you'll be able to restart Chrome and have 1Password X unlock automatically. 🎉

    Check out our recent beta announcement for details on how to set things up so you can use Touch ID on your Mac. Support for Windows and Windows Hello will be coming in a future release.

    If you're feeling adventurous, please give the beta a try and let us know how it goes. 😘

    ++dave;

  • Hi - I am new to 1 Password (still on the trial version) and am fine with remembering a long password and using it often. The problem is that when I type the password into the desktop icon it says it is incorrect. I then have to go to the website and log in and everything works. This is the same on two different Windows 7 computers (one with Chrome and one with Firefox). I have changed the Master password if this has any impact.

  • brenty

    Team Member

    @Shirl36: Thanks for reaching out. I’m sorry for the confusion! It sounds like you've set up the app differently, with a local vault, with a different Master Password than the one you set up for your account. There is no problem with trying multiple times, but you will only be able to unlock the app by entering the correct Master Password for the first vault/account you set up there. Alternatively, if you changed it on the website but not in the app, that may need to be updated. Can you tell me if your data is in a Primary (local) vault ("on this computer"), or is it all in your account when you sign into the website?

  • I seem to have fixed the problem by reinstalling the app and the browser extension. All data is on the website.
    So if I understand correctly - if I change the master password on the website, I also need to change it separately on the browser?

    Thank you

  • brenty

    Team Member

    @Shirl36: It really depends on your setup, and I don't really have any info on that. Anyway, glad to hear that you were able to get it sorted, but we're here if you need us. :)
