How can I require 1Password to prompt for my password for a local vault?

I have a separate vault that I do not want to have unlocked all the time (for banking information, etc.). I want to segregate this information. I have created a separate local vault with a separate password; however, when I lock and unlock 1Password the vault does not prompt me for this password. How can I configure 1Password so that it prompts me for the separate password before the contents of this vault are available? Thanks!


1Password Version: 7.3.657
Extension Version: Not Provided
OS Version: Windows 10 1809
Sync Type: Not Provided

Comments

  • Greg

    Team Member

    Hi @tomgibson,

    Thank you for getting in touch and using 1Password!

    It is not possible to create a separate password for a vault in 1Password. In 1Password 7 for Windows, the master password is based on the first account or vault you unlock with 1Password.

    The thing is that 1Password creates a very strong, local, device-unique encryption key the moment you start using 1Password. This key is then used to encrypt the local 1Password database (which can contain several vaults) stored on your disk, and this key is then re-encrypted with the master password you enter for the first time.

    Think of it like a house key stored within a combination lock (the combination is your master password): you can't unlock the house door until you enter the combination to the lock and then get the key to unlock the door. When you add more accounts or vaults (houses), 1Password puts them in this lock box, which is still protected by the combination; nothing changes.

    Please let me know if it helps. Thank you!

    Cheers,
    Greg

  • This helps explain from a technical point of view, however I am not really sure what the point of having separate vaults is if they are all unlocked at the same time with the same password. I might as well just use one vault.

    I get that if I want to share passwords it's useful and that if I don't want to store passwords on the 1Password cloud it also enables that, but I definitely don't want to share my banking passwords and I wouldn't have a problem storing them on the cloud if I could add an extra layer of access control as I'm confident that the 1Password cloud security is adequate. Maybe I'll use KeePass instead for my banking passwords as then I can keep the unlock separate, but it is a shame as I will have to use two programs to get the job done and I can only envisage that this will get very ugly on mobile.

    Could the ability to require a configurable secondary password unlock for specified additional vaults be added as a feature request? If not then even if the secondary vault password has to be the same, if I could just require that the secondary vault is not automatically unlocked when logging in to 1Password and the master password must be re-entered to unlock it that would probably give me the reassurance I'm after.

  • MikeT Agile Samurai

    Team Member

    Hi @tomgibson,

    I am not really sure what the point of having separate vaults is if they are all unlocked at the same time with the same password. I might as well just use one vault.

    They're not encrypted with the same password on disk though; each vault is encrypted with its own vault key, and each item is encrypted with its own key as well. When you unlock with your master password, you're unlocking a local key that unlocks access to the other vault keys, which can give you access to the entire database. For anyone to get access to all vaults, they must compromise the entire system. At that point, it won't matter if you have two separately protected vaults in two separate programs; they'll see what you're entering in both programs and have access to both passwords.

    but I definitely don't want to share my banking passwords and I wouldn't have a problem storing them on the cloud if I could add an extra layer of access control as I'm confident that the 1Password cloud security is adequate.

    Now we switch from the local machine to the cloud, which has different attack points.

    In this case, 1Password.com has extra security to protect you, and one of those measures is the Secret Key, so you actually have two separate levels of security, your master password and your Secret Key, that both need to be compromised to get access to your 1Password account's data.

    Plus, if you do your banking online, 1Password has the same or better security as these banks, with various encryption protocols in place.

    If you'd like to learn more about how the Secret Key protects you from the cloud storage, please read this: https://support.1password.com/secret-key-security/

    By the way, you can configure the vault settings on the website to not send certain vaults to your devices like this:

    As for why people do separate vaults; it is not for everyone for sure but there are use cases for this:

    1. Archive vault: I have data that I no longer use and I don't need to see it all the time when I'm using 1Password mini. I can move items into an Archived vault and set All Vaults to hide this vault.
    2. Family vaults: I can create shared vaults to invite my family in to share secured data. Some families use this to store passport information, billing and such.
    3. Coworkers, guests: you can create an isolated vault for your contractors, home nurse/babysitters, etc. to invite them as a guest to use your Wi-Fi network, contact information, etc.
       and more.

    As you continue to add more information to 1Password, you may choose to organize the data.

    Could the ability to require a configurable secondary password unlock for specified additional vaults be added as a feature request?

    We do not plan to do this at all, but we'll keep it in mind. We had something like this in the past, but it caused more problems than it solved, such as people forgetting their secondary passwords and being unable to restore access.

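To make the key hierarchy described in Greg's and MikeT's replies concrete (master password plus Secret Key unlocking one local key, which unwraps per-vault keys, which unwrap per-item keys), here is an added, stand-alone model. It is not 1Password's code, and the names, the PBKDF2 parameters and the way the Secret Key is mixed in are assumptions for illustration only; the cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag, a constructed stand-in for a real AEAD so the example runs with only the standard library.

```python
"""Toy password-manager key hierarchy (added example, not 1Password's code).

master password + Secret Key -> KEK -> database key -> vault keys -> item keys
One KEK at the root opens every vault, which is the point made in the thread:
a second prompt for the same password guards nothing the first prompt didn't.
"""
import hashlib
import hmac
import os

KEY_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: bytes) -> bytes:
    blocks = length // 32 + 1
    return b"".join(
        hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(blocks)
    )


def aead_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy AEAD stand-in: 16-byte nonce || ciphertext || 32-byte HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting; wrong key or tampering raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or modified data")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


def derive_kek(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Two-secret derivation (assumed, simplified): the password-derived key is
    mixed with the device-held Secret Key, so neither secret alone suffices."""
    pw_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000, KEY_LEN)
    return hmac.new(secret_key, pw_key, hashlib.sha256).digest()


def build_database(master_password: str, secret_key: bytes, vaults: dict) -> dict:
    """Encrypt {vault: {title: secret}} into a tree of wrapped keys."""
    salt = os.urandom(16)
    kek = derive_kek(master_password, secret_key, salt)
    db_key = os.urandom(KEY_LEN)
    db = {"salt": salt, "wrapped_db_key": aead_encrypt(kek, db_key), "vaults": {}}
    for name, items in vaults.items():
        vault_key = os.urandom(KEY_LEN)               # one key per vault
        entry = {"wrapped_vault_key": aead_encrypt(db_key, vault_key), "items": {}}
        for title, secret in items.items():
            item_key = os.urandom(KEY_LEN)            # one key per item
            entry["items"][title] = {
                "wrapped_item_key": aead_encrypt(vault_key, item_key),
                "data": aead_encrypt(item_key, secret.encode()),
            }
        db["vaults"][name] = entry
    return db


def unlock(db: dict, master_password: str, secret_key: bytes) -> dict:
    """Walk the tree from the root KEK; every vault falls out of the same unlock."""
    kek = derive_kek(master_password, secret_key, db["salt"])
    db_key = aead_decrypt(kek, db["wrapped_db_key"])  # raises on bad credentials
    opened = {}
    for name, entry in db["vaults"].items():
        vault_key = aead_decrypt(db_key, entry["wrapped_vault_key"])
        opened[name] = {
            title: aead_decrypt(aead_decrypt(vault_key, rec["wrapped_item_key"]), rec["data"]).decode()
            for title, rec in entry["items"].items()
        }
    return opened


# Constructed sample data, not real credentials.
SAMPLE_VAULTS = {
    "Personal": {"forum": "not-a-real-password-1"},
    "Banking": {"bank": "correct horse battery staple"},
}


def demo() -> tuple:
    """Returns (all vaults opened, wrong password rejected, wrong Secret Key rejected)."""
    secret_key = os.urandom(KEY_LEN)
    db = build_database("master-password", secret_key, SAMPLE_VAULTS)
    opened = unlock(db, "master-password", secret_key)
    results = []
    for pw, sk in (("wrong-password", secret_key), ("master-password", os.urandom(KEY_LEN))):
        try:
            unlock(db, pw, sk)
            results.append(False)
        except ValueError:
            results.append(True)
    return opened, results[0], results[1]


if __name__ == "__main__":
    print(demo())
```

The structure shows why a per-vault password changes little here: the "Banking" vault key is wrapped under the same database key as "Personal", so whoever can unwrap the root can unwrap every branch. What does separate the vaults is which device a vault's wrapped key is synced to at all, which is the setting MikeT points to above.

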
  • Thanks for your detailed explanation, it's very helpful. I'll have a think about what I want to do. At the moment I rely on physically recording complex banking passwords in a book, and whilst they can't be compromised from my book remotely I am concerned about the risk of losing the book, someone else reading it etc. as well as the fact that most if not all banks forbid doing so which is why I think it's a bad system. Hence my interest in moving away from this arrangement.

  • MikeT Agile Samurai

    Team Member

    Hi @tomgibson,

    Oh, I totally understand! We're full of paranoid folks on our team and constantly worry about this and for our customers too.

    There's a trade-off for every approach and you have to decide on which one you're willing to live with. For me, I know my bank is willing to help even if I get compromised but they tend to want details anyway, so I keep them in 1Password with PDFs and stuff. I am biased anyway but I've been storing everything in 1Password for nearly a decade and I'm actually happy this way because I know I have a central place to go to anytime and I don't have to panic finding stuff in my office to get back on track.

  • lumarel
    edited January 29

    Hey,

    May I be allowed to add some of my paranoia to this discussion as well?

    I'm using two separate vaults for my personal and my work items, so I'm also separating the login passwords for the devices (personal devices, personal-vault password; work devices, work-vault password). There's not really a safety gain so far, because both are connected, but it helps a lot to remind myself which device I'm working on (and also, if somebody wants to crack my vault, only one is affected).
    It would be safer to have to sign in another time if I switch to the other vault :+1:

    I know this wouldn't be requested by a lot of people, but maybe you could consider it for the future feature list :chuffed:
    And I think it doesn't need to be enabled by default; maybe just a switch in the vault settings (a per-vault setting, for all except the primary), like "vault paranoia mode" :lol:

  • MikeT Agile Samurai

    Team Member

    Hi @lumarel,

    I'm not sure if you missed it in my post earlier, but you can do that already:

    It's platform-based for now but we might be able to expand this to device specific in the future.

  • lumarel
    edited January 29

    Hey @MikeT,

    I don't think you remember, but I'm one of the guys with a local-vault license ^^
    So, I'm speaking about features for local vaults; I know you don't really prefer this way anymore.
    So the paranoia mode refers to the password needed for the second vault :+1:

    But I have to admit, a really great feature :chuffed:

  • MikeT Agile Samurai

    Team Member
    edited January 29

    Hi @lumarel,

    No, I didn't remember, sorry.

    There are no plans to do that, but we may have an idea for profiles. You could switch databases, but we don't know if that'll ever happen.

  • Hi @MikeT,

    (No problem, with this number of users that was to be expected.)
    For me this is just a "nice to have", but it sounds like a helpful solution :+1:

  • MikeT Agile Samurai

    Team Member

    :+1: Yep, whatever we do, we'd like to make it consistent for both accounts and standalone vaults as much as possible. Profiles would be the way to go in my opinion, but it is very difficult to do this on mobile, which is why we're not all for it at the moment.

  • lumarel
    edited January 29

    I'm really pleased to hear that :chuffed:
    It might need a lot of discussion, but maybe some time in the future there will be enough time to do something like profiles :+1: Thanks

  • MikeT Agile Samurai

    Team Member

    No problem!

  • such as people forgetting their secondary passwords and can't restore access to it.

    I also have all the casual things, including some banking/credit logins which I have been letting Chrome store,
    along with 800 web page and forum logins where I really don't care if someone impersonates me.

    I have other things that I have kept in a manually encrypted file in Dropbox, readily accessible with gpg from Linux/Windows/...
    I wanted to put them in 1Password, but I don't want them unlocked as soon as I unlock 1Password-X for the casual logins.

    I don't need it to be a separate password, but I would like an additional prompt, much like Google does when I try to invoke certain activities when I am already logged in to Google. Same password, prompted again.

    All of the replies refer to how well encrypted the data vault is, including the first thread I found, closed in 2010.
    That ignores what the users are trying to accomplish, and I'm not sure it pertains at all to the request.
    This is engineers counseling the users on how best to use a product, instead of providing a feature that has been requested for 10 years.

  • Greg

    Team Member

    Hi @ClarDold,

    Thank you for chipping in! Your feedback is really interesting. Could you please elaborate on your needs?

    In my opinion, an additional prompt for your Master Password within 1Password (when your main vault is already unlocked) will not add any additional security to your data in 1Password. If a bad actor has already unlocked 1Password, it means that they know your Master Password, and they will be able to enter that password a second time if we prompt for it.

    On the other hand, if we prompt for a different password within 1Password, it will result in a lot of confusion. We have had similar requests in the past, e.g. see this discussion in a different thread.

    Thanks in advance!

    ++
    Greg

  • A bad actor didn't unlock my 1Password. I did, for casual web site logins.
    The bad actor has no idea what my Master Password is, and would fail a challenge.

    The idea that everything is unlocked at once is contrary to proper security protocols.
    IBM requires multiple levels of security, with challenges at different entry points after the initial login.
    Google agrees. I occasionally get a challenge to enter the password that I already entered.
    Microsoft Windows gives a password challenge for certain activities, and I enter the same password that I used at login.
    Ubuntu also challenges, requiring reentry of the same password that I already used for login, for administrative actions.

    I see no value in the other thread you linked. It is a customer asking a similar question, and being told no.
    The flippant answer that you would have to change the name of your program is embarrassing. (already, in the face of 2FA.)
    Each of the other threads being closed to further comment is awkward.

  • bundtkate

    Team Member

    Older threads get closed as things evolve, @ClarDold. What was true in 2010 is simply not true any longer in many cases and we don't want folks looking back at posts from 2010 thinking that info is current. Nothing about closing those threads prevents the same questions or requests from being raised again, nor does it prevent the info there from being found, but it does make it less likely folks will stumble upon outdated info since those posts won't have any new activity.

    Regarding your use case, however, could you maybe provide an example of what threats you feel this will protect from? To use Windows as an example (since it's one case I feel I have a full understanding of here), it will prompt for an admin password for certain things, but the purpose there is to prevent a normal user with lesser permissions from taking actions reserved for admins. It can also prevent an attacker able to gain user-level permissions from engaging in admin-restricted tasks. An attacker can get user-level access without your admin password. Similarly, standard users also won't (or shouldn't anyway) know your admin password. In this way, asking for it protects you from a defined threat. In 1Password, there is simply no way at all for anyone to unlock anything in your vault without your Master Password, so asking for it twice doesn't seem to protect against the same sort of threat to me. But, I could easily be missing something here and I'm sure you're not exclusively seeking to draw direct analogies. What threat are you seeking to combat? Perhaps that will help us better understand why this is important to you.

  • In each of the analogous cases of being challenged for a password, the password that I am entering again is the one I used to log in.
    I am sure that your product offers perfect security, but it does not operate the way I have been trained over the years.
    It would seem that a few users on this forum, from time to time, have a background similar to mine.

  • Greg

    Team Member

    Hi @ClarDold,

    We are always open to feedback regarding new features, so your suggestion is really appreciated. At the moment, it is not possible to do what you want in 1Password; it is not designed for things like that. However, if you share examples of the threats that you want to eliminate with this feature, I will make sure to pass them along to our team and we will have an internal discussion. Thank you! :+1:

    Cheers,
    Greg
