How can I recover my master password when I am the family organizer?

Hello,

I am the organizer of the family which has another member.
I have forgotten my master password, but I have the secret key in my possession and I have access to my e-mail which is linked to my account.

The problem with the account recovery following the instructions here https://support.1password.com/recovery/#begin-recovery is that we're not sure and do not recall what permissions the other family member has, as apparently he cannot find the 'People' tab in the sidebar.

How can we recover the access to my account?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • If you did not name another Family organizer it is unfortunately not possible to restore your account. Did you by chance write down your Master Password on a copy of the Emergency Kit that you stored somewhere safely?

  • @peacekeeper Well, I am not sure if I have promoted him to an administrator, owner or organizer as I do not recall, so I cannot verify or deny it.

    Unfortunately, I only have my secret key, but not the master password.

  • Lars Junior Member

    Team Member

    Welcome to the forum, @thousand_joules! I'm sorry for the trouble. If you gave the other person Family Organizer permissions, then that person will be able to help you recover your account. If you didn't, then that won't be possible. Any other person in the family account can check by signing into their account in a browser, then checking if they see the "People" tab in the right sidebar. If they can't see that, or if they see it but clicking on your name in the list does not give them a "Begin Recovery" option in the left sidebar, then you didn't give that person Family Organizer permissions.

    If you've forgotten your Master Password, there's very little you'll be able to do to access your data or the account management functions of your account, since the Master Password is the one piece of data that's not stored anywhere except your head (even the Secret Key is stored in the browsers/apps you use 1Password with). You can't sign into 1password.com in a browser, and even if you can use Touch ID or Face ID to unlock the 1Password app on one of your devices, you won't be able to change your Master Password without knowing the current one.

    I'd consider trying the steps outlined in this article to see if you can jog your memory or one of those tips works for you. If none of it does, however, then you and everyone else in the 1Password Families account will need to start over. If that turns out to be the case - you've exhausted all options and you're sure you can't recover your account or remember your Master Password, let me know and we can give you some further instructions via email for how the members of your account can salvage as much of your data as you can.

  • Hello @Lars, thank you for your response. I have read through all the tips in the link that you have provided, however I reckon I will have to start from scratch, unless it is possible to elevate the permissions of the other family member through support (provide him with the minimum “Recover Accounts” permission)?

    Would that be possible?

  • Lars Junior Member

    Team Member

    @thousand_joules - nope. It would be both improper and a huge security hole for us to possess the ability to manipulate user privileges in your account or see any of your data. 1Password is designed to protect you -- even from us. The downside to that is, well, what you're experiencing now: if you forget your Master Password or lose your Secret Key...we can't help you. Not because we wouldn't like to be able to help, but because there's no way we know of to grant ourselves that kind of power while also maintaining the kind of privacy and security you expect, deserve and pay for. Wish I had better news. :(

    However, all may not be totally lost. In fact, your other users (presuming they still know their Master Password(s) and Secret Key(s)) can transfer their data to another account or local vault or even export it in unencrypted format, then (after you delete the account) re-import it back into the new one. Are you and your family members using Macs or PCs?

  • @Lars we are using 1pass on Mac, Linux and iOS. How can we proceed with the account deletion and re-creation so that it would be an easy transfer for my other family member (he is using 1pass without issues)? Is it by using local vaults?

    Is it possible to include him in the conversation?

  • ag_ana

    Team Member

    @thousand_joules: one option is to first create a new account, and have your other users move their existing data to their new account. Otherwise, you can have them export their data, at which point you can delete the existing account. It's up to you what you choose.

    But if you want to include him in the conversation, please feel free to email us at [email protected] so we can continue the conversation over there. When you receive your Support ID, please post it here so we can locate your email in the system.

    Thank you!

  • @ag_ana We are ready to start the process, support ID: [#VBH-47423-331]

  • ag_ana

    Team Member

    Thank you @thousand_joules. I confirm we have received your email, so we will get back to you over there as soon as possible.

  • Hi @ag_ana @Lars,

    I'm trying to evaluate 1Password and became curious about the master password recovery feature for the Family Plan.
    As stated everywhere on the website, you never store the master password anywhere.

    > Your Master Password is never shared with anyone, even us at AgileBits, which means that you’re the only person who can unlock your 1Password vaults and access your information

    And it isn't even transmitted over the network during authentication

    > Your Master Password is never stored alongside your 1Password data or transmitted over the network.

    But how is it technically possible to "reset" the password then?
    As far as I understand, the master password (along with the secret key) is used for encrypting and decrypting your password database. But to set a new password (= encrypt the db with another secret), you must decrypt it first. How is that possible if no one except me knows the old password (which I forgot)?

    I can't find this information on your site, so could you explain how it works?
    Thank you in advance

  • DanielP

    Team Member

    @denisdenis:

    This is a very good question! I have answered a very similar one some time ago in this very forum, which I think will address your question too. Therefore, I hope you don't mind if I first refer you to that answer as a first reply to you. You can find that discussion here.

    But should you have any follow up questions, by all means let me know and I will be happy to help clarify things further.

    ===
    Daniel
    1Password Security Team

  • Hi @DanielP ,

    Now it seems a little bit clearer, but I still have some spots which need clarification.

    > every group in 1Password, including the Recovery Group, holds some encryption keys or, more correctly, a public/private key pair.

    So when a new team member joins the family plan, he needs to obtain those keys? Is it really safe to transfer private keys over the internet?

    > At the same time, every vault has a vault key. We encrypt the vault key with the Recovery Group's public key, so the members of the recovery group can decrypt it with the group's corresponding private key

    Does it mean that my private vault key is encrypted by the recovery group's public key?

    > (note that this does not mean being able to access a vault's content, this is something that is enforced by permissions on the server).

    So the ability to decrypt a vault's content with the vault's key is defined at the permissions level somewhere on your servers?

    Sorry for being stupid 🙂

  • DanielP

    Team Member

    @denisdenis:

    > Sorry for being stupid 🙂

    This is absolutely not the case. These are all very, very valid questions.

    > So when a new team member joins the family plan, he needs to obtain those keys?

    Not if they are a regular Team Member, because a Team Member is not a member of the Recovery Group. Therefore, in this specific case, there is no need for the Team Member to access the recovery group's private key.

    But if you were talking about Recovery Group members instead (which I think is what you were referring to), then yes, we need a way for them to access this key pair (more on this in the next section of my post).

    > Is it really safe to transfer private keys over the internet?

    The private key of the recovery group is not transmitted in clear text.

    Let Bob be the name of the member of the Recovery Group. When Bob is made an Admin with recovery permissions, the private key of the recovery group is encrypted with Bob’s public key, so that only Bob will be able to decrypt it.

    > Does it mean that my private vault key is encrypted by the recovery group's public key?

    That is correct. This is what allows the recovery group to perform recovery without knowing your credentials (and knowing your Secret Key and Master Password is something that the recovery group cannot do): recovery is the recovery of the vault keys, not of the account credentials.

    However, and this is an important point, Bob never gets your encrypted key unless you go through recovery. Only the server receives this encrypted key (see step 5 in the "User recovery" diagram on page 41 of the security white paper).

    Nevertheless, we built the 1Password recovery system so that there are additional mechanisms that help prevent a malicious member of the recovery group from doing something that they are not supposed to do:

    1. Having access to the vault key does not mean having access to the encrypted data. Recovery team members do not have access to the encrypted data of vaults that they are not supposed to access (this addresses your concern about your private vault key being encrypted by the recovery group's public key). In other words, having just the key (or, conversely, just the encrypted data) is not enough.
    2. Recovery group members only get the new encrypted keys after the end user has recreated the account, not before. So this only happens with the authorization of the end user (or, in other words, a malicious recovery team member cannot trigger this process without the end user knowing, and completing a series of steps).

    Having said this, I should probably also make it explicit here that any recovery mechanism will inherently lower the security of a system, so there certainly needs to be a level of accepted risk in exchange for the safety net provided by such a solution. There are however mitigating measures (such as the ones I described above) and expected precautions that are listed in our security white paper in the section titled "Recovery Risks" (page 40 in the current version of the document).

    > So the ability to decrypt a vault's content with the vault's key is defined at the permissions level somewhere on your servers?

    This is not defined exclusively through permissions (see my previous section in this post for some more details), but in summary, yes: there are mechanisms on the server to help prevent a member of the recovery group from accessing vault data that they shouldn't have access to. Just because they have access to the keys for recovery purposes, does not mean that they should be able to actually use those keys to access data.
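    A toy model of the key chain DanielP describes (the vault key sealed to the Recovery Group's public key; the group's private key sealed to Bob's public key when he is given recovery rights), added here as an illustration and not 1Password's code. It assumes RSA-OAEP plus AES-256-GCM as the sealing primitives and invents the names Sealed, sealTo, openWith, RecoverVaultKey, Bob and Eve; the white paper's actual primitives and formats are not assumed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Sealed is a hybrid envelope: AES-256-GCM ciphertext plus its data key wrapped with RSA-OAEP for one recipient.
type Sealed struct{ WrappedKey, Nonce, Ciphertext []byte }
func randBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b }
func mustKey() *rsa.PrivateKey { k, err := rsa.GenerateKey(rand.Reader, 2048); if err != nil { panic(err) }; return k }
func gcm(key []byte) cipher.AEAD { // keys here are always 32 bytes, so neither call can fail
	block, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(block); return g
}
// sealTo encrypts plaintext so that only the holder of pub's private key can open it.
func sealTo(pub *rsa.PublicKey, plaintext []byte) Sealed {
	dataKey, nonce := randBytes(32), randBytes(12)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil)
	if err != nil { panic(err) }
	return Sealed{wrapped, nonce, gcm(dataKey).Seal(nil, nonce, plaintext, nil)}
}
func openWith(priv *rsa.PrivateKey, s Sealed) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, s.WrappedKey, nil)
	if err != nil { return nil, err }
	return gcm(dataKey).Open(nil, s.Nonce, s.Ciphertext, nil)
}

// RecoverVaultKey is the unwrap chain from the post: the member opens the Recovery Group's private key with their own key, then the vault key the server released to the group.
func RecoverVaultKey(member *rsa.PrivateKey, groupPrivForMember, vaultKeyForGroup Sealed) ([]byte, error) {
	der, err := openWith(member, groupPrivForMember)
	if err != nil { return nil, err }
	groupPriv, err := x509.ParsePKCS1PrivateKey(der)
	if err != nil { return nil, err }
	return openWith(groupPriv, vaultKeyForGroup)
}
// Demo: Bob (given recovery rights) recovers the vault key; Eve (never given rights) cannot.
func Demo() (bobRecovers, eveFails bool) {
	group, bob, eve, vaultKey := mustKey(), mustKey(), mustKey(), randBytes(32)
	vaultKeyForGroup := sealTo(&group.PublicKey, vaultKey)                         // held only by the server until recovery
	groupPrivForBob := sealTo(&bob.PublicKey, x509.MarshalPKCS1PrivateKey(group)) // made when Bob gets recovery rights
	got, err := RecoverVaultKey(bob, groupPrivForBob, vaultKeyForGroup)
	_, eveErr := RecoverVaultKey(eve, groupPrivForBob, vaultKeyForGroup)
	return err == nil && string(got) == string(vaultKey), eveErr != nil
}
func main() { fmt.Println(Demo()) } // prints: true true
```

    Note that holding the recovered vault key still gives Bob nothing without the vault's ciphertext, which is the server-side permission check DanielP describes.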

  • @DanielP thanks a lot for this detailed explanation!

  • DanielP

    Team Member

    You are very welcome @denisdenis, always a pleasure :)
