Multiple Vaults: secondary vault unlocks automatically

tompave

I've been using 1Password on my personal macs for years, where I have only one vault (henceforth: personal_vault).

I've recently installed it on my work mac computer too, where I created a distinct main vault (henceforth: work_vault) that contains all my work-related accounts. Of course, work_vault has a different master password.

I later decided to add my personal_vault as a secondary vault on my work computer.

I accomplished this easily: I was already syncing and backing up personal_vault through Dropbox, and I followed the instructions in this article to add it as a secondary vault to the computer I use at work.

It works. Now my work computer has work_vault as the primary one, and personal_vault as the secondary one.

There is a problem, though: unlocking work_vault will automatically unlock personal_vault too. This means that with just the work_vault password I have access to both vaults. Sounds really weird, because it means that 1Password is either:

• not encrypting personal_vault,
• or storing its password somewhere on disc.

The other way around it works as expected: if, after opening the application, I start by unlocking personal_vault, switching to work_vault will require me to type its password.

Is this a bug? How can I solve it?

tompave

bump

Megan

Hi @tompave,

1Password's new multiple vault feature was designed so that you still only have to remember one password, no matter how many vaults you create. Your primary vault holds the encryption keys for all of your secondary vaults. This means that unlocking your primary vault will give you quick and easy access to all of your data, regardless of which vault it is stored in.

However, you still can unlock a secondary vault on its own. In the main app, use 1Password > Switch Vault menu. (In the 1Password mini, click on the lock image on the lock screen to select the secondary vault.) Please note that when you unlock the secondary vault alone, all other vaults will remain locked. You won't be able to copy items between vaults, and you will need to enter your Master Password to view another vault.

tompave

Hello @Megan‌, thank you for the explanation.

Yes, I see why it can make sense, but I still believe that keeping vaults completely separate would provide an extra layer of security.

After all, if a user wanted to have access to everything with just one password (pun not intended), they would just use a single vault. :-)

Anyway, I think that I will swap the vaults, so that my personal_vault will be the primary one (and will always require a password) and my work_vault will become the secondary one.

Megan

Hi @tompave,

Thanks so much for the feedback here. I'm glad that my explanation helped! :)

vikaspell

I second @tompave‌ i would also like the vaults to remain unaccesable if the passwords are not entered.
there are so many uses if it is like this...
why have multiple vaults when if the security layer does prevent its access

Jasper

Hi @vikaspell,

Thanks for the feedback! I'll let our developers know that you're interested in this change. :)

horseman

Conversely those that are migrating from a single to multiple vaults may well initially appreciate the single Master password approach which potentially means an option in Primary Vault to use either method perhaps?

Jasper

Hi @horseman,

If the developers add this function, it would most likely be an option like you mentioned.

Thanks for the feedback!

Marc Bernstein

Hi @Megan‌, add my vote to the concept of not automatically unlocking secondary vaults. I have a primary vault that I created which has my personal items and I share it with my wife via dropbox. I have created a secondary vault for my work items that I will not share. However, I realized that my wife would now have access to all of my work passwords if she uses my laptop while its at home and opens my primary vault, to which she has the password since we share it. Not a likely scenario since she has her own computer, but an unacceptable risk for me.

Really, I should have the option to force the entry of my secondary vault password in order to open it. Or, give users the option to have it either way if you want to still provide the convenience. You can call it 1password for all vaults or 1password for each vault, but it's still 1password :)

Jasper

Thanks for the feedback, Marc! :)

tompave

Hi, I wanted to followup with what I did to setup 1Password on my systems.

Again, I will use personal_mac and work_mac to identify the machines, and personal_vault and work_vault to refer to the 1Password vaults.

The starting point was:
personal_mac configured only with personal_vault, backed up with dropbox.
work_mac configured with work_vault as the primary vault, with personal_vault added later as secondary vault, synced through dropbox. On this machine, unlocking work_vault would also unlock personal_vault, which I wanted to avoid.

I started by removing personal_vault from work_mac. The related data remained safe and sound on my personal_mac and on Dropbox.
I then exported work_vault to a 1pif file (File > Export > All Items) and reset 1Password following these instructions. Jusr remember that 1pif files are not encrypted, and must be deleted once you're done.

With 1Password on work_mac in a clean state, I proceeded to setup personal_vault as the main one, and I did so by creating a new empty vault with the same master password as personal_vault, and then setting up dropbox sync by pointing it to the agilekeychain file in Dropbox.

Next, I setup work_vault as secondary vault. Again, I created an new empty vault on work_mac and then imported the 1pif file I exported earlier (remember to delete the file once you've done this). This time, when creating the new empty vault I could choose any password, because I imported unencrypted data.

With work_vault successfully re-created as a secondary vault, I configured it to sync to Dropbox, pointing it to a different file from the one used by personal_vault. I could then use the new agilekeychain backup file to import work_vault on my personal_mac.

Now I have the same situation on both computers, with personal_vault as the primary vault, and work_vault as the secondary one. Both vaults synch independently through Dropbox.
Of course the master password of personal_vault still unlocks both of them, but I can live with this: on work_mac I'll use work_vault 98% of the time, and I just wanted to be sure that my personal data would remain locked.

tompave

I also found that it is indeed possible to achieve complete separation of the vaults. I also see that other users manifested their interest in this feature.

All that is required is to create an empty primary vault that will never be unlocked directly. It's advisable to configure it with a very strong and long password, since you won't use it often anyway.

Then, it's just a matter of adding all other vaults as secondary vaults of the primary empty one.
This ensures that all vaults will not be able to unlock each other, although it might be tedious to manually select a vault each time 1Password starts (since the primary vault is always selected by default).

Megan

Hi @tompave,

I'm so glad to hear that you have found a solution that works for you! Thanks so much for sharing it here.

:)

Syzygies

I'm astonished that Agilebits is surprised at this feedback. I wrote them well before this feature was released to describe exactly the scenario in Agilebits' "what's new" blurb for 1Password4:

"Have to handle your parents’ finances but want to keep that separate from your own stuff?"

So I use 1P to log into Facebook at work, so I can post a picture of my half-empty coffee cup. Of course the default is "lock after 5 minutes" so that 1P is actually useful for such inane purposes. I step away from my desk, and a co-worker drains my parents finances. My brother and sister sue me for being too stupid to fog a mirror, and they deserve to win in court.

Megan

Hi @Syzygies‌

Thanks for taking the time to share your thoughts. I've asked our security expert @jpgoldberg‌ to give a bit more of a technical explanation about our reasoning here.

However, I have a few general tips that could help keep your data more secure in a shared office environment:

• Stricter locking settings (in Preferences > Security) could help: mine are currently set to lock after 1 minute of inactivity, and as long as I continue to use my computer, 1Password stays unlocked for me, but I know it will close quickly when I step away.
• Control-Option-Command-L will lock 1Password immediately if you are stepping away from your desk.
• Because vaults are synced individually, you do have the option of not syncing a particularly sensitive vault.

Of course, this doesn't fully address your original concern, so we'll leave that for the expert. ;)

peter.m.calloway

Hi team.

I am a happy user of 1password, but I am surprised on how your handle the security of a secondary vault.

Storing the encryption key of the secondary vaults in the primary vault is very dangerous, when you share a secondary vaults with someone.

It means that the robustness of the secondary vault dos not depend on how long and complex the passphrase is, but how long and complex is the primary passphrase of your counterpart.

Dangerous.

Example: I want to share sensitive infos with my wife (banks details, etc) but her primary password is less secure than the one of the shared vault.
Result: the security of the secondary vault depend on the strengh of her primary password.

Jasper

Hi Peter,

Thanks for the feedback! I'll pass this along to our developers.

However, I think if you shared a secondary vault with someone, and the vault uses very complex master password, the other user would likely store the secondary vault's master password as an item in their primary vault anyway. If they don't want to remember and enter a complex master password for the data in their primary vault, they probably won't want to do so for a secondary vault. I think that remembering a single, very strong master password is the best option (hence the name of the app: 1Password).

Mr. H

Support for multiple vaults is something I’ve been waiting for for a long time (started using 1password at version 2) and provided feedback as such back then. My excitement that this was added to version 4 quickly turned to disappointment when I discovered that the feature has been implemented in such a way that I struggle to see why you bothered.

-- The vaults should be independent!
-- This means that unlocking one, should not unlock another, even if the first one is your primary one
-- This also means that it should be possible to set the auto-locking settings independently. I want to keep less-sensitive stuff in my primary vault [which I would like to unlock automatically at login and basically never auto-lock (like Apple’s default keychain)], and more sensitive stuff in a secondary vault which does not auto-unlock at login and would require me to enter a password whenever I try to access any information inside, and auto-locks after a very short time-out period. This is something that I can (and do) do easily with Apple’s keychain and I’m surprised that I still can’t do it with 1password.

Mr. H

@Megan, you said "mine are currently set to lock after 1 minute of inactivity, and as long as I continue to use my computer, 1Password stays unlocked for me” (sorry, not familiar with this forum software and couldn’t see any way of quoting a post).

If I understand correctly what you’ve said here, then I have another piece of feedback. There should be an option to Auto-lock based on vault inactivity rather than computer inactivity. My “high security” Apple keychain is set to auto-lock after 2 minutes of “inactivity”, and what this means is that if no access is made to items in the keychain for two minutes, the keychain locks. The computer can be being used during this period; it makes no difference to the auto-lock.

Megan

Hi Mr. H,

Thanks so much for sharing your thoughts here. For the situation you describe, I would suggest storing your high security items in your primary vault, locked behind your strong, secure Master Password. Lower security items can then be stored in a secondary vault. You can then access these directly by using the Command-# keyboard shortcut from 1Password's lock screen (where # is the number of the secondary vault in your list of vaults).

You can then enter the specific password for your secondary vault and unlock only that vault. You will need to enter a specific password for any other vault you wish to switch to.

I know it's not exactly the answer that you're looking for, but I do hope this helps make your life easier as we work to improve our multiple vaults feature. Again, your feedback here is much appreciated! :)

Mr. H

Hi @Megan, thank you very much for thinking of this workaround and posting a walk through. I hope others find it useful. I had thought of this too, but there’s a couple of issues:

1. Is it possible to get not-primary vaults to automatically unlock upon login? (In fact in 1Password 4, can you even get the primary to auto-unlock at login? I’m sure 1Password 2 did that, but I’ve only just upgraded to version 4 [was running OS X 10.5.8 and upgraded straight to Mavericks a couple of weeks ago] and haven’t logged out and back in again since). I guess I could whip up an Applescript to do it if not.
2. Unfortunately, whilst this workaround would be very close to achieving what is desired, it’s only half the battle, as the auto-lock settings of 1Password are global not per-vault. I would like very permissive auto-lock settings for the “non-sensitive” stuff but very aggressive auto-locking of the high-security vault.

Do you have any comments regarding my second query regarding “inactivity” timeouts?

thightower

Re : # 1

No you cannot unlock the vault automatically. The 1Password preferences for version 2 opening the keychain had an option to store the master password in the OS keychain. That option has been removed.

Megan

Hi Mr. H,

Is it possible to get not-primary vaults to automatically unlock upon login?

You can lock 1Password at any time by using the keyboard shortcut ⌘⌥⌃L (Command-Option-Control-L). Are you suggesting that 1Password locks as soon as it finishes filling your username and password into a site?

Do you have any comments regarding my second query regarding “inactivity” timeouts?

I'm assuming that you're using your computer in a public place where you are concerned about other people being able to access your data when you step away from the computer. In a situation like this, I would recommend using the lock shortcut I mention above whenever you step away from your computer. Another suggestion I've heard from some users is to ensure that 1Password will lock when the screensaver is activated (in Settings > Security), then use a hot corner on your Mac to enable the screensaver when you leave your desk.

As to your specific request, we do not have plans to implement lock settings based on vault activity or inactivity at this time. Please understand that there is a delicate balance to be maintained with respect to the number of settings available to users: we need to have enough options to ensure that people can safeguard their data in the way that best fits their needs but not offer so many that users are overwhelmed with options: "Do I want to have 1Password lock based on computer inactivity ... or vault inactivity?"

I hope this helps, but as always, we're here if you have any further questions!

benfdc

@JasperP writes:

However, I think if you shared a secondary vault with someone, and the vault uses very complex master password, the other user would likely store the secondary vault's master password as an item in their primary vault anyway. If they don't want to remember and enter a complex master password for the data in their primary vault, they probably won't want to do so for a secondary vault. I think that remembering a single, very strong master password is the best option (hence the name of the app: 1Password).

That strikes me as a plausible justification for local storage of passwords for secondary vaults. However, it does not justify automatic opening. IMO there should be an option to NOT automatically open secondary vaults. When a user wishes to open a particular secondary vault, the user could be required to re-enter the master password to the primary vault. That way, some users would not need to create separate entries in their main vaults with the passwords of the secondary vaults.

This is analogous to the way that OS X requires re-entry of passwords for special operations. LastPass has a similar feature where you can require re-entry of the master password in order to access or make use of specified high-value items even though one’s vault is already open. I use this feature to protect banking passwords, among other things.

Come to think of it, that might be a nice feature to add to 1Password generally, and not merely in the context of secondary vaults. This does not seem as though it would be hard to do given the architecture of 1Password, which does not decrypt items en masse but only does so one at a time, on demand. All you would need to do is add a flag to each item which the user could set to require re-entry of the master password. I suppose that this would represent a return of sorts to a two-tier scheme that was present in early versions of the iOS app.

Megan

Hi @benfdc,

Thanks, as always for adding your thoughts here. :) I'll be sure our developers see them.

Mr. H

@Megan

Are you suggesting that 1Password locks as soon as it finishes filling your username and password into a site?

No, I was wondering if 1Password 4 could do what 1Password 2 did, which was unlock automatically when you log in to OS X. It would appear that the answer is “no”. Not sure why you took that option away, but I can fix that with AppleScript.

I would recommend using the lock shortcut I mention above whenever you step away from your computer

I hope that you will change your multiple vaults feature to allow independent settings for auto-locking of vaults. If you do, you will quickly see the advantage of having the “inactivity” based on vault usage not computer usage. As I’ve said before, with OS X keychains, I keep non-sensitive stuff in the login keychain that unlocks automatically upon OS X login and high-security stuff in another keychain with a different, longer password. The high security keychain is normally locked, locks on computer sleep, and locks after 2 minutes have elapsed since the last time an item in that keychain was accessed. This setup serves me very well and it makes me sad that I cannot replicate it with 1Password.

we need to have enough options to ensure that people can safeguard their data in the way that best fits their needs but not offer so many that users are overwhelmed with options

Sure, I understand that. Some developers solve this problem by having some options that are not exposed in the UI and only accessible via a “defaults write” command.

@benfdc

LastPass has a similar feature where you can require re-entry of the master password in order to access or make use of specific high-value items even though one’s vault is already open (I use this feature to protect banking passwords, among other things.) Come to think of it, that might be a nice feature to add to 1Password generally, and not merely in the context of secondary vaults.

This is an interesting alternative but I think it shouldn't be necessary if multiple vaults is implemented better. Having to enter the password every time you want to use a "high-value” item could get annoying! For example, I have a lot of bank accounts and once a month have an online banking session which entails logging in to about 12 different accounts. All the passwords are stored in my high-security keychain which is unlocked when the first password is requested. All the other accounts can then be logged in to without having to enter the keychain password again, and the keychain will then auto-lock, even whilst I continue to use the computer to do my banking etc.

benfdc

Mr. H writes:

This is an interesting alternative but I think it shouldn't be necessary if multiple vaults is implemented better.

I am not inclined to agree. Having a separate vault for one’s high-security items would mean having to remember which items are in which vault. I don’t want that mental overhead, and I see no need for it. There is also a workflow issue: ticking a "require password" checkbox to increase the security of an item is much easier than exporting (sharing) an item to a secondary vault, deleting it from the primary vault, and emptying the trash in the primary vault.

Megan

Hi Mr. H

Thank you for your suggestions. We'll take them into consideration as we continue our work on 1Password.

ref: OPM-2227

Mr. H

@benfdc‌

Having a separate vault for one’s high-security items would mean having to remember which items are in which vault.

Why should you have to remember that? You don’t with Apple’s Keychain. 1Password should know what's where, and when you try to access an item from a locked vault, it asks you to enter the vault’s password.

There is also a workflow issue: ticking a "require password" checkbox to increase the security of an item is much easier than exporting (sharing) an item to a secondary vault, deleting it from the primary vault, and emptying the trash in the primary vault.

Since multiple vaults fundamentally don’t work in the way that I would like them to, I have not had cause to try to use them. If the process of moving items to another vault is as you say it is, this is another thing that Agile need to revisit. You should be able to, you know, just move stuff from one vault to another without having to remember to delete and empty trash for the source vault. Imagine if the Finder worked like that whenever you moved a file! Nightmare!

benfdc

My observations relate to the Multiple Vaults feature as presently implemented, Mr. H.

Moreover, I do not think that I would want 1Password to “know” the contents of locked secondary vaults. By default, the contents of locked vaults are secret. There is an Integration option under 1Password’s Advanced preferences tab that allows the user to permit the exposure of some information to third-party utilities like Alfred, Quicksilver, and LaunchBar. Perhaps this same scheme, or something similar, could be implemented to allow 1Password to scan the contents of locked secondary vaults. However, I would want to be able to control this on a vault-by-vault basis rather than via a global setting as it is at present.