Change Master Password or Start Over?

Options
whistlingmike
whistlingmike
Community Member
in Mac

I have a situation where I have employees no longer with me that have had complete access to my 1Password account and think it is time to change. I understand from reading the forums that I should have had limited access vaults for these people (as well as current employees) but that wasn't the case. In also reading the forums, particularly the thread "Security: Changing Master Passwords Started by khad, 21 Jul 2014", I see it is a complicated procedure to change the master password if you want to do it in a manner that is secure (without there being old copies of the vault that continues to have access with the old master password) so it makes me wonder if I should start over from scratch by creating a new account with a new master password that is more secure, and just go through the time consuming procedure of copying over accounts. In this way, I could create a smaller vault for my new employee with only the items they need access to. I believe I could keep the old account running until all the logins and passwords have been transferred and then hopefully completely delete the old account. Is that true - could the old account be completely deleted? Any thoughts on this? BTW, I am running 1Pass on several Mac laptops (this one is OS10 Yosemite version 10.10.1) as well as my iPhone 5 and iPad using Dropbox for syncing.

Comments

  • Drew_AG
    Drew_AG
    1Password Alumni
    Options

    Hi @whistlingmike,

    The information you found about changing your master password is correct, but you don't need to start from scratch in order to change your master password and re-encrypt your 1Password data. Instead, what you can do is export your data from 1Password for Mac to a .1pif file, reset 1Password to create a brand new vault (which will generate brand new encryption keys), and import your data from the .1pif file to the new vault. There are a few other steps involved as well, and you can find instructions to do all that in this post.

    There are a few important things to keep in mind about those steps:

    • If you have multiple vaults, you need to export each vault (this is mentioned in Step 1).
    • Your employees will need to export any vaults they may have created on their own (for example, if they created their own personal vaults). But they won't need to export/import the vault you're sharing with them, as they'll be re-syncing that from Dropbox once you follow the steps.
    • Your employees will also need to follow the steps to reset/start over with 1Password on their Macs (and/or other computers/devices).
    • After following the steps on your Mac, you'll need to delete & reinstall 1Password on your iOS devices and set it up to sync again.
    • Before you sync/share a vault with your employees again, you'll probably want to create another vault for employees with only the items they'll need.

    Now, regarding your previous employees: If they still have any devices with 1Password & the vault you shared with them, they still have access to that data. They won't be able to get any future updates because you'll be deleting the old sync file from Dropbox, but they'll still have whatever data was in 1Password before you do that. This is because the 1Password data is stored locally on each device. If that is a concern, you'll probably want to change passwords for any sites you don't want them to be able to access.

    Hopefully this all makes sense, but if you have any questions about that, please let us know. Thanks!

  • whistlingmike
    whistlingmike
    Community Member
    Options

    Thank you for your reply Drew. I understand most of what you presented. Regarding old employees, I do not believe they have copies of my 1Password on their computers as they were doing the work on studio computers, but I do think they would remember my old (still current) master password so I am wondering if they have that, would they be able to get into all the passwords some other way? I read somewhere how the old copies / keychains will continue to exist and give access, so I am wondering if this is where I need to be concerned. Thanks, Michael

  • littlebobbytables
    littlebobbytables
    1Password Alumni
    Options

    Hi @whistlingmike

    You are correct, if they can remember the old Master Password and somehow have access to an old copy of the .agilekeychain that was created when that same Master Password was in use they will be able to decrypt that single vault. An .agilekeychain only represents a single vault, even if you multiple secondary vaults in a copy of 1Password 4/5. Now as Drew_AG was saying, access to an old version won't allow access to the new if you follows his advice. If you've that and you change the passwords to the sites/servers etc. that the vault stores then they're completely locked out.

    Does that help? Please do ask more questions if you're unsure of anything or I haven't explained myself well enough.

  • whistlingmike
    whistlingmike
    Community Member
    Options

    I guess a greater concern is my master keyword isn't the best (putting it mildly). When I got going on 1Password, I thought I would get it all created quickly and then create a good master password (obviously a really bad plan in retrospect!) That being said, if someone were to steal my computer, I would say with the original password would be broken in record time. Then the question is how do you scrub the drive (and my many externals) clean of what may be copies of the original vault I am not aware of?

  • Drew_AG
    Drew_AG
    1Password Alumni
    Options

    Hi @whistlingmike,

    As they say, the first step to stronger security is admitting you have a weak master password! Actually, I'm not sure if anyone really says that, but it sounded good in my head. ;)

    When you follow the steps to re-encrypt your 1Password data, you'll definitely want to choose a strong (but memorable) master password. Our security guru has written an excellent guide with tips to do that: Toward Better Master Passwords

    Now as far as copies of the original vault, that should be taken care of when you follow the "Start Over" steps as part of the instructions to re-encrypt everything. Those steps will have you find the data folder on your Mac and move it to the Desktop. That folder contains your database for 1Password, as well as backup files. Once you've followed all the re-encryption instructions and are all set again, you can delete the old files/folders that you had moved to the Desktop (you can choose to do a "Secure Empty Trash" if you want).

    If you have external drives with backups of your Mac, you may want to delete the old data folder from those drives as well.

    As always, let us know if you have more questions about that! :)

This discussion has been closed.