Changing master password not enough if 'Restore' allows you to rollback...?

1234
Community Member

I suspected my vault may be compromised (due to a dodgy browser plugin), so after deleting the plugin I changed my master password in 1Password. Today I was going to change it again, but stupidly deleted the old 'new' password before going into 1Password to change it. (so I had my brand new unused password, but no longer have access to the previous one) [I used another password manager to create and store it which does not retain any history]

I thought I had lost access to my vault completely - we're assured that for our security there is no way to retrieve our password. And although I felt sick at losing all that data, I figured this is the price I accepted for security. No-one would be able to get into that vault...

Or so I thought, until I read the tips for getting back in when you're sure you know the password - all I had to do was restore from a backup with the original (potentially compromised) password and voila I'm back in.

My question is: what should we actually do if we believe someone has had access to our master password (hence Dropbox password, hence backups...)? Changing the master password does nothing to prevent the malicious user using the password they stole to access the instance of the vault they have a copy of. Unless I'm missing something (very possible), if someone gets access to our master password the only secure option is to reset all of our passwords and start over??



Comments

  • 1234
    Community Member

    In fact... The way in which 1Password actually handles syncing the password change (https://blog.agilebits.com/2015/04/28/how-1password-syncs-changes-to-your-master-password/) means if someone gets hold of your master password plus a backup/copy of your vault it makes absolutely no difference to them whether you change your master password, as the old one will continue to work for the copy they hold... (If I change my password on one device, it doesn't 'update' that change on other devices linked to the vault until you open them with the new password, and until then the existing password will continue to work.)

    So if our password is stolen, we're screwed and should start over?

  • Drew_AG
    1Password Alumni

    Hi @1234,

    I'm sorry to hear about the problem you had with one of your browser extensions! But I'm glad you're thinking strongly about the security of your 1Password data, and you have some good questions. I'll do my best to answer them, but keep in mind I don't know what extension you had installed or what it was actually doing - all I can really do here is comment on how 1Password works.

    all I had to do was restore from a backup with the original (potentially compromised) password and voila I'm back in.

    1Password automatically makes backups of your data and stores those backup files locally on your Mac within your ~/Library/ folder. Forgetting a new master password is one of the reasons why 1Password makes backups. I can't tell you how many times we've helped users restore their database from a backup - they are invaluable! In order for someone else to have access to your backup files, they would need to have access to the files on your Mac in general.

    A 1Password backup file is like a snapshot of your data at a specific date & time, so it requires the master password you were using at the time that backup was made. You can certainly delete older backup files if you'd like. From the main 1Password app, go to 1Password > Preferences and click on the Backup tab, then click the Show Files button. That will open the location where your 1Password backups are saved.

    what should we actually do if we believe someone has had access to our master password (hence Dropbox password, hence backups...)?

    Please note that Dropbox has nothing to do with your 1Password backup files. Your 1Password backups exist only on your Mac unless you copy them somewhere else. If you use Dropbox to sync your 1Password info, an encrypted copy of your vault is in Dropbox and changes every time you add or remove data in 1Password. If someone gains access to your Dropbox account, that does not give them access to the 1Password backups on your Mac.

    If someone is able to figure out your master password, you would of course want to change your master password. If someone has a copy of your 1Password vault, they won't be able to open it without your master password. Now, if someone has both your master password and your vault that is unlocked with that master password, that's a problem, but that brings us to the next question:

    Changing the master password does nothing to prevent the malicious user using the password they stole to access the instance of the vault they have a copy of. Unless I'm missing something (very possible), if someone gets access to our master password the only secure option is to reset all of our passwords and start over??

    If I understand, it sounds like you're worried that the extension you had been using was somehow able to send a copy of your master password as well as your 1Password vault to someone else? Again, I don't know anything about the extension you had installed, but you don’t actually type your master password into a web browser in order to use 1Password (unless you were using the 1PasswordAnywhere feature, but it doesn't sound like you were), and therefore the other extension would have no way of knowing what your master password is.

    When you unlock 1Password from the 1Password browser extension, you're actually unlocking 1Password mini, which is part of the main 1Password app. The 1Password browser extension doesn't contain any of your data, so it doesn't know your master password or any data you store in your vault. Data transfers occur locally on your Mac and are encrypted and authenticated. As such, data cannot be sent to any other processes except for the 1Password extension and 1Password mini.

    When 1Password is unlocked, all of your data is still encrypted on disk just like when 1Password is locked. Only the specific piece of data you are accessing at any one time is decrypted. The rest of your data remains encrypted. Also note that even the bit that is decrypted is only decrypted in memory, so if someone were to try to remotely access your 1Password data even while 1Password is "unlocked" the data they would be accessing from your file system is all strongly encrypted like it always is. Decrypted data is not written to disk.

    For more information about how that all works, please take a look at this knowledgebase article: How secure is the connection between 1Password mini and the browser extension?

    In fact... The way in which 1Password actually handles syncing the password change (https://blog.agilebits.com/2015/04/28/how-1password-syncs-changes-to-your-master-password/) means if someone gets hold of your master password plus a backup/copy of your vault it makes absolutely no difference to them whether you change your master password, as the old one will continue to work for the copy they hold... (If I change my password on one device, it doesn't 'update' that change on other devices linked to the vault until you open them with the new password, and until then the existing password will continue to work.)

    First, I'd like to reiterate that your master password isn't stored anywhere (except for inside your head, of course). So no one should be able to get hold of your master password. But theoretically, if someone were to somehow get a copy of your 1Password vault and also knew the master password for that vault, then yes they would be able to unlock it. If that happened, you would certainly want to change important data like passwords, and you would want to disable the current sync method (like Dropbox) and erase your data from there so the thief would not be able to sync any new changes you make.

    In addition to the article from my link above, you may want to take a look at this other knowledgebase article: How does 1Password keep my data safe?

    You can also find a lot more data about the security of 1Password here: Security and Privacy

    I do hope this has been helpful, but please don't hesitate to let us know if you have more questions or concerns.
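
Added example (not part of the original thread and not 1Password's code): a generic model of a vault whose data key is wrapped under a password-derived key, showing the point discussed above that a copy taken before a master password change still opens with the old password. The vault layout, function names, toy cipher and sample values are assumptions made for illustration.

```python
# Generic wrapped-key vault model (assumed for illustration; not 1Password's file format).
import hashlib, hmac, os

def kek(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)  # demo iteration count

def _xor_stream(key, nonce, data):  # toy HMAC counter-mode keystream, stands in for a real cipher
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    enc, mac = (hmac.new(key, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))
    nonce = os.urandom(16)
    ct = _xor_stream(enc, nonce, plaintext)
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    enc, mac = (hmac.new(key, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong password or corrupted data")
    return _xor_stream(enc, nonce, ct)

def create_vault(password, items):
    salt, vault_key = os.urandom(16), os.urandom(32)
    return {"salt": salt, "wrapped_key": seal(kek(password, salt), vault_key),
            "items": seal(vault_key, items)}

def unlock(vault, password):
    vault_key = unseal(kek(password, vault["salt"]), vault["wrapped_key"])
    return unseal(vault_key, vault["items"])

def change_password(vault, old, new):
    vault_key = unseal(kek(old, vault["salt"]), vault["wrapped_key"])
    salt = os.urandom(16)
    return {**vault, "salt": salt, "wrapped_key": seal(kek(new, salt), vault_key)}

def opens(vault, password):
    try:
        return unlock(vault, password) is not None
    except ValueError:
        return False

def scenario():
    live = create_vault("old-master-pw", b"bank=constructed-secret")  # constructed sample data
    old_copy = dict(live)  # backup or synced copy taken before the password change
    live = change_password(live, "old-master-pw", "new-master-pw")
    return {"live/old": opens(live, "old-master-pw"), "live/new": opens(live, "new-master-pw"),
            "copy/old": opens(old_copy, "old-master-pw"), "copy/new": opens(old_copy, "new-master-pw")}
```

In this model the password change only re-wraps the key in the live vault, so the earlier copy is unaffected; protecting the items it holds means changing the stored passwords themselves.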

  • 1234
    Community Member

    Thank you Drew for that extremely detailed and helpful post. :) I will read through it all again more carefully, but I do feel much happier now about the security of my vault - though I changed my key passwords yesterday to be on the safe side and now hold the Dropbox password in a different manager!

    [I wasn't 100% certain about the plugin so I won't name and shame, but it was only meant to check for cookies on websites but instead took up 140GB of my hard drive space and was using enough processor power to dramatically slow down my computer!]

    Thanks!

  • Drew_AG
    1Password Alumni

    You're very welcome! To be honest, I didn't realize how long my reply was while I was writing it - but I'm really glad you found it to be so helpful. :)

    It's definitely an important topic, so if you have more questions about that or need anything else, please let us know.

This discussion has been closed.