Need some help changing Master Password

xwiredx
Community Member

Hello everyone!

I have decided to change my Master Password after a lot of reading on diceware passphrases and the articles put out by AgileBits, like 'Toward Better Master Passwords'. My current password is a sentence I came up with, so not so random, although it is quite odd and not something you'd hear anyone say often, and has about 35 characters if you count the spaces. This time I want to use a random diceware passphrase by rolling actual dice, and get set up with a nice strong passphrase that allows me to not be as worried. :) I was unaware of all of this at the time of purchasing 1password, otherwise I would have done it then to avoid situations like this. :)

I have been searching through older threads to see what is involved in making the change so that I am doing things correctly and generating new keys along with the new diceware passphrase so that my system is not compromised by having the old weak keys and master password with the keychain. I came across this thread that links to two others explaining the process/instructions, and I just wanted to double check that this is still valid information.

Here's the thread:
https://discussions.agilebits.com/discussion/35835/change-master-password-or-start-over

And here's the two others it links to:
https://discussions.agilebits.com/discussion/comment/135402/#Comment_135402

https://discussions.agilebits.com/discussion/comment/160995/#Comment_160995

I am currently on the newest version of 1password for Mac from the AppStore, running on the latest OSX 10.11. Also using an iPhone 6 with the newest version of 1password running on iOS 8.4 and 1password for Android version 4.2.1. These are syncing through Dropbox.

If I am missing anything at all, can anyone please let me know before I make the switch? I don't want to mess anything up and lose my data. :)

Lastly regarding diceware. Last year Arnold Reinhold suggested to move from 5 to 6 word phrases. What does AgileBits recommend today? In an article you also suggested subbing out one of the diceware words for a modified personal phrase, is this still valid? If so, how much does it affect your overall password entropy?

Thank you very much!

Chris
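To put numbers on the diceware question above (5 versus 6 words, and what happens to the entropy figure when one word is swapped for a self-chosen phrase), here is an added example in Python. It is not code from the thread or from AgileBits; it uses a constructed placeholder list of 7776 entries standing in for the real Diceware word list, and it substitutes the operating system's CSPRNG (`secrets`) for the physical dice purely so the mapping from five dice faces to a list index can be run and checked offline.

```python
import math
import secrets

# Diceware draws each word with five six-sided dice: 6**5 = 7776 possible words.
DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD

# Constructed placeholder list, NOT the real Diceware list: entry i is just "word<i>".
# Only the list *size* matters for the entropy figures below.
WORDLIST = [f"word{i:04d}" for i in range(LIST_SIZE)]


def roll_die() -> int:
    """Software stand-in for one physical die: a uniform face value 1..6."""
    return secrets.randbelow(6) + 1


def rolls_to_index(rolls) -> int:
    """Map five dice faces (1..6 each) to a list index 0..7775.

    Reading the faces as digits of a base-6 number is exactly the lookup the
    printed Diceware list does with its five-digit keys (11111 -> first entry,
    66666 -> last entry).
    """
    if len(rolls) != DICE_PER_WORD or any(r < 1 or r > 6 for r in rolls):
        raise ValueError("need exactly five faces, each in 1..6")
    index = 0
    for face in rolls:
        index = index * 6 + (face - 1)
    return index


def entropy_bits(list_size: int, n_words: int) -> float:
    """Entropy of n words drawn uniformly and independently from a list."""
    return n_words * math.log2(list_size)


def words_needed(target_bits: float, list_size: int = LIST_SIZE) -> int:
    """Smallest number of uniformly drawn words that reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def countable_entropy_after_substitution(n_words: int, replaced: int = 1) -> float:
    """Conservative accounting when `replaced` words are swapped for personal phrases.

    A self-chosen phrase is not drawn from a known uniform distribution, so its
    contribution cannot be measured; the only figure you can state with
    confidence is the entropy of the words that were still rolled.
    """
    if replaced < 0 or replaced > n_words:
        raise ValueError("replaced must be between 0 and n_words")
    return entropy_bits(LIST_SIZE, n_words - replaced)


def passphrase(n_words: int, wordlist=WORDLIST) -> str:
    """Generate an n-word passphrase; each word comes from five independent rolls."""
    chosen = []
    for _ in range(n_words):
        rolls = [roll_die() for _ in range(DICE_PER_WORD)]
        chosen.append(wordlist[rolls_to_index(rolls)])
    return " ".join(chosen)


if __name__ == "__main__":
    for n in (5, 6, 7):
        print(f"{n} words: {entropy_bits(LIST_SIZE, n):.1f} bits")
    print(f"5 rolled + 1 personal word, countable: "
          f"{countable_entropy_after_substitution(6):.1f} bits")
    print(f"words needed for 80 bits: {words_needed(80)}")
    print("sample (placeholder words):", passphrase(6))
```

With a 7776-entry list each word contributes about 12.9 bits, so five words give roughly 64.6 bits and six give roughly 77.5. The substitution function shows the accounting a cautious person would use for the "one personal word" variant: credit only the words that were actually rolled, because the strength of the personal phrase cannot be estimated the way a dice draw can.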

Comments

  • Plato
    Community Member

    For starters, I am NOT with AgileBits.

    That out of the way, you have to define your personal level of paranoia and the impact of that paranoia on your everyday life. In order for a bad guy to get access to your 1P information, he/she obviously must be able to determine your master password. If you do what you're proposing, you might think that you're making that determination unlikely. However, your master password will be something that you will likely not be able to reliably remember. For that reason, I expect that you'll write it down.

    Now, the second requirement for a bad guy is physical access to your Mac. If this bad guy has access to your Mac, he/she will probably also have access to the piece of paper where you wrote down the master password. Then, he/she can get "in like Flynn" which, of course, is not what you want.

    I have a sentence with meaning to me and only to me. Despite the fact that it's easy for me to remember, there is no way in hell that any bad guy could possibly determine it.

  • xwiredx
    Community Member

    Thanks for the reply!

    I have confidence in not allowing physical access to my Mac, and not misplacing a new diceware passphrase. If written, it will surely be obscured in some way and kept in my wallet or something, until it is no longer needed to commit the new passphrase to memory, and then destroyed. What I am worried about is the possible weakness in my current Master Password, and the keys somehow getting out since they're synced through Dropbox. While I understand this is rare, I don't want to take any chances and I would be a lot more comfortable with a fresh start and strong Master Password.

    Reading through all the topics on this, it looks like you've done this already?

  • hawkmoth
    Community Member
    edited July 2015

    I can't speak for @Plato, but I can say that I've changed my master password and forced the creation of new encryption keys twice. It was painless.

  • Plato
    Community Member

    "I have confidence in not allowing physical access to my Mac..."
    That's exactly my point. If you have that confidence, why are you concerned about the strength of the master password? Be reminded that your security is related to the combination of BOTH access to your Mac AND the strength of the password. If either one is solid, the other becomes less important.

    "If written, it will surely be obscured in some way and kept in my wallet or something..."
    I'm wondering just how you will obscure it, perhaps with a second Diceware password? Of course, you then would have to remember/store the second password, and again and again and again ad infinitum.

  • xwiredx
    Community Member
    edited July 2015

    @hawkmoth,
    Are those links I posted the instructions you followed?

    @Plato,

    I'm worried because using Dropbox to sync between my devices, isn't there a possibility that someone could end up with the keychain? Or am I mistaken that physical access is the absolute only way for a would-be attacker to take a shot at my password and keys?

    Also, without using something like a diceware passphrase where you can get a good idea on the entropy, how would I know just how secure my current passphrase sentence may or may not be?

  • hawkmoth
    Community Member

    @xwiredx - This post probably has the most concise set of instructions.

  • xwiredx
    Community Member

    @hawkmoth
    Thank you. When you performed your changes, were you syncing with Dropbox? If so, is there anything that you needed to do to make sure that old versions of your keys were not messing anything up? Anything not mentioned in that post?

  • hawkmoth
    Community Member

    Yes, I was syncing with Dropbox. I don't remember what I did about that for sure, but I'm nearly certain I stopped syncing on all platforms and deleted the file in my local Dropbox folder. Then I imported the 1pif file I had exported earlier into the new empty vault. Then started up syncing again, first on my Mac, and then after a few minutes, just to be sure, on my iOS devices.

    The set of directions from @littlebobbytables was posted by an official AgileBits support person, which is the reason I chose it for the link. I don't think I can do anything more to reassure you.

  • xwiredx
    Community Member

    Got it, thanks!

  • Drew_AG
    1Password Alumni

    Hi @xwiredx,

    I'm glad hawkmoth and Plato were able to help you out with this! The steps in the link from hawkmoth's reply (which is the same as the 3rd link you included in your original post) are still valid, so those will help you re-encrypt all your 1Password data.

    Remember that, even if you were to make some horrible mistake while following those steps, you'll still have your data in the .1pif file you export at the start of those steps, and you'll also still have the previous backup files from 1Password that our "starting over" steps will have you move to the Desktop. You won't want to permanently delete anything until you're sure everything is working correctly again.

    Those steps can look a little intimidating, but really shouldn't be that difficult to follow - they're just thorough. If you run into any problems or questions, just let us know and we'll be happy to help! :)

  • xwiredx
    Community Member

    @Drew_AG

    Hi, and thanks for chiming in! Yes I have read the posts several times and looked over each link at least a couple of times each. I am feeling comfortable with the process and will go through with it later tonight. :)

    The only thing I was a little unsure about was whether or not I needed to manually delete the 1password Dropbox folder that contains the 1password.agilekeychain, or if that automatically gets cleared while going through the process outlined in the linked thread. Hawkmoth touched on that a bit. Can you confirm?

    The reason I was a little unsure about it was because earlier in that thread Jasper.P mentioned Dropbox and linked to their write-up on clearing previous versions and backups. I just wanted to make sure that older versions weren't syncing and preventing the new keys and Master Password from working properly.

    Thanks!

  • Drew_AG
    1Password Alumni

    Hi @xwiredx,

    In the steps from that thread, the 1Password.agilekeychain should be deleted during step 2:

    Disable any syncing you are currently doing on all of your devices. You can do this in 1Password's preferences in the Sync tab. You can disable sync using the Change Syncing... button and tick the Delete data from XXXXX checkbox as you want the old sync data removed.

    When you choose the option to delete data from Dropbox when disabling sync, it will delete the .agilekeychain. You can double-check your Dropbox folder after doing that, just to be sure. If for any reason there's still a .agilekeychain in Dropbox, you can manually delete it.

    I hope that helps to clear that up, but let us know if you have more questions.

  • xwiredx
    Community Member

    All is done and looking well so far! Still haven't deleted the .1pif and other folders yet, just in case, but I am testing everything and looking through everything and it all seems well! :) I purposely tried using the old Master Password to sign in to 1password for iPhone and it would not accept it. Nice! :)

    Only thing I noticed is that within the 1password folder in my Dropbox on Mac, the 1password folder only contains the 1password.agilekeychain. Dropbox on my iPhone and on the web is structured 1password/1password.agilekeychain, and 1password.agilekeychain is a folder instead of a file like on the Mac that launches the 1password app. Inside of the 1password.agilekeychain folder, is another folder named 'data' and a file called 1password.html. This html file has a 'modified 8 months ago' date underneath it. Inside of data/default, every file including encryptionKeys.js, contents.js, 1password.keys and .1password.keys have a 'modified 45 minutes ago' date underneath them since I just went through the new Master Password process.

    Does this all look and sound right, or is the 1password.html file old? Should it be there? I can't remember exactly what the file/folder structure was like before this, which is why I ask. Everything seems to be fine, but I just wanted to confirm on this. :)

    Thanks!

  • Drew_AG
    1Password Alumni

    Hi @xwiredx,

    I'm glad things went well when you followed those steps!

    Only thing I noticed is that within the 1password folder in my Dropbox on Mac, the 1password folder only contains the 1password.agilekeychain. Dropbox on my iPhone and on the web is structured 1password/1password.agilekeychain, and 1password.agilekeychain is a folder instead of a file like on the Mac that launches the 1password app.

    The .agilekeychain file is actually a package / bundle (basically a special type of folder) which is made up of hundreds of smaller files. On Mac OS X it looks like a file, but on Dropbox it will look like a folder. On your Mac, you can see the contents of it by right-clicking the .agilekeychain and choosing "Show Package Contents".

    Inside of the 1password.agilekeychain folder, is another folder named 'data' and a file called 1password.html. This html file has a 'modified 8 months ago' date underneath it.

    The html file won't necessarily show the expected created/modified date. Having said that, it seems a bit odd that its modified date would be from 8 months ago. Does it show the same modified date on Dropbox.com as it does on your Mac (i.e. when viewing the package contents)? If you select that file on your Mac and go to File > Get Info, what does it show for the Created date?

    It shouldn't be a problem at all, but one thing you can try is to disable Dropbox sync and delete that file (make sure it is deleted from your Dropbox folder), restart your Mac, then re-enable Dropbox sync to create another new .agilekeychain. Does that make a difference as far as the modified/created date?

    Also, just to confirm the order of the steps you followed - did you delete the previous .agilekeychain before following the steps from our "starting over" guide? When you opened 1Password after that, did you set it up as a new user with an empty vault, and then import the .1pif file into that new, empty vault? As long as you followed all the steps in the correct order, everything should be fine, I just wanted to check a couple things to verify that.

  • xwiredx
    Community Member
    edited July 2015

    Hi @Drew_AG,

    I'm looking at the file on my Mac (show package contents) and on dropbox.com right now, and the modified date is the same, 10/29/2014.

    For the order of steps, yes. After exporting the .1pif file, I disabled the Dropbox sync, which sent the old 1password.agilekeychain package into my trash can. From there I did a secure empty. I also deleted the trashed version from the Dropbox website, by using the delete forever option. After that is when I moved on to step 3 with the Starting Over Guide.

    Regarding the deleting of that file, do you mean delete just the 1password.html file or the whole 1password.agilekeychain out of my Dropbox folder on Mac? Also, by disabling Dropbox sync, do you mean through the 1password preferences, or just quitting the Dropbox app on my Mac?

    **Edit:**
    Forgot to mention that I just tried signing in to my 1password again using the old Master Password and it did not work. :)

  • Drew_AG
    1Password Alumni

    Hi @xwiredx,

    It sounds like you did everything correctly, so you don't need to worry about the modified date for the html file. I believe that date may be related to the version of 1Password (I'm using the latest beta version, so the html file shows a newer date for me when I create one).

    Regarding the deleting of that file, do you mean delete just the 1password.html file or the whole 1password.agilekeychain out of my Dropbox folder on Mac?

    The whole 1Password.agilekeychain, the same way you did that before following the steps to start over with a new vault. Just keep in mind that once you disable sync, delete the keychain, then enable sync & create a new keychain, that html file may have the same modified date you see now - which is a little confusing, but not a problem. :)

    Also, by disabling Dropbox sync, do you mean through the 1password preferences, or just quitting the Dropbox app on my Mac?

    Through the 1Password preferences, the same way you did it before. You don't need to follow the other steps to start over or anything like that though - just disable sync and delete the keychain, then re-enable sync.

    Forgot to mention that I just tried signing in to my 1password again using the old Master Password and it did not work.

    Great, sounds like it worked as expected! :)

  • xwiredx
    Community Member

    Ok, just got done disabling/enabling Dropbox sync, and indeed the .html file's modified date stays the same (10/29/14), while everything else is showing the very recent modified date. Perhaps it relates to the date I first installed 1password or something? Everything seems to be working fine though. :)

  • Drew_AG
    1Password Alumni

    Hi @xwiredx,

    Thanks for confirming that! I had a feeling it would end up being the same date, but like I said, that's not a problem at all - I was just surprised when I initially saw that was the date since I wasn't seeing the same thing when I created a new .agilekeychain (which I later realized is because I'm using a beta version). I figured it was worth double-checking by deleting and recreating the .agilekeychain to make sure, since that wouldn't have harmed anything.

    The 1Password.html file doesn't actually contain any of your items from your 1Password vault - those are in the other encrypted files contained inside the .agilekeychain. The html file is used to view those items when using the 1PasswordAnywhere feature.

    So just to reiterate, there's no problem, you followed all the steps correctly so your vault is now using a new encryption key that is encrypted with your new master password, so your old master password will no longer work anywhere. If all your data seems to be fine in 1Password now, you can feel free to (securely) delete the .1pif and the old files/folders you moved to the Desktop when following the "starting over" steps.

    You should be all set, but as always, we're here for you if you need anything else! :)

  • xwiredx
    Community Member

    Hi,

    Just wanted to post a little update that everything has been working well, and say thanks to all who helped! Drew_AG, hawkmoth, Plato and everyone involved in the linked threads where I got the instructions from. Also Andrew Costen via email, and of course the great knowledgeable articles on the Agile Blog, Thank You! :)

  • Drew_AG
    1Password Alumni

    @xwiredx, on behalf of @hawkmoth, @Plato, @Andrew_AG, and of course myself, you're very welcome! Thanks so much for following up to let us know it's all been working well, I'm so glad we were able to help you with that. :)

    We're always happy to help, so if you ever need anything else, you know where to find us. ;)
