Individual unlocking of secondary vaults gone in 1Password 6

edited February 2016 in Mac

Hi AgileBits!
Before updating to 6.0 I would enter the passwords for separate vaults indvidually ie.

Vault A (primary) needed password A and
Vault B (shared) needed password B.

When switching between the two (for example with ⌘+1 or ⌘+2) I would need to enter the vault's individual password.

Since I updated this morning, I only need to enter the primary password to unlock both vaults. I would like it to go back to entering each password individually - is there a way to separate these again?

Cheers!


1Password Version: 1Password 6 Version 6.0 (600008) AgileBits Store
Extension Version: 4.5.2.90
OS Version: 10.11.2
Sync Type: dropbox
Referrer: ug:mac/multiple-vaults, kb-search:separate passwords, ug:mac/create-a-new-vault, ug:mac/switch-vaults, kb-search:1 password for vaults

«134567

Comments

  • Hi I am a new user of 1password so maybe the answer to this is simple and I just don't get it.
    I am not the only one using my mac so I'd like to use to different vaults. One vault with passwords the other users can use and another vault with sensitive data that only I should have access too. Is this possible?
    At this moment I have created two vaults but I only need the master password for the primary one and have access to everything. Using the safari add on I can always see the sensitive data that I'd like to be safe behind another password.
    Is there any way to do this with 1password?


    1Password Version: Not Provided
    Extension Version: Not Provided
    OS Version: Not Provided
    Sync Type: Not Provided
    Referrer: forum-search:how to not use 1 password for multiple vaults

  • Hi I am a new user of 1password so maybe the answer to this is simple and I just don't get it.
    I am not the only one using my mac so I'd like to use to different vaults. One vault with passwords the other users can use and another vault with sensitive data that only I should have access too. Is this possible?
    At this moment I have created two vaults but I only need the master password for the primary one and have access to everything. Using the safari add on I can always see the sensitive data that I'd like to be safe behind another password.
    Is there any way to do this with 1password?


    1Password Version: Not Provided
    Extension Version: Not Provided
    OS Version: Not Provided
    Sync Type: Not Provided
    Referrer: forum-search:how to not use 1 password for multiple vaults

  • Hi @kev79,

    You are correct, we do deem the password to the primary vault as special, hence the phrase Master Password. The primary vault is meant to be your personal vault, the one that no-one else has access to. Given this is your definitive vault the idea is all secondary vaults are also accessible by you and so if you unlock the primary vault it unlocks everything else as a convenience. Now if you switch to a secondary vault and enter the password for it then only that single secondary vault is unlocked and any attempt to move to another will result in the lock screen again. Even switching to the primary and then back to the secondary would require the password for the secondary vault.

    We don't have a multi-user approach in 1Password because OS X and Windows both do an excellent job of handling this themselves though user accounts. User accounts with fast switching would allow you to jump between user accounts in OS X giving each person their own copy of Mail, Safari, 1Password and well, every other application on the Mac.

    So if you remembered to lock your primary and supply a password for only a secondary vault that might work but personally I would mull over the idea of separate OS X user accounts as a way forward. It is your choice though and if you have any questions at all please do ask :smile:

  • JacobJacob

    Team Member

    Hey @schnaarius! What version of the app were you using before? The Primary Master Password has been used to unlock additional vaults since the ability to use additional vaults was added to the app. The only time you should be asked for the Master Password of a secondary vault is when adding the vault. Switching between them shouldn't require one.

  • Hi, I have the same issue after upgrading to 6.x.
    I have two vaults: master and basic, with different passwords (strong and weeker).
    With version 5.x and 1Password locked you could select (click on the keyhole logo) the basic vault and insert the weaker password, after that you had access only to basic vault.
    Then, if you needed to switch to master vault, it was asking the master password to unlock also the master vault.

    With version 6.x and 1Password locked, the only option is to unlock the master vault: it seems that basic vault password is useless.
    I suppose that this is somehow related with team vaults, but that functionality was one of the main reason for me to choose 1Password.

    It was like having two different levels of security, now I must always use my strong password... not good.

  • Hi @penderworth, thanks for the reply! @spantalo describes it better than me:

    Then, if you needed to switch to master vault, it was asking the master password to unlock also the master vault. With version 6.x and 1Password locked, the only option is to unlock the master vault: it seems that basic vault password is useless.

    So when I'm using 1password at work, and I only want to unlock the secondary vault (my work vault). Since updating to 6.x I can't unlock the secondary vault without unlocking the primary too.

    I still have 5.4.2 on my laptop, and when I open 1password I can choose which vault I want to unlock (⌘+1 or ⌘+2). Entering the master password on the primary unlocks both, but selecting the secondary vault and unlocking it won't unlock the master vault (which is ideal for work).

    Any way to restore this functionality?

  • I'm having this issue too.

    I think that it is NECESSARY to go back to the previous behavior

  • I am experiencing the same issue as well. I understand that being able to unlock all your vaults from the Master vault is great, but I agree with the conclusions drawn in this thread and that is that sometimes you want to be able to unlock just a less important vault. From a professional perspective this is essential.

  • And when you have kids and you don't want them to have access to credit cards, banking information, etc. I really this was a bad move. Going to downgrade now.

  • rickfillionrickfillion Junior Member

    Team Member

    Hi Everyone,

    We removed this ability in 6.0 because we found some security issues related to it, and once we knew of them we couldn't let it be with a clear conscience. I quite liked that feature, and would love to see it come back (built differently), but that's going to take some time.

    I would love for you to take this opportunity to tell us how you used the feature so that we can keep that in mind if/when we rebuild it.

    Thanks.

    Rick

  • Also affected by this.
    I used it pretty much as @spantalo: Having a separate vault with a different password for less sensitive entries, only which is unlocked during every-day usage. In addition to this, it is also synced, while my primary vault isn't.

  • @rickfillion I think that it is very important to us to keep some information more secure than other. Perhaps an alternative solution could be to add the option to request password each time you want to use o see this "top secret" items. LastPass works in this way.

  • rickfillionrickfillion Junior Member

    Team Member

    Thanks for the additional information @F30 and @JAnguita.

    Rick

  • I too am suffering from removing this functionality. I have 2 vaults, and I want to be able to log into the secondary vault independently of the primary. Please look into restoring this pronto, otherwise I seriously have to consider switching back to LastPass

  • We removed this ability in 6.0 because we found some security issues related to it, and once we knew of them we couldn't let it be with a clear conscience.

    It would be good then to know what's the risk on using 1P that way if we keep using version 5. You have a good reputation disclosing these kind of issues to let the users take actions to protect themselves.

    Regards

  • rickfillionrickfillion Junior Member

    Team Member

    Hi @juanii,

    I don't want to hide behind "it's a complex issue"... but it's not terribly easy to explain. Let me try though. The good news is that we have no reason to believe that the security issue in this case has ever been abused, and it's possible that things were such that it'd have been impossible to abuse. It's not a remote code exploit or anything like that. The issue in question was a design decision in how we managed the state of the app to control how/when to show the lock screen when you switched vaults, when the vaults were locked etc. It would have been easy for us to screw things up. So we rebuilt things such that it's nearly impossible to screw up because we felt like it wasn't worth the risk, and this feature was a casualty of that rebuild.

    It's more of a theoretical problem than a real world issue. The fact that it had real-world consequences is really unfortunate. I'm confident that the feature itself could be rebuilt in a safe way, we'll just have to find time in our schedule to work it in.

    My personal views is that I'd still feel comfortable using 1Password 5. This was more about protecting ourselves from future screwups.

    I hope this helps.

    Rick

  • How can I downgrade safely to the v5?

  • MasterReeMasterRee
    edited January 2016

    I have multiple vaults. With 1Password 5 (from the Mac App Store) I could lock my primary vault, but still unlock a secondary vault, revealing only that secondary vault's content. I could also switch between these vaults at the unlock prompts using the Command +1, Command +2 and so on, keyboard shortcuts.

    Since upgrading to 1Password 6, I have to unlock my primary vault to access any of the content in any of my vaults. I can switch between the vaults at this point using the drop down menu, but I am not able to switch between them using keyboard shortcuts before or after unlocking my primary vault. I have done a full uninstallation, including all hidden files and reinstalled the application. The issue persists.

    Please advise how this may be resolved. Thank you.


    1Password Version: 1Password Version 6.0 (600007) Mac App Store
    Extension Version: 4.4.4
    OS Version: 10.11.2
    Sync Type: Dropbox

  • JacobJacob

    Team Member

    @JAnguita If you absolutely require the feature, you can download to version 5, though I will say that we won't be updating that version in the future with the latest features. As long as you're okay with that, simply download version 5.4.3 (the last version of 1Password 5) from this page: https://app-updates.agilebits.com/product_history/OPM4#553001

    Before installing it, launch 1Password 6, click the 1Password menu, and click Quit 1Password and 1Password mini. Then move 1Password 6.app to the Trash, empty it, and move 1Password 5.app to your Applications folder. And that's it! You should be all set. :)

    @MasterRee I merged your post with a larger thread that has a good amount of discussion on the topic of unlocking vaults separately. I'd recommend reading the discussion here for some details about what can be done moving forward, and the info in this post if you'd like to move back to version 5 for this functionality. Hope that helps!

  • This change pretty much breaks 1Password for me. Is the functionality likely to be returned promptly? Or is reverting to version 5 the only work around?

  • MasterReeMasterRee
    edited January 2016

    Per your request, this is how I used the now deprecated feature:

    1. I have a primary vault with my most sensitive information (credit cards, banking, etc).
    2. I have multiple secondary vaults with specific functions (work, friends and family information, etc).
    3. At work I unlock the work vault so that I can access the relevant passwords, but I leave my other vaults locked so that this data is secure.

    I realize I could just sync only the work vault to my work Mac, but there are specific instances where I may need access to credentials in one of my other vaults. I also relied on this feature and it was one of the reasons that I chose 1Password. Thank you for favoring security over convenience as that is the better choice ultimately, but the flexibility and convenience of 1Password is why it is such a great tool. Please make implementing a secure version of this feature a high priority.

    Thank you.

  • Greetings @MasterRee & @tcaway (and everybody else so far),

    I've just confirmed that your collective voices have all been recorded and accounted for in a desire to see this return.

    At this stage this is sadly all I can really do. We've had Rick's explanation as to why it had to be removed right now and the guy is a great developer so if he can find a way I'd bet he will. The issue will be the timeframe. I can't make any promises here or offer even a rough ETA.

    If such a feature is essential then for the moment the only option would be to return to version 5 of the application. This is just a workaround though and not a solution. It's unfortunate that this needed to happen but at least by visiting the forums and informing us about how you used it we gain an idea of how much the feature was in demand.

    ref: OPM-3687

  • tompavetompave
    edited January 2016

    I've updated to 1Password 6.0.1 (Mac App Store), and I've found that the "vault switch" keyboard shortcuts have been disabled on the initial screen. I couldn't find a preference setting to re-enable the functionality.

    My workflow has always been to:
    1) select a specific valut (e.g. the work vault as opposed to my personal one);
    2) unlock that vault only with its master password.

    But now I have to first unlock the primary vault, then switch to the one I'm interested in. Also, the switch will require no further password to unlock the secondary vaults because I am forced to unlock the primary first (that gives me a sort of root access).

    This is not ideal because, especially when I'm at work, I do not want to type in my primary vault master password, have it open on screen, and then switch to the work vault. I want to open the work one directly.
    Furthermore, since my work vault is not the primary one, opening it directly gives me a form of further protection because all the other vaults will remain locked.

    Is this a bug or a deliberate UX choice?


    1Password Version: 6.0.1
    Extension Version: Not Provided
    OS Version: 10.11.2
    Sync Type: Not Provided

  • Hi @tompave,

    I hope you don't mind but I've merged your query with an existing thread as it is regarding this very matter. The best place to start would be with Rick's first post as I won't do any better explaining the situation than him. It was deliberate but as a byproduct of that deliberate decision rather than specifically intending to remove it. You may have questions after this which we will do our best to answer.

  • Hi @littlebobbytables,

    thanks for moving my post here. The conversations is definitely helpful and I'm glad to see that the team is taking the request into consideration.

    I have a couple of questions:
    1) Will Penderworth's instructions also work if I have the Mac App Store version of 1Password?
    2) The feature is important enough for me that I think I've found a hacky work around based on a shell script to quickly move and rename the vault_name.agilekeychain files in the 1Password folder, so that I can force 1Password to only see one of them at a time.
    Any contraindication to doing that? e.g. data corruption?

  • I also found it very useful to have complete access to all my information while allowing coworkers access to the logins they needed. We are a small group. Is 1 password for teams the way to go now?

  • Hi @tompave,

    1. penderworth's suggestion won't work if your want to stay with the Mac App Store version. The only way to find version 5 of the Mac App Store version would be in a backup now as Apple only retain certain versions and only for OS X compatibility reasons. As 1Password 6 will run everywhere that 1Password 5 did Apple won't retain 1Password 5 at all. Now if you were to download the AgileBits Store version of 1Password it would pick up on the fact that you have the Mac App Store associated with your Apple ID and so it would pop up saying that you're a Mac App Store customer and not bother you for a licence. Moving from Mac App Store to AgileBits Store, especially with 1Password 5, would mean you could not sync using iCloud. I don't know if that will be an issue for you or not.
    2. Sadly this won't work. Unlike 1Password 3, the Agile Keychain is merely a sync container. 1Password actually holds all of your vaults in an encrypted SQLite database file and shifting Agile Keychains around would only disable sync. Re-enabling sync and connecting it to a Agile Keychain for a different vault would only cause the contents to merge. Sorry, this path will lead to stress so I'd avoid it. As all of your vaults are contained in a single encrypted SQLite database file there isn't a way to switch them around and say vault X is now the primary.

    Sadly for this precise moment the only way to regain the ability to unlock a single secondary vault you would need to return to 1Password 5 and for most that would mean going down the route of the AgileBits Store version.

  • Hi @bearahu,

    1Password for Teams won't directly help here as while it has some great features it does connect to 1Password for Mac and 1Password for Mac is designed more as a single user application. I could be wrong but it sounds like you're saying multiple people access a single copy of 1Password from a single OS X user account and that's why you have found the ability to unlock just a single secondary vault advantageous. If each user has their own account and copy of 1Password then each can be configured so that they have their own primary vault and access to only the secondary vaults they need access to. This was all true prior to 1Password for Teams and still is. 1Password for Teams as lots of merit for teams in my opinion but it's best to make sure that it fits with your needs.

    As the thread is about the ability to unlock a secondary vault in a particular instance of 1Password I'm assuming multiple people are accessing a single copy. Is this assumption correct?

  • I've added all three of your votes to help highlight the demand.

This discussion has been closed.