Individual unlocking of secondary vaults gone in 1Password 6

Comments

  • @LRT Thanks for the feedback! :) I think your workaround sounds like a good one for your setup. Your license allows as many computers as you own, and up to five other members of your household as well. Rather than uninstalling the app entirely, all you need to do is start over with a fresh vault and import your info. Are you syncing things somewhere? I'd recommend first syncing your personal and work vaults somewhere to make the import easier when setting things up again. This knowledge base article will help you figure out what syncing fits your situation best (if you don't already have something set up):

    Sync options compared: Dropbox vs. iCloud vs. Wi-Fi

    You can also use Folder Sync to sync things locally before you start over. Once things are synced, just follow this knowledge base article to refresh things:

    How do I start over with an empty vault?

    On your new user, you can grab 1Password from our downloads page if you purchased from our website, or the Mac App Store if you purchased there. Then the last step is to import your data, which is quite easy and 1Password will likely find it automatically. If it doesn't, the Using existing 1Password data on a new computer user guide will help you get things on track.

    Hope that helps! Let us know if you have any questions. :)

  • LRT
    LRT
    Community Member

    Thanks for the reply. So just to be clear, I currently have 1Password in the system Applications folder on the Mac. This means it's in the Applications folder in both my personal Mac user account and my work Mac user account. If I delete 1Password from the Applications folder on my work user account it will delete it everywhere. And because I purchased 1Password from the Mac App Store there is no option to download a 2nd copy while the 1st copy is still in the Applications folder - it just gives me the option to 'open', not 'download'.

    So how do I go about this? I've tried moving 1Password from the system applications folder to my personal user applications folder but then I get an error message when trying to open it telling me it should be in the system applications folder. I tried temporarily moving it to another folder then going to my work user account and downloading a fresh copy of 1Password from the mac app store then moving the new copy to the work user accounts application folder but then that copy wouldn't open.

    Can you please tell me what to do to make this work?

  • @LRT Aha, good point! I forgot about the system-level Applications folder for a moment there. The app definitely needs to be in the Applications folder if it's from the Mac App Store. You should be able to use it on the other user though. What happens when you just launch it there? You don't need a second copy as I mentioned before. One app should be just fine, and there's no need to delete that one. :) I'm curious what happens when you try to use it though.

  • LRT
    LRT
    Community Member

    I can definitely open it and use it on the work user account but then I've got the issue that since the 'switch to vault' feature was removed I can only open the entire 1Password app with my personal password. That means other people can no longer get to the work passwords without seeing all of my personal passwords. This is why the 'switch to vault' feature was great and was one of the reasons I purchased the app.

  • littlebobbytables
    littlebobbytables
    1Password Alumni

    Hi @LRT,

    I think there might be a little confusion and if I'm correct I think I can clarify.

    The 1Password application bundle, what you download from either our AgileBits Download page or Apple's Mac App Store does have to be stored in the /Applications/ folder. This is down to sandboxing reasons and it basically can't live anywhere else without potential problems.

    The application bundle though is literally just the code 1Password needs in order to work - no user data is stored there at all. In the case of the Mac App Store version of 1Password, everything and by that I mean your vaults, backups, preferences etc. is stored in the following location.

    ~/Library/Containers/2BUA8C4S2C.com.agilebits.onepassword-osx-helper/

    The ~ means your OS X user folder. So let's say you have two OS X user accounts titled work and personal. They each have completely independent support folders, and each would be in the following location:

    • /Users/work/Library/Containers/2BUA8C4S2C.com.agilebits.onepassword-osx-helper/
    • /Users/personal/Library/Containers/2BUA8C4S2C.com.agilebits.onepassword-osx-helper/

    and neither can see the other unless you've heavily modified the standard OS X permissions. As such they are completely independent and you can follow the How do I start over with an empty vault? steps in one OS X user account without it having any effect on the other.

    I assume you keep these two accounts in sync using something like Dropbox and if you do that means you have separate Agile Keychains or OPVaults for each vault. This will be the key piece of information in a moment.

    So you can completely start over in one OS X user account without touching the other, but what happens when you start 1Password for the first time after following the starting-over steps? As each OS X user account is independent of the other and maintains all of its own settings and data, what constitutes the primary vault doesn't have to be the same vault as in another OS X user account. Instead, imagine you have two OPVault containers, one for each of the vaults in your personal OS X user account. In your personal OS X user account your primary vault is your personal stuff and your work vault is your secondary. Back in the work OS X user account though, you've just started it for the first time and it's asking for the vault to use to kickstart everything. Here, if you point 1Password to the work OPVault (or Agile Keychain), then in this OS X user account the work vault is the primary vault and it's the password required to unlock it each time. So the notion of primary and secondary vaults is local to either each iOS device or OS X user account and isn't tied to the actual application bundle.

    This of course all assumes I've understood everything I've read and deduced the current situation correctly. If I'm right hopefully something above helps in understanding how 1Password behaves with multiple OS X user accounts. If I'm wrong at all please do correct me so we can get back to trying to help :smile:
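    The post above relies on one property: each OS X user's `~/Library/Containers/...` folder is owner-only, so the personal and work accounts cannot read each other's vault data unless the standard permissions have been changed. The following Python script is an added example (not from AgileBits or anyone in this thread) that audits that property: it builds the container path the post quotes for each home folder and flags any container whose group or "other" permission bits grant access to other local accounts. It constructs two throwaway home folders in a temporary directory to stand in for /Users/personal and /Users/work; the `work` one is deliberately opened up so the audit has something to flag.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict

# Container folder used by the Mac App Store build of 1Password 6, as quoted
# in the discussion above (relative to each OS X user's home folder).
CONTAINER_REL = "Library/Containers/2BUA8C4S2C.com.agilebits.onepassword-osx-helper"


def container_path(home: str) -> Path:
    """Return the per-user 1Password container folder for a given home folder."""
    return Path(home) / CONTAINER_REL


def exposed_to_other_accounts(path: Path) -> bool:
    """True if any group or 'other' permission bit is set on the folder.

    A stock ~/Library is owner-only (mode 700), which is what keeps one
    local user from reading another user's vaults. Any group/other bit means
    that isolation has been weakened (the 'heavily modified permissions'
    case mentioned in the thread).
    """
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    return (mode & 0o077) != 0


def audit_homes(homes: Dict[str, str]) -> Dict[str, bool]:
    """Map each account name to whether its container is exposed to other accounts."""
    return {
        name: exposed_to_other_accounts(container_path(home))
        for name, home in homes.items()
    }


def build_demo_homes(root: str) -> Dict[str, str]:
    """Constructed sample data: two fake home folders under `root`.

    'personal' keeps owner-only permissions; 'work' is deliberately loosened
    to 755 so the audit flags it. Every folder on the path down to the
    container gets the same mode so the check reflects the whole chain.
    """
    homes = {}
    for name, mode in (("personal", 0o700), ("work", 0o755)):
        home = Path(root) / name
        container = container_path(str(home))
        container.mkdir(parents=True)
        for folder in (home, home / "Library", home / "Library" / "Containers", container):
            os.chmod(folder, mode)
        homes[name] = str(home)
    return homes


def run_demo() -> Dict[str, bool]:
    """Create the constructed homes in a temp dir, audit them, and clean up."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_homes(build_demo_homes(tmp))


if __name__ == "__main__":
    for account, exposed in run_demo().items():
        verdict = "EXPOSED to other local accounts" if exposed else "isolated (owner-only)"
        print(f"{account}: {verdict}")
```

    On a real Mac you would call `audit_homes` with the actual home folders (for example `{"work": "/Users/work", "personal": "/Users/personal"}`) from an administrator account; the mode check needs only `lstat`, so it does not itself read anything inside the containers.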

  • jacobrobbins
    jacobrobbins
    Community Member

    I also believe this is a serious downgrade in the functionality of 1Password.

    I considered the availability of multiple security levels a requirement and it determined my purchasing 1Password instead of a competing product. Now that it has been removed I feel that I have been cheated, both of the money I paid to purchase 1Password and the time it took me to configure it as my password manager.

    The new functionality is similar to always logging into a Unix server as root instead of having multiple accounts each with the minimum level of privilege that it requires. It is not a best practice of security, it is a simplified solution that emphasizes convenience over security.

    I am disappointed in the removal of an important security feature and I will no longer recommend 1Password to others. I wish I could say I will immediately switch my password manager but I have sunk a lot of time and effort into setting up your solution.

    -Jacob Robbins

  • Hi @jacobrobbins ,

    I certainly understand your frustration with the removal of this feature. But as rick said on page 1 of this thread ( https://discussions.agilebits.com/discussion/comment/269406/#Comment_269406 ) this was done due to improvements in the underlying security architecture.

    I want to emphasize that we did not do this to emphasize convenience over security, as it did not add convenience. Simply put, it was not compatible with some necessary under-the-hood improvements.

    That said, we are not saying that this functionality is gone for good. It just had to be removed in its current form. We've been asking users for their use cases, so we can better understand how/why the users require the feature when we revisit it. If you have a use case to add, we'd love to hear it and it would help out a lot.

    Thanks for taking the time to let us know your thoughts. We really do appreciate it and it does help us shape the future of 1Password.

    Regards,
    Kevin

  • jacobrobbins
    jacobrobbins
    Community Member

    @ag_kevin ,

    I have 3 vaults:

    -- primary vault holds my most-sensitive personal credentials (bank accounts, personal gmail, healthcare website, etc)

    -- secondary vault holds credentials for the small business I operate (bank accounts, web hosting providers, domain name providers, other commercial services the business uses). If I'm working on business-related stuff I prefer to only have these credentials available and I like to be able to unlock only this set when I go to a website to conduct business-related transactions.

    -- another secondary vault holds the myriad less-sensitive credentials that build up in the course of using the web. For example, when registering for this forum to post I had to register. I don't consider those credentials a security risk but I need to keep track of them. There are dozens and dozens of instances of this happening and I do not want them mixed with the sensitive credentials in my primary vault. Similarly to the business vault, I prefer to unlock only the low-security vault when visiting one of those sites.

    The general theory behind this is called the "Principle of least privilege", which I learned from the Unix server administration community. See this Wikipedia entry for more info: https://en.wikipedia.org/wiki/Principle_of_least_privilege

    -Jacob

  • limbo
    limbo
    Community Member

    I have two vaults in 1Password synced to my MacBook.
    One is my personal vault, the other one is for my girlfriend.
    Since setup it was possible to unlock my girlfriend's vault only, but since a few weeks this isn't possible =(
    Now it's only possible to unlock the main vault to access her vault.
    Thanks


    1Password Version: 6.01
    Extension Version: 4.5.3.90
    OS Version: OSX 10.11.3
    Sync Type: Dropbox
    Referrer: forum-search:multiple vaults

  • hawkmoth
    hawkmoth
    Community Member

    @limbo - There is a very long thread about just your issue, into which I will merge your post. To be brief, there are many users who miss the feature you describe, and the AgileBits folks have been listening. In the thread I'll move this to, you will find lots of discussion about why things changed and assurances that the developers are considering the best way to try to bring it back.

  • LRT
    LRT
    Community Member

    Thanks for the reply littlebobbytables. I'm just thinking now that even if I set up my work account as a new separate primary vault I won't be able to sync both the personal and work vault (which would both now be primary vaults with separate primary passwords on separate instances of the app on different user accounts) to the one iPhone app (unlock-able with my one fingerprint) on my phone through the one iCloud account. Is this right?

  • F30
    F30
    Community Member

    So, 6.0.2 has a new "Always open to" preference. At first, this sounds like it could help a lot here; but at second sight, only a bit: you can now control which vault is opened, but it still always requires the master password and the other vaults are unlocked as well.
    Is this some reaction to the issue from this thread, or a completely unrelated change which happens to touch a similar topic?

  • roads
    roads
    Community Member

    Please bring back vault switching functionality without having to open the primary vault. I want to grant limited access. And no, I don't want user switching. Please!

  • @F30 : an unrelated change which happens to touch a similar topic. That change was in response to the fact that we were always unlocking and showing All Vaults as opposed to Primary.

    @roads : As Kevin mentioned in your thread, we're thinking hard about this problem. We have a couple ideas for how we can add something that would achieve what you used to be able to do here, and also more possibilities while being more obvious. We really hope that we can find a way to make everyone happy here.

  • c5yj3
    c5yj3
    Community Member

    You can add me to the list of folks that need a viable replacement for this feature. I used to maintain two vaults on a work-issued device; personal and professional. The professional vault password could be disclosed upon necessity without compromising personal accounts at the same time. There's no need to reiterate the current limitation.

    Just as an aside, synchronization to or use of a cloud-based service is not always an option for enterprises. Perhaps reviewing the architecture of true enterprise-grade password management systems - such as CyberArk or Lieberman - might lead you down the right path on how to handle multi-context vaults.

  • BeSafe
    BeSafe
    Community Member
    edited February 2016

    Plus 1

  • Thanks @c5yj3. I'll try to make time to check out CyberArk and Lieberman.

    Rick

  • jobwat
    jobwat
    Community Member

    Same here, I'd love that feature back :|
    Thanks

  • Thanks for the vote @jobwat. :+1:

  • MetroEast
    MetroEast
    Community Member
    edited March 2016

    Please add my voice to those who miss this feature.
    I have…
    The primary/master, which holds next to nothing.
    A work vault for work related info.
    A personal vault for personal info.

    I'm accustomed to selecting the vault from the web widget or at app launch, and unlocking only the vault I need.
    I prefer being able to escrow a password with our comptroller, that does not expose my personal accounts.
    Similarly, I need to be able to share a copy of my personal vault password with my spouse… should they need to access info in an emergency.

    Not about multiple users; it's about venue. I rarely need to switch between vaults, but when I do… I don't want to switch OS users to do so. (I'd rather not create another user.)

    Perhaps those scenarios are intended to be addressed in another manner. I'm willing to adjust, but I'm not liking it as is.

    Is 5.4.3 still an option for us?

  • OtherGuy
    OtherGuy
    Community Member

    I don't want to beat the dead horse here and certainly do understand that if a feature compromises overall security, it's worth removing it, but I did purchase 1Password and now I am in limbo.

    Are there possible alternatives 1password is planning to bring? Just from top of my head...

    a. separate isolated vaults with separate master passwords (I have a hard time believing this would weaken security in any way)
    b. encrypted entries inside the vault - in other words, being asked for a non-master (different) password when opening selected entries

    thank you

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited March 2016

    Please add my voice to those who miss this feature.

    @MetroEast: Absolutely! I'm sorry I missed your post! :(

    I'm accustomed to selecting the vault from the web widget or at app launch, and unlocking only the vault I need.

    I understand that's how you're accustomed to doing things, but this wasn't something we designed for 1Password to do (which was why this "feature" wasn't ever offered to the user).

    I prefer being able to escrow a password with our comptroller, that does not expose my personal accounts.
    Similarly, I need to be able to share a copy of my personal vault password with my spouse… should they need to access info in an emergency.

    Indeed, and this change doesn't prevent you from having a secondary (or primary) vault you share with others. When you set up new vaults for the purposes of sharing, you can (and should) use a different Master Password for them. That way you can avoid giving anyone else your Master Password, which you will still use to unlock 1Password on your own Mac. I've done this myself for a long time.

    Not about multiple users; it's about venue. I rarely need to switch between vaults, but when I do… I don't want to switch OS users to do so. (I'd rather not create another user.) Perhaps those scenarios are intended to be addressed in another manner. I'm willing to adjust, but I'm not liking it as is.

    I think there may be some misunderstanding. There's no need to switch to a different user account if you just want to access another one of your own vaults. Separate user accounts are really only appropriate for someone else to access different vaults (rather than giving them access to all of your user data on the system).

    Is 5.4.3 still an option for us?

    It is! You can download it from our update site if you don't already have a copy. Obviously this means you won't have access to features, improvements, and fixes in the current version, but if unlocking each secondary vault separately is more important to you, 1Password 5 will allow that.

  • AGAlumB
    AGAlumB
    1Password Alumni

    I don't want to beat the dead horse here and certainly do understand that if a feature compromises overall security, it's worth removing it, but I did purchase 1Password and now I am in limbo.

    @OtherGuy: I'm not sure I understand what you mean when you say you're "in limbo". If you can elaborate there may be something I can suggest that would be helpful. At the very least, knowing how folks like you use 1Password now and want to in the future can help us determine what we work on.

    Are there possible alternatives 1password is planning to bring? Just from top of my head...
    a. separate isolated vaults with separate master passwords (I have a hard time believing this would weaken security in any way)
    b. encrypted entries inside the vault - in other words, being asked for a non-master (different) password when opening selected entries

    Rick went into more detail about the background of this change earlier in the discussion, so I encourage you to check that out if you haven't already. But regarding your requests, while security is the priority, usability is right there with it.

    Now, some may scoff at that statement, given the heated discussion that we've been having here about an unintended "feature" being removed, but let's be honest: this wasn't something that most people used, would miss, or even knew existed. So while your suggestions are totally reasonable, they're really coming from a certain perspective that perhaps only folks inclined to participate in this sort of discussion would appreciate. Both would (presumably) fit your workflow (and perhaps others here as well), but neither provides any additional security, and both increase complexity (not only in the code, but also for the user).

    For instance, with multiple vaults with different Master Passwords that must be entered each time separately, or with separate passwords for individual items, how does locking work? Is there a separate timer for each of these? Separate preferences for each and every vault and item? Presuming that we could get that to work correctly and present it in the user interface, I'm not sure how to even begin trying to explain all of that to the average user, much less make it obvious so it doesn't require explanation (which is really the goal).

    Interestingly, 1Password for Windows, due to the architecture we used at the time of its original development, treats multiple vaults as "isolated vaults with separate master passwords", just as you suggested. Great, right? However, as a member of the team here at AgileBits, I can tell you from firsthand experience that "make vaults work like 1Password for Mac" is consistently one of the most popular feature requests from 1Password for Windows users.

    Even though it certainly came as some surprise to our Mac developers that this change (which removed the ability to unlock a secondary vault separately) has prompted such a passionate debate (by design, we don't know anything about our users, so we can't even try to track how many people might use a particular feature), I was even more surprised by this, given that folks on the Windows side (where I spend considerably more time than the Mac developers do) ask us for just the opposite.

    And regarding security, the most crucial element in any of our security is us as individuals. We can have all the technology and encryption and cool ways of controlling access to our sensitive data, but if we use a weak Master Password or give it away, that's it: we've undone ourselves. Similarly, the goal of 1Password is to have a single Master Password. That way we can make it long, strong, and unique enough to withstand attack...but we can also memorize it!

    Having more than one doesn't, in and of itself, make us less secure, but due to human behaviour (and the limits of human cognition), it effectively does. Someone is more likely to use weaker passwords when required to remember more than one. That is, after all, why 1Password exists in the first place: because that's what we used to do with our logins! We used to reuse passwords, or at the very least use rather predictable, short ones that were maximized for memorability and ease-of-input. Calling multiple passwords "master" is just using a different name for the same thing. So really we want only one. After all, if you can reliably remember two or more long, strong, unique Master Passwords, this is no more secure than combining them into a single awe-inspiring Master Password: you're literally memorizing the same information, but the sheer length can make it uncrackable.

    Now obviously if you're going to share a separate vault with someone else, you don't want to use that same incredible Master Password, since you never wanna give it up. But you can save its Master Password in your own primary vault (for safekeeping), and unlock 1Password itself using the mind-blowing Master Password that only you know. Given that we're all only human, this will continue to be more secure than trying to juggle multiple passwords. And that's why we're all using 1Password in the first place. :pirate:

  • OtherGuy
    OtherGuy
    Community Member
    edited March 2016

    By beating a dead horse, I mean describing the usage pattern - how I and many other users used 1Password in version 5. So I had a Secondary vault with daily normal passwords opened and unlocked, and a rarely opened and unlocked Primary vault with master password where, among many other things, I also stored recovery codes for 2FA - Google, GitHub etc... I accessed the primary vault extremely rarely, well almost never.

    I am in limbo, because I spent over $50 only and only to get this functionality. I was a long-term paid LastPass customer and switched to 1Password only for this reason.

    I really don't want to argue here. Having two separate vaults with two separate master passwords is not inconvenient at all if you rarely access one of the vaults. It's an optional feature some users might choose (perhaps not default and comes with some restrictions).

    I cannot speak to how many users used this feature in version 5 (a 5-page-long discussion tells me that I was not alone); let's be honest, it was so buried inside 1Password that not many people knew about it.

  • MetroEast
    MetroEast
    Community Member
    edited March 2016

    The link to sharing vaults is specific to opening the vaults on another machine (or another account?) via file sync of some sort.

    I am referring to the ability to access the vaults individually on the computer I use everyday.
    It would not be a daily occurrence, only in an emergency.

    The supposition–where I'm sharing a vault file via sync… would require additional accounts (for my spouse and employer) on my computer, or another install on a separate computer.

    I can manage setting up additional accounts on my computer. MetroEast does own 3 installs, but we'd rather not use them all for what was being handled with 1 install previous to this change.

    I'll be making another CPU account for my spouse, and testing this soon.
    I'm interested in how others handle my scenario. This can't be a unique situation.

  • Hi @MetroEast,

    MetroEast does own 3 installs, but we'd rather not use them all for what was being handled with 1 install previous to this change.

    This shouldn't require additional licenses, assuming I understand what you're saying. The licenses are not per-user-account, but per-device (and each license can be used on up to 5 devices in the same family).

    Rick

  • MetroEast
    MetroEast
    Community Member

    Thanks @rickfillion. I think my description got crossed a bit. We're planning to use additional accounts, to avoid using those licenses, and keep the essential function we've been enjoying. We could have an install for the comptroller or another designated PIC. However, an escrowed password for the vault works best for our policy environment. Another install would mean using a license, and in this case… solely for that special case access.

    If I can get other folks to use the software, we might be looking at teams.
    I will test local user vault sharing and report back.

  • Sounds like a plan, @MetroEast.

    Rick

  • MetroEast
    MetroEast
    Community Member

    I have success. Synced a vault with an account made for my spouse on my own machine.
    In /Users/[name]/Public/Drop Box/[Vault File]

    An extra step, but addresses my use cases. Should be fine for my work account as well.
    I'll get used to it.

  • AGAlumB
    AGAlumB
    1Password Alumni

    Thanks for following up! I'm glad that a separate user account is working for you. Definitely more secure than giving someone access to your main user account too, especially in a business environment. Cheers! :)

This discussion has been closed.