Individual unlocking of secondary vaults gone in 1Password 6

123457»

Comments

  • AGAlumB
    AGAlumB
    1Password Alumni

    @tracedef: It isn't a foregone conclusion. We're continuing to look at ways of doing this securely in 1Password, but, as you can probably imagine, it's a complex thing with a lot of factors to consider: locking, backup/restore, autosave, 3rd party integration, sync, "starting over" — any one of these could pose a privacy, security, or data integrity risk, depending on the use case, and that's just the tip of the iceberg. But, as a user, none of this should be your problem, which is why we need to carefully consider anything we do in this area. Thanks for letting us know that you're passionate about being able to unlock vaults sedately as well!

  • dale_s
    dale_s
    Community Member

    I'm a newer user to 1Password so I never got to use the [mis]feature that is the original subject of this thread, but please put in my vote for separately unlocking vaults. I use KeePassX/LastPass to keep multiple databases with separate passphrases for things like work, real important stuff like banking, and less important stuff like trivial websites. My thinking is that I shouldn't have to open up the creds for my checking account just to log in to Twitter. Mine is definitely not a multi-user use case. I think this may be the one thing keeping me from moving fully to 1Password.

    Thanks!

  • rmpel
    rmpel
    Community Member

    Hello all, especially 1Password developers,
    It has been almost a year and therefore was wondering if this feature is still on the to-do list :)

  • AGAlumB
    AGAlumB
    1Password Alumni

    @rmpel: We don't have any news on this front since there isn't a one-size-fits-all solution that seems like it would work for everyone, but it's something we think about a lot, especially as we hear from users about their specific use cases. It makes a huge difference!

    @dale_s: The bad news is that we really don't want to complicate things too much for normal users, resulting in a 1Password, 2Password, 3Password (and so on) explosion. But the good news it that it sounds like pretty much anything we do in this area will make a huge difference for you, both for your workflow and for simplify your current setup. Thanks for letting us know where you're coming from!

  • lotsofjoy
    lotsofjoy
    Community Member

    Still wanting this... badly. if there is no way to log in to vaults separately, I'm not even sure what the point of having them is in the first place. I actually went through the whole process of setting 4 different vaults up BECAUSE I assumed that they would be accessible separately from the main account. And was confused and shocked once I figured out that it didn't work that way. Pretty irritated that I wasted all that time.

    It's been a while... I know you guys can make this happen. PLEASE.

  • AGAlumB
    AGAlumB
    1Password Alumni

    Still wanting this... badly. if there is no way to log in to vaults separately, I'm not even sure what the point of having them is in the first place.

    @lotsofjoy: I think this is an "eye of the beholder" sort of thing, but for my money it's useful to have separate vaults so I can organize data to share with others. I certainly don't want to share all of the data I have in 1Password!

    I actually went through the whole process of setting 4 different vaults up BECAUSE I assumed that they would be accessible separately from the main account. And was confused and shocked once I figured out that it didn't work that way. Pretty irritated that I wasted all that time.
    It's been a while... I know you guys can make this happen. PLEASE.

    The 1Password apps have never had a notion of "personhood" or multi user support, so while it's something we're interested in doing in the future, it would require some pretty big changes to all of the apps to make it happen. And while it's good to know that you and others would like this feature, saying "make this happen" is much easier than working out all of the interactions and changes that need to be made to accommodate them. :blush:

  • Mavrick3321
    Mavrick3321
    Community Member

    I've been following this too, I haven't updated so we can still unlock with separate passwords. I get that each user on a computer should log in/out, but for our family computer we just always leave it logged in with one user and share it. So it would be nice to have separate users to separate our passwords. Anyway, thanks for considering this.

  • AGAlumB
    AGAlumB
    1Password Alumni

    Indeed. Obviously you probably trust your family members enough to share a user account (but not enough to share 1Password data), but we also want to take into consideration the use cases others have brought up, such as using this in a business setting with coworkers. I can't stress enough that sharing a user account at the OS level negates any perceived security benefit of 1Password supporting something like this, but certainly it would help usability. I'd just hate for anyone to think that 1Password could protect them from a privileged user since it would be trivial to install something malicious, even unintentionally.

  • dale_s
    dale_s
    Community Member

    The bad news is that we really don't want to complicate things too much for normal users, resulting in a 1Password, 2Password, 3Password (and so on) explosion.

    @brenty: Thanks for your reply! I think I get where you're coming from. I'd be happy to have the option well hidden. I am not above running a defaults command to enable it. ;)

    Do you all have any comments on my perception that my security is improved by keeping frequently-accessed but less important logins in one vault, while keeping seldom-accessed but more important logins in a second vault that must be unlocked separately from the first?

    As I said in my previous comment, every day I log into websites such as the AgileBits forum where the consequences of having my credentials to those websites compromised are relatively low. Contrast with my bank's website, where I only log in once or twice a month, but the consequences of having those credentials compromised could be relatively high. So far my thinking is that, even in the case of something like the exfiltration of my vault and master password via local keylogger, my second "high security" vault being locked 99% of the time at least increases the chance that I detect the local compromise before the attacker gets the key to my seldom-used second vault.

    I ask if you all have some thoughts on this because your company has presented some very well-reasoned arguments to contradict proposed threat models in the past, such as when people have questioned the security of the communication between 1Password Mini and browser extensions, or the wisdom of storing TOTP codes in 1Password. Perhaps someone over there has given thought to scenarios such as the one I'm presenting, but you've reasoned out that the improvement in security is too small to care about, or even non-existent? If this is the case, please share! I'm very open to having my mind changed on this point.

    (Having now mentioned TOTP codes, it occurs to me that having a mobile-only vault that holds my TOTP codes might also be nice! I might well trust the security of my iPhone over the security of my Mac, in fact, so maybe my "high security vault" should be only on my phone? But currently I don't think having one synced vault and one unsynced vault is possible on 1Password/iOS.)

  • tompave
    tompave
    Community Member
    edited February 2017

    Please don't lose hope.
    Brenty, August 2016

    Hey @brenty, this my periodic check. I hope that asking every six months is not a problem.
    How is it going with this? Are we any closer to finding an alternative?

    I'm still happily using 1Password 5, but I'm a bit tired of dismissing all the prompts to update to 6.x.y.

    The use case I described last time is still very much part of my daily workflow, and as a consequence upgrading is still not an option for me (and I've found that a few colleagues are thinking of downgrading like me for the same reasons).
    At the same time, I'm starting to worry that 5.x will stop working at the next certificate issue (I've read your company blog) or major macOS update.

    So, any good news?

  • AGAlumB
    AGAlumB
    1Password Alumni

    @dale_s: I'm really sorry I missed the notification for your post! :(

    Do you all have any comments on my perception that my security is improved by keeping frequently-accessed but less important logins in one vault, while keeping seldom-accessed but more important logins in a second vault that must be unlocked separately from the first?

    To me this sounds like you're talking about using a weaker Master Password for some of your "less sensitive" data, since if you're using an equally strong Master Password for each vault, the "less sensitive" stuff won't be any easier for you to access, or someone else to guess. And in either case, why not give all of your data the protection of your best Master Password, and eliminate the need to remember more than one? Certainly your key logger example is a concern, but I think it's far too optimistic to count on discovering it in time before you expose your "high security" data as well. And it seems doubly weird to have that kind of optimism whist simultaneously setting up your vaults based on this scenario. And that contradiction, along with the questionable security benefit and usability issues for the vast majority of users, is why this is something we haven't jumped on.

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited March 2017

    Hey @brenty, this my periodic check. I hope that asking every six months is not a problem. How is it going with this? Are we any closer to finding an alternative?

    @tompave: Thanks for checking in! Never a problem. It's good to know that this is a feature you'd like us to add, even if it isn't something we can offer you now.

    I'm still happily using 1Password 5, but I'm a bit tired of dismissing all the prompts to update to 6.x.y.

    I hear you. It seems like disabling the check in Preferences > Updates would be a better solution to your problem.

    The use case I described last time is still very much part of my daily workflow, and as a consequence upgrading is still not an option for me (and I've found that a few colleagues are thinking of downgrading like me for the same reasons). At the same time, I'm starting to worry that 5.x will stop working at the next certificate issue (I've read your company blog) or major macOS update. So, any good news?

    The only good news I can give you right now is that since 1Password 5 doesn't need the same entitlements as 1Password 6 does for some newer features, it doesn't use that type of provisioning profile — which is why it wasn't affected by that issue. But that was a very good question! I'm glad to hear that you're keeping up with the blog, and while I'm sorry I don't have something more to share, it helps to know that this is something that not only you are hoping for, but also some colleagues of yours, from the sound of it.

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited March 2017

    I just wanted to update the thread with some news. It isn't good news, but I'd rather give it to everyone straight than stringing anyone along with false hope. We've come to the conclusion that this just isn't happening.

    I can't go into much detail, but I'll say that we've spent a lot of time trying to work out how a "profile" feature could work in 1Password to allow it to be truly multi-user. It's something we were really excited about, actually. There were problems — both usability and security-wise — but we believed we'd be able to find solutions. That hasn't happened, and recently we've come to recognize that this just isn't something we can retrofit into an app that's been built from the start with a single user in mind, especially with regard to security.

    So while it remains an idea that many of us are passionate about, at this time it's not something we're going to continue to pursue. Perhaps it's something we'll revisit someday if we have the opportunity, but I want to make it clear that it isn't something we're going to do now or for the foreseeable future. I'm sorry that this is will be a huge disappointment to some folks — many of us included — but it just isn't feasible at this time, and instead of banging our heads against this wall we're going to focus on things that we can actually do to improve 1Password for the majority of users. Thanks for listening, and for your passion for the possibility of having 1Password be a multi-user app.

    R.I.P. OPM-4092

  • Steve6S
    Steve6S
    Community Member

    Hi. I'm late to the party. I wanted to say that even though my wife and daughter use my computer, they don't use 1Password to unlock anything. The use case for me is creating a very strong master password for my iMac and having a separate vault for less sensitive sites that I might want to view on my iPad or Android phone. For the latter devices, especially the phone, I have a lot of trouble entering the long password. Combined with the fact that I don't intend to view those sensitive sites from my phone is why I would like to have this feature. I don't want to beat a dead horse but am posting in case there is another way to address my issue. Overall, I really like the app!

  • AGAlumB
    AGAlumB
    1Password Alumni

    Thanks for letting us know. As I mentioned above, this isn't something we're pursuing right now, but if we revisit this in the future we can take your use case into account.

  • profbiggles
    profbiggles
    Community Member

    Hi @brenty - sad to hear the idea of some sort of profile support is being dropped. I'm still on v5 but maybe v6 with a Family subscription will kinda work for some of my case (sign in/sign out to flip access to different sets of info)... is there a way to run v5 and v6 concurrently so I can test - I'm guessing they'll have conflicting browser plugins, and maybe other bits?

    thanks.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @profbiggles: I hate to be the bearer of bad news, but I'd rather not string anyone along since it's been decided.

    I don't think it's possible to run multiple versions the way you're suggesting, as 1Password 4, 5, and 6 all use the same support folder (and therefore the same database). I've got all of these myself, but they're using the same data.

    That said, you could always use a separate user account at the OS level, and that would allow each user to have their own Master Password and data, along with being able to use the browser extension. A 1Password.com account does offer something that might be useful in your situation though: namely, the web interface. It won't allow the use of the browser extension, but different browsers could be set aside to provide easy access to different 1Password.com accounts' vaults.

  • profbiggles
    profbiggles
    Community Member

    Thanks @brenty. I'll probably give the 1password.com account a go and see if thats workable. The separate MacOS users is somewhat overkill/more overhead that what we'd like for our case at home... we've tried it a couple of times in the past and its always been a bit painful. We'll see how we go.

    cheers.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @profbiggles: I hear you. Personally, I really like having a separate user account from my family, as I'm a bit particular about how I like things setup. ;)

    Anyway, don't hesitate to start a new discussion and @ -mention me if you have any questions. :)

  • dodob
    dodob
    Community Member

    How the hell do you download version 5 then? If you aren't going to fix this might as well provide a link to the latest version of 5 so we can downgrade. There is no link anywhere for this version!

  • dodob
    dodob
    Community Member

    Also instructions on how to move data from version 6 that you don't want to fix to version 5.

  • dodob
    dodob
    Community Member

    @brenty Since you've given up on this issue can you at least link us with instructions on how to downgrade to version 5? How you import v6 data into v5?

  • AGAlumB
    AGAlumB
    1Password Alumni

    As Jacob mentioned on page one of this discussion, you can download pretty much any arbitrary version of 1Password from our update site. To regress to an earlier version, you may need to export your vault(s) and import them. Please keep in mind that this is untested and unsupported. 1Password is not meant to move backward in this fashion, and we have updated the database schema over time. So be sure to backup your data before attempting to do something like this.

  • tobyn
    tobyn
    Community Member

    I just don't want to unlock my online banking passwords in all the contexts where I might be fine unlocking my Reddit password.

  • AGAlumB
    AGAlumB
    1Password Alumni

    I hear you. But please keep in mind that entails brain- and muscle-memorizing multiple Master Passwords. For most people, that means using weaker passwords, since it's more work. So we recommend a single long, strong, unique Master Password — the very best you can manage — to protect all of your data, and we've designed 1Password accordingly since that's how most people use it. That way it's less trouble and the same good security for everything, without the fuss of deciding which level of security to assign to different things.

  • bearahu
    bearahu
    Community Member

    @brenty Can you advise on the best way to give limited access to some users. I don't want them to have their own mac logins nor their own vaults. I currently have a license purchased from agile bits. Do I have to move to a subscription (I'd prefer not to) in order to use guest access?

  • AGAlumB
    AGAlumB
    1Password Alumni

    Do I have to move to a subscription (I'd prefer not to) in order to use guest access?

    @bearahu: Yes. There just isn't any other way to accomplish something like permissions otherwise. The standalone app isn't multi-user, either technically or as far as licensing.

    Can you advise on the best way to give limited access to some users.

    The only way to do something similar with local vaults would be to create separate vaults for them and share them using Dropbox. But the only way they could unlock it is if you give them the Master Password. There's no way to do a key exchange using this method.

This discussion has been closed.