Questions about the effect of changing your Master Password

afwm
Community Member
edited April 2016 in Families

Hi, I was reading through the 1Password for Teams Security Design white paper (v.0.2.3) and I am wondering if there is ever any point to changing your Master Password? The section titled "Master password changes don't change keysets" says that even if you change your Master Password, anyone who obtains an old Master Password and Account Key combo can decrypt your data. In fact, it seems to me that changing your Master Password could actually make you less secure because you are just creating one more Master Password and Account Key combo that could be stolen and used to decrypt your data. Am I understanding this correctly, or am I way off base?

That being the case, if you want or need to change your Master Password, is there any way to do so that will render your old Master Password(s) unable to decrypt your data? I am thinking here of scenarios where you have used the same Master Password for a while, or you think of a stronger Master Password, or you think someone else might know your Master Password. What do you do in a situation like one of those where you want to use a new Master Password but you want the old one(s) to no longer be able to decrypt your data?



Comments

  • Megan
    1Password Alumni

    Hi @afwm,

    Wow! It’s awesome to hear that you’re reading the White Paper. Our security team will be thrilled to hear that - as you can probably imagine, a fair bit of time has gone into that. ;)

    And you’re right, generally our advice is to pick a strong and unique Master Password and never change it.

    Now, I know that it’s possible to re-encrypt your data using the standalone apps and a bit of a two-step that essentially re-creates the vault, but I’m not 100% sure of the process with 1Password for Teams and 1Password Families. So, I’ll ping one of our security gurus to give you a bit more of an in-depth answer. Someone should have an answer for you here soon.

  • iamecho
    Community Member

    @afwm @Megan Great question & I'm looking forward to reading the answer as I have changed my master password a few times over the years, most recently when I moved to Families in February.

  • afwm
    Community Member

    @Megan thank you! I will keep an eye out for a further response.

  • jpgoldberg
    1Password Alumni

    Excellent observation, @afwm (And thanks for reading the white paper!)

    As you've noted, 1Password (like many cryptographic systems such as PGP and SSH) uses the Master Password to decrypt encryption keys instead of the data directly. So even after a change of the Master Password, the encrypted data is still encrypted with the old keys, even though those keys are now encrypted with the new Master Password.

    Change can be good

    Despite the fact that a Master Password change doesn't guarantee Forward Secrecy, there can be some value in changing it. It depends on what you think an attacker may have captured. Oscar (the Opponent) can only use the "old" Master Password if he has a copy of the corresponding "old" encrypted personal keyset. So changing your Master Password doesn't defend you against an attacker who has already made a copy of the relevant parts of your data (or has some sort of access to old backups). And yes, if Oscar has both the old and the new data it means that he's got two things to take a crack at, so the change can make things weaker assuming that the new Master Password isn't stronger than the old one.

    But a far more common threat is where Oscar didn't plan ahead and save old data. If Alice uses the Master Password p@assw0rd123 on Monday, changes that to paradise paneling asunder parrot on Tuesday, and has her computer stolen on Wednesday; Oscar (the Opponent who stole Alice's computer) will be stuck cracking the new, stronger Master Password. So Alice's change of Master Password very very much helps her. (Note that this assumes, plausibly, that Oscar gets the Account Key with the computer he has stolen.)

    Forward Security in the rough

    Until we have forward secrecy working (something we very much wish to do, but I can't make any promises about), @Megan is right that the general notion for 1Password running locally is to create a new primary vault. It's not pretty, but it is possible.

    With Families it is both easier and harder to get the effect of encrypting under new keys. It all depends on what the attacker has from before the Master Password change. If the attacker has a complete history, including the "old" personal keysets, then you can go through the "Recovery" process. If Alice is a Family Organizer, and Bob's keys and password are thought to have been compromised, Alice can "recover" data for Bob. This will set Bob up with an entirely new keyset.

    Also keep in mind that whenever you create a new vault in a Family, it gets a new key created for it. So if you suspect that the keys for some particular vault have been compromised, you can create a new vault and move everything over from the old vault to the new one. That will have things encrypted with the keys for the new vault.

    So we like to encourage people to pick a good Master Password early on.

  • iamecho
    Community Member

    @jpgoldberg Thank you.

  • Jacob

    On behalf of Jeff, you're welcome. :)

  • afwm
    Community Member

    @jpgoldberg thank you very much for the excellent response!

  • khad
    1Password Alumni

    I'm always glad that jpgoldberg is on our side. :)

  • mjclemente
    Community Member

    Hello @jpgoldberg -

    I just want to make sure that I understand you correctly. If I want my data encrypted with new keys (and I'm using a 1Password.com account), the way to do this is:

    1. Change my master password
    2. Set up a new vault
    3. Move the data from the old vault to the new one
    4. Remove the old vault

    The data in the new vault would be encrypted with new keys, that are, in turn, encrypted with the new Master Password. Is that correct?

  • jpgoldberg
    1Password Alumni

    Hi @mjclemente.

    Yes and no. Any time you create a new vault (whether you have changed your Master Password or not) you create a new key for that vault. And so technically speaking the answer to your question is "yes".

    But when it comes to what you may be after, the answer is probably "no". This is because changing your Master Password does not change your personal keyset, it only changes how the secret part of your personal keyset is encrypted.

    So in your scenario, someone who somehow is

    1. Able to get an older copy of your personal keyset (one that is encrypted with the old Master Password)
    2. Able to decrypt that (say with the old Master Password and Account Key)
    3. Able to get a copy of the vault key that has been encrypted using your personal keyset
    4. Able to get the vault data

    would still be able to decrypt a vault that you have created after a Master Password change.

    Note that they will not be able to sign in to your account on 1Password.com with the old Master Password. Changing your Master Password will create a new SRP verifier. So an attacker with knowledge of your old Master Password would not be able to sign in.

    This actually nicely illustrates one of the subtle differences between encryption and authentication. Changing an authentication password has the effects that people expect; but as people are most accustomed to authentication passwords they also come to expect that changing an encryption password has the same sorts of consequences.
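
The key hierarchy discussed in the two answers above, as an added example that is not part of the thread and is not 1Password's code. It assumes a simplified model: the personal keyset is a single symmetric secret, the key derivation is plain PBKDF2 over the Master Password and Account Key, and a toy HMAC-based cipher stands in for real authenticated encryption; all function names and random values are constructed for illustration.

```python
import hashlib, hmac, secrets

def kek(master_password, account_key, salt):
    # Key-encryption key from both secrets (simplified stand-in for the real derivation).
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt + account_key, 100_000)

def _xor_stream(key, nonce, data):
    # Toy stream cipher: HMAC-SHA256 in counter mode. Illustration only.
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def wrap(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unwrap(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified data")
    return _xor_stream(key, nonce, ct)

def opens(key, blob):
    try:
        unwrap(key, blob)
        return True
    except ValueError:
        return False

def scenario():
    account_key, salt = secrets.token_bytes(16), secrets.token_bytes(16)  # constructed values
    old_kek = kek("p@assw0rd123", account_key, salt)
    new_kek = kek("paradise paneling asunder parrot", account_key, salt)
    keyset = secrets.token_bytes(32)          # personal keyset secret
    old_copy = wrap(old_kek, keyset)          # what Oscar saved before the change
    current = wrap(new_kek, keyset)           # password change: same keyset, new wrapping
    vault_key = secrets.token_bytes(32)       # vault created after the change
    wrapped_vault_key = wrap(keyset, vault_key)
    vault_data = wrap(vault_key, b"item added after the change")
    # Oscar with the old copy, old password and Account Key (steps 1-4 above)
    stolen_keyset = unwrap(old_kek, old_copy)
    leaked = unwrap(unwrap(stolen_keyset, wrapped_vault_key), vault_data)
    # Recovery creates a new keyset; vaults created afterwards are wrapped under it
    recovered_keyset = secrets.token_bytes(32)
    post_recovery = wrap(recovered_keyset, secrets.token_bytes(32))
    return {"leaked": leaked,
            "old_password_opens_current": opens(old_kek, current),
            "old_keyset_opens_post_recovery": opens(stolen_keyset, post_recovery)}
```

In this model the old copy of the wrapped keyset still exposes a vault created after the password change, the old password fails against the re-wrapped keyset, and only a new keyset puts later vaults out of reach of the old one.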

  • mjclemente
    Community Member

    Thanks @jpgoldberg ! I appreciate the detailed response.

    I guess the root of my question, then, is: how do I change my personal keyset? Is there any way to do this?

    That is to say, is there a way to set up a (new) vault where, if unlikely events 1-4 actually happen, the attacker would not be able to decrypt the vault?

  • jpgoldberg
    1Password Alumni

    I should have anticipated your question, @mjclemente. It was the natural next question.

    > how do I change my personal keyset? Is there any way to do this?

    If you are the only member of the Team who is capable of issuing recoveries then no. But if there is someone else who can, then you "forget" yours and go through the recovery process.

    During the recovery process you create a new personal keyset. So if you do that and then go and move things to newly created vaults you will get the effect you are looking for. It isn't pretty, but that is how things stand at the moment.

  • mjclemente
    Community Member

    @jpgoldberg ahh. Okay. Thanks.

    I have an individual 1Password.com account, so there's no one capable of issuing recoveries.

    I suppose the only option I'm left with, if that's what I want to do, is deleting my account and signing up again, correct?

  • AGAlumB
    1Password Alumni

    @mjclemente: Correct. You can delete your account from "My Profile" when logged into 1Password.com (it's all the way at the bottom of the page), and then create a new account. I hope this helps. Thanks so much for asking these questions! :)

This discussion has been closed.