Why am I unlocking my vault with the wrong password?

I signed up for Families after being a standalone user, and created a new master password in the process. Somehow after the migration, I continued unlocking my new Personal vault with my old standalone password. My question is, if the encryption is working as advertised, how can it be possible to unlock my vault with the incorrect password!? Notably, on the website it works as expected, requiring the new password and secret key.

I've noticed in the Mac Preferences dialog -> Advanced area, there is an option at the bottom to "Allow creation of vaults outside of 1Password accounts," which also says it will delete my local vault and thereafter require my 1Password account to unlock 1Password.

So it sounds like this is the option I need to use. By now I've almost forgotten my new master password as I so rarely use it (!), so I feel like I need to get this resolved. If anyone has some advice or explanation of what I might have done wrong, much appreciated.

1Password Version: 6.8
Extension Version: 4.6.6
OS Version: macOS 10.12.6
Sync Type: Not Provided


  • john_mjohn_m

    Team Member
    edited July 2017

    Hi @luv314159! It sounds like you still have a "local" vault on your Mac - this is a standalone vault that only exists locally on your Mac, and is not part of a subscription account. The "Primary" vault from a standalone licence setup is one of these. When a copy of 1Password for Mac has one or more local vaults present, it'll ask for the master password of the first local vault ("Primary") when unlocking. Removing all of the local vaults will switch the app over to the master password of the first subscription account membership that was signed in instead.

    If you've already migrated all of your standalone vault data over to your Families account, and are happy that your Families account now has everything you need, then unticking that "Allow creation of vaults outside of 1Password accounts" option you mentioned will start the process of removing the "Primary" vault. Unticking it, 1Password will ask for the master password you currently use to unlock the app; if that password is different than the master password of the first subscription account membership added to the app, you'll then also be asked for that membership's master password. The app will then switch over to using that membership's master password to unlock in the future.

    I hope that all makes sense! Let me know if there's anything else I can do for you :chuffed:

    (and regarding your username - who doesn't love pie?!)

  • Thanks John, I'm going to try that. Still not clear how it's possible for the local vault to decrypt the new vault -- does it have my password and secret key stored as a hidden entry?

  • john_mjohn_m

    Team Member

    I'm glad I was able to help, @luv314159! :+1:

    Being able to use a single master password to decrypt the access required to multiple other vaults is one of our best tricks! Essentially, a primary local vault will contain encrypted keys, which in turn are used as part of the decryption mechanism to secondary and tertiary vaults. I'll hold my hand up and say that personally, I know enough about the technical details of security to know that I'm not a security expert! So instead, let me refer you to a blog post written by one of our actual developer experts, which dives into the details behind a closely related trick with local vaults - how we "sync" master password changes, when we never store or transmit master passwords - it'll give you a good idea of some of the encryption key stuff that goes on between vaults inside 1Password: https://blog.agilebits.com/2015/04/28/how-1password-syncs-changes-to-your-master-password/

    Also, you may find this more recent blog post interesting as well: https://blog.agilebits.com/2017/06/07/be-your-own-key-master-with-1password/

    If you have more technical questions about our implementation here, let me know and I'll ask one of our qualified security folks pop in here to answer for you! :chuffed:

  • Thanks again John... I was able to transition to the new vault and delete my old local vault. Thanks for the links -- this stuff is super complicated!

  • john_mjohn_m

    Team Member

    No problem @luv314159, I'm always happy to help! :chuffed:

This discussion has been closed.