Master Password Sync Issue

Hi @robbski,

It looks like you've done some great research here, so I'm not sure I can say anything that you haven't already read. I do apologize for the frustration here, and I wish I had a more definitive answer for you.

At this time, we are investigating reports of changes to the Master Password not syncing properly across devices. Our developers have a few ideas of where things are getting tangled up, but we haven't quite gotten it solved just yet. A workaround that has been suggested is the following:

• Use old Master Password on iOS
• Make sure you're up to date sync-wise (do an item change on your Mac and make sure you see it on iOS)
• Background the iOS app (but do not terminate it!)
• Foreground the app, such that it asks you for a Master Password
• Use the new Master Password

The reason that this works is that: on start up of the iOS app, the sync system doesn't have the context needed to know to go looking in the agilekeychain for the new Master Password. We only swap the password in your local profile after you have tried to use the new Master Password and we've been able to validate it against the remote profile. If it works there we swap the local password for the new one.

If this workaround does not work for you, you will need to manually update your Master Password on your devices - we want the Master Password to be the same everywhere.

We'll do what we can to have this issue properly resolved for you soon!

ref: CSI-5

2old4fun is correct in that the actual Master Password is not ever synced anywhere. This is not anywhere near a perfect analogy, but: it is the lock, not the key, that is synced.

Hi @robbski‌

I think it's about the precise terminology and how we use it here. Only you know your Master Password - it isn't stored. So bwoodruff isn't misleading you when he says your actual Master Password isn't synced anywhere. Your Master Password though doesn't actually decrypt all of your data in the strictest sense. In terms of the agilekeychain, your Master Password decrypts a single, small file called encryption.js and this small file holds several strong keys. These internal keys don't change when you change the Master Password, but 1Password encrypts the contents of this file using your new Master Password and overwrites the old version. Now these keys are stored both locally and in the sync copy as without them you couldn't decrypt your vault. What should happen (I know, I've used the word should) is that each copy of 1Password should test to see if it has changed and here is where the bug most likely is (I say that as an outsider to the actual development). It doesn't stop you synchronising though as the keys that encrypt your synced data haven't changed and the local version will work. So when Megan said:

we are investigating reports of changes to the Master Password not syncing properly across devices.

She was merely trying to avoid a much longer post describing encryption.js and it's role, which for many people may be just too much information. So while your Master Password isn't synchronised, a file that has been encrypted using it as the key has been and if all the devices recognise the change then the keys locally will be encrypted using the new Master Password and essentially your Master Password has synchronised (in a way).

Manually changing your Master Password on each device is just a workaround until the bug can be neutralised. If you were to erase all data and settings from within 1Password and set up syncing you would find it would require the new Master Password.

Why do we have the encryption.js file at all? It's all about key strength. The more data you need to encrypt with a single key, the stronger you need the key to be. So we encrypt your data (which is always going to be larger in size) using randomly generated, strong keys and then encrypt the much smaller file that holds those keys with your Master Password. I won't lie, I'm no expert in encryption so if you need something in more depth I'll have to ask somebody else in on this discussion. I know just enough though to know this is a good system.

Does that help?

Hi @robbski‌ I know it should seem simple but sometimes synchronisation is just a pain in the ass. Our devs are working on isolating exactly why it isn't working and getting it working, if for no other reason than it not working annoys them :wink:. So at some point in the future the synchronised encrypted keys will work as intended and you shouldn't need to manually change each device. As far as bugs go though at least this one has a reasonable workaround until that day. I hope you keep enjoying 1Password :smile: