Individual unlocking of secondary vaults gone in 1Password 6

12467

Comments

  • seehadley
    seehadley
    Community Member

    Like others in this thread, I find the benefit of having multiple vaults shareable within a family limited by the fact that we all need to use the same password.

    -

    Could you help us understand a bit better? In my experience, one benefit of sharing a vault means that it can be setup as a primary or secondary depending on each person's preference.

    @brenty I have a single 1Password account for nearly every login my wife and I use, ranging from quite important to not that important. I spend more time at the computer and don't mind typing the long, complicated master password, but it's a chore for my wife and she doesn't use it frequently enough to remember it. So I set up a secondary vault with the 3 or 4 logins we share, gave it a secure but less complicated password she can remember and set it up on her Mac profile and her phone so she could use them.

    My use case is a primary vault with an extremely secure password, plus secondary vaults with less secure passwords. If my wife just needs access to 3 out of the 175 logins I have saved, and I have the ability to give her access to that subset, why is she subject to the same level of security as I am, having to remember (or write down!) a password that is overly complicated on purpose?

    I suppose I could buy my wife a license and then share logins with her. I don't mind paying money for a useful service, but I migrated to and purchased 1Password primarily for the ease of sharing, and I'm not happy about possibly having to purchase it again in order to reinstate the convenience that got me to sign up in the first place.

  • dszp
    dszp
    Community Member

    @seehadley [unofficial response] Your license is good for up to 6 users in the same household including the named user (for the Mac or Windows versions), so no need to buy an additional license. Also, if your wife uses a different Mac profile, she could simply unlock your secondary vault for herself, while you use that vault you share as a secondary that opens along with your primary. You'd use your primary password to unlock the primary and that secondary after adding it the first time (because the key to the shared vault would be stored in your primary vault). With your description, I don't see how this would fail to work just fine even with the feature change being discussed here, since your wife uses a secondary Mac profile; it would be an issue if she were to try and unlock just the secondary vault within your profile, unless I'm misunderstanding something.

  • ekontrec
    ekontrec
    Community Member

    I have mentioned earlier that I was affected by this change, and would like the functionality to return. However I didn't elaborate much on my use case. Very similar to others:

    I have a 8+ year old MBP that is running Yosemite (go ahead, laugh away - I am :)). It is a laptop with only one OS X profile/account that is shared by myself, the missus, and the kids. The reason for the single account is because it can get brutally slow to switch or open windows/apps/workspaces etc - thus not terribly efficient to even consider using fast switch user accounts.

    With the above in mind, I wanted to be able to implement a password manager solution primarily for my wife. I've been trying for months to get her on board because her password habits were atrocious. I was already at the time using LastPass premium to manage my own passwords but decided to cancel the annual renewal with them. Reason being that since I'm in Canada, my annual premium subscription of $12 USD (in today's lovely exchange ~$500 - jokes!) is only rising faster by the minute. The only thing that seems to be rising faster is Donald Trump's popularity.

    So I decided to take a stab at 1password. At the same time I finally started to get my wife on board. She was groaning at the first two websites that I made her change her passwords too. Then something freaky happened - she actually started enjoying logging into her various accounts and changing the passwords to something resembling alien text. I almost shed a tear! By the end of the night and a couple of hiccups where 1Password didn't detect a password change, she had mostly changed all her accounts that she regularly uses.

    I showed her how to log into 'her' master password by using the shortcut of ⌘2 (mine was ⌘1). It was a golden moment in my wife's frustratingly long journey in password hygiene. Passwords were changed. A process had been established. I could finally sleep at night. Life was good.

    Not long after that it all unravelled. I discovered one morning that the Mac App Store had detected a brand spanking new version of 1Password. The computer had to know that new always meant better right? So off we go to the store and automatically get the new version. I got a phone call later that day at work. The wife was flustered -

    Wife: "Husband, why can't I get into 1Password? The ⌘2 doesn't work"
    Me: "Wife, what do you mean it doesn't work? Are you pressing ⌘2 like I showed you?"
    Wife: "Husband, yes I am but it isn't switching to my vault. Only the primary vault shows"

    I started to get the sweats. I think I was eating my lunch at the time. I put my lunch down. It all started turning into a blur. I read that 1Password was now at v6. My pulse started to race. In my head the only thought I had was "Oh, here we go...". So at that moment, I did the only thing one in this predicament could do. I said to my wife "Sorry honey, I'm really busy at work - I gotta go". Click.

    So please guys, please, for the sake of my marriage (and every other dude's marriage who is in a similar predicament) and for sleepless nights - please try to get this functionality back securely and allow us to live in harmony :)

  • AGAlumB
    AGAlumB
    1Password Alumni

    @bdesham: Thank you so much! I'm trying to get a sense of how people are trying to use this for two reasons: 1 to recommend another workable option, and 2 to see if we can offer another option in the future.

    Here’s my use case: I use 1Password on my work computer. I have a personal vault and a work vault. It’s very important that my boss have access to my work vault in case I am “hit by a bus”, as the saying goes. Under 1Password 5 I could give my boss my work-vault password and he would be able to log in to just that vault. Now there’s no way for me to grant him access to my work passwords without also giving him access to all of my personal stuff! There’s no way for me to continue to use 1Password without either neglecting my professional obligations or else giving my employer all of my most sensitive personal information.

    The difficulty I'm having with use cases like this is it sounds like you're expecting your boss (and in other cases, family members) to access your physical computer, instead of simply having access to a shared vault in Dropbox for emergency purposes. This seems like a terrible idea to me for a few reasons:

    1. In order for them to get at anything in 1Password, they also need access to the computer itself
    2. This also gives them access to everything else stored on the machine that isn't encrypted separately
    3. At that point, there's nothing preventing them from getting into your computer even if you're never "hit by a bus"

    After all, you probably have some personal information that is not stored in 1Password (browser history, system logs, etc.) Anyone who could use 1Password the way you describe (by unlocking only a secondary vault) would also have access to all of this, and that just seems like a bad idea. Even if you trust this person, they are also now another potential attack vector (phishing, social engineering, manipulation, etc.)

    It seems that this behavior isn’t for everyone, but I would love it if my personal and work vaults could be completely separated: each has its own password and can only be unlocked by typing its password. I think it would be a mistake to lean on the “one password” branding so heavily that you push away the users who really do need to use multiple passwords for the multiple facets of their lives.

    This really isn't about branding. As Rick and I mentioned earlier, this was just not working as intended previously. It is much more secure to use a stronger single password that you never share with anyone than to memorize multiple weaker passwords. And if you're memorizing multiple strong passwords, you're at risk of either forgetting one or more of them, or if you can actually remember multiple strong passwords, they could be a single longer, stronger password instead, since that would make it more difficult to brute force. Separate Master Passwords do not strengthen each other. Only increasing the strength of any given password will help you better protect the data that it secures.

    So I guess what I'm saying is that for data that must be shared, using Dropbox* to share an individual vault with another person and giving them the Master Password only for that vault accomplishes what you're describing, and more securely. This way, they can access it on their own machine, which is more secure for you, and more convenient for them. They don't need your login credentials.

    *Even better would be sharing a vault using 1Password for Teams. Then they'll have their _own_ Master Password and Account Key (which makes it impossible to attack the Master Password), so you don't even have to give them yours. And access can also be easily revoked if needed.

    I guess my point is that vault charing continues to be an option, and is more secure than app-, device-, and account-sharing.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @brenty I have a single 1Password account for nearly every login my wife and I use, ranging from quite important to not that important. I spend more time at the computer and don't mind typing the long, complicated master password, but it's a chore for my wife and she doesn't use it frequently enough to remember it. So I set up a secondary vault with the 3 or 4 logins we share, gave it a secure but less complicated password she can remember and set it up on her Mac profile and her phone so she could use them.
    My use case is a primary vault with an extremely secure password, plus secondary vaults with less secure passwords. If my wife just needs access to 3 out of the 175 logins I have saved, and I have the ability to give her access to that subset, why is she subject to the same level of security as I am, having to remember (or write down!) a password that is overly complicated on purpose?

    @seehadley: Your wife isn't what you're trying to secure in 1Password; it's your data. That probably sounds like a silly thing for me to say, because of course you know that, but I think it's important to think of it in these terms. Security is no less important when your wife accesses something than when you access it. Having the Master Password written down in a safe place (literally, locked up) in case it is forgotten is much better than using a weaker password. After all, if you both use the same Master Password and vault, your data is secured, and you're covered if something happens to one of you. And give your wife some credit! I bet she can do it. ;)

    I suppose I could buy my wife a license and then share logins with her. I don't mind paying money for a useful service, but I migrated to and purchased 1Password primarily for the ease of sharing, and I'm not happy about possibly having to purchase it again in order to reinstate the convenience that got me to sign up in the first place.

    As dszp pointed out, a single 1Password for Mac license entitles you and up to 5 other family members in your household to use it. Definitely don't buy another license if you don't have to. I wouldn't! :pirate:

  • AGAlumB
    AGAlumB
    1Password Alumni

    +1 from me as well. My "master" vault is my own, and I have a secondary vault that is only for work. Unless doing personal business online at work, I much prefer to just limit myself to my work vault. For one thing, my master password is quite long and easy to mis-type, intentionally, but my work vault password is shorter. Still secure, but shorter.

    @jhhartley: This is a really difficult issue, because I know it's interrupted some folks workflow in an unpleasant way, and I'm sorry for that. However, the more I hear this use case, the more it affirms my belief that we did the right thing. Using a separate, weaker Master Password is not more secure than using a single long, strong, unique Master Password, with appropriate auto-lock settings to prevent someone getting into your vault, period. The alternative is just scary.

    Having a separate vault (and therefore its own Master Password) is crucial when sharing information that you've intentionally isolated. After all, if you're isolating 1Password data in a separate vault for security, you don't want to compromise by allowing access to the system itself, but you seem to be quarantining it from...yourself. In your case, someone would have to already have full access to the system in order to get into either vault, even knowing the Master Password.

    I don't think that I would consider 1Password for teams at the moment. Non after seeing how this issue is being handled: "we won't try to reintroduce it, but we might add something similar".

    @tompave: I'm sorry to hear it, but that's fine. Keep in mind that you can use 1Password 5 for as long as you wish if you prefer the old way of doing things and have no interest in 1Password for Teams. Your license will never expire. It's an option, but I don't want to encourage anyone to do this...

    I see what Rick was saying. However, if there were some "theoretical" and unexploited security issues in the way how you internally handled application state, perhaps a better solution would be to fix the problem rather than kill a popular feature. I only want to believe that the rework on this won't get deprioritised in order to give us more reasons to sign up for 1password for teams subscriptions...

    @Mirek Petricek: This is a totally understandable concern. And I'm sorry that this change has disrupted your workflow and given you the impression that this is some kind of scheme to move people to 1Password for Teams. That is absolutely not the case. In fact, secondary-vault-unlocking was never a feature we'd designed, but an unintended consequence of how locking worked in 1Password — in short, a bug. And now that we've fixed it, folks are letting us know that this is something they now miss. :(

    I don't think one needs a lot of imagination to figure out what is wrong with your suggestion. Obviously, when I set separate passwords to keychains and keep things separate it's done for a purpose. It doesn't really matter which keychain is the master - what we want is to be able to use them separately. Unlike phones, Macs are often shared devices in a family. Or event at workplace. It is very common that browser sessions are shared. Or I keep my private stuff separate from work-related vault (so that I can give emergency access to my colleagues when I am on vacation), etc.

    I really appreciate you elaborating, as I'd rather not make assumptions about anyone's setup if I can help it. Knowing the reality can help us offer suggestions and determine how we can improve things. While Macs are often shared, you clearly don't want to share everything or you'd be using a single vault. Because Macs (and PCs) are often shared devices, they have a built-in facility for separate user accounts, which allows not only customization, but also avoids some of the technical and security pitfalls of sharing all data. After all, if you're giving someone access to your account, they could do some damage, both accidentally and on purpose, and also pose a security risk. 1Password works great in a multi-user environment, since each user can have their own vault setup, and vaults can also be shared between them if needed — only the one(s) you want.

  • AGAlumB
    AGAlumB
    1Password Alumni

    I have mentioned earlier that I was affected by this change, and would like the functionality to return. However I didn't elaborate much on my use case. Very similar to others:
    I have a 8+ year old MBP that is running Yosemite (go ahead, laugh away - I am :)). It is a laptop with only one OS X profile/account that is shared by myself, the missus, and the kids. The reason for the single account is because it can get brutally slow to switch or open windows/apps/workspaces etc - thus not terribly efficient to even consider using fast switch user accounts.

    @ekontrec: I'm not going to laugh at this; I think you should get a medal or something. Maybe Guinness will be calling soon... :eh:

    This is actually an interesting case that I hadn't considered. I can only imagine that user account switching would be sluggish on that old Mac.

    With the above in mind, I wanted to be able to implement a password manager solution primarily for my wife. I've been trying for months to get her on board because her password habits were atrocious. I was already at the time using LastPass premium to manage my own passwords but decided to cancel the annual renewal with them. Reason being that since I'm in Canada, my annual premium subscription of $12 USD (in today's lovely exchange ~$500 - jokes!) is only rising faster by the minute. The only thing that seems to be rising faster is Donald Trump's popularity.

    You're killing me! :lol:

    So I decided to take a stab at 1password. At the same time I finally started to get my wife on board. She was groaning at the first two websites that I made her change her passwords too. Then something freaky happened - she actually started enjoying logging into her various accounts and changing the passwords to something resembling alien text. I almost shed a tear! By the end of the night and a couple of hiccups where 1Password didn't detect a password change, she had mostly changed all her accounts that she regularly uses.

    This is really beautiful. Perhaps only folks of a certain breed can get choked up about stories like this, where someone is enjoying the process of increasing their security. I think you've found the right audience here. :chuffed:

    I showed her how to log into 'her' master password by using the shortcut of ⌘2 (mine was ⌘1). It was a golden moment in my wife's frustratingly long journey in password hygiene. Passwords were changed. A process had been established. I could finally sleep at night. Life was good.

    Ut oh. I see where this is going now... :(

    Not long after that it all unravelled. I discovered one morning that the Mac App Store had detected a brand spanking new version of 1Password. The computer had to know that new always meant better right? So off we go to the store and automatically get the new version. I got a phone call later that day at work. The wife was flustered -
    Wife: "Husband, why can't I get into 1Password? The ⌘2 doesn't work"

    Me: "Wife, what do you mean it doesn't work? Are you pressing ⌘2 like I showed you?"
    Wife: "Husband, yes I am but it isn't switching to my vault. Only the primary vault shows"

    I started to get the sweats. I think I was eating my lunch at the time. I put my lunch down. It all started turning into a blur. I read that 1Password was now at v6. My pulse started to race. In my head the only thought I had was "Oh, here we go...". So at that moment, I did the only thing one in this predicament could do. I said to my wife "Sorry honey, I'm really busy at work - I gotta go". Click.
    So please guys, please, for the sake of my marriage (and every other dude's marriage who is in a similar predicament) and for sleepless nights - please try to get this functionality back securely and allow us to live in harmony :)

    Jeez. Well, I'm not even sure how to respond to that, other than to say it breaks my heart a little — especially after the earlier triumph. :cry:

    Thank you so much for sharing your story. I honestly wish that we hadn't allowed for this use case previously. It was a mistake, and it's upsetting that changing this is affecting people in this way. We have to try to be a bit detached about it, because it's unwise to make decisions based on emotion — especially when it comes to security — but you're making it real hard!

    1Password wasn't designed to be a multi-user application (it didn't even support multiple vaults for the first half of its existence). It was, however, designed with things like user switching in mind. And while it pains me to say this, I'm not sure it would be a good thing to design it to accommodate a case like yours, where the hardware effectively precludes the use of that function.

    It's important to remember is that while 1Password is a huge factor in our security, it is not the only factor (and shouldn't be). Secure practices are even more important, as it is possible to have all the right tools and not receive the full benefit if they are not utilized as part of an overall strategy. I think that it's easy to miss the bigger picture when focusing on the smaller details.

    Even when it's infeasible to use separate user accounts or share vaults with other people externally, that doesn't change the reality that it's less secure in general for everyone to use the same app in the same user account on the same Mac instead, and it's our job to help people be more secure, not enable insecure behaviour. I realize that you weren't doing this because you wanted to, so much as out of pragmatism, but it still applies.

    I sincerely hope that we'll be able to find other ways to help with this in the future, but for now the most realistic options are

    • Share an individual vault with someone else — whether that be on another computer or just a different account on the same one
    • Use 1Password 5, which allowed for secondary vaults unlocking separately

    I'm sorry that I don't have a more palatable suggestion — for you or anyone else here. :(

  • ekontrec
    ekontrec
    Community Member

    @brenty:
    I realize that my use case is one that can be considered an outlier. While similar to other folks in some aspects, both ⌘1 and ⌘2 vault passwords are strong. The secondary vault in my case is not intended to be a 'less' secure vault for sharing. They are the equivalent of the 'His' and 'Hers' bath towels hanging in the bathroom. I shouldn't touch hers, and she don't dare touch mine! HAHA

    Sure, one can argue that my security practices with regards to sharing one OS X or Windows profile on a computer is far from best practice. After 8 years I consider this laptop 'out to pasture'. However it still serves a purpose for our situation. It allows us to jump on it whenever we need to look something up or a quick poke around the internet. It is, for lack of a better term, a disposable machine. I don't keep sensitive data on it. Any data on there is at best transitory. If the hard disk died tomorrow, another would go in it's place and I would restore from Time Machine. If it were dropped and not salvagble, the only person that would probably be upset would be Lady Gaga in my iTunes library - boy I regret redeeming that Bad Romance song from the innards of a Coke bottle cap now!

    I happened to jump on the 1password bus just as the picking was ripe to take advantage of the multiple independent vaults. So that's what I've come to know in the product. And it worked for us.

    I reverted to using v5 the other day and the wife is happy that the switcheroo trick is back! Someone might be getting a foot massage/back rub tonight LOL.

  • F30
    F30
    Community Member

    And if you're memorizing multiple strong passwords, you're at risk of either forgetting one or more of them, or if you can actually remember multiple strong passwords, they could be a single longer, stronger password instead, since that would make it more difficult to brute force. Separate Master Passwords do not strengthen each other.

    Of course they don't, I don't see anybody suggesting that. But if people use different passwords for "multiple facets of their lives", as proposed by @bdesham, this at least limits the impact of a compromise to one of these facets.
    With your "single longer, stronger password" suggestion, you're omitting an important practical aspect: You don't just have to remember that one, you also have to enter it every time.

    However, the more I hear this use case, the more it affirms my belief that we did the right thing. Using a separate, weaker Master Password is not more secure than using a single long, strong, unique Master Password, with appropriate auto-lock settings to prevent someone getting into your vault, period. The alternative is just scary.

    Multiple levels of security don't make sense if you can have the maximum level for everything at no cost. The thing with passwords is, they do cost something – you have to enter them over and over (and also remember them).
    So I think it's perfectly reasonable to have a vault with a high security level (because of a strong password) for sensitive and seldom-needed items, and one with a lower security level (and weaker) password for everyday items. This of course doesn't provide the highest possible security for these items, but after all, practical security is all about trade-offs.
    The obvious practical alternative would be to use the weaker password for all items, which clearly weakens overall security.

  • AGAlumB
    AGAlumB
    1Password Alumni

    And if you're memorizing multiple strong passwords, you're at risk of either forgetting one or more of them, or if you can actually remember multiple strong passwords, they could be a single longer, stronger password instead, since that would make it more difficult to brute force. Separate Master Passwords do not strengthen each other.

    Of course they don't, I don't see anybody suggesting that.

    @F30: I think you may be referring to the last sentence there. I've seen folks implying this, and of course many others are talking about using weaker passwords for secondary vaults (so they don't have to memorize multiple strong ones). That's mainly what I'm getting at; and that's why we're encouraging people to use one really good one.

    But if people use different passwords for "multiple facets of their lives", as proposed by @bdesham, this at least limits the impact of a compromise to one of these facets.
    With your "single longer, stronger password" suggestion, you're omitting an important practical aspect: You don't just have to remember that one, you also have to enter it every time.

    If you only have to remember and enter one, it becomes much easier. You can get the muscle memory down and enter it quickly. With multiple passwords (especially strong ones, which are critical to security), you're going to have misfires: times where you're entering a password correctly, but it's the wrong one. That slows things down just as much as anything else, and is also frustrating.

    Multiple levels of security don't make sense if you can have the maximum level for everything at no cost. The thing with passwords is, they do cost something – you have to enter them over and over (and also remember them).

    Exactly. Which is why having a single one to remember and enter over and over is great.

    So I think it's perfectly reasonable to have a vault with a high security level (because of a strong password) for sensitive and seldom-needed items, and one with a lower security level (and weaker) password for everyday items. This of course doesn't provide the highest possible security for these items, but after all, practical security is all about trade-offs.

    The obvious practical alternative would be to use the weaker password for all items, which clearly weakens overall security.

    I understand the appeal, but really you're making more work for yourself when you're asking your brain to remember more than one, and asking your fingers to be at the ready to enter either depending on the context.

    I can't speak for anyone else on this last point, but what you're describing is essentially what 1Password saved me from doing in the first place: remembering and entering multiple passwords, some more secure than others based on their use.

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited January 2016

    I realize that my use case is one that can be considered an outlier. While similar to other folks in some aspects, both ⌘1 and ⌘2 vault passwords are strong. The secondary vault in my case is not intended to be a 'less' secure vault for sharing. They are the equivalent of the 'His' and 'Hers' bath towels hanging in the bathroom. I shouldn't touch hers, and she don't dare touch mine! HAHA

    @ekontrec: Ah, understood. Thank you again for this extensive feedback! It helps tremendously! :chuffed:

    Sure, one can argue that my security practices with regards to sharing one OS X or Windows profile on a computer is far from best practice. After 8 years I consider this laptop 'out to pasture'. However it still serves a purpose for our situation. It allows us to jump on it whenever we need to look something up or a quick poke around the internet. It is, for lack of a better term, a disposable machine. I don't keep sensitive data on it. Any data on there is at best transitory. If the hard disk died tomorrow, another would go in it's place and I would restore from Time Machine. If it were dropped and not salvagble, the only person that would probably be upset would be Lady Gaga in my iTunes library - boy I regret redeeming that Bad Romance song from the innards of a Coke bottle cap now!
    I happened to jump on the 1password bus just as the picking was ripe to take advantage of the multiple independent vaults. So that's what I've come to know in the product. And it worked for us.
    I reverted to using v5 the other day and the wife is happy that the switcheroo trick is back! Someone might be getting a foot massage/back rub tonight LOL.

    I can't decide who's doing the massaging in this scenario, and can only hope it's reciprocal. :lol:

    Anyway, I'm glad to hear that all is well using 1Password 5 again, and I really appreciate you following up with that description. I'll sleep better at night knowing that you've considered the risks for your particular situation and tailored your security setup accordingly. I think that's perhaps the most important thing, but also the most difficult, because it's situational.

    Much like there's information we don't store in 1Password at all (in the extreme case) because its exposure is not deemed disastrous (but perhaps merely an inconvenience), using an old "disposable" Mac in single-user mode to store non-critical data for easy access is a sound strategy that manages risk. I like it.

    And of course you'll sleep better now that you're wife's happy. ;) :+1:

    I talked with a few of my colleagues about all of this yesterday, and there are some good possibilities. Again, we're not talking about bringing back the secondary vault unlock "feature" so much as filling the need with something better, which may also be useful to even more people.

    In the mean time, 1Password 5 is still available for you and anyone else that wishes to use it. We're simply not willing to move forward with that bug intact because it isn't without its risks. But you won't be any worse off using it now than you were previously, so it's your call. It's just not something we want to encourage.

  • F30
    F30
    Community Member

    I understand the appeal, but really you're making more work for yourself when you're asking your brain to remember more than one, and asking your fingers to be at the ready to enter either depending on the context.

    Which works fine for me, as I have to remember and enter multiple passwords anyway: 1Password won't work for everything, so my login password, iPhone passcode, SSH key passphrases, root passwords for different servers etc. are all entered from my head during every-day usage.
    I don't use 1Password as my guarantee for really only having to remember one single password, but rather as a tool for not having to remember hundreds of passwords for every website.

  • battlesman
    battlesman
    Community Member

    @brenty My wife has passwords I can't/don't want access to. Yet I'm the main user on my Mac; she only uses it occasionally, since she uses her iPad primarily. What's the best way to accomplish this, you think? It worked perfectly under version 5. Maybe I should go back to 5? Wait, it's no l

    @Mirek Petricek gets the idea. We use and need separate accounts.

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited March 2016

    Which works fine for me, as I have to remember and enter multiple passwords anyway: 1Password won't work for everything, so my login password, iPhone passcode, SSH key passphrases, root passwords for different servers etc. are all entered from my head during every-day usage.
    I don't use 1Password as my guarantee for really only having to remember one single password, but rather as a tool for not having to remember hundreds of passwords for every website.

    @F30: Well, I prefer to have 1Password remember these for me even if it can't fill everything, but I see your point. :)

    My wife has passwords I can't/don't want access to. Yet I'm the main user on my Mac; she only uses it occasionally, since she uses her iPad primarily. What's the best way to accomplish this, you think? It worked perfectly under version 5. Maybe I should go back to 5? Wait, it's no l
    @Mirek Petricek gets the idea. We use and need separate accounts.

    @battlesman: Indeed! Having a separate user account to switch to is a great idea. There are other benefits there for you and her too (preferences, bookmarks, other apps, Dock, etc.), in addition to having the preferred vault setup for each of you. For example, it sounds like your wife only needs one vault (which would be her primary); whereas you may have yours and then hers as a secondary — or only yours in this scenario. Alternatively, you can download the old version from our update site. I just know that my wife and I enjoy having completely different setup from each other and not worrying about the other moving things around. ;)

    Edit: Fixed a typo.

  • chinamax
    chinamax
    Community Member
    edited January 2016

    Another vote here to return the functionality discussed here to 1Password ASAP. Like others here I will be downgrading to the Agilebits store version, which will screw up the synching on my office computer. But at least my staff there will not have access to my passwords.

    Agilebits has been a great software company, and even with this misstep I'm a loyal 1password user. And I hope you guys will get this fixed soon.

    I need this as I have my personal passwords in one vault, and passwords for sites related to my business in another. I want my front desk person to have access to the passwords for the business.

    I know you now have a Teams approach as well for 1password. But I don't need that kind of complexity. I simply need a vault that is a small subset of my passwords.

  • udowski
    udowski
    Community Member

    @brenty (in response to January 26):

    My usecase is as follows: We have one Mac. We are 3 family members. I am responsible for administrating the Mac. For each family member I installed one account on the Mac.

    Each family member is using 1Password and has his own (primary) vault in his Mac account. Passwords and software license codes which are necessary to know for all family members, I put in a secondary vault "For all". This secondary vault is synchronized across all Mac accounts, leading to following structure:

    • My Mac account: My primary vault (I know that password) - "For all" secondary vault (I know that password)
    • Mac account of my wife: My wife's primary vault (I don't know that password) - "For all" secondary vault (I know that password)
    • Mac account of my child: My child's primary vault (I don't know that password) - "For all" secondary vault (I know that password)

    When administrating the Mac, I often face the situation that I need to have access to software license codes or some passwords while being in the account of my wife or my child. Some examples:

    • I installed a software, were I cannot enter the license code on the Mac level but have to enter it for each Mac account.
    • I want to change the password of our family's email account. Then I will have to change the password in the Mail application in each Mac account.
      In these situations, I go to the Mac account of my wife or my child and open the "For all" secondary vault, and then I have access to all passwords and software license codes which I need for administration. I cannot open this secondary vault via the primary vault, as I don't know the password of the primary vault.

    As seehadley said, 1Password for Teams may be a solution, but I would not pay a monthly fee for a family size team.

  • AGAlumB
    AGAlumB
    1Password Alumni

    Another vote here to return the functionality discussed here to 1Password ASAP. Like others here I will be downgrading to the Agilebits store version, which will screw up the synching on my office computer. But at least my staff there will not have access to my passwords.
    Agilebits has been a great software company, and even with this misstep I'm a loyal 1password user. And I hope you guys will get this fixed soon.

    @chinamax: Thanks for the encouragement and feedback! We're looking at some options there.

    I need this as I have my personal passwords in one vault, and passwords for sites related to my business in another. I want my front desk person to have access to the passwords for the business.
    I know you now have a Teams approach as well for 1password. But I don't need that kind of complexity. I simply need a vault that is a small subset of my passwords.

    I do also want to reiterate though that this gives someone else access not to only a single vault, but the computer itself. 1Password for Teams is useful in scenarios like this because you could share a single vault with another person without them needing to install an app, and without giving them access to anything else — they can simply access it on their own computer using just their web browser.

  • AGAlumB
    AGAlumB
    1Password Alumni

    My usecase is as follows: We have one Mac. We are 3 family members. I am responsible for administrating the Mac. For each family member I installed one account on the Mac.
    Each family member is using 1Password and has his own (primary) vault in his Mac account. Passwords and software license codes which are necessary to know for all family members, I put in a secondary vault "For all". [...]
    As seehadley said, 1Password for Teams may be a solution, but I would not pay a monthly fee for a family size team.

    @udowski: Thanks for laying that out for me! I can't argue with that. It actually sounds like you have an ideal setup with a single sync-it-yourself license for your family. From your description, it sounds like this setup is working well for you for the most part, since each family member has their own personal vault/password on their own user profile and free access to the "For all" vault...

    In these situations, I go to the Mac account of my wife or my child and open the "For all" secondary vault, and then I have access to all passwords and software license codes which I need for administration. I cannot open this secondary vault via the primary vault, as I don't know the password of the primary vault.

    But this seems to be the crux of the matter. I'm not sure what the long-term solution for this specific use case will be, but we'll continue to explore different options.

  • martin1p
    martin1p
    Community Member

    Bit late to the party but wanted to +1 the other feedback that this is a big regression in functionality. With the amount of data we’re encouraged to include in password managers I’m surprised that ways to segregate and layer security are being removed (and no apparent intention to replace).

    For me it’s simple - I don’t want the password that I use for everyday logins to also be able to unlock bank or other information I deem more sensitive. It's the same way that I wouldn’t want my front door key to open my safe - no matter how secure that key was supposed to be.

    I like the product but this is a breaking change for me. All I need to be able to do is close a vault and open another one, which as far as I know this is how it works on Windows. Now Windows, Mac and Android all have different (or no) support for multiple vaults - the intended direction seems unclear.

  • qw3r
    qw3r
    Community Member

    Hi!

    Using 1Password 5 i was able to choose which vault I want to open (by pressing cmd-1, cmd-2, etc when looking at the password/unlock screen).
    Using the primary master password and unlocking the primary caused all my vaults became opened. By selecting an other vault and typing in its master password I unlocked that (and only that) vault. So at work i opened my "work" vault, but since 1Password 6 I can't do that. It's a little bit of a step back for me, as my private (primary) vault contains all my credit/account/personal information i don't want/need to access at work.
    Is there a way, i'm clearly missing, to make it work like the previous version? Should I downgrade?

    (I hope I managed to explain my problem.)


    1Password Version: 6.0.1
    Extension Version: 4.5.3.90
    OS Version: OS X 10.11.3
    Sync Type: Dropbox

  • Stephen_C
    Stephen_C
    Community Member

    @qw3r as there's a very long existing thread relevant to the issue about which you've posted I merged your post with that thread.

    Stephen

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited January 2016

    Is there a way, i'm clearly missing, to make it work like the previous version? Should I downgrade?

    @qw3r: Sorry for the confusion! The previous 'separate-unlock' capability was actually a bug that turned into a feature that some folks were apparently very happy with. Given the feedback we've received about this these last few weeks, we're exploring ways to enable similar functionality. You can, of course, get 1Password 5 from our update site.

    I like the product but this is a breaking change for me. All I need to be able to do is close a vault and open another one, which as far as I know this is how it works on Windows. Now Windows, Mac and Android all have different (or no) support for multiple vaults - the intended direction seems unclear.

    @martin1p: This is an interesting point, since 1Password for Windows users have been requesting that we do the opposite for years. Obviously, it isn't possible to please everyone, so we need to focus on doing the most good for the greatest number of people. I'm sorry that this change has interfered with your workflow.

    But it's important to note that from the beginning 1Password was designed with a single Master Password in mind. That is, after all, where we got the name originally. Unlocking the app itself to access all data within using a single Master Password is how it will continue to work going forward by default, but we have some ideas on how we might add a clear, secure, and flexible option for those who want to have more separation between vaults. This, however, would be (similar to the relatively recent multiple vaults feature itself) geared more toward power users (or families and businesses), as we don't want to simply keep increasing the complexity.

  • qw3r
    qw3r
    Community Member

    Thank you for the answer @brenty! I'll stick with version 6 and wait for the "bug" reintroduced as a feature! :)
    @Stephen_C Thanks for moving my question, sorry i didn't notice that there's already a relevant topic open.

  • AGAlumB
    AGAlumB
    1Password Alumni

    Indeed. I'm really sorry that an issue we introduced had this second life, and that addressing it has left you and others in a bind. And no need to apologize about the organizational issue. That's our job. I know Stephen_C just didn't want to move it without mentioning why. ;)

  • martin1p
    martin1p
    Community Member

    Thanks @brenty - I’ll downgrade for now too. I’m very happy for the the nested Vault approach to be the default but don’t see why it should be the only option. I know you’re called 1Password but once you start using multiple vaults across devices I can’t see how you can avoid remembering multiple passwords.

  • tjparnell
    tjparnell
    Community Member

    Hi. Just registered an account now so that I too can add my name to the list of requests to have separate vault unlocking. Like others above me, I have a personal vault shared with my spouse and a work vault for professional stuff. I don't like unlocking personal stuff at work; I like to keep things separate. If only you guys offered "2Password" to maintain v5 functionality (even if it was a bug, it was an incredibly useful and handy bug!). I'll deal with it for the time being, but please consider re-implementing this feature!!!! Looking forward to that future 6.x release!

  • AGAlumB
    AGAlumB
    1Password Alumni

    Thanks @brenty - I’ll downgrade for now too. I’m very happy for the the nested Vault approach to be the default but don’t see why it should be the only option. I know you’re called 1Password but once you start using multiple vaults across devices I can’t see how you can avoid remembering multiple passwords.

    @martin1p: I couldn't agree more. "Password creep" can really get me down sometimes too, and that's one of the things I like most about 1Password for Teams: I truly have a single Master Password for all of my vaults there. :pirate:

    I'll deal with it for the time being, but please consider re-implementing this feature!!!! Looking forward to that future 6.x release!

    @tjparnell: Glad to have you join us in the forums! I only wish it were under happier circumstances. Rest assured that we've been having a lot of discussions about this. While I can't promise anything yet, we're keen on finding a good solution for folks. Thanks for your patience! :blush:

  • josbigorange
    josbigorange
    Community Member

    +1 for restoring this functionality somehow as soon as possible

  • Thanks for the feedback, @josbigorange.

    Rick

  • LRT
    LRT
    Community Member

    Hi, I used this feature as a way to separate my personal and work logins on the same mac. So I would use my main password and vault on a personal user account on the mac and the secondary vault and secondary password on my work user account on the same mac. That let me and others use my machine to log in to the work user account and work 1Password vault and only have access to work related passwords.

    I would welcome the feature coming back.

    In the meantime I want to keep using a similar workflow if possible. What I'm thinking is that I'll delete 1Password from the work user account and set it up again as a fresh install, with my work passwords now in the primary vault in that user account. I believe my licence allows this right?

    Can you please tell me how to safely uninstall 1Password from the work user account without deleting the app for all users on the mac and reinstall it as a new separate instance of the application in the work user account.

    Thank you.

This discussion has been closed.