Changing Master Password

tommyent
Community Member

If I regenerate my account key and change my master password I assume it just re-encrypts the encryption keys.
If so how are backups of the encrypted encryption keys handled? Or I should say how long are they kept for?


Comments

  • Hi @tommyent! Great question. Changing the Account Key or Master Password only updates the Master Unlock Key, which isn't backed up anywhere since it's generated from the combination of your Account Key and Master Password. If you'd like to learn more about the Master Unlock Key and how this works, we have a Security White Paper detailing everything. You're welcome to read that, or ask any other questions you have here. It's a lengthy read, but you'll find more details about this subject on pg. 48. :glasses:

  • tommyent
    Community Member

    Sorry, I understand; perhaps my question was not worded properly or technically enough. So yes, the key and pass make up the MUK, which encrypts the keys. Now if I change the master pass and regenerate a key, I have a new MUK for the keys. My question is: your system backups would cover encrypted key pairs. How long would they be kept for? 30 days? A year? My concern is old backups with encrypted keysets using the old MUK sitting around somewhere. However, I know you need to have backups. Hope that makes more sense.

    Anyway in reading page 48 I found this

    "Thus an attacker who gains access to a victim's old personal keyset can decrypt it with an old Master Password and use that to decrypt data that has been created by the victim after the change of the Master Password."

    Hope this is not right. Technically they would need the MUK which is both the Master Password and Account Key. Right?
    Anyway the example is kind of what I am talking about. I'm concerned about old encrypted keysets.

  • AGKyle
    1Password Alumni

    Hi @tommyent

    We keep backups for 35 days. So, if you change your master password, which generates a new Master Unlock Key, the keyset encrypted with the old Master Unlock Key will stick around in the form of database backups for ~35 days.

    The quote you provided is correct.

    We don't store the Master Unlock Key anyway; remember, it's derived from your Account Key and Master Password. Someone would need to acquire those two pieces, or brute force the Master Unlock Key. Both of which are going to be difficult since literally none of that is ever sent to us. So, assuming someone were to acquire an old copy of the keyset, encrypted with an older Master Unlock Key, they'd still need to get the other two pieces from you.

  • tommyent
    Community Member

    The quote would actually be incorrect from what you are saying. The master password is one piece of the MUK. The quote from the docs says

    "can decrypt it with an old Master Password"

    implies it's as simple as the master password. However you would need the account key as well. So the docs would be wrong. Without the account key there is no MUK so it would come down to brute force.

    That being said, it looks like you have a different policy for keysets and actual password data. The last I remember getting an answer, it was that password data was stored indefinitely until you figured things out. Do you separate tables on backups?

    I'm not trying to be difficult but if I see something I want to ask to make 1Password stronger for everyone.

    My opinion would be keeping old encrypted key pairs for 35 days seems extreme. I can see why but it would be nice to delete them right away even though it may be a rare case.

  • jpgoldberg
    1Password Alumni

    Thank you. Yes. It will require both the Master Password and the Account Key to decrypt an "old" personal keyset.

    If, however, the attacker obtains the encrypted personal keyset from your device, we should assume that they also obtain the account key.

  • tommyent
    Community Member

    True, but this would not be the case if they were stolen from your production or backup servers. AgileBits is going to be a much bigger target and attack surface than my personal devices.

    Which brings me back to my original concern. Mostly I was just curious because when deleted items were discussed it was (last time I read) indefinite. Unfortunately kids (even adults) do stupid things like share an Account Key and master password or trust the wrong person. Just don't like the thought of old keys sitting on a server somewhere.

    Perhaps a bit paranoid :p

  • jpgoldberg
    1Password Alumni

    "True, but this would not be the case if they were stolen from your production or backup servers. AgileBits is going to be a much bigger target and attack surface than my personal devices."

    Yep. And after all, that is the primary reason for the Account Key. I will get this fixed in the next release of the white paper. Thanks!

    "Just don't like the thought of old keys sitting on a server somewhere."

    I understand. And until we have a master password or account key change lead to actual rekeying, this will remain a concern. But it isn't a big enough concern so as to prevent us from being obsessive about making backups.

This discussion has been closed.
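
The point the thread settles on (a credential change re-wraps the keyset rather than rekeying it, and the old wrapped copy needs both old secrets to open) can be shown with a small model. This is an added example, not 1Password's code: the key derivation and the cipher are simplified stand-ins, and every name and value in it is constructed for illustration.

```python
import hashlib, hmac, os

def derive_muk(password, account_key, salt):
    # Simplified two-secret derivation (assumption): both inputs are required.
    pw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    ak = hmac.new(salt, account_key.encode(), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pw, ak))

def _stream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    # Toy encrypt-then-MAC standing in for a real AEAD; not for production use.
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None  # wrong key: authentication fails
    return bytes(c ^ s for c, s in zip(ct, _stream(key, nonce, len(ct))))

def simulate(rekey_on_change):
    salt = os.urandom(16)
    old_pw, old_ak = "old master password", "OLD-ACCOUNT-KEY"  # constructed values
    new_pw, new_ak = "new master password", "NEW-ACCOUNT-KEY"  # constructed values
    keyset_key = os.urandom(32)
    backup_blob = seal(derive_muk(old_pw, old_ak, salt), keyset_key)  # ends up in a backup
    if rekey_on_change:  # actual rekeying: a fresh keyset key replaces the old one
        keyset_key = os.urandom(32)
    current_blob = seal(derive_muk(new_pw, new_ak, salt), keyset_key)
    new_item = seal(keyset_key, b"secret created after the change")
    old_muk = derive_muk(old_pw, old_ak, salt)
    recovered = unseal(old_muk, backup_blob)  # old backup plus BOTH old secrets
    pw_only = unseal(derive_muk(old_pw, "GUESSED-KEY", salt), backup_blob)
    return {
        "backup_opens_with_both_old_secrets": recovered is not None,
        "backup_opens_with_old_password_only": pw_only is not None,
        "new_item_readable_via_backup": unseal(recovered, new_item) is not None,
        "current_blob_opens_with_old_secrets": unseal(old_muk, current_blob) is not None,
    }
```

Calling `simulate(False)` models the behaviour described in the thread, and `simulate(True)` models the rekeying mentioned in the last reply, where the old backup no longer exposes data created after the change.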