Question regarding multiple accounts with different master passwords

@anonymous20283u90234 - excellent question! You are quite correct in your observation that it requires only one password to unlock all your vaults and accounts.

Is some key to unlock my individual account stored in the teams account?

Sort of. The short answer is: only locally, for that specific installation of 1Password -- and it's not extractable by you or anyone else.

This actually predates the existence of 1password.com accounts by quite some time. Back in the day when there were only local vaults and manual sync, each time you created a new secondary vault, you had to give that vault a unique password, which generated the AES256 key that actually encrypted your data. But because we figured that "1Password" sounded better and simpler than "1Password each for however-many vaults you have" as a product name (and as a practice), we developed a method whereby the process of creating a new vault and giving it a unique password resulted in a copy of the encryption key for that secondary vault being "escrowed" (for lack of a better word, although key escrow is not entirely accurate to describe what is actually taking place) by your Primary's Master Password. Provide the proper Master Password locally within your 1Password app to unlock the Primary vault, and 1Password puts the keys "escrowed" when you created the other vaults into their "locks" as well, and all your data become visible to you. In this way, we can keep calling ourselves "1Password" ;)

To be a little more serious, and to fast-forward to the present, a similar mechanism is in place when you use a native 1Password app with multiple 1password.com accounts. The password for whichever account you add when you first install 1Password on your device becomes the Master Password for that instance of 1Password also...but you can still add other accounts, and the keys to locally decrypt the data in those other accounts will be similarly stored inside that copy of 1Password for Mac, Windows, iOS or Android. So no matter how evil your team administrator becomes, (s)he has no way to snatch the keys to decrypt your data in your own personal account.

@anonymous20283u90234 - If you mean signing out of your individual account in a web browser? Your encryption keys never leave your local device. If you mean removing your individual account by going to Preferences > Accounts and clicking the minus button to remove it, then yes, everything would be removed as soon as you did that. If you meant something else, can you clarify?

If you have a TouchBar-enabled Mac, then yes, Touch ID works quite similarly to what you see in 1Password for iOS when you use Touch ID there. You're essentially allowing the Mac (or iOS) keychain to store an obfuscated copy of your Master Password, meaning you're (more or less) substituting the security of Touch ID for that of typing out your Master Password. It's unquestionably not as strong, at least assuming you have a long and strong Master Password that you haven't shared with anyone. Apple says Touch ID is as good as about 1 in 50,000 (or the equivalent of about 6 digits worth of password entropy -- which is why it's no coincidence that Apple raised the unlock code from four to six digits at the time they first debuted Touch ID). Your long, strong Master Password is much, much more entropy than that.

If you meant what we've been discussing, then no. The keys to unlock your other vaults (or accounts) remain encrypted by a KEK (Key Encryption Key) generated by your primary account (or Primary vault); the one you use your Master Password for, to unlock all data. So the key to your other accounts is encrypted by the public key of your first account. You prove you have the corresponding private key by entering your Master Password, that means you're authorized to unlock those other accounts' vaults as well.

I hope that made sense, but if not, feel free to ask clarifying questions.

@anonymous20283u90234 Glad to hear it! Drop by any time if you have questions or issues. :)

@AdamP In terms of Master Password re-use, it's a matter of personal preference. Yes, having different Master Passwords for each account is probably (though not necessarily) more secure. But it's also more likely to cause confusion or even data loss, if you can't remember the password you used for a particular data-set.

One of the reasons we recommend against password re-use for logins in the web is because potential thieves know what the big banks/credit card companies/email providers are. If you use the same password out "in the wild," one disclosure at some out-of-the-way site could potentially lead to your entire digital life being taken over, with just a little effort on the hackers' part. But re-using a Master Password for multiple 1password.com accounts isn't quite the same thing. To begin with, you should never tell your Master Password to anyone, but - and this is the most-important point here - even in a 1Password Teams setup, your team's owners and administrators don't know your Master Password. They can manage your account - even delete your membership and all your data without warning to you...but they can't reveal or cause us to reveal your Master Password.

In order for you to be vulnerable, someone would have to learn your Master Password, and even then, they'd still need your Secret Key in order to be able to access your data, as that's a second encryption factor. The only exception to this rule would be if someone 1) came across your Master Password 2) had physical access to one of your computers on which you had 1Password X and 3) thought to try the (work-related) Master Password on different accounts you had in 1Password on that device.

Without access to a device on which you have 1Password X installed, an attacker would need to know what other accounts you HAVE. Unlike with regular internet passwords (where hackers would default to checking all major banks/credit card providers, to see if they can leverage password re-use into a payday for themselves), if you have multiple 1Password accounts, how would a thief know under what URLs to look for additional accounts for you? Just some food for thought.