Very confused about changing master password

I have 1P installed on a Mac Mini, a MacBook Pro, a iPad and an iPhone. I use two local vaults, one of which is shared with family. Both vaults are synced through Dropbox.

I changed the master password on my MacBook Pro, while I had 1Password open with "All Vaults" selected. My understanding (from other articles in this forum) is that by doing this, I changed the vault password for the "primary" vault (which is the one that is not shared, if that matters).

When I moved to the Mac Mini and logged in, I opened 1P with the old master password, expecting that it would sync, and from that point on, it would require the new master password in order to unlock the vaults. This does not seem to be the case. The Mac Mini unlocks with the old master password, no matter how many times I sync/lock/exit/restart the 1P app.

Please help me correct my misunderstanding, and more importantly, please help me understand what I need to do to invalidate the old master password everywhere.

Thanks in advance!


1Password Version: 6.8.6
Extension Version: 4.6.12
OS Version: OS X 10.13.3
Sync Type: Dropbox

Comments

  • LarsLars Junior Member

    Team Member

    @chris068 - very smart questions, especially for a dog! ;) Seriously, though, what a great avatar. :)

    What you suggested should cause the Master Password to be changed everywhere, once those other apps have a chance to perform a sync and acquire the new Master Password. I'd recommend restarting all devices in the chain, to make sure Dropbox forces a sync. Restart the ones on which you did NOT change the Master Password and see if that solves the issue for you. Let us know how it goes!

  • Thanks for the kind words about the avatar-- That isn't my dog, but it looks like his identical twin. :)

    I think I figured it out. And this is NOT clear from any documentation I've read thus far.... Please correct any errors or mis-statements below:

    When you change the master password on device/login "A", it does indeed change the vault password on the "primary" vault. In order to get the new password to displace the old one on devices "B", "C", etc..., you have to do this on each of the other devices:

    1) Unlock 1P on the device using the old master password.  This will trigger a sync.  
    2) Lock 1P
    

    At this point, 1P will still honor the old password, even though the vault itself has a new master password, and that has been synced. This next step is the non-obvious one....

    3) Unlock 1P using the *NEW* password.  (It should work.)
    

    Now, the device will no longer honor the old password.

    ==

    This highlights what seems to be a security flaw to me. Imagine that my 1P vault has fallen into the hands of someone who knows the master password. My default reaction would be to change the master password, and then re-key all my sensitive accounts as quickly as possible. This won't solve the problem, though! I can change the master password from another device, but that does not prevent the escaped device from continuing to access my vault-- including any new changes I make! Clearly, the correct way to handle this would be to remove the escaped device from whatever sync services I am using, and then change the master password, and then change all my logins that are recorded in 1P. But if I don't do all that in the right order, it's possible I could allow the holder of the escaped device to capture a changed password for a sync service, and then reestablish the connection, and continue syncing my data, and accessing it with the old master password. I HOPE I'm incorrect here....

    Moreover, my question is: how could this work?? If I change the master password on a vault, I expect the encryption keys to change, such that anyone holding old keys would not be able to decrypt the vault at all. Where is the gap in my understanding, or why are my expectations unreasonable on this point?

    Thanks!
    Chris

  • I just posted a reply, but it DISAPPEARED! Not sure what happened. In my reply, I described what I believe to be a security flaw in 1P -- I hope that has nothing to do with why my comment disappeared... I'll try to re-post shortly....

  • Re-composed comment to follow up….

    I believe I figured it out, but the process I’m going to describe here is not clearly documented in any source I’ve come across thus far. Also. I’m not sure I understand why this sequence of steps is necessary:

    1. On device “A”, change the master password. (This changes the password for the “primary” vault.)
    2. Now, on each of the remaining devices, do this:
      1. Unlock 1Password using the old master password.
      2. Allow 1Password to sync the vaults.
      3. LOCK 1Password
— At this point, it is still possible to unlock 1Password using the old master password!! Seems to work indefinitely.
      4. Unlock 1Password using the NEW master password. (This should work)
— At this point, the new master password is honored, and the old master password will no longer work on this device.

    Please correct any mistakes or misunderstandings in the forgoing….

    My concern about this is that it seems to highlight a security flaw in 1Password, when configured to use synched local vaults in this way. Consider a scenario in which one of my devices falls into the hands of someone who knows (or has discovered) my old master password without my consent. Obviously, I want to ensure that the holder of this escaped device (let’s call this person “The Attacker”) cannot access my data, or use my logins for banks, etc. The first thing that would occur to me would be to change my master password, and then change all of my logins stored in 1Password. But this would NOT WORK. The Attacker can still access my vault using the old master password, even after the vault is opened, synched, locked, and reopened. So, the Attacker can see all my password changes, as well!

    Clearly, the correct solution would involve de-authorizing the escaped device from the sync service (Dropbox, or whatever) first, then change the sync service password, and then change the master password, and finally change all passwords in the vault. But it’s easy and natural to think that if I change the master password, other devices will lose access to that vault until the new master password is entered.

    Where is my understanding incorrect? Why are my expectations or assumption unreasonable here?

    Thanks,
    Chris

  • LarsLars Junior Member

    Team Member

    @chris068 - really? That's the story you're going with? The dog blog ate your post? ;) (OK, I swear, I'll stop with the dog references...). Seriously, I'm really sorry that post was held up -- not sure why that would be.

    Also, we actually dedicated an entire blog post to this very topic a while back. Rather than try to repeat it here, I think it might be more complete to have you read Rick's explanation of the process and then ask any follow-up questions, if you're still wondering. But I think that post should answer all your questions, if I read you right. Let us know! :)

  • Well, thanks Lars. Having read the article you provided a link for, I now see that (a) my observations were entirely correct, and (b) this is a known behavior and has been recognized by many others.

    That does not mean it is "good" or "desirable" behavior, though. Honestly, this changes my gut feel about how safe it is to keep using the same vault, long term, and as such, it lessens my enthusiasm for 1Password a bit. I've been a huge fan of 1Password for many years, and I expect I'll continue to be-- but I won't be as quick to tout the security model 1Password offers for long term use.

    In any case, thanks for the link.

  • @chris068: If one of your devices plus Master Password falls into the wrong hands, you’re going to have problems no matter what. The “attacker” just has to make sure your device doesn’t connect to the Internet while he retrieves all your secret data and changes your passwords to lock you out from your accounts.

    In defense of AgileBits I have to say I am impressed with the clever mechanism for changing a Master Password without storing it anywhere. Yes, the consequence is that the old MP will work as long as the new MP hasn’t been entered. That takes some due diligence on the part of the user: once you change your MP, you have to force a sync and then enter the new MP on all of your other devices to ensure the old MP is truly gone.

    A secure MP is PARAMOUNT. If your MP falls in the wrong hands all bets are off. The consequence of the convenience of having all secret information in one place is that the lock that guards the secrets must be very very good.

  • @chris068: I don't believe there is any security flaw at all. You imagine a situation where an attacker already has your vault and your Master Password. First, let's recognise that this is a very bad situation to be in no matter what happens next. It means the attacker has all of your data in 1Password that was current at the time they stole your device. Nothing can change that.

    So what do you do when you discover the theft? You immediately de-authorise and erase that device and then change your Master Password. You can read more about that here: https://support.1password.com/lost-device/

    There is no reason why the attacker should be able to keep syncing with your vault if you do the above.

  • Whether or not one might consider this a security flaw is a matter of opinion, I suppose. My point is that it is natural to expect that if you change the password on something, anyone who has the old password would be out of luck. I'd wager that the average 1Password user would think that changing the master password on a vault re-keys the vault (re-encrypts everything). I understand this is not the case at all (though I did not understand that until today, despite being a fairly heavy user of 1Password for many years, and, if I can say it without sounding arrogant, being a fairly savvy user of most technologies-- above average in most respects.) So, this arrangement of managing the vault key and the master password creates a scenario in which it's EASY to misunderstand what changing the master password does and does not accomplish, and thereby have a false sense of security in the scenario I described, even if you are certain you beat the "attacker" to the punch and changed each and every password in the vault. If nothing else, the interface should take great pains to make this MUCH clearer, so that a user that finds himself in this scenario would not make this natural but naive (and disastrous) mistake. This scenario is not really that unrealistic or rare -- think of a soured personal relationship (acrimonious divorce, e.g.) in which the other person was previously entrusted with the master password.

    I get that there are support articles to help folks avoid this mistake, but most folks don't look for support articles until they know they have a problem. This is a problem that a person could have, and never realize it. It should be far more obvious across the board.

    Just my two cents' worth.

  • LarsLars Junior Member

    Team Member

    @chris068 I'm sorry to hear you feel as if this makes you less secure in your use of 1Password. In my opinion, it shouldn't (but of course, your mileage may vary), for two reasons: first, nothing's actually changed: it isn't as if this is something new that's been recently added (or taken away from) our code, or even recently discovered. And second: in nearly 12 years of 1Password, we've yet to have a breach of users' encrypted data -- or if there has been such, it's never reached our ears.

    From the very beginning, one of the cornerstones of using 1Password (second only to perhaps our urging users to choose a long, strong Master Password), has been this follow-on advice: ...and never share your Master Password with anyone, ever. Not your flatmate. Not your girlfriend. Not your brother-in-law. Not Santa Claus. Nobody (OK, well maybe Santa :) ). For the scenario you're envisioning to have even be possible, you've already posited two things that shouldn't happen:

    1. Someone got hold of your Master Password (and how did they get that?), and then
    2. That same person also got hold of one of your devices (or your keychain from Dropbox).

    An attacker needs both your Master Password and a copy of your data for anything like this to be an issue. And, if someone does gain possession of both those things, as others have pointed out, you're in deep trouble under any circumstances. You might be able to remotely lock or erase the entire device itself; Apple gives you tools to do this, as does Android. But, just as we (AgileBits) would also have to admit that yes, if an attacker has gained the ability to execute arbitrary code running as root on your computer, then they will be able to capture your Master Password as well as do nearly anything else they like, so too do we have to admit that in the case you're envisioning, where both your Master Password AND one of your devices with a copy of your data have fallen into attackers' hands, standalone 1Password cannot protect you via its Master Password-change mechanism.

    However, @sylath is correct - the largest problem there isn't that 1Password can't protect you via its Master Password-changing process. 1Password can serve very well as the central component of a good online security setup...but it's still only one part, and it can't do everything. If it - or any other product - could do so (and could also replace the most important part of all: a cautious, informed and consistent approach to online security from the user him/herself), then everyone would already own that product and we'd all be secure, in all cases.

    Clearly, the correct solution would involve de-authorizing the escaped device from the sync service (Dropbox, or whatever)...

    Dropbox doesn't work like that; at least, their APIs don't allow us to do that kind of intricate remote (de)authorization. This is likely to be the case with any third-party sync solution.

    But you know what does offer that and more? A 1password.com account. Because we control both ends of the communication, we're able to write much more integrated code for sync as well as provide secure mechanisms for situations just such as the need to remotely deauthorize a device. If you create a 1Password Families account, each member will have his or her own Master Password, and access to the family-wide Shared vault (plus any other vaults you create and grant them access to). Devices can be deauthorized remotely from the web, and Master Passwords can also be changed similarly. You as account owner have much more control than what third-party sync APIs like Dropbox or iCloud allow us to provide you. Give it a try -- especially if you have an intimate partner, housemate or family member to whom you've already given your Master Password and who can access your devices. Thanks for the discussion! :)

  • LarsLars Junior Member

    Team Member

    @pervel

    So what do you do when you discover the theft? You immediately de-authorise and erase that device and then change your Master Password.

    It's important to remember that the instructions for deauthorizing your device's ability to use 1Password are only intended for 1password.com accounts. In standalone 1Password, where each application is essentially an island unto itself, there's no way to deauthorize a device's use of 1Password. There IS such a mechanism with 1password.com accounts, but if a user has been using standalone 1Password, their best bet would be to use the manufacturer's tools to remotely lock or erase the entire device.

  • @Lars:

    It's important to remember that the instructions for deauthorizing your device's ability to use 1Password are only intended for 1password.com accounts.

    Well, the link from your support site does actually cover more than just 1Password accounts. It also covers erasing iOS and Android devices as well as unlinking Dropbox. Just to be pedantic. :)

  • LarsLars Junior Member

    Team Member

    @pervel - fair enough. ;) Thanks for your replies here. :+1:

This discussion has been closed.