Invalid master password after updating from Windows 1Password 4 to 1Password 7 beta

DBO
Community Member

Hi,
Yesterday I took the plunge and updated my aging version 4 of 1Password for Windows to the latest beta version of it (7.0.541).
The process went well, it converted my vault to the new .opvault format and everything works on the two desktops I use it on.

The problem arose when I deleted the data for my 1Password app on my Android phone. Pointing to the new vault it tells me that my master password is invalid.

I wrote down what it tells me and in order this happens:

  • Found vault
  • Loading profile /someprofilepath/somethingsomething.js
  • Validating password
  • Invalid password

The same password perfectly works on my desktops.

Thinking it could be a problem of the stable app, I joined the beta program to also update my Android app. Nothing has changed.

I think the issue stems from some of the characters that I use in my master password, since they are not ASCII (not even extended). Could it be that in the new opvault format you have issues with those characters?

I may roll back to 1Password 4, change my master password to something different, and try again. Before doing so I would like to know if this is something that is known or if I just (my luck) discovered a new bug.

Thank you for your assistance.


1Password Version: 7.0.BETA-6
Extension Version: Not Provided
OS Version: Android 8 - March security patch
Sync Type: Dropbox

Comments

  • DBO
    Community Member
    edited April 2018

    OK, I tried rolling back to version 4 and changing my master password to only use ASCII characters. When upgrading the vault to the new format it also works on Android.

    I think this is a bug or a deficiency in the new vault format, since it worked perfectly with the old version.

  • AGAlumB
    1Password Alumni

    @DBO: Thanks for reaching out. I’m sorry for the trouble! We've always recommended using only standard ASCII characters in the Master Password for a number of reasons, but a big one is that encoding can cause issues like this — especially between platforms.

    Obviously don't tell us your Master Password, but could you share the specific characters which may be causing your trouble? That way we can test it to see if there's something we can improve on Windows and/or Android with the way they're handled.

  • DBO
    Community Member

    I have several in it, but after some tries (by downgrading, upgrading again and testing) I pinned it down to the Euro sign €.

  • AGAlumB
    1Password Alumni

    @DBO: Thank you so much! To be clear, the Euro symbol works fine for you on Windows, and you were only having trouble with that on Android, correct? We'll see if there's a way we can work around that in the Android app as well. :blush:

  • DBO
    Community Member

    No problem.

    There are issues with the euro symbol. It only works on the first device you use. Afterwards on every device except for the first it doesn't accept it. This only happens with version 7. Version 4 didn't have this problem.

    If you need anything from me to help, don't hesitate to ask.

  • AGAlumB
    1Password Alumni
    edited May 2018

    @DBO: Thank you for the offer. I think I might have to take you up on that after all. I'm very sorry for taking so long to get back to you. I was hoping to have some more information to share from testing this, but I just don't understand what the problem is. I'll break down what I have tried, and perhaps you can fill in some blanks for me.

    First, I've created brand new OPVault and AgileKeychain vaults using 1Password for Windows version 4, using a € in the Master Password. My plan was to open these in the Windows and Android apps to confirm or deny what you're finding, but I'm not clear on exactly the steps you're taking, and I'm hitting a significant roadblock: I am unable to even get to the point where I would be able to sync the data to Android from Windows, because the new Windows app will not unlock the test vault using the Master Password, rather than the Android app having trouble with it.

    So I guess the questions I have are these:

    1. What is the format of your original vault, OPVault or AgileKeychain? It sounds like the latter.
    2. When was the original vault created, and with which version of 1Password?
    3. If AgileKeychain, were you able to successfully decrypt it using the Master Password to add it to 1Password for Windows version 7, and also unlock the app using that same Master Password? This is where I'm getting stuck no matter what I try.
    4. If OPVault, wouldn't you have been using the same vault on both devices already, with the same Master Password?
    5. Are you certain that you're opening the correct thing in 1Password for Android? For example, you would need to select the 1Password.agilekeychain or 1Password.opvault directly, not a subfolder or file within it. I suspect there is no problem with this, but I want to confirm just in case.

    I guess what I'm trying to figure out is why (if?) you're able to unlock an AgileKeychain using a Master Password with a € in it in the new Windows app in the first place since I am not.

    Thanks again for your patience and willingness to work with me on figuring this out. I'm certain there's something we need to fix here, but at this point I'm at a loss to say which platform is the culprit to even begin to work on a solution. :dizzy:

  • DBO
    Community Member

    Hi Brenty, no problem at all.

    I've been a sys admin for twenty years by now, hopefully I have been thorough enough with my tests. :)

    1. The original vault format is, as you correctly assumed, AgileKeychain.

    2. It was created on 1Password version 4 for Windows.

    3. When originally converted from AgileKeychain to OPVault it works perfectly on the Windows client that converts the original vault. Doesn't work from either another Windows or Android client though.

    4. Not OPVault. :)

    5. Positive. I have been using the same single vault since the 28th of March 2015 when I bought 1Password (possibly before due to the trial period).

    One thing that I noticed: if I change my master password to something that works on all the clients and then use my regular password with the € sign in it, in the client where I changed the password it works but not on the others. I can replicate this behaviour with two Windows and two different Android clients.

    "I guess what I'm trying to figure out is why (if?) you're able to unlock an AgileKeychain using a Master Password with a € in it in the new Windows app in the first place since I am not."

    No clue, but I also use a European keyboard layout. Maybe that has something to do with it? If you want, I can create a video where I show a dummy password with the € in it and how it works.

  • AGAlumB
    1Password Alumni

    Hi Brenty, no problem at all. I've been a sys admin for twenty years by now, hopefully I have been thorough enough with my tests.

    @DBO: I appreciate that. I just feel bad having you test things. I really thought I'd be able to narrow it down by now! :blush:

    The original vault format is, as you correctly assumed, AgileKeychain.
    It was created on 1Password version 4 for Windows.

    Any idea on the time frame? It's okay if not, but there are definitely issues with some legacy data structures, so I wonder if this is related.

    When originally converted from AgileKeychain to OPVault it works perfectly on the Windows client that converts the original vault. Doesn't work from either another Windows or Android client though.

    Okay, this is where I kept hitting a wall. 1Password for Windows version 7 simply won't even add the original AgileKeychain vault I select. I'm literally copying and pasting the Master Password there but it doesn't work. Works fine in version 4 though. So definitely some issue with the € (I just used euro€ as the password), just trying to narrow down what it is.

    Not OPVault. :)

    Thought so, but thank you for confirming. One less thing to fight with! :lol:

    Positive. I have been using the same single vault since the 28th of March 2015 when I bought 1Password (possibly before due to the trial period).

    To be clear, it sounds like you created your AgileKeychain vault (which was then recently converted to OPVault in version 7) roughly 3 years ago. Is that correct? If so, that's kind of a bummer, since it's going to be something very different from a legacy data issue. :ohnoes:

    One thing that I noticed: if I change my master password to something that works on all the clients and then use my regular password with the € sign in it, in the client where I changed the password it works but not on the others. I can replicate this behaviour with two Windows and two different Android clients.

    I may have been misunderstanding this from earlier. Just to summarize, you had the € password originally in version 4 with AgileKeychain, you changed it in version 4 with AgileKeychain, converted it in 1Password 7 to OPVault, and now it can only unlock in the Windows beta? I think part of that is wrong, but if you'll correct me I think we can get on the same page. :crazy:

    "I guess what I'm trying to figure out is why (if?) you're able to unlock an AgileKeychain using a Master Password with a € in it in the new Windows app in the first place since I am not."

    No clue, but I also use a European keyboard layout. Maybe that has something to do with it? If you want, I can create a video where I show a dummy password with the € in it and how it works.

    Hmm. That's a good point. I don't have a European keyboard. And I'm also not super hip to Windows character coding. So what I'm doing is opening Character Map and copying it from there. Helpfully, this displays the following information:

    U+20AC: Euro Sign
    Keystroke Alt+-128

    You probably have no idea what scan code your hardware keyboard is producing when you type the € (or maybe you're way ahead of me here), but are you able to reproduce the same issue using that code? For example, you could try entering the € that way instead of using the hardware keyboard, and/or change your password again to use that specific code to produce the € to see if that makes a difference with regard to compatibility. Let me know if that's doable.

  • DBO
    Community Member

    Again, no problem. I’m in the beta test and that means helping each other out. :)

    Any idea on the time frame? It's okay if not, but there are definitely issues with some legacy data structures, so I wonder if this is related.

    Here is a picture of my original vault (I keep backups!) just before converting to OPVault.

    I am not sure why it says that the folder has been modified (in the properties it also has the same values for the creation date and time) after I bought it. The .ws.agile.1Password.settings file in the root folder shows the 3rd of May, 2015.

    I may have been misunderstanding this from earlier. Just to summarize, you had the € password originally in version 4 with AgileKeychain, you changed it in version 4 with AgileKeychain, converted it in 1Password 7 to OPVault, and now it can only unlock in the Windows beta? I think part of that is wrong, but if you'll correct me I think we can get on the same page.

    Correct. But to add to this, if I change the password to something like “sadmasterpasswordwithouteurosign” from the Windows client and go on the Android client to change the password back to “ilovemy€sign”, it works on Android but not on Windows.

    Hmm. That's a good point. I don't have a European keyboard. And I'm also not super hip to Windows character coding.

    You should be able to do the € sign by using CTRL+ALT+E or CTRL+ALT+5.

    You probably have no idea what scan code your hardware keyboard is producing when you type the € (or maybe you're way ahead of me here), but are you able to reproduce the same issue using that code?

    The scan code should be 1179648 (standing to what the key tester says).

    I spun up a quick VM and made a video for you with version 4. You can watch it here: https://streamable.com/rhkrc. :)

  • DBO
    Community Member
    edited May 2018

    Just a quick errata corrige. I wrote that in version 7 I change the password from the Windows client. That is wrong. I change it from the Android client since you can't change master passwords on the Windows beta yet.

    The rest still stands.

    Edit: whoops, I also forgot to reply to this part of your message.

    U+20AC: Euro Sign
    Keystroke Alt+-128

    On my keyboard ALT+128 stands for the capitalized cedilla Ç.
    The Euro sign is ALT+0128.

  • AGAlumB
    1Password Alumni

    @DBO: Ah! Thank you for those details! With that though, I think maybe we've been barking up the wrong tree here. Can you answer this for me?

    You said that after changing the Master Password on Android you're unable to unlock with that new password on Windows. Correct?

    If so, are you able to unlock with the "old" Master Password on Windows still?

    Let me know!

  • DBO
    Community Member

    If so, are you able to unlock with the "old" Master Password on Windows still?

    Yes. If I am catching your drift (and I had a few beers yesterday night, so pardon me if I am not...), the issue is not the € sign in itself, but the inability to sync the new master password when it's present. Is that correct?

    If so, if you need any other tests just ask me and I'll be glad to provide. :)

  • AGAlumB
    1Password Alumni

    @DBO: Following up on your earlier comment:

    On my keyboard ALT+128 stands for the capitalized cedilla Ç. The Euro sign is ALT+0128.

    You're right. I must have mistyped it in my earlier post.

    Yes. If I am catching your drift (and I had a few beers yesterday night, so pardon me if I am not...), the issue is not the € sign in itself, but the inability to sync the new master password when it's present. Is that correct?

    I don't think that's the issue we're dealing with here, but I'd still like to know if the "old" Master Password still works. Based on my findings, I suspect it won't. But it's something that comes up fairly frequently because 1Password doesn't sync Master Password changes, as it doesn't save the Master Password; rather, the encrypted data syncs, and the Master Password is used as an input to decrypt it. And in most cases, 1Password needs to unlock using the existing Master Password — the old one — in order to update the database, which would then allow it to be unlocked with the new Master Password going forward.

    Back to this, I'm not able to properly test the varied input aspect (producing the € in different ways) of it because the Alt codes don't work without a numerical keypad, and, as much as I'm embarrassed to admit this as a nerd, I don't have any keyboard with one. (That is, I'm sure I have one somewhere, but I haven't used it in years and haven't been able to find it yet.)

    Nevertheless, I think I've been able to narrow it down to a test that's easily reproducible, and I've created test vaults to share with the rest of the team to see if there's something we can improve in this regard. This is what I've found:

    AgileKeychain with euro€ as the Master Password:

    • Opens successfully in 1Password for Windows version 4
    • Fails to open in 1Password for Windows version 7 beta ("1Password was unable to upgrade this vault. Check the password was correct or contact 1Password support.")
    • Opens successfully in 1Password for Android version 7 beta

    *Windows: Euro Sign U+20AC / Alt+0128 copied from Character Map; macOS: beta does not support opening AgileKeychain

    OPVault with euro€ as the Master Password:

    • Opens successfully in 1Password for Windows version 4
    • Opens successfully in 1Password for Windows version 7 beta
    • Fails to open in 1Password for Android version 7 beta ("Invalid master password")
    • Opens successfully in 1Password for Mac version 7 beta

    *Windows: Euro Sign U+20AC / Alt+0128 copied from Character Map; macOS: produced using ⇧ ⌥ 2

    So ultimately there is a similar issue in both the Windows and Android apps, just the opposite result depending on the vault format. It may affect other special characters too, but I think we need to figure out why there's a difference between the same input on the same platform with different vault formats, and that may lead us to more answers. Arguably these characters just shouldn't be used because they can cause these kinds of problems, but I think we can also do better here with how this is handled. Thanks again for bringing this to our attention, and your patience and willingness to work with me on this! :)

    ref: OPW7-2163, OPA-1551

  • DBO
    Community Member

    Hi Brenty,

    I don't think that's the issue we're dealing with here, but I'd still like to know if the "old" Master Password still works.

    It works, but only on the client that converted the vault to the new format. If I didn’t have multiple clients I wouldn’t have noticed.

    Arguably these characters just shouldn't be used because they can cause these kinds of problems, but I think we can also do better here with how this is handled. Thanks again for bringing this to our attention, and your patience and willingness to work with me on this! :)

    No problem at all. I generally agree regarding other non ASCII compliant characters, but I am a bit in doubt about the € in itself.
    I understand you are an American company and rarely use it, but here in Europe it’s fairly standard and ingrained in people’s lives. I wouldn’t be surprised if you happen to have other customers with this specific issue in the future.

    Regardless, I would like to thank you for putting up with me and helping me out. Very much appreciated. :)

  • AGAlumB
    1Password Alumni

    @DBO: I won't disagree about € being fairly common these days, but I don't believe it existed when the ASCII standard was created. ;)

    But I digress. Likewise, thanks for your patience with me while tracking down this issue. I'm not convinced that I've cracked it, but I'll leave it to others here to see what I may have missed or misconstrued. Either way, it's no good not to have consistency between platforms when it comes to the Master Password! There's a limit to what we can do since character encodings will differ, but I don't think we've reached that limit yet and should therefore ensure that we do all we can. Cheers! :)
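
The general mechanism behind the encoding remarks in this thread, as an added example (not part of the original posts and not 1Password's code): a password-based KDF works on bytes, so the same visible password yields a different key whenever two clients encode it differently. The salt, iteration count, the use of PBKDF2-HMAC-SHA512 and the three encodings compared are assumptions for illustration; the thread does not establish which encodings the apps actually used.

```python
import hashlib
import unicodedata

# Constructed demo parameters (assumptions, not a real vault's salt or iteration count).
SALT = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
ITERATIONS = 10_000
ENCODINGS = ("utf-8", "cp1252", "iso8859-15")  # hypothetical per-client choices


def derive_key(password_bytes):
    """Derive a 32-byte key from the raw bytes the KDF is handed."""
    return hashlib.pbkdf2_hmac("sha512", password_bytes, SALT, ITERATIONS, dklen=32)


def encodings_of(password):
    """Byte strings different clients could produce for the same visible text."""
    nfc = unicodedata.normalize("NFC", password)
    variants = {}
    for name in ENCODINGS:
        try:
            variants[name] = nfc.encode(name)
        except UnicodeEncodeError:
            variants[name] = None  # this code page cannot represent the password
    return variants


def compare_clients(password):
    """Treat the UTF-8 key as the one that encrypted the vault; report who can unlock."""
    variants = encodings_of(password)
    vault_key = derive_key(variants["utf-8"])
    return {
        name: raw is not None and derive_key(raw) == vault_key
        for name, raw in variants.items()
    }


def canonical_bytes(password):
    """Mitigation sketch: normalize, then always encode as UTF-8 on every client."""
    return unicodedata.normalize("NFC", password).encode("utf-8")


if __name__ == "__main__":
    # Both test passwords are the ones quoted in the thread.
    for pw in ("euro\u20ac", "sadmasterpasswordwithouteurosign"):
        print(repr(pw))
        for name, raw in encodings_of(pw).items():
            shown = raw.hex() if raw is not None else "unencodable"
            print(f"  {name:11s} bytes={shown} unlocks={compare_clients(pw)[name]}")
```

In Windows-1252 the Euro sign is the single byte 0x80, which is why Alt+0128 produces it, while UTF-8 encodes U+20AC as three bytes; an ASCII-only password is byte-identical in all three encodings.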

This discussion has been closed.