Master password – Private vs. Primary Vaults

frankly Junior Member

I am a longtime 1Password user. I have a Primary Vault that I used to use for many years that would sync between all of my devices. This vault had a master password associated with it and that would sync between devices as well. No matter whether I was on one of my Macs or iPhone or iPad, I could enter that master password and access my passwords. About a year ago I upgraded to the 1Password Families annual subscription. This created a Private Vault, to which I transferred all of my items. This account has an email address, secret key, and master password associated with it and I use it to sync between devices and access via the web.

After I transferred all of my items from my Primary Vault to my Private Vault, the Primary Vault still exists in my list of vaults and I have turned it off so I no longer see its contents in All Vaults. Also, on my computers and iOS devices, when I am prompted to enter my master password, I still use the old one that was associated with my Primary Vault. However, when accessing via the web, I use the new master password.

I changed my master password on one of my Macs the other day. When I went to open 1Password on another Mac the next day, I tried using the new master password. It did not work. The old master password does work. This continues to be the case. I now have three different master passwords.

I am logged into my 1Password account on all machines for sync. Under the Sync tab in preferences, it is turned off.

Is that where the master password used to sync for the Primary Vault?
If I deleted my Primary Vault, would the master password switch to the one associated with my 1Password subscription account?
If so, how do I delete that old Primary Vault?

What am I missing?

1Password 7
Version 7.1.2 (70102000)
AgileBits Store

I am using 10.14.1 on the machine where I made the change and 10.13.6 on the other machine.


1Password Version: 7.1.2
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: 1Password Families

Comments

  • Lars Junior Member

    Team Member

    @frankly - I'm sorry for the confusion! However, you've already figured out where you need to be headed: you need to remove your Primary vault.

    If I deleted my Primary Vault, would the master password switch to the one associated with my 1Password subscription account?

    Bingo. 1Password for Mac (and iOS) will use the password of the FIRST vault that's created or synced, when you first launch it, as your Master Password for that device. Because you're a long-time user, that would be your Primary vault. When you created your 1password.com account, you added it to 1Password for Mac and 1Password for iOS...but it did not change your Master Password to the new one because (at that time) you didn't remove the Primary vault. If you had done so, it would've required your new Master Password. So let's do that now.

    First, make sure you have a COMPLETE and up-to-date copy of your 1Password data in your Personal vault. My worry here is that if you've had the Primary vault hanging around on various devices, you may have been inadvertently saving new items to it, or updating existing items in it, instead of in the Personal vault. Make sure that's not the case, and if it is, move any data over from Primary into Personal in order to give you a complete, up-to-date copy of your data in Personal. Then (in 1Password for Mac), head to Preferences > Advanced and UN-check the box marked "Allow creation of vaults outside 1Password accounts." This will require you to enter your old (Primary) Master Password, then it will remove your Primary vault and require you to enter your new Master Password for the Personal vault. Once this is done, you'll have only your 1password.com account's Personal vault.

    On any other Macs (or PCs), you can repeat this process, but on iOS, it's just as easy to simply delete 1Password altogether, then re-install it from the App Store and sign into your account on first-run. Alternatively, you can open Settings > Vaults and tap your Primary vault, then "Delete Vault" to remove Primary, if you wish. Let me know how you get on! :)

  • cyberzeus
    edited January 2

    UPDATE

    I was able to answer my own question here but decided to leave the original comment just in case others might have the same question\issue.

    It appears as long as the setting mentioned above: "Advanced > Allow creation..." is enabled, then local vault master passwords are used to unlock the app regardless of whether or not those vaults are accessible via the app. Uncheck this option and go through the steps to remove local vaults and your online master PW becomes the app unlock password as well.

    Suggestion: It might be a good idea to make this more explicit at least for those migrating from local to online vaults. Or, if it is explicitly spelled out, my apologies for I have not seen it yet.

    Thanks for what continues to be an indispensable and awesome product.

    ORIGINAL QUESTION \ COMMENT

    Ok - so a bit confused here...on the Mac app, which master password is used to unlock the app?

    Some quick background...I started with 1PW a few years ago using a local vault which had a shared master PW and was sync'd via Dropbox. This worked great until a few months ago when I decided to purchase a 1PW subscription. This, of course, also has a master PW but it is separate and distinct from the local vault master PW described above. However, even though I set the Mac app to only use my online account vault (which was set up using the newer online master PW), I have still been using the older local vault master PW to unlock the Mac app. I thought this was by design because I liked the idea of having a different local password to unlock the local app but I'm now wondering if this is just a bug...here's why...

    It doesn't seem to make sense that I can point the Mac app to use only an online vault, which is accessed using the online master PW, but then still need to unlock the app using a master PW of a vault that is no longer in use, not being referenced by the Mac app, and not changeable.

    This became an issue earlier today when, as part of my new year security processes, I went to change my local 1PW app unlock password and discovered no such option exists.

    Thanks in advance for your insights and assistance.

  • Lars Junior Member

    Team Member

    @cyberzeus - I'm sorry for the confusion. The 1Password app for Mac (or any platform) is set to use the vault password of the first vault it's set up with the first time you use it, as the Master Password that unlocks that app. That's how we get to be ONE password, instead of "one password each for however many vaults you happen to have" (also, that didn't look nearly as cool on the company letterhead, in our mock-ups ;) ): all additional vaults/accounts you add subsequently have their encryption keys "escrowed," for lack of a better word, in the main vault. So, when you enter your Master Password, you're silently unlocking everything else in the background without having to enter passwords (or encryption keys) for each one.

    What this means in practice is that if you have a standalone setup, there will be at least one vault, and the first vault is always called Primary. The password for this vault is your Master Password for 1Password. If you later add a 1Password account that has a different Master Password, and you don't remove the Primary vault after moving over your data, then you will still be using the old, standalone Master Password to unlock the app.

    In your case, it sounds as if this is what you did -- only you said you "set the Mac app to only use my online account," it sounds like what you may have done is emptied out that older Primary vault and perhaps even set it to not appear in the All Vaults view, but not actually removed it. If the box you're mentioning in Preferences > Advanced (Allow creation of vaults outside 1Password accounts) was still checked, then you still had a Primary vault, even if it was empty. For the record, you can also remove vaults by switching to them in the Vault menu and then clicking Vault > Delete (name) vault. Hope that helps, and let us know if you have any further questions. :)
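
A conceptual model of the behaviour described in the reply above, as an added example that is not part of the original thread and is not 1Password's code or actual key hierarchy: the first vault's password opens a root key, and later vaults' keys are wrapped ("escrowed") under it. `LocalApp`, the vault layout, the sample passwords and the HMAC-based toy wrapping are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Toy authenticated wrapping built from HMAC-SHA256 (stdlib only). It is a
# stand-in for a real AEAD / key-wrap primitive, NOT 1Password's cryptography.
def derive_key(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _subkeys(kek: bytes):
    # Separate encryption and MAC keys derived from the key-encryption key.
    return (hmac.new(kek, b"enc", hashlib.sha256).digest(),
            hmac.new(kek, b"mac", hashlib.sha256).digest())

def wrap(kek: bytes, secret: bytes) -> bytes:
    if len(secret) > 32:
        raise ValueError("toy wrap handles secrets of at most 32 bytes")
    enc, mac = _subkeys(kek)
    nonce = os.urandom(16)
    pad = hmac.new(enc, nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(secret, pad))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def unwrap(kek: bytes, blob: bytes) -> bytes:
    enc, mac = _subkeys(kek)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or corrupted blob")
    pad = hmac.new(enc, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, pad))

class LocalApp:
    """Hypothetical model of the app on one device (all names are assumptions)."""

    def __init__(self):
        self.vaults = []  # creation order; vaults[0] decides the unlock password

    def _open_root(self, password: str) -> bytes:
        root = self.vaults[0]
        return unwrap(derive_key(password, root["salt"]), root["own"])

    def add_vault(self, name, password, unlock_password=None):
        salt, vault_key = os.urandom(16), os.urandom(32)
        entry = {"name": name, "salt": salt, "escrow": None,
                 "own": wrap(derive_key(password, salt), vault_key)}
        if self.vaults:
            # Later vaults: escrow their key under the FIRST vault's key.
            entry["escrow"] = wrap(self._open_root(unlock_password), vault_key)
        self.vaults.append(entry)

    def unlock(self, password: str) -> dict:
        root_key = self._open_root(password)  # raises ValueError if wrong
        keys = {self.vaults[0]["name"]: root_key}
        for v in self.vaults[1:]:
            keys[v["name"]] = unwrap(root_key, v["escrow"])
        return keys

    def can_unlock(self, password: str) -> bool:
        try:
            self.unlock(password)
            return True
        except ValueError:
            return False

    def remove_first_vault(self, old_password: str, next_password: str):
        # Mirrors the steps in the thread: prove the old password, then the
        # password of the vault that becomes the new root.
        keys = self.unlock(old_password)
        nxt = self.vaults[1]
        new_root = unwrap(derive_key(next_password, nxt["salt"]), nxt["own"])
        nxt["escrow"] = None
        for v in self.vaults[2:]:
            v["escrow"] = wrap(new_root, keys[v["name"]])  # re-escrow under new root
        del self.vaults[0]

def demo():
    app = LocalApp()
    app.add_vault("Primary", "old-standalone-pw")  # constructed sample passwords
    app.add_vault("Personal", "new-account-pw", unlock_password="old-standalone-pw")
    before = (app.can_unlock("old-standalone-pw"), app.can_unlock("new-account-pw"))
    app.remove_first_vault("old-standalone-pw", "new-account-pw")
    after = (app.can_unlock("old-standalone-pw"), app.can_unlock("new-account-pw"))
    return before, after

if __name__ == "__main__":
    print(demo())
```

An empty or hidden first vault still anchors the unlock password in this model; only removing it moves the root to the next vault's password.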

  • @Lars: Thanks for this great explanation and feedback - very much appreciated. And also, thanks to you and your colleagues for this incredible product - without exception one of the very few apps I cannot live without...

  • brenty

    Team Member

    On behalf of Lars and the rest of the team, you're very welcome, and thank YOU! We're grateful to be able to do what we love, day in and day out. :chuffed:

  • Lars Junior Member

    Team Member

    @cyberzeus - I see brenty has already replied, but wanted to add my own note of thanks. You guys - our awesome users - are one of the best parts of this job. Thanks for the kind words, and for being a 1Password user. :)

  • gkgriffith Junior Member

    Thanks so much, @frankly, for initiating this discussion. I too am a long-time 1P user and have experienced your same frustrations since adding my 1Password Families account when that product was introduced. Since adding 1P Families, I've been really confused as to how 1Password is structured. I knew I needed the 1Password account in order for my family members to use 1Password, but I chose to ignore confusion by restricting my own use to the local 1P app on my devices. ... At one point, when 1PasswordX was introduced (is that still a thing?), I played around with it a bit, but the confusion only multiplied! It seemed that, in order to use 1PasswordX, I had to copy my 1P entries from my Primary vault to a Personal vault, which I began to do. (I had not used a Personal vault after adding Families, I just stuck with my Primary vault -- Why did I need another vault?) However, when I added entries to my Personal Vault, I discovered that I had double entries, and whenever I tried to use the Quick Fill keyboard shortcut, 1P asked me which entry I wanted to use, and it showed me two identical entries to choose from. I quickly scrapped trying to use 1PasswordX and began deleting entries from my Personal vault, which I was careful to do one by one, in case I had stored any entries there which were not in my Primary vault....

    I love 1Password, but as I've tried to understand how 1Password works and have tried to picture how the folks at 1Password envision me using the product, I finally concluded that perhaps I was supposed to get rid of the local "Primary Vault" on my computer, although I could not find a discussion/explanation of how (or why) that would be helpful. And I was very reluctant to delete the Primary Vault, fearing that perhaps that was the only place all my entries were actually secure, and if I deleted it, I'd lose everything. I hadn't considered that the vault called "primary," which is the original vault I'd set up for using 1Password would be something I should delete. ...

    Until reading this discussion today, I've remained confused about the differences between a 1Password Family Account, which is synced through the 1Password servers, and 1Password (with a "Primary" vault) running locally on my Mac and synced through Dropbox. I think what adds to the confusion is that it is possible for both options to co-exist (which, ironically, at least for me, changed the product to "2Passwords" because I needed one pw for accessing my 1P account, and my original master pw for accessing 1p on my Mac.)

    I share my frustrations for the sake of others who may have had a similar experience. I think that I now understand that the best solution is indeed to move to using only the 1Password account version, and to remove my Primary Vault from my Mac.

    Perhaps the help for the confusion I experienced is documented somewhere, but if it is, I have not been able to find it. In any case, it would be quite helpful to have an explanation of the plusses and minuses of using the local 1Password Primary vault arrangement vs using an online 1Password account, and whether there is any reason to maintain a combination of the two. Thanks!

  • Lars Junior Member

    Team Member
    edited January 17

    @gkgriffith - I'm sorry for what sounds like a bit of a rocky path so far!

    but I chose to ignore confusion by restricting my own use to the local 1P app on my devices

    and

    I had not used a Personal vault after adding Families, I just stuck with my Primary vault -- Why did I need another vault?

    ...are where the problems began, I think. The traditional way of using 1Password (standalone) is different from a 1password.com account (including 1Password Families). In standalone 1Password, you create vaults on your own local device, and then (and only if you want to), you can sync that data using one of our 3rd party services (Dropbox, iCloud, even WLAN) to other devices on which you want to use 1Password. With a 1password.com account, you create a vault on the 1password.com servers, and WE act as both your data host and sync provider (which frees both us and you from having to use limited, advanced 3rd party sync solutions). You sign into your account within 1Password on your local device, and your data syncs automatically. But that's why a standalone-created vault ("Primary") is and always will be different from a 1password.com vault ("Personal").

    If you're already a standalone user with a Primary vault, and you create a 1password.com account and add it to your local 1Password for Mac app (or 1Password for Windows, 1Password for iOS, etc), you'll be prompted to move your data over from Primary into Personal, and then remove the older Primary vault. The assumption here is that you wouldn't create a 1password.com account unless you intended to use it. However, we're aware that some people want to continue using both, so it's possible to dismiss these steps -- which is what it sounds like you did ("I just stuck with my Primary vault -- Why did I need another vault?"). That means you were not really using your 1Password Families account at all (or perhaps only accidentally). Instead, you were creating and modifying and using data only in your standalone Primary vault.

    In order to fill your data into websites, etc, the 1Password browser extension needs to be able to access the data. The extension itself is a conduit for the data, which must be stored somewhere. In standalone 1Password, where you create the data locally on your own device, that data is...on your device. Which means you need a desktop 1Password app for it to work. But, with the debut of 1password.com, we were able to build a browser-only extension that did not require a desktop app because it could communicate securely and directly with your account on the 1password.com servers. This is 1Password X. That's why, when you installed 1Password X, you discovered it could read your Personal vault at 1password.com, but not your local vault -- because that's how it's designed.

    ...perhaps I was supposed to get rid of the local "Primary Vault" on my computer...

    Yes. If you have no separate need for standalone vaults, that's the expectation.

    I could not find a discussion/explanation of how (or why) that would be helpful.

    The how (to do it) is discussed here, and many of the whys are discussed here, but that's also why we staff these very forums as well as our email support -- so if people have questions or worries or run into problems, we can help. :)

    I was very reluctant to delete the Primary Vault, fearing that perhaps that was the only place all my entries were actually secure, and if I deleted it, I'd lose everything.

    Indeed, this seems to be a somewhat common worry. :( As it exists right now, we give users the choice of whether to migrate their data and delete the now-redundant Primary vault because part of good design is not making too many assumptions about what the user should do or even wants to do. However, we're in the process of rethinking this, partly because there appears to be this persistent reluctance to remove the standalone portion of a user's setup even after successfully migrating data to a 1password.com account's vaults, and that winds up in confusion, duplicated entries and other frustration down the road for some users. It's worth pointing out that users who are completely new to 1Password virtually never have such qualms about their account; it's what they are introduced to first, so they don't question whether something called "standalone" or "Primary" would be more secure or even necessary. It's only users who've grown accustomed to doing their 1Password things a certain (standalone) way who are reluctant to leave behind what they're familiar with.

    I think that I now understand that the best solution is indeed to move to using only the 1Password account version, and to remove my Primary Vault from my Mac.

    Yes. But you now may have a more intricate job than you would have had if you'd migrated your data initially, because from what you're saying, you've not been using your 1password.com account's vaults -- except that you DID use them, when you tried experimenting with 1Password X and found it only worked with your Personal vault. The result may be (depending on how you did things, and when) that you now have two sort of identical sets of data, in each location. Do you remember when you transferred your data? And in which vault any of the changes have been made? Or is it likely to be a little of both vaults (Personal AND Primary) where changes have been made? If you're not sure, then it's likely to be the latter - some in both places. One way to really get a handle on it would be to switch to each vault in turn, and set the Sort Order at the top of the item list to "Date Modified" -- this will give you a good image of what's been created/edited in recent weeks/months. Let me know what you discover.

    ...it would be quite helpful to have an explanation of the plusses and minuses of using the local 1Password Primary vault arrangement vs using an online 1Password account...

    The link I posted above to the "Explore" page about 1password.com memberships covers much of that, but not in a side-by-side, pluses and minuses way, for a few reasons. First, there are quite a few differences, and an exhaustive list like that is likely to cause at least as much confusion as it solves/alleviates. The most important reason, though, which we DO make clear everywhere we can, is that for the vast majority of users, a 1password.com account is by far the better option, for, well, all the reasons we list in that "Explore" document and a few we don't cover there. It's easier. More secure (for most people). More feature-rich and powerful (because we're able to create a purpose-built sync engine specifically for your 1Password data). And it includes all our apps on four platforms (Mac, Windows, iOS and Android) at no extra charge, so you don't have to worry about maintaining licenses and purchasing upgrades and potentially being out of date - PLUS web access directly at 1password.com.

    ...and whether there is any reason to maintain a combination of the two.

    If you can't think of any that don't boil down to "just in case," then the answer for you is almost certainly no. I don't mean that in a snarky way, but sincerely. Fear of missing out on something is real, but it's not always well-founded. Considering that 1Password when used with a 1password.com account will work for you in exactly the same way as it always has - storing your most important and sensitive data and securing it behind a Master Password only you know - only better, in the ways I mentioned above, I'm hard-pressed to imagine what you expect me to answer here. We still offer standalone licenses for those who want them, but unless a user articulates to me a use-case for why they prefer standalone, I'm going to recommend 1password.com accounts, because they are simply the best way to use 1Password today. You've already seen the kinds of problems that trying to maintain both standalone and a 1password.com account can result in, so let me ask you: what problem do you think keeping a standalone vault around solves, that isn't solvable any other way?

    Let me know what you discover in terms of duplicated data, and how much has been added/changed/deleted in each place (Primary and Personal), if you need further assistance.

  • gkgriffith Junior Member

    Thanks so much @Lars for taking the time to give me this detailed and helpful explanation! I think I now have a good grasp on the differences between the standalone vs 1password.com account setups. So, on my Mac I have now selected all of the entries in my Primary vault and copied them to my Personal vault in preparation for deleting the Primary vault. (The procedures mentioned in the support articles you referenced seem to make it sound more difficult than this. Is there more that I need to do?) I did have some entries remaining in my Personal vault (25-30) before copying from my Primary vault -- Is there an easy way to locate duplicate 1P entries?

    Now that I understand 1Password better, I have a few more questions:

    1. After I remove my Primary vault, my Personal vault is kept in sync through 1Password.com so that I have all my data on my local computer, right? I travel a lot overseas and often don’t have internet access, but from what I understand, once I have a current sync of my 1P data, it’s only when using 1Password X that I’m dependent on the internet, right?
    2. Does 1Password X now work on Safari as well as Chrome? As I recall, when initially introduced, it only worked in Google Chrome.
    3. It seems that more recently (over the past year?) on my iOS devices, my 1P data does not sync in the background, even though I have Background App Refresh turned on for 1Password. I frequently try to enter a (recently created) pw from 1P on my phone, only to find that I need to first go into 1P settings and manually perform a sync in order to access the recently-created PW. Should I be experiencing this? … Again, for me this is particularly an issue when I’m traveling and don’t have internet or cellular data, so I want to ensure that the 1P data on my phone is always up-to-date.

    Thanks again, @Lars for your help! This weekend I'll be revamping my 1Password set up. I'm a bit embarrassed to say that even though my wife and I are both on the Families account, we nonetheless have continued to share our 1P data with each other through Dropbox sync! :| ...No more! :)

  • Lars Junior Member

    Team Member

    @gkgriffith

    I did have some entries remaining in my Personal vault (25-30) before copying from my Primary vault -- Is there an easy way to locate duplicate 1P entries?

    Not in this case, no. 1Password does have a "find duplicates" feature, but it will not make human-level heuristic-based value judgments for you about what constitutes "duplicates," it can only find and positively identify TRUE duplicates (same UUID, etc). What you'll have is items YOU know are duplicates but which, by virtue of having been doubled up (the original item, plus the copy which was then transferred back) will have different UUIDs and potentially other data you changed in one copy or the other. You'll need to identify those yourself, because we don't ever want 1Password making potentially destructive choices about which is "redundant" or which version is correct. Only you can do that.

    After I remove my Primary vault, my Personal vault is kept in sync through 1Password.com so that I have all my data on my local computer, right?

    Right. The "canonical" version is the version on the 1password.com server, but you have a local cache on your own device(s) that is as current as the last time that device's copy of 1Password was opened and allowed to sync with the server.

    I travel a lot overseas and often don’t have internet access, but from what I understand, once I have a current sync of my 1P data, it’s only when using 1Password X that I’m dependent on the internet, right?

    1Password X does include a cache, but it's much more dependent on the internet than the native application since it interfaces directly with 1password.com. Also (for your next question) there is currently no Safari version of 1Password X, because of the differences in how Safari works with extensions (as opposed to the way both Firefox and Chrome do it). If you're a big Safari user, you'll want to stick with the traditional native app plus "requires-native-app" extension.

    It seems that more recently (over the past year?) on my iOS devices, my 1P data does not sync in the background, even though I have Background App Refresh turned on for 1Password. I frequently try to enter a (recently created) pw from 1P on my phone, only to find that I need to first go into 1P settings and manually perform a sync in order to access the recently-created PW. Should I be experiencing this? … Again, for me this is particularly an issue when I’m traveling and don’t have internet or cellular data, so I want to ensure that the 1P data on my phone is always up-to-date.

    How are you noticing that your data is not syncing? It actually should sync in the background, but it may not be available to the app itself until you unlock. What I mean is: if you make changes on another device, those will sync as you make them. But on an iOS device, if you are using Safari and try to use that new data you know you input on the other device before you unlock the 1Password app itself, that may not work. Is that what you're referring to?

  • gkgriffith Junior Member

    Ongoing thanks! ... Regarding my 1Password iOS issue, I'll have to see if what you are describing is what might be happening. I know that I've had the experience more than once of opening 1Password, searching for a password that I had recently added on my computer, and the 1P does not find it. So I open settings, do a sync, and when I search for it again, it's there and available to be used.

    Another question has come up. As I'm migrating me and my family members to the 1Password.com account scheme, I'm wanting to share my vault with my wife. My wife and I like having a common vault of passwords rather than each having our own vault. So I thought I would just share my Personal vault with her. To do this I logged in to my 1password.com account but I cannot see how to share my vault with my wife. I'm sure it's something simple I'm overlooking, but if you could help me out, I'd appreciate it!

  • Lars Junior Member

    Team Member

    @gkgriffith - 1Password Families isn't designed for people to share the exact same set of data. You COULD do it that way, I suppose, but that would sort of defeat the purpose of having a 1Password Families account. The idea is that even for people who share "everything," you still have considerably more "unique" data/passwords/accounts than you probably think you do at a casual glance. For example, both my wife and I have at least a couple of gmail accounts, for various purposes. It isn't that I'm "hiding" any of them from my wife (or she from me), but if we had only a single vault in common, there would be probably five or more accounts in there, all labeled "gmail." That gets confusing, when 1Password offers you all four (or five, six, etc) as choices when you're on the sign-in page, because it doesn't (can't) know which one you want to use. The same goes for things like Facebook, Instagram, any other accounts that are unique to you. There ARE a lot of accounts that I share with my wife, where we have a single login for both of us. Things like the family Netflix account, even sensitive/important stuff like financial accounts -- these have shared credentials. In a 1Password Families account, those would go in the "Shared" vault, so both of us can use them, while items that are individual/unique go in our own Personal or Private vaults, to avoid confusion.

    You can't just share your own 1Password account with your wife, unless you give her your Secret Key and your Master Password, and have her sign into the same account you do. If she has her own sign-in, in your 1Password Families account, you each can keep individual records, as well as share whatever you like. Let me know if you have any questions.

  • gkgriffith Junior Member

    Gotcha! ... OK, we're getting closer to that perfect solution! ... It seems that anything I put in the "Shared" vault in my 1P account is viewable/accessible by everyone in the family. So, if I want to have a set of password/entries that only my wife and I share, is the best solution to create a new vault, then share it between the two of us, and for me to move the entries we want to share from my Personal vault to that new vault?

    (One of the reasons our current set up has been helpful is that since I'm the IT guy in the family, my wife likes it that I have access to all her passwords, etc., in case I need to address any issues with her accounts, etc. I suppose she could share her master password with me and then I could just log in to her account if I needed access to non-shared passwords in order to help her resolve an issue...)

    Unless you have any other suggestions, I'll just proceed with what I mentioned above re. setting up a new vault to share between just the two of us....

  • Ben AWS Team

    Team Member

    Gotcha! ... OK, we're getting closer to that perfect solution! ... It seems that anything I put in the "Shared" vault in my 1P account is viewable/accessible by everyone in the family. So, if I want to have a set of password/entries that only my wife and I share, is the best solution to create a new vault, then share it between the two of us, and for me to move the entries we want to share from my Personal vault to that new vault?

    Yep, exactly. :+1:

    Ben
