How can I change a standalone vault password that's not my primary vault?

duetjohn
Community Member

My primary vault is for personal information and I have a second vault with work information. It seems that I originally set up both vaults with the same passwords, but I'd like to use a different password for my work vault. It seems that I can only change the Master password, which is tied to my primary (personal) vault. How can I change the other vault password on a Mac?

Thanks,
John


1Password Version: 6.8.9
Extension Version: Not Provided
OS Version: macOS 10.14
Sync Type: Drop
Referrer: forum-search:change vault password

Comments

  • Lars
    1Password Alumni

    @duetjohn - in an existing setup, you can't change secondary standalone vaults' passwords, because those vaults' keys are "escrowed" in the Primary vault. So you can change the Primary vault's password (which is also the Master Password for your 1Password for Mac setup), but not the secondaries. If you absolutely must change it, you could sync the secondary vault to a folder located on a USB flash drive, install 1Password for Mac on a different Mac, create a new standalone vault there, sync it with the vault on the USB flash drive, (which would make it the Primary vault on that device), then use that Mac's "change Master Password" feature to change the vault password there, sync it back to the USB flash drive, take the USB flash drive back to the first Mac, and perform a sync again -- that should do it. You might have to remove the vault in the first Mac's install and then re-add it from the sync keychain on the USB flash drive...but it should work.

    Needless to say, I don't actually recommend doing the above, since it involves quite a bit of manual fiddling...but without testing it, I think that should work.

  • 1pwuser31547
    Community Member

    Can you not simply create another secondary vault with the desired password, copy the contents of the original secondary vault into the new secondary vault (then delete the old secondary vault)?

    I guess technically this is not the same thing as changing the secondary vault password but should accomplish the same goal.

  • Lars
    1Password Alumni

    @1pwuser31547 - sure, you could do that as well.

  • 1pwuser31547
    Community Member

    Hi Lars,
    It appears that with the new update one can directly change the password of secondary local vaults.

    Also on this topic let me ask/clarify another question.
    Even though 2* vault master PWs are escrowed into the 1* vault, a remote attacker (that has access to exported data through malware for example) would still need to know the master password(s) for the 2* vaults to access their data.

    In this case I am assuming that 1 PW was locked at the time of device compromise with nothing having remained in memory, and discovery of compromise was made prior to any subsequent unlocking of the native client.

    Otherwise, the attacker would need physical possession of the device and bypass its passcode and then know the 1 * vault MP to unlock the app and access the 2* vault contents.

    This is correct, right?

    What about the local backups automatically generated and saved on the device (iMAC)?
    If an attacker had possession of those files, would knowledge of the 1* vault MP give access to the 2* vaults?
    (I've never had to restore from backups so I don't have any experience with this)

    I ask these questions because I would like to create extremely strong 2* vault passwords, (like 256 bit, equal in strength to the cryptographic keys) while still being able to conveniently unlock my 1 PW native client with my 1* MP that I have already well memorized. My 1* vault MP is strong but not 256 bit strong (or 128 bit for that matter).

    I know that I would need to remember these 2* vault MPs when trying to restore them, when saved as OPvault files, to the native client.
    My plan would be store these 2* vault master passwords securely as I do the secret key (and primary master password.)

    I'm trying to replicate at the local level, kind of/sort of, what 1 PW accounts (which I also have) do with strengthening encryption by combining one's MP and secret key.

    Thanks and Happy New Year!

  • 1pwuser31547
    Community Member

    Sorry to comment again before your reply but I wanted to ask how escrowing of the 2*vault MP actually works as this may help me better understand this topic.

    Does the MP derived MUK of the 1* vault also encrypt/decrypt the key set for all 2* vaults? Is this how unlocking the 1* vault automatically opens the 2* vaults?
    (I know this local vault "MUK" is technically not the same as the 2 key derivation MUK of accounts but let me call it that for brevity)

    Thanks

  • 1pwuser31547
    Community Member

    Hello.
    I wanted to reach out again since I haven't received a response to my questions that I asked over a week ago.
    Thanks

  • AGKyle
    1Password Alumni

    Hi @1pwuser31547

    "Also on this topic let me ask/clarify another question. Even though 2* vault master PWs are escrowed into the 1* vault, a remote attacker (that has access to exported data through malware for example) would still need to know the master password(s) for the 2* vaults to access their data."

    I'm having trouble with your usage of 2* and 1* which is not terminology or naming I've ever seen so I may be misunderstanding, so I'll reword to try to explain it from my side with names/terminology I understand. Hopefully it'll make sense for you as well.

    How you answer this depends on what an attacker has.

    If the attacker has copies of the sync files (generally referred to as a sync store, like an OPVault file), they need the Master Password to access the data of that vault.

    If the attacker has a copy of the 1Password local data store (this is a SQLite file stored locally and used by the app directly, it is not synced directly anywhere) then the attacker would have access to the second vault by way of the first. The keys necessary to unlock the secondary vault are encrypted by the primary vault, so having access to the first would grant you access to the secondary vaults.

    "What about the local backups automatically generated and saved on the device (iMAC)? If an attacker had possession of those files, would knowledge of the 1* vault MP give access to the 2* vaults?"

    Local backups are the same as the second above. On Mac specifically we zip the local data store folder up and that's the backup.

    "I ask these questions because I would like to create extremely strong 2* vault passwords, (like 256 bit, equal in strength to the cryptographic keys) while still being able to conveniently unlock my 1 PW native client with my 1* MP that I have already well memorized. My 1* vault MP is strong but not 256 bit strong (or 128 bit for that matter)."

    You could do this, but that's so severely overkill I wouldn't even recommend it. Just create a unique and strong Master Password that you can remember well enough and that's all you need to do. Going beyond even 20 characters (for say a character password, not a Diceware password) is overkill, too.

    Hope that helps a little though.
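
The difference between the sync store and the local data store described in the reply above, as an added sketch that is not part of the original thread and is not 1Password's actual file format or cryptography. It is a toy model in which the secondary vault's key is wrapped once under its own password and once under the primary password; the function names, store layouts and the XOR/HMAC wrap are assumptions made for illustration.

```python
import hashlib, hmac, os

def kdf(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the low iteration count only keeps the example fast.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def _mac(kek: bytes, label: bytes, data: bytes) -> bytes:
    return hmac.new(kek, label + data, hashlib.sha256).digest()

def wrap(kek: bytes, key: bytes) -> bytes:
    # Toy wrap for a 32-byte key: XOR pad plus HMAC tag, standing in for real
    # authenticated encryption (assumption, for illustration only).
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(key, _mac(kek, b"pad", nonce)))
    return nonce + ct + _mac(kek, b"tag", nonce + ct)

def unwrap(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, _mac(kek, b"tag", nonce + ct)):
        raise ValueError("wrong password or corrupted blob")
    return bytes(a ^ b for a, b in zip(ct, _mac(kek, b"pad", nonce)))

def build_stores(primary_pw: str, secondary_pw: str):
    vault_key = os.urandom(32)  # key that encrypts the secondary vault's items
    s_salt, p_salt = os.urandom(16), os.urandom(16)
    # Sync store (the file placed in a sync folder): key wrapped under the vault's own password.
    sync_store = {"salt": s_salt, "wrapped": wrap(kdf(secondary_pw, s_salt), vault_key)}
    # Local data store and its zipped backup: the same key escrowed under the primary password.
    local_store = {"salt": p_salt, "escrow": wrap(kdf(primary_pw, p_salt), vault_key)}
    return vault_key, sync_store, local_store

def open_sync_store(store: dict, password: str) -> bytes:
    return unwrap(kdf(password, store["salt"]), store["wrapped"])

def open_local_store(store: dict, password: str) -> bytes:
    return unwrap(kdf(password, store["salt"]), store["escrow"])

if __name__ == "__main__":
    # Constructed sample passwords: a memorable primary, a random 256-bit secondary.
    key, sync, local = build_stores("memorable primary", os.urandom(32).hex())
    assert open_local_store(local, "memorable primary") == key
    try:
        open_sync_store(sync, "memorable primary")
    except ValueError as err:
        print("sync store:", err)
```

In this model a very long secondary password protects only copies of the sync store; the local data store and its backups are protected at the strength of the primary password.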

  • 1pwuser31547
    Community Member

    1= primary 2= secondary
    Sorry about not making that explicit. I thought the context would make it unambiguous. My apologies...

    @AGKyle
    "If the attacker has a copy of the 1Password local data store then the attacker would have access to the second vault by way of the first."

    That's what I thought- thanks for confirming.
    Where is the local data store folder? (I see the backups)

  • Ben

    @1pwuser31547

    It'll be in ~/Library/Group Containers/2BUA8C4S2C.com.agilebits/Library/Application Support/1Password/Data

    Ben

  • Lars
    1Password Alumni

    To add to what Ben said ^^, if your copy of 1Password 6 for Mac was from the Mac App Store instead of purchased directly from us, then the data will be located not in Application Support, but in the following location:

    ~/Library/Containers/2BUA8C4S2C.com.agilebits.onepassword-osx-helper/Data/Library/Data/

  • 1pwuser31547
    Community Member

    Thanks to all who replied.

  • Lars
    1Password Alumni

    :) :+1:

  • 1pwuser31547
    Community Member

    Hello again.
    I’m trying to understand the backup process for iOS.

    Regarding iOS and standalone vaults, it appears backups are not automatically done.
    Does this mean that there is no local cache or that simply the local cache is not automatically zipped up to create a backup?

    When I create a backup, where in the iOS device are backups and local caches stored?

    Also to clarify, there is no direct way to sync or restore from a local OPVault (i.e., on flash drive) to iOS, correct? I would need to folder sync to MAC then WLAN sync to iOS, correct?

    With the new updates to Apple and 1PW, is there a direct “cable sync” option to and from Mac and iOS or is WLAN sync still the only option?

    Thanks

  • Ben

    @1pwuser31547

    "Regarding iOS and standalone vaults, it appears backups are not automatically done.
    Does this mean that there is no local cache or that simply the local cache is not automatically zipped up to create a backup?"

    The database for standalone vaults is stored on the iOS device but it is not automatically backed up.

    "When I create a backup, where in the iOS device are backups and local caches stored?"

    Ostensibly within the app. Removing the app will also remove the local database and backups.

    "Also to clarify, there is no direct way to sync or restore from a local OPVault (i.e., on flash drive) to iOS, correct?"

    Correct.

    "I would need to folder sync to MAC then WLAN sync to iOS, correct?"

    Folder sync in and of itself is not a solution for syncing 1Password data between two or more devices. Arguably we really shouldn't even call it a "sync" as that causes confusion. All it does is create a sync file, so that you can use a 3rd party sync solution to connect multiple devices with that data. As is outlined in the folder sync guide, folder sync should not be used to store a sync file on a network volume.

    "With the new updates to Apple and 1PW, is there a direct “cable sync” option to and from Mac and iOS or is WLAN sync still the only option?"

    There is no way to sync over a cable. The sync options available are outlined here:

    Sync your 1Password data

    I hope that helps!

    Ben

  • 1pwuser31547
    Community Member

    Thanks Ben.
    @Ben: Ostensibly within the app. Removing the app will also remove the local database and backups.

    One follow-up: what is your experience on the reliability of restoring the 1PW local vault data (primary and other secondary vaults) after an iOS restore from iCloud or restore from Mac?
    (I would have the 1 Pw option clicked “green” under the iCloud backup setting).

    Can you comment, in general, on how Apple stores this 1PW iOS app data within the device backup versus at the vault level when syncing Primary vaults to iCloud?

    For context, I have both an account/ personal vaults and local standalone vaults.

    Thanks

  • Ben

    @1pwuser31547

    My experience is that iCloud does not reliably back up 1Password data except when syncing with iCloud is enabled. iCloud can only sync a single vault, so that is a limiting factor as far as utilizing it for a backup strategy when using multiple vaults.

    Ben

  • 1pwuser31547
    Community Member

    Thank you.

  • Ben

    You're welcome. :)

    Ben

This discussion has been closed.