Password change requires old password
Hiya, pretty new to 1Password, but noticed an odd behaviour on the Windows client when changing password. For some reason, I have to enter my old password to get into 1Password for Windows first... this then unlocks, exposing all my passwords, before prompting to log in with the new password as it's changed.
This concerns me a little, as if my password was exposed then, say for example on my work PC which is domain controlled, a sys admin would be able to access my account with that old password even if I'd changed it?
1Password Version: 7.3.657
Extension Version: Not Provided
OS Version: Windows 10 Pro
Sync Type: 1password
Comments
Hi @Dfects,
Thanks for writing in.
Are you referring to changing your master password for your 1Password account/vault?
If yes, that is normal, 1Password does not know anything about remote changes since it is locked. Once you unlock with your master password, it'll perform a sync and detect the remote password changes to update its local unique encryption key that'll require the new master password to unlock it.
This concerns me a little, as if my password was exposed then say for example on my work PC which is domain controlled a sys admin would be able to access my account with that old password even if I'd changed it?
Generally, any computer you don't have full control over is technically compromised. The same sys admin can just block network traffic, and anything you do to change your master password would never reach that computer. Not to mention, they can still install keyloggers to capture any new password you type in.
If you're not using a 1Password account, local vaults are the same way: they can't be updated without a sync, and local backups can be used to restore to the previous password. This is assuming there are still backups left before they're replaced with newer backups that are protected with the new password.
Keep in mind that 1Password is not exposing anything, since you still have to unlock with your old password. If your password is compromised, they still need to know your Secret Key to log in remotely, and you'd get new emails for any devices on your 1Password account. If you suspect your computer is fully compromised, you'll have to sign in to your 1Password account on the website, regenerate your Secret Key, change your master password and then de-authorize the computer immediately.
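A toy model of the behaviour described in the reply, added here as an illustration and not 1Password's own code or key format: each client holds the vault data key wrapped under a key derived from the master password, so a password change made elsewhere does not affect a locked client until it unlocks with the old password and syncs. The XOR-plus-HMAC wrapping and the class names are assumptions for the example; a real client would use an authenticated cipher.

```python
import hashlib
import hmac
import os

# Toy model (added example, not 1Password's implementation): the vault data key
# is wrapped by a key derived from the master password. Wrapping is XOR plus an
# HMAC tag here; a real client uses an AEAD cipher.

def derive_key(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=32)

def wrap(data_key: bytes, password: str, salt: bytes) -> bytes:
    kek = derive_key(password, salt)
    blob = bytes(a ^ b for a, b in zip(data_key, kek))
    return blob + hmac.new(kek, blob, "sha256").digest()

def unwrap(wrapped: bytes, password: str, salt: bytes):
    """Return the data key, or None if the password does not fit the wrapped copy."""
    kek = derive_key(password, salt)
    blob, tag = wrapped[:32], wrapped[32:]
    if not hmac.compare_digest(hmac.new(kek, blob, "sha256").digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(blob, kek))

class Client:
    """One copy of the vault: the server, or a locked desktop client."""
    def __init__(self, data_key: bytes, password: str):
        self.rewrap(data_key, password)

    def rewrap(self, data_key: bytes, password: str) -> None:
        self.salt = os.urandom(16)
        self.wrapped = wrap(data_key, password, self.salt)

    def unlock(self, password: str):
        return unwrap(self.wrapped, password, self.salt)

    def sync(self, server: "Client") -> None:
        # Only reachable once the client is unlocked and online.
        self.salt, self.wrapped = server.salt, server.wrapped

def scenario():
    data_key = os.urandom(32)
    server = Client(data_key, "old-pass")
    laptop = Client(data_key, "old-pass")           # locked, has not synced yet
    server.rewrap(data_key, "new-pass")             # password changed on another device
    before = (laptop.unlock("old-pass") == data_key, laptop.unlock("new-pass") == data_key)
    laptop.sync(server)                              # after unlocking with the old password
    after = (laptop.unlock("old-pass") == data_key, laptop.unlock("new-pass") == data_key)
    return before, after                             # ((True, False), (False, True))
```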