Can't login into 1Password on Windows with new password
When I change my 1Password master password I can't login into the 1Password Windows application. I first have to provide the old password and then after a minute or so 1Password recognizes, that the password has changed and wants me to input the new one. First of all if my old password was somehow leaked people could theoretically access my passwords saved in 1Password on my PC even if I change my password, which is not really secure... This is now the third time this happens and it happens across all of my Windows devices. I updated my password like one month ago and the application on my desktop PC still wasn't notified about the change. It works fine on my MacBook when I change the password. This is especially annoying when I don't know my old password anymore, so I can't login into the Windows app. I know 1Password has a password history, which in fact saved me the trouble of reinstalling the application, but still troubling and dangerous. Please fix this
1Password Version: 7.3.712
Extension Version: Not Provided
OS Version: Windows 10
Sync Type: Not Provided
Referrer: forum-search:windows new password
Comments
-
I don't want to say this is working as intended, @ImSmail, as the user experience here is something we want to improve so that Windows handles things like Mac, but this actually is how it works under the hood regardless of appearances. Even on Mac, if you tried to use your old Master Password, it would unlock and prompt you for your new Master Password, just like on Windows. You can learn more about how this process works in this old, but still very relevant, blog post written by our lead server developer:
https://blog.1password.com/how-1password-syncs-changes-to-your-master-password/
The post references the old ways of syncing – with Dropbox and iCloud – but it's still informative about how things are handled today with 1Password memberships.
The reason for this is that your Master Password isn't exactly like a traditional password – it's part of your encryption key. When you change your Master Password on the web, your encryption key is updated and your data is re-encrypted with the new one. From that point forward, no one can access your 1Password data on a device other than one you've already set up without that new Master Password. As soon as you have unlocked 1Password on each of your devices and given those devices your new Master Password – either by using it out of the gate or providing it when prompted – those devices will require the new Master Password as well. I find an example is most helpful.
When you sign in to a normal account, all you're doing with your password is proving that you know a secret that indicates you have the right to access the information contained within that account. You don't have any of that information yet – only when you authenticate with your password are you given access to that information.
With 1Password, you have your 1Password data at all times. It's saved locally on your PC (and other devices) so that you're able to access it offline. That data is encrypted, so no one is able to see anything useful without having your Master Password, but the data is there nonetheless. It would be possible to do this differently – we could make 1Password online only so that you always need to authenticate before accessing that data rather than just decrypting it, but that would leave you without access to any of your 1Password data without an internet connection.
Now, some may say the online-only option is the more secure choice, but one thing our Chief Defender Against the Dark Arts said to me a while back has stuck with me – security that's so good even you can't access your data isn't doing you any good at all. Offline access is only one scenario and might be a worthy trade-off for some, but I live fairly close to a hurricane prone area so the scenario that always comes to my mind is what I would do without access to anything I've stored in 1Password after a hurricane when services tend to be spotty, even outside of directly impacted areas. Even if there's nothing you can think of that might make offline access important to you, the attack surface for this is extremely small. In order to get access to your data, someone would need to either have access to your PC itself, or the data stored on it, and if that's the case changing your Master Password isn't going to protect you on its own anyway. They could install a keylogger or intercept your passwords as you sign in to sites.
If your device isn't itself compromised, then your data is protected from a leaked Master Password just as soon as you change it since your remote data – what's on our servers – has already been re-encrypted with the new one. If your device is compromised, then that is trouble indeed, but there is nothing 1Password or anyone else can do to make using a compromised device safe.
I hope this helps explain some of how this works and why it is as it is and also helps you feel a bit more comfortable about the security of that process. Of course, if you have any questions still, I'm happy to help, and again – we don't want to eliminate that step of having to unlock with your old Master Password on Windows. While it doesn't necessarily change anything security-related in the end, it's annoying and not the user experience we want there. As a final tidbit, if I may, I'd also like to note that we don't recommend changing your Master Password frequently at all. The general guidance is that passwords should be changed if and only if you believe they've been compromised or exposed. Otherwise, all you're doing is increasing your risk of forgetting it. With most passwords, of course, 1Password has your back and you don't need to remember them, but your Master Password is that one special case where ensuring you can remember it is still important.
Thanks for taking the time to reach out, let me know if I can do anything else to help, and all the best in the new year. :chuffed:
0
