1pw asking for OLD version of master password.
About three weeks ago I changed my master password at my.1password.com, but 1pw for mac beta has not been recognising it, instead only unlocking when I type in the previous master password. I ignored this at first, assuming it was slow to update, and I rarely type the master password as I use touch-id. However, the problem persisted, despite rebooting my mac on several occasions.
This bug is a security concern, because a master password might be changed due to being compromised and access can be gained with a different password.
The updated master password works fine on the web (where I changed it) and on my other devices (two iPhones). It's as if 1pw for mac hadn't got the message.
I thought I would have one last try at restarting it, this time force-quitting all the 1password processes in activity monitor. This resulted in the 'beta expired' errors reported elsewhere, causing me to downgrade to the latest stable release. However, on the stable version neither the old nor the current password is accepted.
What are my next steps to get 1password running again and with the correct mp? (I'm assuming I need to delete some files in Library), and if this is a bug you're not aware of, can I provide you with any useful information?
1Password Version: 11.5.2
Extension Version: 2.1.0
OS Version: 11.5.2
Comments
-
Hi @fursday!
The updated master password works fine on the web (where I changed it) and on my other devices (two iPhones). It's as if 1pw for mac hadn't got the message.
In your 1Password for Mac app, do you perhaps also have a vault called Primary? The way 1Password unlocks is:
- If a Primary vault exists, then it unlocks using the Master Password for that vault, regardless of what, if any, memberships are signed in
- If a single 1Password membership is signed in, then it unlocks using the Master Password for that membership account
- If multiple memberships are signed in, then it unlocks using the Master Password of the first added membership
So I wonder if the old password is actually coming from this additional Primary vault.
0 -
I can't help wondering whether this behaviour is a potential security weakness though. Surely after resetting a password for a membership account all authorised devices should ask for the new password, as it might have changed due to being compromised.
I know you can manually de-authorise devices, but it's not mandatory, especially if this behaviour is not well understood by users. I know it's similar to touch-id, which will continue to work after a password is changed, but touch-id at least asks you for your master password after a period of time/restart etc., and this can be configured in settings. Plus it's harder to steal fingerprints.
Also, if it's not sufficiently obvious to users that a membership account and stand-alone vault have separate passwords (and allowing one password to log in to both makes this less obvious) then a user might forget to modify the password for the stand-alone vault as part of routine security hygiene.
0 -
Also, if it's not sufficiently obvious to users that a membership account and stand-alone vault have separate passwords (and allowing one password to log in to both makes this less obvious) then a user might forget to modify the password for the stand-alone vault as part of routine security hygiene.
This is indeed one of the reasons why we recommend removing the Primary vault after switching to a 1Password.com account. Our developers built this so users don't need to enter multiple passwords, one for each vault or account, but only need a single Master Password. The new 1Password in the browser extension works as you wish, for example: if you have multiple 1Password accounts, you will need to unlock them separately all the time :+1:
0 -
@ag_ana That was useful to know how 1Password chooses which master password to ask for. If I am signed in to multiple membership accounts, is there a way to configure which master password I have to enter, instead of it just choosing to ask for the oldest one?
In my case, I'm signed in to a work and a personal account. I happen to have added my personal account after my work account, but I would rather enter my personal master password to unlock 1Password. I don't see any way to configure that though.
0 -
If I am signed in to multiple membership accounts, is there a way to configure which master password I have to enter, instead of it just choosing to ask for the oldest one?
You cannot configure this: in case of multiple accounts, the Master Password is the one of the account you added first.
The only way I know to do this is to sign out of your accounts, and add them again in the right order, so that will work :+1:
0
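The unlock precedence ag_ana lays out (Primary vault first, otherwise the first-added membership), the stale-password concern fursday raises, and the sign-out-and-re-add workaround, modelled together as an added example. It is not 1Password's code; the `MacAppState` fields and the plaintext comparison are assumptions made only to show which password the app asks for.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
# Constructed model of the unlock precedence described in the thread (not 1Password's code);
# passwords are compared as plain strings purely to illustrate which one is asked for.
@dataclass
class Membership:
    name: str
    master_password: str

@dataclass
class MacAppState:
    primary_vault_password: Optional[str] = None  # standalone Primary vault, if one exists
    memberships: List[Membership] = field(default_factory=list)  # in the order added

    def unlock_source(self) -> Optional[str]:
        """Primary vault wins; otherwise the first-added membership (rules 2 and 3 collapse)."""
        if self.primary_vault_password is not None:
            return "Primary"
        return self.memberships[0].name if self.memberships else None

    def accepts(self, typed: str) -> bool:
        """Does the app unlock with `typed`, given the source chosen above?"""
        src = self.unlock_source()
        if src == "Primary":
            return typed == self.primary_vault_password
        return src is not None and typed == self.memberships[0].master_password

def rotate_membership_password(state: MacAppState, name: str, new_pw: str) -> None:
    """Change made at my.1password.com: updates the membership, leaves the Primary vault alone."""
    for m in state.memberships:
        if m.name == name:
            m.master_password = new_pw
            return
    raise KeyError(name)

def stale_password_scenario() -> Tuple[Tuple[bool, bool], Tuple[bool, bool]]:
    """(old accepted, new accepted) before and after removing the Primary vault."""
    state = MacAppState("old-pw", [Membership("personal", "old-pw")])
    rotate_membership_password(state, "personal", "new-pw")
    before = (state.accepts("old-pw"), state.accepts("new-pw"))  # old password still unlocks
    state.primary_vault_password = None  # mitigation from the thread: remove the Primary vault
    after = (state.accepts("old-pw"), state.accepts("new-pw"))
    return before, after

def reorder_scenario() -> Tuple[str, str]:
    """Work added before personal asks for the work password; re-adding in reverse flips it."""
    state = MacAppState(memberships=[Membership("work", "w"), Membership("personal", "p")])
    first = state.unlock_source()
    state.memberships = [Membership("personal", "p"), Membership("work", "w")]  # sign out, re-add
    return first, state.unlock_source()
```

`stale_password_scenario()` returns `((True, False), (False, True))`: with a Primary vault present, the rotated membership password is ignored until that vault is removed.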