All accounts unlock is not consistent

extensioncord
Community Member

I have many accounts (21 currently added to primary). When I signed in to my main account, all other accounts would be unlocked in previous versions of 1Password 7.x and 8.7.

With 8.8, sometimes they all unlock, but mostly they do not, and I need to unlock each account individually manually, and then sometimes I come back after a while and find them all unlocked, perhaps after unlocking from a timeout.

How can I have all of my active accounts unlocked upon unlocking my main account?


1Password Version: 8.8.0
Extension Version: 2.3.3
OS Version: 12.5
Browser: Safari

Comments

  • Hi @extensioncord:

    Great question! 1Password 8 will unlock each account that shares the account password you've used to unlock the app. For example:

    • Account 1 with a password of Molly&Patty2
    • Account 2 with a password of Molly&Patty2
    • Account 3 with a password of Sally4th
    • Account 4 with a password of Sally4th

    Using Molly&Patty2 to unlock the app will result in accounts 1 and 2 being unlocked, with 3 and 4 staying locked. Using Touch ID or Apple Watch unlock will unlock all accounts that have been previously unlocked with the account password. Unlocking accounts 1, 2, 3, and 4 using Touch ID or Apple Watch unlock would require entering both account passwords at least once.

    Generally speaking we'd recommend using the same account password across any 1Password accounts you may have.

    Jack

  • extensioncord
    Community Member

    That is not the behavior of the past, and it's not the behavior I see. All of the account passwords for the other accounts are stored in the primary account. Is that a possible explanation for how it was able to work before? Perhaps there is some caching that lasts until an update?

  • extensioncord
    Community Member

    Also, advocating for the same password for different accounts seems more than a bit antithetical to 1Password's purpose.

  • Hi @extensioncord:

    This unlock behavior (where only the accounts with the account password entered unlock) has been a part of 1Password 8 from the beginning. We changed it with 1Password 8. The previous unlock behavior allowed for situations where enforced password requirements by a team or business administrator would be ignored if the first account added was a different account. Additionally, because the password used to unlock 1Password 7 was dependent on which 1Password account was added first, it would be possible to have different unlock passwords on different devices.

    It's important to note that this isn't quite the same as reusing a password for a regular website login, as not even a hashed form of your password leaves your device ever. Secure Remote Password (SRP): How 1Password Uses It

    Jack

  • extensioncord
    Community Member

    Whatever the intention or policy, it has not and does not work the way you describe all of the time for me. I have been using 1Password 8.7 and then 8.8 beta, and now 8.8 for several months now. It seems that it only locks all of the accounts after an update (frequent when on the beta channel) and maybe also on restart. It also seems that it does unlock ALL of the accounts just from unlocking the main account in one or more circumstances.

    I have just experienced one of these moments. Before I left my computer, I had unlocked four additional accounts by using their password. The remaining seventeen accounts were still showing as locked when I left the computer. I returned to my computer after being away for an hour. Upon opening 1Password.app, I was prompted to unlock 1Password with my Apple Watch, and after doing so, an animation that showed a green check on ALL of the account icons appeared, and all accounts were unlocked when the 1Password window was revealed.

    Secondly, when I am required to unlock all of my accounts individually, I use Quick Access to access the password for the account, but it doesn't auto-enter into the 1Password authentication. If I copy the password, the focus afterward is not on the 1Password account unlock password entry, even though it was when I typed the Quick Access key combo. Tabbing does not select that field. If I Command+Tab twice to switch out of 1Password and back, then the focus is on the password field, unless there is a biometric method active, then the focus is on that button, and a Shift+Tab moves focus to the password field to paste.

    Assuming there isn't some biometric exception to the intended behavior, once you "fix" the behavior that sometimes allows me to unlock all of my accounts, I'll be left with having to unlock all 21 accounts individually all the time, with a very inefficient process. Does it not make sense that a user with a large number of accounts might want a way to unlock all of them efficiently? It seems to me that a method to respect specific account password policies could be implemented, or associate an item in the primary account with unlocking subsequently added accounts.

    Please note that I reported both of these issues (multiple accounts unlock and unlock password focus) in the beta forum, and received no responses.

    Some other significant issues with 1Password 8 that are ongoing are:

    • VERY slow to enable browser autofill after unlock. Sometimes more than a minute before the options menu appears below login form fields in Safari or Chrome with the current extensions installed and enabled. Much slower than 7.x with the same number of items/accounts.
    • Serious instability issues. The app regularly crashes (all windows disappear - but no crash reporter window), locks up (Application Not Responding) or shows a blank white window.
    • Cosmetic issues - selection highlights, menu highlights
    • Feature regressions from 7.x - field order, searchability, account icons (important for identification when you have 22)
  • extensioncord
    Community Member

    I guess you described the Touch ID/Apple Watch exceptional behavior in your reply, but I didn't follow it, because it didn't completely jibe with what I was seeing. What privileges biometric unlock over password unlock in the context of your justification for needing to individually unlock accounts? It seems that there is still the potential to override business account credential policies in that situation.

  • chrisjaffe
    Community Member

    I second extensioncord's comments on v8 vs v7. V7 was much more user friendly and intuitive to use. One example not mentioned is that search now defaults to the first entry in the list and not finding all. For example, if I type gmail and click enter I used to see all of my gmail accounts, now I have to click ctrl + enter to see that.

    But more importantly, I strongly disagree with the notion that 1password is now advocating for reusing passwords. And, no, the justification:

    "It's important to note that this isn't quite the same as reusing a password for a regular website login, as not even a hashed form of your password leaves your device ever."

    is not adequate. If someone were to crack, steal or otherwise compromise one of my accounts they would all be compromised. The whole point of 1password is to keep people from reusing passwords. 1password should not be advocating differently.

  • Dave_1P
    edited August 2022

    @extensioncord

    When you enable Touch ID or Apple Watch unlock for 1Password, 1Password stores an encrypted secret on disk. The secret is encrypted using an encryption key stored in the Secure Enclave which is a security component built into your Mac. This secret allows the 1Password app to unlock all of your accounts at once which makes enabling Touch ID or Apple Watch the best option for when you wish to conveniently unlock all accounts at once.

    1Password removes that encrypted secret from disk if your fingerprint isn't recognized three times in a row and when you haven't entered your account password into the app for 2 weeks.

    @chrisjaffe

    "If someone were to crack, steal or otherwise compromise one of my accounts they would all be compromised. The whole point of 1password is to keep people from reusing passwords. 1password should not be advocating differently."

    1Password works differently from other accounts for two reasons:

    1. As Jack mentioned, we use Secure Remote Password (SRP) to ensure that your account password never leaves your device.
    2. Each of your accounts is protected by not only your account password but by a unique Secret Key as well. An attacker would need both your account password and unique Secret Key in order to access your account.

    Our Principal Security Architect wrote in more detail on this subject in this thread: Two accounts - now needs two different passwords every time you login? — 1Password Support Community

    -Dave

  • chrisjaffe
    Community Member

    @Dave_1P

    I appreciate your response though I disagree with you adamantly.

    Point 1 is not related to my objection. Let's assume that I use the same password for two 1pass accounts and also for my login at Target.com. While 1pass keeps my password on my computer, not all services do.

    And how is it true that my password is always kept on my computer when I am logging in to 1password.com, which I have to do monthly to manage users or other account information? There is no way that you are never sending that password across the internet.

    Point 2 is understood. Hopefully my users are not printing the secret keys out or writing them down in the same place as their password.

    As an IT professional I spend most of my time worrying about my users' passwords. Where have they written them, how secure are they, where are they reusing them...

    There is absolutely nothing you can say that will convince me that reusing passwords is a good idea.

    One day we will not need passwords, until then I rely on services like 1pass to help me keep my users secure.

    cj

  • Hi @chrisjaffe:

    We do not recommend using your 1Password account password anywhere else. As I mentioned earlier, we use Secure Remote Protocol to authenticate to the 1Password servers from the 1Password clients. When you enter your account password on my.1Password.com, it is not sent anywhere. The client (your browser with my.1Password.com open), and the 1Password.com servers both arrive at a shared session encryption key. my.1Password.com in your browser and the server both perform some derivation from secrets they already have to arrive at this session key, and neither your account password nor Secret Key is sent over the internet during the process. The session key isn't able to be reversed into either your account password or Secret Key.

    Jack
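
An added sketch (not part of the thread and not 1Password's code) of the SRP-6a exchange described in the reply above: both sides reach the same session key while only the salt, `A` and `B` cross the wire. The group parameters, the function names, the sample Secret Keys and the way the Secret Key is mixed into `x` are assumptions for illustration; 1Password's actual key derivation is not described on this page.

```python
import hashlib, secrets

# Demo parameters (assumptions): 2**521 - 1 is a Mersenne prime picked for brevity;
# real SRP deployments use standardized groups such as those in RFC 5054.
N, g = 2**521 - 1, 3

def H(*parts):
    """SHA-256 over length-prefixed ints/bytes, returned as an int."""
    h = hashlib.sha256()
    for p in parts:
        b = p if isinstance(p, bytes) else p.to_bytes((p.bit_length() + 7) // 8 or 1, "big")
        h.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(h.digest(), "big")

k = H(N, g)  # SRP-6a multiplier

def derive_x(password, secret_key, salt):
    # Assumption: the Secret Key is folded into the PBKDF2 salt as a simplified
    # stand-in for a two-secret derivation. x never leaves the client.
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt + secret_key.encode(), 50_000)
    return int.from_bytes(dk, "big")

def enroll(password, secret_key, salt=None):
    """Runs on the client; only (salt, verifier) is ever given to the server."""
    salt = salt or secrets.token_bytes(16)
    return salt, pow(g, derive_x(password, secret_key, salt), N)

def login(password, secret_key, salt, verifier):
    """One SRP-6a exchange; returns (client_key, server_key, wire_messages)."""
    a = secrets.randbelow(N - 2) + 1            # client ephemeral secret
    A = pow(g, a, N)                            # client -> server
    b = secrets.randbelow(N - 2) + 1            # server ephemeral secret
    B = (k * verifier + pow(g, b, N)) % N       # server -> client
    if A % N == 0 or B % N == 0:                # both sides must reject these values
        raise ValueError("invalid SRP public value")
    u = H(A, B)
    x = derive_x(password, secret_key, salt)    # computed locally from the two secrets
    s_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    s_server = pow(A * pow(verifier, u, N) % N, b, N)
    return H(s_client), H(s_server), {"salt": salt, "A": A, "B": B}

if __name__ == "__main__":
    # Constructed sample values: the thread's example password, a made-up Secret Key.
    salt, v = enroll("Molly&Patty2", "A3-CONSTRUCTED-1")
    ck, sk, wire = login("Molly&Patty2", "A3-CONSTRUCTED-1", salt, v)
    print("session keys match:", ck == sk, "| sent on the wire:", sorted(wire))
    ck, sk, _ = login("Molly&Patty2", "A3-CONSTRUCTED-2", salt, v)
    print("same password, wrong Secret Key, keys match:", ck == sk)
```
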

  • chrisjaffe
    Community Member

    Jack,

    Thanks for the reply but I think you are still missing the point.

    How do I teach users that it is ok to reuse passwords sometimes?

    As I stated before...

    There is absolutely nothing you can say that will convince me that reusing passwords is a good idea.

    I hear your responses, I hope you hear my strenuous objections and you change this policy.

    cj

  • extensioncord
    Community Member

    I am satisfied that the Touch ID/Watch unlock behaves as expected, and is a way to unlock all the accounts efficiently. Thank you for that explanation.

    Would you confirm that if I return after a two-week timeout and enter the primary password to unlock 1Password, if I then lock it and use Touch ID/Watch unlock subsequently, all of the accounts will unlock again? That's an effective workaround to this situation.

    I still disagree that using the same password for every 1Password account is a good practice to recommend. I do understand that these passwords are local, and there are more factors, but it's an inconsistent policy. What if 1Password were able to apply saved 1Password accounts passwords from the primary account? It already reads these to present the information when adding an account, so would it be possible to read them when unlocking?

    It seems that 8.8 now more consistently provides the Touch ID and Watch button (and it more consistently works) to unlock that way after a timeout or manual lock.

    Still, what's with all the crashing or just plain disappearing app window? Just happened to me again.

  • extensioncord
    Community Member

    Well, I don't need confirmation now. 1Password 8.8 does not offer the Touch ID/Watch option to unlock after a 2-week authorization or manual lock. However, if I wait for the 1Password timed lock, it does offer the Touch ID/Watch unlock when waking the app. Basically there is no all account unlock option in the time span between a hard lock and the timeout lock. I guess I can change the timeout to 1 minute and change it back to 10 minutes later, but again, why, and why is this experience so much worse than 7.x?

  • thekrew
    Community Member

    I would be okay with this feature change IF when I go to unlock and am required to enter my password, the 1Password app would at least offer to allow me to enter passwords for ALL accounts. As is, I unlock and forget this change has happened and then am frustrated because the app isn't finding the password I know is there.

    It seems bizarre to me that the team would choose to make this change, and then NOT offer an easy way to know you need to enter all of the account passwords.

    This is poor app behavior (ease of use), and the idea that I should change my account passwords to be all the same is poor security since it is antithetical to the concept of one password to one account (the basic premise of this app).

This discussion has been closed.