How to set up a local 1Password unlock password that is different from the 1password.com password
I have 1Password7 configured on my MacOS and iOS devices. This configuration has a local master vault on each device configured with an unlock password. For the purpose of illustrating this description, this master vault has the password "simplePassword".
This master vault is not used to store any password records. Instead, 1Password7 is configured to register with my 1Password.com account and sync vaults from the online service. For the purpose of this description, assume that the online service password is "AVeryComplexPassword".
This setup allows "simplePassword" to be used to unlock 1Password on the local device, but requires "AVeryComplexPassword" when logging into the online web service.
How can this configuration be migrated or replicated with 1Password v8?
I do not want to reduce the strength of the password that may be entered to login to the online service.
Comments
-
Hello @mrichmon! 👋
With 1Password 8, your account password unlocks your account. This is done for security reasons so that only your account password can ever give anyone access to your data.
Unlike with old standalone vaults, your 1Password account is protected using both an account password and a Secret Key. You can think of the protection that they offer in the following terms (from our support article):
- Your 1Password account password protects your data on your devices. Someone who has access to your devices or backups won’t be able to unlock 1Password without your account password, which only you know.
- Your Secret Key protects your data off your devices. Someone who attempts a brute-force attack on our servers won’t be able to decrypt your data without your Secret Key, which we never have.
You can learn how to create a memorable and secure account password here: How to choose a good 1Password account password
In order to make unlocking 1Password more convenient, without having to type in your account password each time, you can use your fingerprint or Apple Watch instead:
I hope that helps!
-Dave
0 -
Thank you for the response. At least you have laid out the 1Password v8 behavior clearly.
Nett-nett is that 1Password8 makes it less convenient for users to maintain a more secure password via the web interface where there is a greater attack surface compared to a personal physical device.
TouchID still requires a password to be entered when the device or application is restarted. (Or the device is locked.)
As a result, using a random password per your linked recommendation is no longer practical due to the removal of functionality in 1Password8. Please consider this post an additional customer request for this functionality to be added to the product.
0 -
Thanks for the reply. Can you clarify the threat that you're trying to protect against? As mentioned, your Secret Key protects your data off of your device and this includes the web interface. The Secret Key (which does not have to be memorized) adds 128 bits of entropy which makes it impossible for someone to guess the Secret Key in order to sign in to your account.
There aren't any plans to go back to the previous system for three reasons:
- Many users mistakenly believed that their "local" password was their account password and ended up permanently locked out of their accounts if they lost access to the device with the "local" password because they no longer remembered their account password.
- IT departments at businesses often require employees using 1Password to set an account password with a certain level of strength and complexity. The old system allowed someone to work around those requirements to unlock their 1Password account using a weaker password than the one required by their IT department.
- 1Password 8 does not support old standalone vaults.
> TouchID still requires a password to be entered when the device or application is restarted. (Or the device is locked.)
If you've enabled Touch ID unlock, 1Password for Mac does not require that you enter your account password after restarting either your Mac or the app itself. Nor does the app require your account password after locking the device. You can choose how often you're prompted for your account password by following these steps:
- Open and unlock 1Password for Mac.
- Click on 1Password next to the in the menu bar.
- Click on Settings.
- Click on Security.
- Set "Require password" to the desired value.
Are you using Touch ID unlock with 1Password and being prompted for your account password after locking or restarting your Mac?
-Dave
0 -
@Dave - a sorta related question I was wondering about. I know my vault is encrypted using my secret key and password, and that I need those two items plus my email to login, plus some flavor of 2FA if that's been set up. Is the email address also used as part of the vault encryption? That is, do you need all three to decrypt? Or only the secret key and password?
Thanks
0 -
No, your email address isn't used in any part of the encryption process – it's only used as an identifier.
The Secret Key and account password are used in combination to derive the keys that are required to encrypt your 1Password data.
Additionally, 2FA is used to restrict access to your 1Password account's encrypted data during a new sign-in. It means that even if someone did somehow have your email address, Secret Key, and account password, they still couldn't sign in with those details on a new device.
Hope that clarifies things. :)
— Grey
0 -
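The point made in the answer above, that the keys come from the account password and the Secret Key together, as an added Python example that is not part of the thread and is not 1Password's actual algorithm. It is a generic two-secret derivation; the iteration count, the labels, the function names and the sample salt and Secret Key are all assumptions constructed for illustration.

```python
import hashlib
import hmac

PBKDF2_ITERATIONS = 100_000          # assumed work factor, not 1Password's setting
SAMPLE_SALT = bytes(range(16))       # constructed per-account salt
SAMPLE_SECRET_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed 128-bit value


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract, then expand to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_unlock_key(password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Combine a slow password hash with a key stretched from the device-held secret."""
    pw_part = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                  PBKDF2_ITERATIONS, dklen=32)
    sk_part = hkdf_sha256(secret_key, salt, b"secret-key-part")
    # XOR of the two parts: reproducing the key requires both inputs.
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def guess_matches(password: str, secret_key: bytes, target: bytes) -> bool:
    """True if this (password, secret key) pair reproduces the target key."""
    candidate = derive_unlock_key(password, secret_key, SAMPLE_SALT)
    return hmac.compare_digest(candidate, target)


if __name__ == "__main__":
    target = derive_unlock_key("AVeryComplexPassword", SAMPLE_SECRET_KEY, SAMPLE_SALT)
    # Both secrets present: the key is reproduced.
    print(guess_matches("AVeryComplexPassword", SAMPLE_SECRET_KEY, target))
    # Correct password but no Secret Key (only off-device data): no match.
    print(guess_matches("AVeryComplexPassword", bytes(16), target))
    # Secret Key present but wrong password (device without the password): no match.
    print(guess_matches("simplePassword", SAMPLE_SECRET_KEY, target))
```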
Dave_1P,
Thank you for the additional detail. The hashing of the secret key with the user password to effectively provide 2-credential authentication via the web interface makes sense.
> Are you using Touch ID unlock with 1Password and being prompted for your account password after locking or restarting your Mac?
That is correct. With 1Password v7.9.11, with the settings:
- Preferences->Security->Unlock using Touch ID: enabled
- Preferences->Security->Lock on sleep: enabled
- Preferences->Security->Lock when screen saver is activated: enabled
- Preferences->Security->Lock after computer is idle for X minutes: enabled, X=5
I find that I am required to enter my Master vault password to unlock 1Password at least once a day on each Mac. Since your message indicates that this is not the expected behavior I will scan the system logs to see if there is any indication of what might be causing this.
0 -
Thanks for the reply. To clarify: I was specifically referring to how auto-lock and Touch ID works in 1Password 8.
1Password 7 did indeed work a little differently. With the launch of 1Password 8 for Mac, 1Password 7 for Mac is no longer supported and will only receive important security updates. We strongly encourage you to update to the latest version as soon as possible.
Let me know if you have any questions.
-Dave
0