Change Master Password doesn't sync?
More than a week ago, I changed my Master Password on one of my machines.
The help files say "You can change your master password here and if you sync your data, the password change will also sync across to your other 1Password 4 for iOS apps, including the 1Password apps on your computers." So I expected to need to enter that new password when accessing my other 2 machines and 2 iOS devices, which are synced using Dropbox.
That never happened - the other machines continued to need the old password, even after rebooting. The sync itself is working, as new passwords are being updated, but the changed Master Password doesn't seem to sync over.
I've now manually changed each computer/device to the new Master Password, but something feels buggy there. Am I doing something wrong perhaps?
Comments
-
I'm having a similar issue, sort of. You may want to compare logins across the machines. I found that somewhere in October sync was lost, then regained. That's when the passwords were changed. One uses its own whereas the other was (for reasons I don't recall now) changed to the admin password on my Mac. Now I'm afraid to change my master password...
0 -
Hi @v.bampton,
I do apologize for the confusion here. Normally, your Master Password will sync to all devices when you have changed it on one. However, it is a Known Issues that currently:
Changing master passwords do not sync to other Macs or your mobile devices. Once you change it on one Mac, you'll need to change it manually on the other Macs and mobile devices.
Again, I'm sorry for the trouble here, our developers are working on getting this working more smoothly soon!
Hi @vicagreda,
I'm not quite sure what could have happened there, but if you'd like some help sorting things out, could you please send us a Diagnostics Report?
Download the 1Password Troubleshooting utility and follow the instructions to generate the report.
Then attach the entire file to an email to us: support+forum@ agilebits .com
Please do not post your Diagnostics Report in the forums, but please do include a link to this thread in your email, along with your forum handle so that we can "connect the dots" when we see your Diagnostics Report in our inbox.
Once we see the report we should be able to better assist you. Thanks in advance!
0 -
I'm having the same "known" issue, EXCEPT that the new master pwd has transferred to all my mobile devices, but not to my laptop. Whether this results from your work revising the app, or is a variant on the known issue, I thought I'd report it FWIW. I'll now change it manually for the laptop.
0 -
Sorry for the late reply. I changed the passphrase in 4.1, running on a late 2009 Mac Pro, under Mavericks. The change registered on my iPhone and iPad (the latter running iOS 7, the former iOS6), but not on my Mac Airbook, also running under Mavericks.. I use Dropbox for syncing, and use just the primary vault. The sync folder is named 1Password.agilekeychain
0 -
It is really nice to see how quickly I could find on the discussions that the problem that I have experienced is being worked on by the developer. I changed my master password on my iMac and it did sync to my iphone but did not syn to my laptop. I did initially panic this morning when I tried to access my passwords on my laptop but quickly found the problem and the solution. Thanks
0 -
Is this still an ongoing issue? I have my vault synced through Dropbox to two different logins on the same machine, and to an iPhone and iPad. I changed my master password on one login on my MacBook Pro, and it has only taken effect in that login. The other login on the same machine still accepts the old password. The logins on the iPhone and iPad also still accept only the old master password.
What really troubles me the most about this is that I modified some login information in the vault under the main account, where the master password was changed. I can SEE those changes in the other accounts (unless I mis-read or mis-remembered the evidence), where the password has not changed! How is this even possible, unless each client machine caches the encryption keys, which I thought were supposed to always be locked tightly behind the master password??? This feels like a huge security hole to me. I hope I'm misunderstanding something really fundamental.
Worried and confused...
0 -
I think I just found my own answer: http://discussions.agilebits.com/discussion/20236/why-doesn-t-a-master-password-change-make-it-to-my-mac
If this is the article you would have directed me to, let me know. Otherwise, I'd still appreciate some education. Even this article leaves me scratching my head a bit, though. Seems like it would be an easy thing to propagate information regarding a changed master password without propagating the master password itself, even if the master "key" (encryption key) is cached on each Mac in it's "local" format. I can think of a few ways to do it that should not compromise security. Though-- you guys are far smarter and more experienced than I am regarding security and encryption, to be sure...
Still nervous, but less so...
0 -
Hi @chris068,
I'm so sorry to hear you've been having trouble with this, but I'm glad to hear that you've found the solution. You're right, that is the article that I would have directed you too :)
Unfortunately, I'm not a developer or a security expert, so I'm not really qualified to comment on your question here. I'll ask @jpgoldberg to pop in here and give you a few more technical details.
But in any case, this is not cause for concern, so please do not be nervous.
0 -
Hi Chris068,
That is a great observation. Yes, there are ways to do this securely. We do do it securely when a Master Password change reaches 1Password on iOS.
We are looking at bringing the same technology to 1Password on the Mac, but there are a couple of annoying details that need to be worked out. None of those annoyances should prevent us from bringing this to the Mac, but it does mean that we need to take additional care.
As always, we really don't like to promise features until they are delivered, but I do hope that this helps.
0 -
After trying to change my master password on my iPhone, it appears my master passwords are out of sync between my Mac, iPhone, and Windows PC. Even the password for my Windows desktop app and the Windows Chrome extension were out of whack for a while. I use dropbox for sync.
While this is annoying to me now (I think I should be able to manually set it everywhere), this appears at first glance to me to be a major security flaw. If I am changing my 1password password due to a security issue and it doesn't actually change my password, people with access to previous devices I've used 1p on will be able to access all my 1p information without issue. Or am I just confused?
0 -
You are correct, @brainb722, that people with access to your earlier data will be able to unlock it with your old Master Password. But this would be true no matter how Master Password changes were propagated.
Consider an opponent, Oscar, who gets hold of your data today. Oscar makes a copy of it on his own system. At some point in the future, you change your Master Password. Even if that change goes through to all of the systems you synchronize immediately, Oscar still has a copy of your old data. So if Oscar gets hold of your old Master Password, he will be able to use that old Master Password against the data that he's stored.
This, by the way, is why we recommend that once you've got a good Master Password that you don't change it frequently.
This is one of the differences between an encryption system versus an authentication system. 1Password works by encryption instead of authentication. This makes it more secure in many respects. (It means that the data is fully yours and that we couldn't break into it even if we wanted to. It also means that the security of the system can be independently verified and that there is very little that you need to take our word for.) But as most people use passwords for authentication (getting let into some service or other) instead of for encryption, the meaning of a password change isn't what people are used to.
We want 1Password to "just work" for people, without them having to understand the subtleties of encryption versus authentication. And for the most part people don't need to understand. But every now and then, the difference does matter.
I'm hoping to attend SOUPS to discuss this, among other things, as part of the process of find ways to address the mismatch between the "user model" and "what is really going on" to not lead to insecure behavior.
0 -
This still seems to be a problem. After rebooting and trying to sync via wifi and dropbox and rebooting again I cannot get the masterpassword to sync between my new macbook pro and iphone 5s. I guess I'll have to do it manually? To quote v.bampton earlier in the thread "something feels buggy here."
0 -
Hi Alex Taft!
Which device is using the old Master Password? You could update it manually on the device, or another option would be to remove the local data on the device, then re-sync from the device that has the newer Master Password.
ref: CSI-5
0 -
From what I understand, your algorithms use the master password to encrypt the vault, and you also need the master password to decrypt it. In one of your blog articles, you explain in details how important is to have a secure master password etc. From that, I would have guessed that the master password is not actually "synced" across the devices, but that it becomes part of the encrypted vault by the very fact that it was used to encrypt it and that you need it to decrypt it again. Hence, after changing the password on one device, I would expect that the vault would be encrypted with this new password, and after pushing the new encrypted vault to dropbox or iCloud, and after a different device retrieves this new vault, the OLD password should not work any more at any device which has picked up the newly encrypted vault.
A related question (whatever the answer is to the above one): After creating a new password, and after it has synced to all devices (say, by manually changing it, or by using the new password at least once on each other device), are all old instances of the vault encrypted using the OLD password deleted for good? If not, changing/improving the password would not add much of security.
0 -
@unvlad there is a very good post here from AgileBits which will answer a number of your questions. You may find that whole thread quite interesting.
Stephen
0 -
@unvlad The post @Stephen_C linked to does a better job explaining it than I could hope to do from scratch. Let me know if you have further questions.
0
