Using Dropbox, but master password not changed on another Mac. Why?
I use Dropbox to sync and maintain my 1Password file. I changed my master password on one Mac. However, I am now using a second Mac and I am able to log in using my old master password instead of the new one. Even the password hint is the old one. Now, strangely, some new login passwords that I created on my first Mac have made it over to the second Mac, so some syncing is occurring.
What is going on? What am I missing? I know with iOS devices there are some manual things that need to be done to use the new master password. However, I would have thought that Macs would just work.
Thanks.
Comments
-
I have just had the same thing happen. Is there something wrong here that we need to be aware of?
0 -
My wife and I recently decided that our 1 pw was too weak, so we created a new master pw. I noticed the exact same thing. I thought that after I changed my master password on one Mac I would need to change the master password on each Mac as well as my iOS devices. I didn't. I changed them anyway, but I would not have had to. I also tested a "test" login and with different master passwords between Macs and iOS devices. The test login synced flawlessly.
I am also concerned. Does this mean that the 1pw file is sitting unprotected/unencrypted in the Dropbox? If someone hacks my Dropbox do they have access to my 1pw file? Can they download my 1pw file from Dropbox, then download a trial version of 1pw and my whole life is exposed?!
Very troubled about this. Probably just don't understand how this all works, but until, I have also put a super complex pw on my Dropbox.
0 -
I didn't have to change mine either. Makes me nervous because I have an iMac being repaired at an Apple store and I would like to change my password and be sure that they couldn't get in to my account. Don't know how to fix this but I hope we get some help soon.
0 -
What it would mean is possibly Dropbox has not synced the "keys" file (the file that represents the password) between the devices. Normally you should not have to change them on each device; it's all done through the Dropbox keychain.
I am by no means the one to get into specifics regarding encryption. It (keychain) is encrypted on your computer and on the Dropbox servers by your Master Password. I think it's best to let the staff's @jpgoldberg describe how all that works.
@LdyPandora The only way you could do this would be if the iMac was connected to the net while they worked on it. This most likely is not the case. If it's a software issue maybe, slim maybe. They would need to physically enable it to connect to the given Apple Network. Any hardware issue would certainly have the Mac powered down which you would not be able to change the Password.
Also I am a little confused when you refer to "get into your account" ?
0 -
What I mean is, the iMac is being replaced and I am 2 and a half hours away from the store so I cannot "wipe" the computer. I was just concerned that they could somehow access my 1Password account and therefore get in to any other account I had. Just worried that someone who is angry will steal my stuff. I have been an identity theft victim and it was horrible. I trust 1Password explicitly and when I saw that I could still log in to my 1Password account with my old login on my iPhone, it made me wonder why 1Password did not change my logins across all my devices that are set up. It is probably something that I just am not understanding, but I wanted to be sure I didn't need to do anything additional to secure my accounts on a device or on the web. Sorry if I am a bit of an uneducated encryption person, I don't know the lingo well, I just try to use 1Password to the best of my ability. Thanks for any help you could suggest... it is greatly appreciated.
0 -
An older version of 1Password iOS (v3) could indeed have separate passwords from the desktop app. Might this be your issue? We never discussed which version you have?
Also the account clarification is great. :) I am just not accustomed to seeing someone refer to it as an account. No issue just different.
Uneducated No... It's common (to infer something like that when talking about encryption) and I also count myself in that group as it can get very technical well beyond my understanding at times. I leave the heavy thinking to @jpgoldberg and the other staff of 1Password. I am just an average user like yourself who came to 1Password from Roboform circa 6-7 years ago now. I never left, I now try to help others by helping the forums.
0 -
I actually have 1Password 4 on all devices. iMac, laptop and iPhone. I am syncing just fine, but I can log in to my iPhone with my old master password. Not sure what to do. Thanks for your help!
0 -
I also have 1Password 4.1 on both of my Mac laptops. This may or may not be related, but, just as a data point, when I use 1Password Reader on my Android device, I also am using the old master password. So the only place my new master password works is on the Mac laptop on which I changed it.
0 -
I am not involved in the Android Reader (iSheep here ;) ) so that may need to be cross posted in that forum or send it in an email to support. I would think it worthy of noting in a bug report.
0 -
@thightower: I originated this thread. I care more about my 2 Macs' master passwords not syncing correctly. I just brought up the Android 1Password Reader as a data point :)
0 -
Yes I know you were the OP. :D Just a recommendation that you may also wish to send an email and include a link to this topic.
Support has stated they have many more individuals who can respond to emails as a first basis of contact for bug reports etc.
The forums is OK but many many more folks hit the mail apps. A lot of the time the forums are us users and some of the Admin staff. Hence my recommendation of sending an email also. Though it's not necessary. Below is a snippet from one of khad's posts regarding email.
Our primary support channel continues to be email (support@agilebits.com), and we have a lot more folks available to help via email than in the forums, so we do intentionally direct most folks to email for support. Of course we are always available to help right here in this community forum,
Either way the choice is yours.
0 -
Just found this in the "Known Issues" section of the forum.
"Changing Master Passwords do not sync to other Macs or your mobile devices. Once you change it on one Mac, you'll need to change it manually on the other Macs and mobile devices."
Seems to be a known issue, I do not know if it has been resolved (seems to not have been).
0 -
@LdyPandora: Thanks for sharing that. I guess that implies that master passwords are stored locally on a machine, outside of a Dropbox folder. Being a "known issue", I suppose that means that the 1Password folks think this is kinda weird too.
0 -
or at least some sort of master password correlation is stored locally somewhere. Because if I have a brand new Mac and install 1Password with an existing data file, I do use an existing master password to access it ... I don't create the master password again on a new Mac. So, yeah, something is out of whack here.
0 -
I can confirm that new devices will use the new master password (just set up on a new device). It is existing devices where the sync does not happen.
0 -
Just got around to reading all the comments. Seems like a pretty big freaking issue and a little disappointing that it has not been addressed. Lot more concerned about this than version releases that allowed better icons. I thought the whole name of the game with a PIM was security. Oh well, I had already gone to all devices and macs and manually changed the master password.
0 -
Hi all,
I do apologize that there hasn't been an official response here earlier. I'm so sorry to hear that this issue has been so frustrating for you all!
As @LdyPandora noted, it is a Known Issue that Master Passwords aren't syncing correctly to all computers after they are changed. Our developers are working on getting this to behave correctly, but I do want to assure you that this does not put your data at risk.
Here's a quick rundown of how your data is protected in 1Password:
- You choose a Master Password
- This password encrypts a key
- This key, then, is used to encrypt your data
So, the key is what encrypts your data, not the Master Password; the Master Password simply protects the key.
When you change your Master Password it re-encrypts the key with the new Master Password, but the key itself stays the same. So even if the change in Master Password is not synced to all devices, your data remains encrypted behind your old Master Password, and any changes to your database will continue to sync correctly.
Until our developers manage to squash this bug, if you do change your Master Password, please confirm that it has updated on all computers and devices, and update manually if it has not.
I hope this helps to explain the situation, but I'd be happy to help if you do have any further questions.
0 -
I think someone else already mentioned this, but actually I think my data is at risk now. One of my laptops died and had to go away for repair. I changed the master password on a working machine assuming that it would sync to the broken one. I made a mistake of having my logon password the same as my master password and the apple repairer needed my logon password to verify everything was working ok. As I thought I had changed the master password to something else I was feeling happy about giving them this information - now potentially they could have accessed everything. Not so happy now !!!
0 -
This is a rather important flaw, no? Seems like Agilebits should notify all users of this serious problem so others like davegarratt don't run into trouble because of it.
0 -
Just a question to davegarratt, is the computer in for repair a Mac? I went ahead and used Find My iPhone (which covers all devices) and remotely wiped my Mac. Kind of inconvenient but better than the alternative of having anything breached. Just a thought for you.
0 -
I didn't think of that - it might have upset the repairer but I would have done it if I had known about the problem before now. It was away for 1 week and was returned today. I will change critical passwords but as you say - not good - not good at all. Should warrant a very quick fix.
0 -
I didn't think of it until a few days after my situation either. I hope all is well and you get everything changed. Probably not a bad idea anyway to change passwords...lol. Something we should do more often...
0 -
Hi, I'm sorry that I didn't join this discussion earlier.
First let me reassure everyone that your data is encrypted with (one of) your Master Password(s) even if you find the "old" one still working in 1Password 4 on the Mac. Furthermore, when you changed your Master Password, that change applied quickly to your 1Password data stored on Dropbox or iCloud.
Please see this Knowledge Base posting on Why doesn't a Master Password change make it to my Mac that explains what is going on in these cases.
I know that that is a long article and a lot to digest, but the short version is that your data is encrypted with a random key. The key is created when you create your data set the first time, and that key is what is encrypted with your Master Password. 1Password on the Mac has its own "local" data format and it also has the "synchronization data format" which is either the Agile Keychain Format or the 1Password 4 Cloud Keychain Format, depending on lots of different stuff that changes over time.
When you change your Master Password that change is reflected in the data on Dropbox. The master key is encrypted with the new Master Password, and the old one will not work. But that change doesn't make it into the local data format used on another Mac. 1Password on that other Mac is still able to manage synchronization because it still can get the master key (from its local format with the old master password) and can manage the sync with that key without having to know the new Master Password.
I really wish there were an easy way to explain this and why it is secure. I attempted to do so in that other posting I linked to, but it does get complicated. (I'll see if I can find a way to draw a picture or diagram that explains it better.)
I'm really sorry for the confusion. Normally, people shouldn't have to understand the detailed inner workings to be able to use 1Password securely and understand that it is secure. But this issue with the Master Password change is one of the cases where people are confronted with the complexity of the security design.
Cheers,
-j
0 -
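The key-wrapping design described in the two staff replies above (a random key encrypts the data, and the Master Password only encrypts that key), as an added example that is not part of the original thread and is not AgileBits code. AES-256-GCM, PBKDF2-SHA256, the iteration count and every function and variable name are assumptions chosen for illustration, not 1Password's actual formats.

```javascript
// Added illustration, not AgileBits code. Cipher, KDF and all names are assumptions.
const nodeCrypto = require('node:crypto');

// Derive a key-encryption key from a Master Password (PBKDF2 stands in for the real KDF).
function deriveKek(password, salt) {
  return nodeCrypto.pbkdf2Sync(password, salt, 100000, 32, 'sha256');
}

// Authenticated encryption helpers (AES-256-GCM).
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function open(key, box) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, box.iv);
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]); // throws if the key is wrong
}

// The Master Password only ever wraps (encrypts) the random master key.
function wrapKey(masterKey, password) {
  const salt = nodeCrypto.randomBytes(16);
  return { salt, box: seal(deriveKek(password, salt), masterKey) };
}
function unwrapKey(wrapped, password) {
  try { return open(deriveKek(password, wrapped.salt), wrapped.box); }
  catch { return null; } // wrong password: authentication tag does not verify
}

function demo() {
  const masterKey = nodeCrypto.randomBytes(32);          // created once with the data set
  const item = seal(masterKey, Buffer.from('constructed sample login'));
  let syncCopy = wrapKey(masterKey, 'old password');      // wrapped key in the synced data
  const macBLocal = wrapKey(masterKey, 'old password');   // second Mac's local wrapped key
  // Password change on the first Mac: same master key, re-wrapped; items are untouched.
  syncCopy = wrapKey(unwrapKey(syncCopy, 'old password'), 'new password');
  const keyOnMacB = unwrapKey(macBLocal, 'old password'); // stale local copy still opens
  return {
    oldOpensSync: unwrapKey(syncCopy, 'old password') !== null,
    newOpensSync: unwrapKey(syncCopy, 'new password') !== null,
    oldOpensMacB: keyOnMacB !== null,
    macBReadsItem: open(keyOnMacB, item).toString(),
  };
}

console.log(demo());
```

In this model the old password fails against the synced copy but still unlocks the second Mac's local copy, which is why the change has to be made manually on each existing device.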
Thanks for the explanation. It is confusing and I appreciate your reply trying to clarify. I have used 1Password for quite a while and trust it completely. I do understand the confusion and when I had my issue I admit I was worried. Although I don't completely understand, I trust my data is secure as long as I take the appropriate precautions using your program. I hope your post helps us all feel more secure. Thanks again!
0 -
Thanks. I'm struggling to find a better way to explain it. I need to come up with the right analogy (or diagram).
0 -
Good to know that data on another device is still protected, but now the user has to remember two master passwords and remember which password to use on which device! Needs to be fixed.
0 -
@ozarkcanoer, you don't need to remember the two passwords. You just need to manually change your Master Password to the new one.
But you are right that this needs to be fixed, but a fix may not be pretty. In particular, it might involve prompting the user on the second Mac for both the old and the new Master Password when 1Password detects the change. It will then be able to update the local data with the new Master Password.
0