Sharing items from secondary vaults when primary vault is locked

bogomil22
Community Member
edited January 2014 in Mac

Hello,

I have different vaults. With 1Password 4 I can share individual items via the small share button next to the favorite button. But I can only share/send an item from the primary vault to a different vault. I can't share an item from a non-primary vault to the primary vault. Is that a bug, or will you integrate this in the next version of 1Password?

Thanks

Comments

  • thightower
    Community Member
    edited January 2014

    @bogomil22

    You should be able to share to any vault. What version of 1Password are you experiencing this on?

  • bogomil22
    Community Member
    edited January 2014

    Hello,

    Sorry, this was my fault. I can't share items to another vault if I only log in to ONE vault. I have to log in to both vaults (enter master password) and then I can send items across any vaults :).
    I noticed that too late^^ :)

    Thanks

  • khad
    1Password Alumni

    I'm not sure what you mean, @bogomil22. Did you not add your additional vault as secondary within your primary vault? Are you switching between two primary vaults? If so, you will probably find life to be a lot easier if you just add the additional vault as a secondary vault. :)

  • bogomil22
    Community Member
    edited January 2014

    Hello,

    (1) I think I added secondary vaults, not two or more primary vaults :)

    But I mean the bug you see in the image below.
    I click the share button on an item in a non-primary vault and I can't share this item across ANY vault. This happens when I start my Mac, open 1Password, switch directly to a non-primary vault and enter the specific password for this vault. I don't log in to the primary vault yet. This is what I mean. For me this is annoying because sometimes I only want to use a non-primary vault and want to share/send an item to another vault. If I want to share/send any item across vaults I have to log in to the primary vault ONCE. After that I can share any item through any vault until I reboot my Mac.

    (2) Can I edit the color and icon of vaults after I create them?

    (3) Currently 1PasswordAnywhere can't correctly display umlauts like "Ä, Ö, Ü, etc". Some languages contain many "umlauts". Can you fix that?

    Thanks

  • khad
    1Password Alumni

    1. I see what you mean. This is, however, not a bug. 1Password simply can't share an item with a vault that is locked. If you haven't unlocked the primary vault then it will not be accessible. Even if we wanted to do it, it is impossible to read or write data to a vault without you entering its Master Password. I suppose we could put the vaults in that Sharing list and, if the vault is not already unlocked, prompt you for its Master Password. I'll mention this to the devs.

      That said, it never even occurred to me to try to switch vaults before unlocking. I just know my Master Password [to my primary vault] so well [because I have been using it since long before multiple vault support was added] that it's much easier for me to unlock my primary vault and then switch. In fact, I don't even know my secondary vault passwords. I would have to unlock my primary vault to look them up if I needed to type them in. Thankfully, 1Password stores the keys for your secondary vault inside the primary vault. So as long as you unlock the primary vault first you will have access to all of the vaults.

    2. Editing a vault’s details after creation

    3. Character encoding is pretty complicated (and often annoying). Not being one of the developers myself, I can't speak to the specific details, but I will certainly make sure the developers know you are interested in improvements in this regard if at all possible. Thank you for letting me know!

  • bogomil22
    Community Member
    edited January 2014

    Thanks for the answer.

    1) Yes, it makes sense that I/you can't write/read data into vaults before they are unlocked :)

    I suppose we could put the vaults in that Sharing list and if the vault is not already unlocked prompt you for its Master Password

    Good idea, thanks!

    1Password stores the keys for your secondary vault inside the primary vault

    a) Is that true? Because I enabled Dropbox sync and each vault has its own folder like "vaultXY.agilekeychain" -> So every vault is in a different folder, I think.

    b) You are right that ALL vaults are open/unlocked after I unlock the primary vault. That is indeed comfortable but not quite secure, right? I mean if some people share different vaults with each other and one of them has a bad/weak primary master password, all shared vaults are as insecure as his master password (no matter how strong/secure the passwords of the shared vaults are). Or in other words: If you know/crack the primary master password you know all master passwords of the shared vaults (respectively you have easy access to them).

    2) So I have to "export" the vault and then "re-import" the vault with a different color/image?!

    3)

    but I will certainly make sure the developers know you are interested

    Thanks!

  • khad
    1Password Alumni

    1. (a) is true because of (b). :) I'll have our resident Defender Against the Dark Arts follow up on any security-related aspects of this.

    2. Not export, no. That is a different process (File > Export) and places the data in an unencrypted format. The process described in the User Guide for editing a vault's contents after creation does not involve using the export feature at all. Please be sure to carefully follow the steps. You're just making a copy of it and adding it back to 1Password.

  • sjk
    1Password Alumni

    Hi, @bogomil22.

    If instructions for editing a vault's details don't work for you please give these a try:

    • Configure Folder Sync with the original vault to create a keychain for it, then disable Folder Sync with it (leaving Delete data from the folder disabled).
    • With the primary vault active, create a new secondary vault using the details (e.g. new password) you want.
    • Configure Folder Sync with that new vault using the keychain for the original vault (you'll need its Master Password), merging the keychain data into the vault, then disable Folder Sync (optionally enabling Delete data from the folder to trash the keychain).
    • Optionally select and delete the original vault.

    That's my personally preferred method. :)

  • Ianski
    Community Member

    Re @bogomil22's in comment #7 ("b)"):

    I had thought the same thing about shared vaults and security weakness when considering starting up a secondary vault for our company's extensive password portfolio.

    It only takes one developer to use 'password' for their primary vault password and the complete secondary vault is at risk.

    @khad – did you progress the conversation with your Defender Against the Dark Arts? :)

  • Megan
    1Password Alumni

    Hi @Ianski,

    I've asked our security guru, @jpgoldberg, to weigh in here with his thoughts. :)

  • jpgoldberg
    1Password Alumni
    edited June 2014

    Hi @Ianski and @bogomil22!

    I'm sorry that I haven't had a chance to chime in here sooner. You are both right in that a shared vault then only becomes as secure as the weakest Master Password that is protecting the vault keys. Indeed, I refused to share a vault with a certain family member until she improved her Master Password.

    Keep in mind that this problem isn't tied to how 1Password keeps the keys to secondary vaults within the primary. If we didn't do this, we assume that most people would just store the Master Password for a secondary vault in their primary vault as an item. And so exactly the same problem would exist. Likewise, if you give someone the Master Password to a shared vault, you can't prevent them from writing it down on a note and putting it under their keyboard.

    So yes. As soon as you share a key or access, then the security becomes as weak as the weakest practices of those who you share things with. But this is a general fact, and isn't specific to our sharing mechanism.

    Sharing secrets is a risky business. You are trusting other people to keep the secret well.
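
The key hierarchy discussed in this thread, as an added example that is not part of the original posts and is not 1Password's code or file format: a simplified Python model in which each member's primary vault holds the shared vault's key, so the shared key is reachable through every member's Master Password. The `wrap` function is a toy stand-in for real authenticated encryption, and all names, passwords and the iteration count are constructed.

```python
import hashlib, hmac, os

ITER = 10_000  # constructed value, kept low so the example runs quickly

def kek(password: str, salt: bytes) -> bytes:
    """Derive a key-encryption key from a Master Password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITER)

def wrap(key: bytes, secret: bytes) -> bytes:
    """Toy authenticated wrap of a 32-byte secret (stand-in for a real AEAD)."""
    nonce = os.urandom(16)
    pad = hmac.new(key, b"pad" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(secret, pad))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(key: bytes, blob: bytes):
    """Return the secret, or None when the key is wrong."""
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    want = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        return None
    pad = hmac.new(key, b"pad" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, pad))

def make_primary(master_password: str, shared_key: bytes) -> dict:
    """A member's primary vault: its own key wrapped under the Master
    Password, and the shared vault's key stored inside it."""
    salt, primary_key = os.urandom(16), os.urandom(32)
    return {"salt": salt,
            "wrapped_primary": wrap(kek(master_password, salt), primary_key),
            "wrapped_shared": wrap(primary_key, shared_key)}

def shared_key_via(primary: dict, password: str):
    """Unlock a primary vault and follow it to the shared vault's key."""
    primary_key = unwrap(kek(password, primary["salt"]), primary["wrapped_primary"])
    return None if primary_key is None else unwrap(primary_key, primary["wrapped_shared"])

def weak_members(primaries: dict, denylist: list) -> list:
    """Names of members whose primary vault opens with a deny-listed password."""
    return sorted(name for name, p in primaries.items()
                  if any(shared_key_via(p, pw) for pw in denylist))

# Constructed scenario: one shared vault, two members.
SHARED_KEY = os.urandom(32)
PRIMARIES = {"alice": make_primary("correct horse battery staple", SHARED_KEY),
             "dev": make_primary("password", SHARED_KEY)}
```

Both members' primary vaults lead to the same `SHARED_KEY`, so the shared vault's own password strength never enters the check; only the Master Passwords wrapping its key do.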

This discussion has been closed.