Multiple Vaults: unlocking one unlocks the other?
I have two vaults, a Primary (personal) vault and a Work vault. Both are synced with Dropbox. Both have passwords, which are different.
I'm on Version 4.1.3 (413002) on 10.8.5.
The following behavior surprises me.
- Open 1Password and type the master password for the Work vault. It unlocks.
- Click the Lock button in the title bar. It locks and shows me the prompt to unlock my Primary vault.
- Enter my Primary password. It unlocks.
- Select Switch to Vault -> Work. It switches to an unlocked (!!!!!!!!) Work vault.
This really surprises me. I would expect that if I lock the Work vault, there's no way to get back into it without typing its password again!
Is the idea that the master passwords for all of the non-primary vaults are stored inside the primary vault or something? If so, that's kind of surprising. They don't seem to show up anywhere as an explicit item.
For example, it makes me anxious that the reverse might be true: that somebody who has access to my Work vault (e.g. a coworker) would also be able to get into my Primary vault without knowing my Primary password. Since the one direction is clearly true (and not for reasons that I can find documented), how can I feel comfortable believing that the other direction is not true?
Comments
-
Hi David,
When you unlock the primary it unlocks both. The Primary vault knows the other vaults' passwords just like you say. Knowing the password is not really a good term but that's the closest I can get to it. It knows more the hash of the password, not the password itself, would be a better way to put it. It's not anything that's readable to you etc. So it's not shown anywhere within 1Password.
It was designed so that you as the primary user would have unfettered access to all your vaults. If you just want to open one then you would do just as you indicated by entering the password for just that vault at that vault's login / opening prompt.
That's how it has been explained here in the forums. If you want a more technically orientated chat then I am afraid you'll have to wait for those Agile folks.
Cheers,
0 -
Hi David,
I just wanted to confirm what @thightower has said here and hopefully calm some of your anxiety. The primary vault does hold the encryption keys for all secondary vaults (to make your life as the primary vault-owner easier), but the reverse is not true.
> For example, it makes me anxious that the reverse might be true: that somebody who has access to my Work vault (e.g. a coworker) would also be able to get into my Primary vault without knowing my Primary password.
Sharing a secondary vault does not allow a person any access to your primary vault. Please let me know if you'd like some more technical assurances here and I'll call in one of our security gurus. :)
0 -
Thanks. Is this mentioned in the docs anywhere? It sure would be a shame if people happened to set up their vaults in the opposite way where they shared their first vault with others!
0 -
Hi David,
We've tried to make it clear in our documentation that sharing is for non-primary vaults, but I'm happy to pass your thoughts along to our documentation team to see if we can polish things up a bit more.
Just as a further clarification: although the encryption keys for secondary vaults are held by the primary vault, these keys are stored only locally on 1Password and do not get synced. So, even sharing your primary vault will not inadvertently give users access to your secondary vaults. :)
0
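The one-way relationship described in this thread can be modelled as key wrapping. The sketch below is an added example, not 1Password's code or file format: all names (`new_vault`, `local_only`, and so on) are hypothetical, the passwords are constructed, and `wrap` is a toy stand-in for a real key-wrap algorithm. It assumes each vault has its own key wrapped under its own password, and that the owner's machine keeps an unsynced copy of the Work key wrapped under the Primary key.

```python
import hashlib, hmac, secrets

def derive_kek(password, salt):
    # Key-encryption key derived from a master password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def wrap(kek, key):
    # Toy stand-in for a real key-wrap such as AES-KW: HMAC pad plus MAC tag.
    nonce = secrets.token_bytes(16)
    pad = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(key, pad))
    tag = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(kek, blob):
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    expect = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong key or corrupted blob")
    pad = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, pad))

def new_vault(password):
    # Returns the vault key and the record that would be synced (e.g. via Dropbox).
    salt, key = secrets.token_bytes(16), secrets.token_bytes(32)
    return key, {"salt": salt, "wrapped_key": wrap(derive_kek(password, salt), key)}

def unlock(synced, password):
    return unwrap(derive_kek(password, synced["salt"]), synced["wrapped_key"])

def demo():
    primary_key, primary_synced = new_vault("constructed-primary-pw")
    work_key, work_synced = new_vault("constructed-work-pw")
    # Kept only on the owner's machine, never synced: Work key wrapped under Primary key.
    local_only = {"Work": wrap(primary_key, work_key)}
    # Owner unlocks Primary, which also yields the Work key.
    k = unlock(primary_synced, "constructed-primary-pw")
    owner_gets_work = unwrap(k, local_only["Work"]) == work_key
    # Coworker holds the synced Work vault and its password only.
    wk = unlock(work_synced, "constructed-work-pw")
    try:
        unwrap(wk, primary_synced["wrapped_key"])
        coworker_gets_primary = True
    except ValueError:
        coworker_gets_primary = False
    # The synced Primary record carries no secondary-vault keys.
    return owner_gets_work, coworker_gets_primary, "Work" in primary_synced

if __name__ == "__main__":
    print(demo())
```

In this model the Work key gives no path to the Primary key because nothing is ever wrapped under the Work key except the Work vault's own data.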