Master password & Sync

Electrologos
Electrologos
Community Member

I have 1Password 4.3 on my MacBook and 4.5 on my iPad and iPhone. Yesterday I changed the 1Password Master password on the MacBook. That was the beginning of my adventure sharing of which I believe will be helpful to other similar "victims".

I assumed, falsely with hindsight, that this change, like other edits, will sync as before with the other IOS devices via Dropbox. Not so. Typing the new master password did not work in either nor on the Mac. I restored the Mac from a backup and changed the master password again. This time it worked on the Mac but not on the IOS.

I went to the iPad and after opening 1Password with old password I changed its master password to the new one. Now the new master did work in both devices but they did not sync. Looked at this forum and gathered that there are synching problems. Following the advice of various entries I went on settings>sync, selected Dropbox and chose the 1Password folder. It asked for the password. It did not accept either the new (same now on both devices) nor the old.

After many hours of frustration and experimentation I solved the problem as follows.

  1. On the Mac I stopped syncing (Preferences>Sync>Disable Sync), moved the 1Password folder from the Dropbox and restarted Dropbox syncing. This gave me a new clean sync.
  2. On the iPad, I removed the 1Password app and re downloaded it again from the App Store.
  3. After the download I chose the Dropbox folder. After a while it asked for the password, displaying the hint from the iMac. This time it accepted it. and it synced.
  4. Repeated the same procedure for the iPhone.

I hope this can save some time to other users. But AgileBits auth to fix these problems.

Comments

  • Good afternoon, @Electrologos. I'm sorry for the trouble that you experienced getting sync set up with the new versions of 1Password. There was a bug that surfaced after 4.5 became available in the App Store, which you experienced by way of your Master Password change not syncing.

    I'm glad that you're up and running again. Please be sure to update to 4.5.1 on your iOS devices.

    Also be sure to grab 1Password 4.4 for Mac, which we just released today. It brings amazing integration with our 1Password Watchtower service. You can read more here: http://blog.agilebits.com/2014/04/30/1password-mac-watchtower/

  • Electrologos
    Electrologos
    Community Member

    Thank you MrRooni for your reply

  • You're welcome! Don't hesitate to post again if there's anything else I can do for you.

  • harryharryharry
    harryharryharry
    Community Member

    How about some hints for choosing a master password?

  • Megan
    Megan
    1Password Alumni

    Hi @harryharryharry‌

    Great question! Here's one of my favourite articles by our security guru: Towards Better Master Passwords. It explains how to create strong Master Passwords that are easier to remember (and type) than the gibberish generated in our password generator. :)

    Keep the questions coming - we're here to help!

  • photog
    photog
    Community Member

    Ok. I have read all of the recent posts on syncing the master password. My devices are running the latest updates of 1password. I have two macs and two iOS devices. It is still not clear to me if I must update the password on each device or if it should sync as do all log in data. A clear yes or no will help.

  • Hi @photog,

    A master password change should sync across your devices. This means you need to take no action at all.

    However, some users have reported that this doesn't always happen. If your new master password does not automatically unlock your data on your other devices, then yes, you will need to update the password manually to match on each device.

    Please let us know if you have any other questions. We're always happy to help! :)

  • photog
    photog
    Community Member

    Ok Jasper. If 1password should sync my master password across my apple devices and it does not, why does it not? That suggests an unknown flaw in the program may be a weakness in the security of the vault. This seems to me to require more consideration than a simple work around.

  • Hi @photog,

    It's definitely a problem, and our developers are looking into why the Master Password isn't syncing in all cases, however it is not a security issue.

    How is it possible for this to occur? The explanation requires a bit of an understanding about how 1Password works behind the scenes.

    Your data is encrypted with a randomly chosen encryption key when you first set up your 1Password data for the first time - this is your "master key". Your master key is what gets encrypted with your Master Password. When you change your Master Password, you are changing how the master key is encrypted. You are not actually changing the master key.

    If you are syncing using the 1Password 4 Cloud Keychain/opvault format (iCloud sync uses this format), then a Master Password change only changes the profile.js file within the opvault data. If you are syncing using the Agile Keychain format (Dropbox sync uses this format currently), then a Master Password change only changes the contents of the encryptionKeys.js file within your 1Password.agilekeychain bundle. There are good reasons for designing things this way. You will find that other high security systems, such as PGP, SSH, SSL certificates, and disk encryption systems all work the same way. A random key is generated when people first set things up, and then their passphrase is used to encrypt that key.

    1Password 4 does not use the Cloud Keychain/opvault format directly for its regular operations; instead it uses a local data format (encrypted SQLite database) that is optimized for quick searches and so on. 1Password 4 does "import" and "export" changes to and from this local format to your 1Password.agilekeychain or Cloud Keychain. The local and sync formats will use different parameters for encrypting the master key that are best suited for their different environments. So the encrypted key can't simply be moved from one to the other.

    When you change your Master Password, it will make the change in your local SQLite database, and also in the cloud keychain. It can do this only when your data is unlocked because it needs to re-encrypt your master key with the new Master Password. Roughly speaking, "being unlocked" means that 1Password has your decrypted master key in its memory. The cloud keychain will then have its master key encrypted with the new Master Password. That will spread to other systems that you sync with via iCloud or Dropbox sync. In some rare cases, 1Password may not have "imported" the Master Password change from the sync format into the local format. So what we are seeing if the Master Password doesn't sync after you changed your Master Password on one device is that the local format is keeping the master key encrypted with the old Master Password on another device. 1Password is still able to read and write changes to the sync format because it is able to decrypt the master key (from the local format), even though it isn't able to decrypt the master key in the sync format.

    If you would like to learn even more about what goes on under the hood, the key derivation section of the 1Password data format specification explains, in gory detail, the relationship between your Master Password and the actual encryption keys: http://learn.agilebits.com/1Password4/Security/keychain-design.html

    So if your new Master Password does not sync automatically, simply changing your password manually on all devices to match, while a bit inconvenient, is just fine and will not cause any problems.

This discussion has been closed.