vault issue - unlocking primary vault also unlocks secondary vault [works as intended]

icl

I use my primary vault to store mainly logins and other non-critical information. I just created a second vault to store more critical info such as online banking, bank account and credit card details. I was surprised when I realised that when I open my primary vault, the secondary vault (with a different password) is automatically unlocked! The idea was to be able to have the primary vault open throughout the day while keeping vital information locked in another vault. Is this possible? Or are other vaults always unlocked along with the primary one?

Thanks!
iason

Stephen_C

Currently secondary vaults are unlocked when you unlock the primary vault (although you can choose to unlock a secondary vault without unlocking the primary vault). Other people have commented about the arrangement in similar terms to you, so you are not alone in thinking as you do.

Stephen

sjk

Hi @iason,

I hope @Stephen_C's answer was helpful for you. Here are some of the related topics he referred to:

• Secondary vault does not lock [Unlocking primary unlocks all secondary vault, this is intended]
• Unlocking primary vault also unlocks secondary vault [works as intended]
• Unlocking primary vault also unlocks secondary vault? [yes; works as intended]
• vault issue - unlocking primary vault also unlocks secondary vault [works as intended]

Indeed, you are not alone in thinking as you do. :)

ref: DOCS-104

icl

thanks for the replies.
it would be nice to have a feature where the vaults could be totally independent.

sjk

You're welcome, @icl. Your interest in being able to unlock each vault totally independently, i.e. unlocking the Primary without secondaries also being unlocked, has been noted in our request tracker. Thanks again! :)

icl

Thanks!

sjk

Cheers! :)

ag1

Hi,
in my opinion, it would be a nice security enhancement to have the option to create separate passwords for other vaults.
I know the program is called 1password and that's probably why you haven't implemented it yet, but let me explain why I think this would make sense.

I'm heavily using 1Password for every Login on every Website with the Safari extension. This means that my primary vault is unlocked quite some time a day. The problem is that I get a really unwell feeling of storing my credit card information, bank account information, social security number, or other highly sensible data in my primary vault, which happens to get unlocked if I want to log in reddit for instance. I don't feel really secure this way and I'm also not sure what would happen if I had a malicious software on my mac that just waits for my vault to get unlocked and then access it right away? As a software developer my self, I'm pretty sure there is such an attack vector.
That's why it would make sense to create a Vault for sensible information with a separate password, that would be locked again, right after using it.
What do you think about it?
best regards,
Andreas

littlebobbytables

@ag1 How would being required to unlock a secondary vault stop malware designed to target 1Password from eventually stealing what it was programmed for? If you assume your computer is compromised to that level then surely nothing is safe?

As an alternative, why not allow Safari to remember the passwords for these unimportant sites (which obviously also couldn't include any where you have any card details stored) thus allowing you to keep 1Password locked for periods of the day.

ag1

Well if the system is fully compromised with a malware that has root rights, you are right as it could control the vault if the 1password main application is opened (and also log the keys to get the password). But a secondary vault which requires a password every time for every access could protect you from malware that has only user rights and uses the same api as the safari extension. It also protects you if you leave your 1p main window open and quickly leave the mac.

I'm not really happy with your stated alternative as I want to sync my browser passwords locally with 1password. My workaround at the moment is to encrypt my sensible information in a sparsebundle and use 1p for all the not so important stuff.

Megan

Hi @ag1,

1Password's new multiple vault feature was designed so that you still only have to remember one password, no matter how many vaults you create. Your primary vault holds the encryption keys for all of your secondary vaults. This means that unlocking your primary vault will give you quick and easy access to all of your data, regardless of which vault it is stored in.

However, you still can unlock a secondary vault on its own. In the main app, use 1Password > Switch Vault menu. (In the 1Password mini, click on the lock image on the lock screen to select the secondary vault.) Please note that when you unlock the secondary vault alone, all other vaults will remain locked. You won't be able to copy items between vaults, and you will need to enter your Master Password to view another vault.

It might help to think of your primary vault as your high-security vault - protected behind your super-strong Master Password. You can keep 'lower security' items, such as your Reddit account, in a secondary vault. Then you can switch to your secondary vault to unlock and leave your primary closed. If the 1Password > Switch Vault menu is too much work, there are also handy keyboard shortcuts available. ⌘[vault#] will switch to the desired vault.

I hope this helps!

sjk

Hi @ag1,

Just wanted to let you know I've moved your posts and followups from Password for each vault into this related topic since that other one has now gone in a different direction for helping resolve Phillip's problem. :)

log42

Is any progress being made on having completely separate vaults with separate passwords that aren't accessible using a master password?

sjk

Hi @log42,

There's no news about this at the moment. We've been quite busy with the launch of 1Password 5 for iOS as well as preparing for Yosemite on the Mac. Being able to (un)lock the Primary vault independently of secondary vaults is still on our radar and I've passed along your interest in this to our` developers.

ref: OPM-2227

khad

We don't normally pre-announce new features or products (or give time frames for them) as there are simply too many factors affecting their release. We would hate to give some info and have to change course for some reason — possibly even a reason beyond our control — and it just breaks our heart to let folks down. I do hope you can understand.

I've passed you vote for this along to the team, though, @log42‌! :)

flying_toaster

Hello,

I create a second vault with a stronger password. If I a login in the primary vault with a short password, the seconds is also unlocked.
My question is, is the passwords from the other vaults stored in the primary vault? if it is so, it is not very save.

Best regards

Falk

Stephen_C

At present unlocking the primary vault will unlock any secondary vaults you have, as you have discovered. This point has been discussed before (including here). There is a rationale from AgileBits in post #11 in that thread but you'll see it's also possible things may change at some time in the future.

Stephen

sjk

Hi Falk ( @flying_toaster ),

I've merged your post with the topic that @Stephen_C referred to in his reply.

My question is, is the passwords from the other vaults stored in the primary vault?

@Megan's answer, from post #11:

Your primary vault holds the encryption keys for all of your secondary vaults. This means that unlocking your primary vault will give you quick and easy access to all of your data, regardless of which vault it is stored in.

Please let us know if you have any other questions about this. Cheers! :)