Unlocking primary vault unlocks ALL vaults.
I'm using 1Password on OS X on a computer shared by multiple people. I have multiple vaults synced via Dropbox which belong to different people and have different passwords. For some reason, unlocking the primary vault causes ALL vaults to unlock, not just the primary. It seems that this shouldn't be possible. It shouldn't be possible to unlock a vault without knowing its password.
Is this the intended behaviour? If so, it's a bit worrisome that it works at all. How is it possible to open a vault without its password?
Comments
-
This is as designed. The passwords for your secondary vaults are stored (hidden) in your primary vault. It's always possible to open just a secondary vault when unlocking 1P (by choosing that vault from the menu) so I suspect the answer in your case is simply not to share the primary vault password (and, of course, to ensure that anything others need is in their relevant secondary vault). Does that help?
Apologies if I've misunderstood anything.
Edit: There's an excellent description of how multiple vaults work from AgileBits here. It's much better than my attempt above!
Stephen
0 -
That doesn't really make any sense in our case though. We'd have to set the password of the primary vault to something nobody knows, which is silly. Since it's pretty much impossible to change which vault is the primary, it also leaves us in a situation where we can't easily change this around. Our computers are shared workstations; ideally we'd have a primary vault to which everyone has the password, and secondary vaults which are everyone's private vaults. Whoever happens to be working at that computer at the time can unlock the primary vault (shared password) and their private vault (private password). This seems like it should be pretty simple to set up, but 1Password makes this kind of setup unnecessarily difficult :(
0 -
Hi @jnicklas,
I'm sorry for the trouble here. To have multiple (private) vaults on a single computer, I would recommend using separate user accounts on the Mac. At this time, 1Password isn't able to support the kind of set-up that you're looking for.
With separate user accounts, I would suggest that each user sets up 1Password so that their primary vault has their personal data, locked behind a secure and unique Master Password, and then you all share a secondary vault through Dropbox. This will allow each user to unlock 1Password with their own Master Password that no one else needs to know, and they can then easily access the shared passwords in the secondary vault.
I hope this helps, but if you have any further questions, we're here for you!
0 -
Thanks for the reply. Unfortunately having multiple user accounts isn't an option on these computers, because some system software (notably Homebrew) doesn't play well with multiple user accounts. It also adds way too much overhead, in that each person ends up having an account on each machine and has to set it up properly. We've tried syncing personal accounts in the past and it's just too slow.
Couldn't you add an option to disable this behaviour? It seems like not unlocking the secondary vaults would be a matter of not doing something (storing the secondary vaults' passwords in the primary).
0 -
Hi @jnicklas
Thanks so much for the feedback here! I'm sorry that multiple accounts is a bit of a complicated option for you.
I'd be happy to pass your thoughts along to our developers, but I can't promise much. A change like this would require a complete re-imagining of how vaults are handled in 1Password. Unfortunately, it's no small task.
I do wish I had a better answer for you here!
0 -
Just wanted to post a +1 in favor of being able to disable the automatic unlocking of secondary vaults. Now that I understand the design, I'm not as worried about it as when I first discovered the feature, but I would never have expected it to work this way by default, and would really appreciate a way to turn it off. I'm perfectly happy to enter one password for my personal vault, and one other password for my shared work vault.
0 -
Thanks for the vote, solipet!
0
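The design described in the first reply (secondary vault passwords stored inside the primary vault) can be modelled as a one-way chain, shown here as an added sketch that is not part of the original thread and is not 1Password's code or file format. The `_vault_passwords` field, the vault names and passwords, and the HMAC-based stand-in cipher are all assumptions made for illustration.

```python
import hashlib, hmac, json, os

ITER = 100_000  # assumed PBKDF2 work factor for this sketch

def _keys(password, salt):
    # Derive separate encryption and MAC keys from the vault password.
    okm = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITER, dklen=64)
    return okm[:32], okm[32:]

def _stream(key, nonce, n):
    # HMAC-SHA256 in counter mode as a stdlib-only stand-in; real code uses an AEAD.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(password, items):
    salt, nonce = os.urandom(16), os.urandom(16)
    ek, mk = _keys(password, salt)
    pt = json.dumps(items).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(ek, nonce, len(pt))))
    tag = hmac.new(mk, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def unseal(password, vault):
    ek, mk = _keys(password, vault["salt"])
    expected = hmac.new(mk, vault["nonce"] + vault["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, vault["tag"]):
        raise ValueError("wrong password")
    ks = _stream(ek, vault["nonce"], len(vault["ct"]))
    return json.loads(bytes(a ^ b for a, b in zip(vault["ct"], ks)))

def unlock_from(name, password, vaults):
    """Return {vault name: items} for everything one password can reach."""
    opened = {name: unseal(password, vaults[name])}
    # Hypothetical field: only the primary holds other vaults' passwords,
    # so the chain runs primary -> secondary and never the other way.
    for other, pw in opened[name].get("_vault_passwords", {}).items():
        opened[other] = unseal(pw, vaults[other])
    return opened

def build_demo():
    # Constructed sample data: names, passwords and items are made up.
    primary = {"wifi": "w1", "_vault_passwords": {"alice": "alice-pw", "bob": "bob-pw"}}
    return {"alice": seal("alice-pw", {"bank": "a1"}),
            "bob": seal("bob-pw", {"mail": "b1"}),
            "primary": seal("shared-pw", primary)}
```

In this model, whoever knows the primary password reaches every vault, while a secondary password opens only its own vault, which is why sharing the primary password among workstation users exposes everyone's private vaults.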