Unlocking primary vault unlocks ALL vaults.

Options
jnicklas
jnicklas
Community Member

I'm using 1password on OS X on a computer shared by multiple people. I have multiple vaults synced via Dropbox which belong to different people and have different passwords. For some reason, unlocking the primary vault causes ALL vaults to unlock, not just the primary. It seems that this shouldn't be possible. It shouldn't be possible to unlock a vault without knowing its password.

Is this the intended behaviour? If so, it's a bit worrisome that it works at all, how is it possible to open a vault without its password?

Comments

  • Stephen_C
    Stephen_C
    Community Member
    edited October 2014
    Options

    This is as designed. The passwords for your secondary vaults are stored (hidden) in your primary vault. It's always possible to open just a secondary vault when unlocking 1P (by choosing that vault from the menu) so I suspect the answer in your case is simply not to share the primary vault password (and, of course, to ensure that anything others need is in their relevant secondary vault). Does that help?

    Apologies if I've misunderstood anything.

    Edit: There's an excellent description of how multiple vaults work from AgileBits here. It's much better than my attempt above!

    Stephen

  • jnicklas
    jnicklas
    Community Member
    Options

    That doesn't really make any sense in our case though. We'd have to set the password of the primary vault to something nobody knows. Which is silly. Since it's pretty much impossible to change which vault is the primary it also leaves us in a situation where we can't easily change this around. Our computers are shared workstations, ideally we'd have a primary vault to which everyone has the password, and secondary vaults which are everyone's private vaults, whoever happens to be working at that computer at the time can unlock the primary vault (shared password) and their private vault (private password). This seems like it should be pretty simple to set up, but 1password makes this kind of setup unnecessarily difficult :(

  • Megan
    Megan
    1Password Alumni
    Options

    Hi @jnicklas,

    I'm sorry for the trouble here. To have multiple (private) vaults on a single computer, I would recommend using separate user accounts on the Mac. At this time, 1Password isn't able to support the kind of set-up that you're looking for.

    With separate user accounts, I would suggest that each user sets up 1Password so that their primary vault has their personal data, locked behind a secure and unique Master Password, and then you all share a secondary vault through Dropbox. This will allow each user to unlock 1Password with their own Master Password that no one else needs to know, and they can then easily access the shared passwords in the secondary vault.

    I hope this helps, but if you have any further questions, we're here for you!

  • jnicklas
    jnicklas
    Community Member
    Options

    Thanks for the reply. Unfortunately having multiple user accounts isn't an option on these computers, because some system software (notably homebrew) doesn't play well with multiple user accounts. It also adds way too much overhead, in that each person has ends up having an account on each machine and has to set it up properly. We've tried syncing personal accounts in the past and it's just too slow.

    Couldn't you add an option to disable this behaviour? It seems like not unlocking the secondary vaults would be a matter of not doing something (storing the secondary vaults' passwords in the primary).

  • Megan
    Megan
    1Password Alumni
    Options

    Hi @jnicklas‌

    Thanks so much for the feedback here! I'm sorry that multiple accounts is a bit of a complicated option for you.

    I'd be happy to pass your thoughts along to our developers, but I can't promise much. A change like this would require a complete re-imagining of how vaults are handled in 1Password. Unfortunately, it's no small task.

    I do wish I had a better answer for you here!

  • solipet
    solipet
    Community Member
    Options

    Just wanted to post a +1 in favor of being able to disable the automatic unlocking of secondary vaults. Now that I understand the design, I'm not as worried about it as when I first discovered the feature, but I would never have expected it to work this way by default, and would really appreciate a way to turn it off. I'm perfectly happy to enter one password for my personal vault, and one other password for my shared work vault.

  • Ben
    Options

    Thanks for the vote, solipet!

This discussion has been closed.