Can old passwords/keychains compromise security of newer versions of 1Password?

tommy_tipper
Community Member

Two initial assumptions - either of which may be wrong:
1. As far as I understand, when you change your master password (MP), it doesn't generate a new encryption key, it just re-encrypts your old encryption key in a different way.
2. Old encrypted encryption keys are inherently less secure because they were encrypted with older algorithms, e.g. with fewer iterations of PBKDF2.

Hypothetical situation:
Attacking new customers of 1Password (creating new vaults with bells-and-whistles v5 encryption) seems tough. But what if some malicious person has been stockpiling old encrypted encryption keys (how they got them is irrelevant [?]).
They use whizzy new hashcat or otherwise to break the encryption on old encrypted encryption keys.
If my first assumption is right, it doesn't matter if someone has upgraded to 1Password5 and created a new 30-letter MP... the old, cracked encryption key will still open their new bells-and-whistles vault.

I'm sure there must be a flaw in my logic somewhere, as I'm definitely no expert on these things!

But if my logic is correct, the only way to take full advantage of newer encryption algorithms in newer versions of 1Password is to create a new primary vault after an update?

Thanks for your time,
Tom

Comments

  • Stephen_C
    Community Member

    If you want a blow-by-blow account and a detailed discussion, take a look at this rather long thread. I appreciate it may not answer all your questions, but there is some interesting information in it.

    Stephen

  • Megan
    1Password Alumni

    Hi Tom (@tommy_tipper)

    Please let us know if you have any further questions after reading through that thread that @Stephen_C linked to. :)

  • littlebobbytables
    1Password Alumni

    Hi @tommy_tipper

    Essentially you're correct: if you want brand new encryption keys then, for the moment, you need to export all of your data in the .1pif format, wipe the old vault(s) and create new ones to generate brand new encryption keys. The thread Stephen_C linked you to is pretty long and covers a few panicky moments, but there's a fairly descriptive post or two on how to do this.

    This really is for advanced users who know what they're doing, so if you have any questions I strongly recommend you ask beforehand.

  • tommy_tipper
    Community Member

    Thanks for all your replies. I'll take a more detailed look through the posts that @Stephen_C linked to and have a think about whether I want to go down that route. @littlebobbytables: you say "... for the moment..." - does that mean that there is a change coming on this front?

    Thanks, Tom

  • Megan
    1Password Alumni

    Hi Tom (@tommy_tipper),

    The future is always full of possibilities. We generally don't comment much on unreleased features, just so users don't get their hopes up over something that becomes impossible due to factors beyond our control. I think that @littlebobbytables' statement was more to let you know how things are, rather than promise a change in the future.

    We are always looking for ways to make 1Password more secure and user-friendly though, so a simpler re-encryption process sounds like a good option to consider!
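The key-wrapping model Tom describes in the opening post (a master password change re-wraps the same vault key rather than replacing it) and the export-and-recreate remedy littlebobbytables gives are both illustrated by the following added example. It is not 1Password's code: the blob layout, the XOR-plus-HMAC toy wrap, the iteration counts and all function names are assumptions made for illustration, and the sample passwords are constructed.

```python
"""Toy model of password-based key wrapping: why changing a master password
does not replace the vault key, and why re-keying does.  Added example, not
1Password's code; the wrap format, iteration counts and names are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass

KEY_LEN = 32  # bytes; master key and key-encryption key (KEK) are both 256-bit


@dataclass(frozen=True)
class WrappedKey:
    """The 'encrypted encryption key' blob a client stores on disk (assumed layout)."""
    salt: bytes
    iterations: int    # PBKDF2 iteration count fixed into the blob at wrap time
    ciphertext: bytes  # master key XOR KEK (one-time-pad style toy wrap)
    tag: bytes         # HMAC-SHA256 over the blob, so a wrong password is detected


def derive_kek(password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a KEK with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=KEY_LEN)


def _mac(kek: bytes, salt: bytes, iterations: int, ciphertext: bytes) -> bytes:
    msg = salt + iterations.to_bytes(4, "big") + ciphertext
    return hmac.new(kek, msg, "sha256").digest()


def wrap_master_key(master_key: bytes, password: str, iterations: int) -> WrappedKey:
    """Encrypt (wrap) an existing master key under a password-derived KEK."""
    assert len(master_key) == KEY_LEN
    salt = os.urandom(16)
    kek = derive_kek(password, salt, iterations)
    ciphertext = bytes(m ^ k for m, k in zip(master_key, kek))
    return WrappedKey(salt, iterations, ciphertext, _mac(kek, salt, iterations, ciphertext))


def unwrap_master_key(wrapped: WrappedKey, password: str):
    """Recover the master key, or None if the password is wrong or the blob was altered."""
    kek = derive_kek(password, wrapped.salt, wrapped.iterations)
    expected = _mac(kek, wrapped.salt, wrapped.iterations, wrapped.ciphertext)
    if not hmac.compare_digest(expected, wrapped.tag):
        return None
    return bytes(c ^ k for c, k in zip(wrapped.ciphertext, kek))


def change_master_password(wrapped: WrappedKey, old_password: str,
                           new_password: str, iterations: int) -> WrappedKey:
    """A master-password change in this model: unwrap, then re-wrap the SAME key.
    Any older blob of the same key that still exists keeps working."""
    master_key = unwrap_master_key(wrapped, old_password)
    if master_key is None:
        raise ValueError("old password rejected")
    return wrap_master_key(master_key, new_password, iterations)


def rekey_vault(new_password: str, iterations: int) -> WrappedKey:
    """The export/recreate route: a brand-new master key, under which the vault
    data would then be re-encrypted.  Older blobs wrap a key that is no longer used."""
    return wrap_master_key(os.urandom(KEY_LEN), new_password, iterations)


def below_policy(wrapped: WrappedKey, minimum_iterations: int) -> bool:
    """Defender check: does a stored blob still carry a weaker-than-policy KDF cost?"""
    return wrapped.iterations < minimum_iterations


def demonstrate(old_password="correct horse",              # constructed sample values
                new_password="a-much-longer-thirty-char-pw!!",
                old_iters=1_000, new_iters=100_000) -> dict:
    master_key = os.urandom(KEY_LEN)
    old_blob = wrap_master_key(master_key, old_password, old_iters)   # "old version" blob
    new_blob = change_master_password(old_blob, old_password, new_password, new_iters)
    fresh_blob = rekey_vault(new_password, new_iters)
    return {
        "password_change_keeps_master_key":
            unwrap_master_key(old_blob, old_password) == unwrap_master_key(new_blob, new_password),
        "old_blob_below_policy": below_policy(old_blob, new_iters),
        "new_blob_below_policy": below_policy(new_blob, new_iters),
        "rekey_replaces_master_key": unwrap_master_key(fresh_blob, new_password) != master_key,
        "wrong_password_rejected": unwrap_master_key(new_blob, old_password) is None,
    }


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print(f"{name}: {value}")
```

The result dictionary makes the thread's point concrete: after `change_master_password` the old low-iteration blob and the new high-iteration blob unwrap to the identical master key, so the stronger KDF parameters protect only the new wrapper, not the key itself; only `rekey_vault` produces a key the old blob cannot yield. The `below_policy` check is the kind of inventory test a defender would run over stored blobs to find wrappers created under older parameters.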
