Sync with wrong master-password - how is it possible?

clappa
Community Member

Hi!

I have just installed 1Pw on my Mac and iPad, and then I established synchronization via Dropbox. Everything was perfect. Then I changed the master-password on the Mac, but (oops) the iPad still allows login with the old master-password, and synchronization still works both ways.

How is it possible? It looks like the sync file on Dropbox is not encrypted by my master-password at all. So, how can I be sure that it cannot be opened using any other key? Or if my master-password is compromised and I decide to change it, will the Dropbox sync file still be allowed to open using the old (compromised) password?

S.

Comments

  • littlebobbytables
    1Password Alumni
    edited December 2014

    Hi @clappa

    It's true, most of what is contained in your vault isn't actually encrypted by your Master Password, but before you read that and freak out, please do continue reading. Encryption is extremely tough to get right, and more often than not it isn't intuitive. Bearing that in mind, I'm going to link you to a blog entry of ours about the opvault format titled 1Password 4 Cloud Keychain design, which will give you a feel for what's going on.

    Essentially we encrypt key information with your Master Password and that in turn is what we use to encrypt your information. Even that's a high-level description of what happens. These keys that are encrypted with your Master Password, though, don't change unless you delete your vault entirely and start again from scratch. When you change your Master Password, that key file is decrypted with the old MP and then encrypted with the new one, but the contents haven't changed.

    While we don't offer an automated way of doing so at the moment, if for any reason you are concerned that access to the encryption keys is compromised, then we can guide you through the steps required to create a pristine vault with new keys and a new Master Password. In general, though, this isn't advised unless there is a very good reason; it's much better to simply pick a strong Master Password from the beginning.

    We do have a bug that should be taken care of soon where the new Master Password wasn't being picked up (as you've discovered), but I wanted to say that last as that wasn't really what you were asking; it seemed to just be the catalyst for your actual questions, which I've attempted to answer above.

    In the likely event you have more questions or there is a certain area you wish to be expanded on, please do post.

This discussion has been closed.
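Added example, not part of the original thread and not 1Password's code or file format: a minimal model of the key wrapping the reply describes, where a random vault key encrypts the items and the Master Password only encrypts that key. PBKDF2, the HMAC-based stand-in cipher, all function names and the sample values are assumptions, chosen so the block runs on the Python standard library alone.

```python
import hashlib, hmac, secrets

def kek(password, salt):
    # Key-encryption key derived from the Master Password (PBKDF2 is an assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _xor_stream(key, nonce, data):
    # Stdlib-only stand-in cipher: HMAC-SHA256 in counter mode as a keystream.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def seal(key, plaintext):
    enc, mac = (hmac.new(key, t, hashlib.sha256).digest() for t in (b"enc", b"mac"))
    nonce = secrets.token_bytes(16)
    body = nonce + _xor_stream(enc, nonce, plaintext)
    return body + hmac.new(mac, body, hashlib.sha256).digest()

def unseal(key, blob):
    enc, mac = (hmac.new(key, t, hashlib.sha256).digest() for t in (b"enc", b"mac"))
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, body, hashlib.sha256).digest()):
        raise ValueError("wrong password or tampered data")
    return _xor_stream(enc, body[:16], body[16:])

def new_vault(password):
    salt, vault_key = secrets.token_bytes(16), secrets.token_bytes(32)
    return {"salt": salt, "wrapped_key": seal(kek(password, salt), vault_key), "items": []}

def unlock(vault, password):
    return unseal(kek(password, vault["salt"]), vault["wrapped_key"])

def add_item(vault, password, text):
    vault["items"].append(seal(unlock(vault, password), text.encode()))

def change_password(vault, old, new):
    # Re-wrap the same vault key under the new password; item ciphertexts are untouched.
    vault_key, salt = unlock(vault, old), secrets.token_bytes(16)
    return {"salt": salt, "wrapped_key": seal(kek(new, salt), vault_key),
            "items": vault["items"]}

def demo():
    vault = new_vault("old-password")               # constructed sample values
    add_item(vault, "old-password", "bank PIN 0000")
    earlier_copy = dict(vault)                      # key data copied before the change
    vault = change_password(vault, "old-password", "new-password")
    same_key = unlock(vault, "new-password") == unlock(earlier_copy, "old-password")
    item = unseal(unlock(earlier_copy, "old-password"), vault["items"][0]).decode()
    return same_key, item
```

`demo()` returns `(True, "bank PIN 0000")`: a copy of the wrapped key taken before the change still opens with the old password and yields the same vault key, which is why replacing a compromised password requires new keys, as the reply says.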