Unlocking multiple vaults - Difference between Mac and Windows versions of 1Password

LanceRas

Currently using 5.4 beta 4.

When using multiple vaults, as long as you can access/guess one of the vault's passwords, you gain access to the other vaults. This is a pretty severe security exploit, if by change 1Password access is left open for whatever reason and someone else accesses the computer.

In the Windows version, when changing vaults, you are prompted to enter the password to access the vault being accessed. The Mac version should do the same.

This behavior is with the mini as well as the main app.

Lance

rickfillion

Hi @LanceRas,

The Mac app and Windows apps differ here, and it's not considered a security flaw. The Windows app does not have the concept of Primary vs Secondary vaults, every vault is completely independent. So its behavior is appropriate there. The Mac app allows you to unlock two ways: You can either unlock the Primary vault, which unlocks not only the Primary vault, but also all secondary vaults. Or you can unlock a single secondary vault. If you unlock a secondary vault then that vault is the only vault that's open. Switching to any other vault will show them as locked.

Can you confirm that this what you're seeing?

Rick

LanceRas

I guess I don't see the reasoning for the logic on the Mac side.

Example: There is a vault for work and a vault for personal. If the Mac was at the office and, for purposes of emergencies, the password to access the work vault is given to someone. That person, once signing into that vault would then have access to the personal vault, which they would not have business accessing. The design of the Windows app allows the personal vault to be secure from access by anyone in the office, yet have access to the work vault, if needed. By the same token, if the Mac was at home, it could expose the work passwords if someone at home was given access to the personal vault.

The only advantage the Mac behavior could be desired is quick and unrestricted access to the non-primary vaults. If this is still to be designed, what i propose is an option in each vault that would force requiring the password when accessing that vault. For Windows app, it wouldn't change behavior. In the Mac app, if I indicated the preference in each vault to require password before accessing vault, then the Mac app would prompt for password before switching to the other vault (or accessing). Makes it a win-win and better security.

LanceRas

My 2nd comment was more of the reason of saying it's a security flaw. It would be the equivelant of going into a bank vault and as long as I open up my safe deposit box with my keys, I can then open up everyone else's safe deposit boxes without the need of a key. it's certainly convenient, if I was a thief, though.

pauLee

I agree with LanceRas, it think in the same way as already mentioned in the past:

https://discussions.agilebits.com/discussion/26633/unlocking-primary-vault-unlocks-all-secondary-vaults-works-as-designed

I would vote for a change!

Drew_AG

Hi @LanceRas and @pauLee,

Thank you both for your feedback about this, we do appreciate it! The ability to unlock all vaults by unlocking your Primary vault in 1Password for Mac was intended for your convenience, so you only need to enter one master password to access all your data, instead of needing to unlock each vault separately. As you already know, 1Password for Windows works differently because there's no concept of Primary or secondary vaults, so it's only possible to unlock one vault at a time, and switching from one vault to another will always require that vault's master password to be entered.

Now, depending on your workflow, one of these methods will work better for you than the other - and in your cases, it certainly sounds like the 1Password for Windows method is better suited for your needs. However, there are just as many (if not more) users who prefer the 1Password for Mac method, and ask us to change the Windows version so they can unlock all vaults with a Primary master password. We have very passionate users on both sides of this topic - which I think is a good thing! However, as you can see, there's really no way to please everyone, unless (as LanceRas suggested) we add an option so the user can choose how they want unlocking multiple vaults to work. This is a request our developers are very aware of, so it's possible they may add something like that in the future (although of course I can't make any promises at this point). I'll be happy to add your feedback to the open feature request.

@LanceRas, to address a couple things you mentioned:

...for purposes of emergencies, the password to access the work vault is given to someone.

And:

...if the Mac was at home, it could expose the work passwords if someone at home was given access to the personal vault.

Part of what makes 1Password so safe is that no one can unlock your 1Password data without knowing your master password. So as long as your master password exists only in your head and you don't give it to anyone, your data is secure. Of course, if you give your master password to someone, that person will have access to your 1Password data. Keeping your master password a secret is very important, and you should never give it to anyone.

However, I understand what you're saying, and if you want/need to give someone access to one of your 1Password vaults, then I highly recommend you make that a secondary vault. You can give that person the master password for the secondary vault, and that's the only vault they will be able to access. In your situation, you may want to have 3 different vaults on your Mac: a secondary vault with work-related data that you might need to share with other employees, another secondary vault with personal data that you might need to share with your family at home, and the Primary vault with the data you never, ever want anyone else to be able to access, ever. If you need help to switch the order of your vaults, just let us know.

It would be the equivelant of going into a bank vault and as long as I open up my safe deposit box with my keys, I can then open up everyone else's safe deposit boxes without the need of a key.

I see what you're trying to say, but they're really not the same thing. In your metaphor, you're saying that opening your own safety deposit box would open everyone else's safety deposit box. That would be like saying that unlocking your Primary vault in 1Password would somehow unlock everyone else's vaults on every single computer that has 1Password installed - but that's simply not true. Unlocking your Primary vault only unlocks the vaults you've added to 1Password on that one, single computer. They are vaults that only you are supposed to have access to. So, a better analogy would be that you personally have 3 safety deposit boxes at a bank, and unlocking one will also unlock your 2 others - but all the security deposit boxes that aren't yours will remain locked. (And yes, I realize that in reality, safety deposit boxes can only be unlocked one at a time.)

Personally, I do like your suggestion to include an option for how unlocking multiple vaults works in 1Password. Hopefully we'll be able to include something like that in the future. Again, we very much appreciate your feedback about that! If you have more questions or need anything else, please let us know. :)

ref: OPM-2227

peasnrice

We just started using 1password at work and we have a strong password that everyone knows. My concern is that there is nothing preventing one of our employees setting up a personal secondary vault with a less secure password.
The analogy above may not be not be completely correct, However...

I think a more accurate description would be akin to someone setting up an incredibly secure vault that contains top secret information and giving multiple trustees a key. Now these trustees can create their own vaults that could contain whatever else and are secured by a door made of paper. These vaults have direct and open tunnels between them.

A system is only as secure as its weakest link and this compromises the strength of the primary vault. The only way I see our company getting around this issue is to provide our employees with a password but there is nothing preventing them from changing it. I'd much prefer the ability to enable/disable this feature on a vault by vault basis.

littlebobbytables

Hi @peasnrice,

You're absolutely correct that any system is only as secure as the weakest point but while I still see an example case it I suspect you've not quite understood all of the subtleties of our current approach.

Say you have multiple vaults linked to your copy of 1Password and that 1Password is locked.

You can actually switch to any vault from the locked screen and supply just that vault's password. It will only gain you access to that one vault and should you switch away from it to another vault 1Password will return to the locked screen. The reason is the other vaults were never unlocked as you didn't supply a password that could access all of the required encryption keys. If you switch back to the originally unlocked vault you will find it is now locked and you need to unlock once again.

Only the Master Password for the primary vault allows you to view secondary vaults. The idea is your primary vault is your most personal, most sensitive one and one you take great care in securing. It is also intended to be a password you don't share with anybody.

Now of course if somebody picks a weak Master Password for their primary vault and then adds a far more sensitive vault to this copy you are correct, there is a weak point in the chain. If the primary vaults are a company vault though then a secondary personal vault won't impact on your security.

I'd say some of your thoughts are more applicable to an enterprise type environment. It's certainly something we can take on board though.

Alberonx

@littlebobbytables
I can see the reasoning on both sides here. I am running 1Password for Mac and 1Password (AppStore version) on my iPhone syncing vaults via iCloud.

It's really convenient having access to all those unique passwords for those countless logins. I do, however, have a handful of passwords, which I would not want someone to get their hands on, if someone was to get access to my iPhone 1Password app. So I created a second vault for those passwords which is not synced. I gave that second vault a much more complex password and now just realised that my master password is unlocking my high security vault, too.

I understand that this is convenient for some people. So my vote is for adding a preference that let's a 1Password for Mac user decide whether s/he wants to unlock their vaults separately. Thanks for this amazing app, 1Password Team!

AGAlumB

Thank you for your feedback! We'd definitely like to make things more consistent across platforms, so we really appreciate knowing how you'd like us to improve 1Password in the future. :)

duncanrose

I came to 1Password 3 years ago after dumping another app (SplashID) that just could not provide the security and convenience I was looking for. I have five (yes 5) vaults all syncing over Dropbox. One for my wife, one for my teenager, one for work password and two for other stuff. I absolutely love the way I can open all of the vaults at once on my Mac and iOS devices and yet share just the vaults I want to the appropriate people. Instant sync and copy an item and I can add a new login for my son or wife and it shows up on their phone.

This week I started a new role that requires me to have a Dell and to my horror I have discovered that I must now memorize 5 separate master passwords for vaults. Yikes. For those of you who feel that this is a feature. As a software engineer I must disagree.

khad

@duncanrose,

Thanks for letting us know you would like to see this on Windows as well. I've made sure the developers received your feedback. :+1: