Sharing a primary vault with a spouse & password changes
I am helping my wife to improve her password security, and have set her user account up with a primary vault that syncs to a folder in her Dropbox account that is shared with my Dropbox account. I double-clicked the agilekeychain in that folder (from my user account) to import her vault into my instance of Dropbox as a secondary vault, so I can help keep her passwords organized and audited. So far, everything works as expected -- changes I make to her passwords from the secondary vault in my instance are reflected in her primary vault, and vice-versa. (Very nice!)
Curiously, after helping her choose a much more secure master password, and changing it (in her user account, on her primary and only vault), I expected to have to authenticate with her new master password when logged into my user account and accessing her vault (a secondary vault in my instance), but I didn't have to do so. I've confirmed that the new master password works in her user account, and the old master password doesn't. The vault is still syncing through the shared Dropbox folder (most recent sync is 8 seconds ago), and changes that I make while in my user account (in the secondary vault) show up while in her user account (in her primary vault).
When I first imported her agilekeychain to create a secondary vault in my account, I had to authenticate with her then-current master password. I don't understand how I'm able to make changes to her data, if it's encrypted with a new master password. Shouldn't I have been required to provide the new master password?
1Password Version: 5.4-BETA-32
Extension Version: Not Provided
OS Version: 10.10.4
Sync Type: Dropbox
Comments
-
Hello @joshlawless,
If you were to remove the secondary vault from your copy of 1Password and re-add it you would indeed be required to supply the new Master Password. The reason you're not being asked for the new Master Password right now though is because of how the encryption works.
We don't actually encrypt your vault with your Master Password. The reason is simple: as complex as your Master Password may be (and not just yours, all of ours), it's nothing compared to the size of the keys a computer can work with. The longer the key, or even the number of keys used to encrypt your information, the less somebody can infer. Encryption is extremely complicated if you want to keep your data safe, and one of the things that can leak data is if the keys are small enough that patterns arise in the encrypted copy of the data. So we get around that issue by using your Master Password to encrypt something much smaller - a set of encryption keys that secure your actual vault. When you change your Master Password we simply decipher the keys and then encrypt them using the new Master Password. So those keys haven't changed, but the key to decipher them has.
Now in 1Password for Mac and iOS the reason you don't need to unlock any secondary vaults every time you unlock your Primary vault is that we store the encryption keys for your secondary vaults inside your Primary vault albeit not in a way visible to the user. As the encryption keys haven't changed the stored keys still unlock the vault although I am sure we're meant to be testing that we can still decrypt the keys in the sync container as well.
Now this isn't to say there isn't room for improvement here, but that's the technical reason why your copy of 1Password can still legitimately unlock the secondary vault. While the following document isn't specifically about the encrypted SQLite database file that is stored on your local storage device, all the concepts covered here are how it is done locally too. So this link is for the Building blocks section of the OPVault Design page. It's pretty technical, so I'm more supplying it if you're curious than suggesting it's fundamental reading. Now you may very well have follow-up questions, so please do ask!
0 -
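The key-wrapping scheme described in the answer above, shown as an added worked example. This is not 1Password's code or the OPVault format; it is a toy model written for this page that assumes the structure the answer describes: a random vault key encrypts the items, the Master Password only derives a key that wraps that vault key, and changing the Master Password re-wraps the vault key without touching the item ciphertexts. The HMAC-SHA256 counter-mode stream cipher with an encrypt-then-MAC tag is a standard-library stand-in for AES so the script runs without extra packages; the `Vault` class and its method names are this example's own.

```python
import hashlib
import hmac
import os
import secrets

# Toy parameters for the example; a real vault uses far more PBKDF2 iterations.
PBKDF2_ITERATIONS = 20_000


def derive_master_key(master_password: bytes, salt: bytes) -> bytes:
    """Slow-hash the Master Password into a 256-bit key-encryption key (KEK)."""
    return hashlib.pbkdf2_hmac("sha256", master_password, salt, PBKDF2_ITERATIONS, dklen=32)


def _subkeys(key: bytes):
    """Split one key into an encryption key and a MAC key so the two never collide."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-based counter-mode keystream (stand-in for AES-CTR in this toy model)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key (e.g. the old Master Password) fails here."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Vault:
    """Toy vault: items are encrypted under a random vault key; the Master Password only wraps that key."""

    def __init__(self, master_password: bytes):
        self.salt = os.urandom(16)
        self.vault_key = secrets.token_bytes(32)   # generated once, never changes
        self.items: dict[str, bytes] = {}          # name -> ciphertext under vault_key
        self.wrapped_key = encrypt(derive_master_key(master_password, self.salt), self.vault_key)

    def unlock(self, master_password: bytes) -> bytes:
        """Unwrap and return the vault key; this is what a freshly added secondary vault must do."""
        return decrypt(derive_master_key(master_password, self.salt), self.wrapped_key)

    def change_master_password(self, old: bytes, new: bytes) -> None:
        """Re-wrap the unchanged vault key under the new Master Password; item ciphertexts are untouched."""
        vault_key = self.unlock(old)
        self.salt = os.urandom(16)
        self.wrapped_key = encrypt(derive_master_key(new, self.salt), vault_key)

    def put(self, vault_key: bytes, name: str, secret: bytes) -> None:
        self.items[name] = encrypt(vault_key, secret)

    def get(self, vault_key: bytes, name: str) -> bytes:
        return decrypt(vault_key, self.items[name])


def demo() -> dict:
    """Reproduce the situation in the question: a second copy of the app has cached the vault key."""
    old_pw, new_pw = b"old master password", b"new, much longer master password"
    vault = Vault(old_pw)
    # What the secondary copy of the app stores after its one-time unlock with the then-current password.
    cached_vault_key = vault.unlock(old_pw)
    vault.put(cached_vault_key, "email", b"constructed-sample-secret")
    ciphertext_before = vault.items["email"]

    vault.change_master_password(old_pw, new_pw)

    try:
        vault.unlock(old_pw)
        old_rejected = False
    except ValueError:
        old_rejected = True

    return {
        "item_ciphertext_unchanged": vault.items["email"] == ciphertext_before,
        "cached_key_still_reads": vault.get(cached_vault_key, "email") == b"constructed-sample-secret",
        "new_password_unlocks": vault.unlock(new_pw) == cached_vault_key,
        "old_password_rejected": old_rejected,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The four results from `demo()` map directly onto the thread: the item ciphertext is byte-for-byte identical before and after the password change, a copy that already holds the unwrapped vault key keeps reading and writing items, only re-adding the vault (a fresh `unlock`) requires the new Master Password, and the old Master Password fails at the authentication tag on the wrapped key. The defensive corollary is the one the answer hints at: rotating a Master Password does not revoke any device that has already cached the vault key, so revoking access means rotating the vault key itself and re-encrypting the items, not just re-wrapping.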
Appreciate the explanation - glad to hear that this behavior was expected.
0 -
If you do have any other questions at all @joshlawless please don't hesitate to ask :smile:
0