Ability to unlock single Vault?
I currently use KeePass and have been considering switching for convenience's sake. 1Password, while expensive, has most of the features that were important to me compared to LastPass, which I rejected due to lack of these important features.
The most important to me is password isolation via multiple vaults with different passwords. I don't want my most secure passwords being unlocked when I frequently open my everyday passwords. They're more critical and should have their exposure limited as much as possible. This works great on the OSX app, and I can set it so that no more than one vault is open. The problem is that the iOS app seems to unlock all of my vaults with a single password!! If my primary vault is compromised, ALL of my vaults are. Worse, I can't find any documentation about how this works and it appears that my vault passwords are all put into this primary mobile vault, completely negating the value of multiple vaults.
This is a deal breaker for me and I'll stay with my free, open source solution (even if it is less convenient), unless you can convince me otherwise.
Thanks!
Comments
-
Hi @R_K,
On iOS, the one master password will open all vaults. We recommend users choose a good strong password to avoid any of their vaults, including the primary vault, from being compromised. We also recommend TouchID in cases where you are concerned about being observed while entering your master password.
If you don't mind sharing, how do you envision your primary vault becoming compromised? Such feedback would be useful and can add more weight to your feature request.
So while I cannot promise you this capability today, I do thank you for your request and we will certainly give it consideration for future releases.
Regards,
Kevin
0 -
I segregate my passwords of low consequence (forums, etc) from those of high consequence (banks, insurance, etc). Given that I use the passwords of low consequence much more frequently, and given that they are of low consequence, I use an easier to type password, so it is less complex, and would thus be easier to compromise. It's still extremely unlikely, but still more possible.
My concern is that since my primary vault would be my low security vault, I don't want that one being the master that has the information about how to unlock the other vaults. My discomfort is that I don't know where you're storing the keys for the other vaults as it appears that they're NOT stored in the phone's secure element, so it implies that you're storing them in that primary vault.
My other concern, while unlikely, is that IF somebody were to snatch my phone while the vault is unlocked they could (if they were observant enough to recognize what they had), keep the phone active long enough to basically have full access to the passwords on my more secure vault, just because I unlocked the less secure vault in public. [yes, a bit far fetched, but it's a scenario that would be easily avoided by just asking me to unlock the other vaults individually like the desktop application does, only opening me to that risk when I open the high security vault]. That approach would also allow for storing each individual key in the phone's secure element.
I guess I could work around the first concern a little bit by creating a primary vault on iOS that doesn't contain any passwords and is not synced and is only used as the entrypoint to the other vaults, but it seems that short of not syncing the more secure vaults I have no way to avoid the latter risk. This also adds the inconvenience of having to switch vaults every time I open the application (unless you remember which vault was used last, I haven't tested that).
Perhaps I'm mistaken on the way that the non primary keys are stored, but it does give me pause.
0 -
Hi @R_K,
Thanks for the excellent feedback on this feature. Knowing the background and motivation for wanting features helps greatly when we consider them.
The passwords for the secondary vaults are indeed encrypted and stored in the primary vault. If you like, you can read more about our security at the following link. 1Password’s data format is published so you can read how 1Password stores data.
https://support.1password.com/secure-by-design/
Thank you for considering 1Password. If we can answer any other questions for you, just feel free to ask.
Cheers,
Kevin
0 -
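The arrangement confirmed in the reply above (secondary vault passwords encrypted inside the primary vault) can be modelled to show why the weakest password bounds every vault. This is an added example, not part of the thread and not 1Password's data format; the `Vault` class, `unlock_chained`, the sample passwords and the stdlib HMAC-based cipher standing in for a real AEAD are all assumptions.

```python
import hashlib, hmac, json, os

def kdf(password, salt):
    # PBKDF2-HMAC-SHA256; the iteration count is an illustrative value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    # Stand-in for a real AEAD (stdlib only): HMAC keystream, then encrypt-then-MAC.
    ek, mk = (hmac.new(key, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(ek, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    ek, mk = (hmac.new(key, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong password or tampered vault")
    return bytes(a ^ b for a, b in zip(ct, _keystream(ek, nonce, len(ct))))

class Vault:
    def __init__(self, password, items):
        self.salt = os.urandom(16)
        self.blob = seal(kdf(password, self.salt), json.dumps(items).encode())

    def open(self, password):
        return json.loads(unseal(kdf(password, self.salt), self.blob))

def unlock_chained(primary, secondaries, primary_password):
    """Design described in the thread: the primary vault holds the others' passwords."""
    opened = {"primary": primary.open(primary_password)}
    for name, pw in opened["primary"]["vault_passwords"].items():
        opened[name] = secondaries[name].open(pw)
    return opened

# Constructed sample data: a short everyday password and a long one for banking.
EVERYDAY_PW, FINANCE_PW = "tulip42", "correct-horse-battery-staple-91"
finance = Vault(FINANCE_PW, {"bank": "s3cret-pin"})
chained_primary = Vault(EVERYDAY_PW, {"forum": "pw1", "vault_passwords": {"finance": FINANCE_PW}})
isolated_primary = Vault(EVERYDAY_PW, {"forum": "pw1"})  # requested design: no stored keys
```

In the chained layout the everyday password alone yields the finance vault's contents, while in the isolated layout the same password fails authentication against the finance vault.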
So, I've done some further testing and started over with a completely clean slate and have determined that this is also true of the desktop applications, though I didn't notice it earlier. This means that the workaround that I specified before isn't really going to do anything for me.
I would REALLY like the option of NOT storing the passwords for my other vaults in my primary vault, and until that is the case I will not be migrating over to 1Password [and thus not buying licenses], even though it is so very close to what I want in every other aspect. This is the same primary shortcoming that kept me from using LastPass as well, as they also have a single password to switch between all of your identities, which is effectively what you have done by automatically and invisibly storing the secondary passwords in the primary vault.
A few other issues I noticed:
- 1password mini cannot be closed unless you unlock your vault first
- The plugin's dialog to create a new entry when a password is captured allows you to click on the lock icon and "select a vault", but that doesn't seem to do anything... it always adds it to the primary vault.
0 -
(and I just realized that in my clean slate restart I deleted the vault that had my password for this forum... :blush: )
0 -
Oops! Did you create a backup prior?
0 -
Nah, but it's OK... this site is the only one that I stored any unique data for during my testing, and you have a password reset feature.
0 -
Okay, thanks for the update. :)
If there is anything else we can do, please don't hesitate to contact us.
0 -
I'm going to +1 on having the ability to unlock one vault at a time. I even tried it by typing in the password for the 2nd vault in the 1Password login window (it seemed so obvious).
I use a lot of software as a creative freelancer and I hire someone to do updates, installs and general maintenance. It would be great to let them into my "studio" 1Password vault to access the logins and serials they need... yet rest easy knowing my banking and sexy farmer monthly type passwords are locked away.
- rB
0 -
Thanks for letting us know you'd like to keep, er...some things separate! ;)
But I will say that a better option in your case may be to not give someone else access to your machine, but instead to share the vault with them using Dropbox. That way they access only that vault on their own machine, and that reduces the risk of something malicious or merely foolish from affecting yours. :sunglasses:
0