Password Flaw I've found
I recently changed my password on my main Mac computer to a stronger length. This went without problem as per normal. I then proceeded to check all my other devices due to sync with Dropbox. The problem I found, and it works on all other devices including iPhone, iPad and a Mac Mini, is that you can log into your vault using your old password, even on one device that was not checked until the next day. I wondered if it is not receiving the up-to-date sync info from Dropbox; however, the second you change the password in the login box to the new one it knows this and changes, and from this point it will never allow you to enter the old one. This presents a security problem: if (and I mean a big if) somebody steals your computer and they know your old password, they can get straight into your vault? Dropbox will not override your old password to the new one until you put it in yourself.
1Password Version: 6
Extension Version: 6.1
OS Version: 10.11.4
Sync Type: Dropbox
Comments
-
@Shylock1966 Thanks for your post. You've described the situation pretty well actually. Our own @rickfillion wrote a blog post about syncing master password changes that describes how this works and it covers some nuances to the encrypted storage of your vault encryption keys that might help explain why the current situation is the way it is. Most people will simply use the new password and not encounter this nuance. If you're very concerned, you should make sure to have all your devices together when you change your master password and unlock each of them in turn to get them all using the new master password.
I hope that helps! Let us know if you have any other questions or concerns.
--
Jamie Phelps
Code Wrangler @ AgileBits
0 -
I think that this has been explained before by a member of AgileBits. The thing is that you change your vault password on Mac and then that Mac syncs the updated password to Dropbox. However, when you go to your iPhone or any other device you have, you have to first open your vault with your old password because 1Password can't sync without opening the vault first. So it doesn't know that you have changed your password until you open the vault with your old password first, and then it syncs and knows your new password.
So when you change your master password and don't want someone to be able to get to your vault with the old password, the best thing is to open 1Password on all devices you are using with the old password and sync.
0 -
You're absolutely right, @finadeon.
Rick
0
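
The behaviour discussed in this thread, as a simplified model added here for illustration; it is not AgileBits code and does not reproduce 1Password's key format. Assumptions: a vault key wrapped under a PBKDF2-derived key, a toy XOR-plus-HMAC wrap standing in for a real authenticated key wrap, and the hypothetical names `Device`, `wrap`, `unwrap` and `simulate`.

```python
import hashlib, hmac, os

ITERATIONS = 10_000  # assumption: kept low so the demo runs quickly

def kek(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def wrap(vault_key: bytes, password: str) -> dict:
    """Toy authenticated wrap (HMAC-derived pad + HMAC tag); not a production scheme."""
    salt = os.urandom(16)
    key = kek(password, salt)
    pad = hmac.new(key, b"pad" + salt, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(vault_key, pad))
    tag = hmac.new(key, b"tag" + ct, hashlib.sha256).digest()
    return {"salt": salt, "ct": ct, "tag": tag}

def unwrap(blob: dict, password: str):
    key = kek(password, blob["salt"])
    tag = hmac.new(key, b"tag" + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None  # wrong password for this copy of the wrapped key
    pad = hmac.new(key, b"pad" + blob["salt"], hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(blob["ct"], pad))

class Device:
    def __init__(self, blob: dict):
        self.local = blob  # this device's last-synced copy of the wrapped key

    def unlock(self, password: str, cloud: dict) -> bool:
        if unwrap(self.local, password) is None:
            return False
        self.local = cloud["wrapped_key"]  # in this model, sync runs only after unlock
        return True

def simulate() -> dict:
    vault_key = os.urandom(32)  # constructed sample key
    cloud = {"wrapped_key": wrap(vault_key, "old-password")}
    mac, phone = Device(cloud["wrapped_key"]), Device(cloud["wrapped_key"])
    # Password change on the Mac: same vault key, re-wrapped and uploaded.
    cloud["wrapped_key"] = mac.local = wrap(vault_key, "new-password")
    stale = phone.local  # e.g. a copy taken from the phone before it syncs
    return {
        "old_before_sync": phone.unlock("old-password", cloud),
        "old_after_sync": phone.unlock("old-password", cloud),
        "new_after_sync": phone.unlock("new-password", cloud),
        "stale_copy_opens": unwrap(stale, "old-password") == vault_key,
    }
```

In this model the password change re-wraps the same vault key, so any copy of the old wrapped key remains openable with the old password until that device has unlocked and synced.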