The Relationship between Master Passwords, Vault Passwords, and Vaults

kneil250
Community Member

What is the relationship between the master password, the vault passwords, and the vaults themselves?

When I had one vault, I was pretty sure I had one password, and it secured the one vault. Now I created a second vault, and when I did so, I was prompted to create a new password for that vault. All good, I thought; one password, one vault, and vice versa. Except that's not what happened -- it seems like the password for my first vault is opening my second vault, and both are unlocking at once. I was wondering how this worked under the hood, and also what information was being stored where (what's kept locally, what's being synced with which vault, etc.).

Thanks!


1Password Version: 6.1
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: iCloud, Dropbox, Local-Only

Comments

  • kneil250
    Community Member

    Also, I'm wondering if knowledge of the existence of one vault is stored in another?

  • littlebobbytables
    1Password Alumni

    Hi @kneil250,

    It can get a bit confusing; let's see if I can write this in a way that helps :smile:

    Each vault does indeed have its own password, which is first set when you create the vault and can then be later changed from inside of 1Password for Mac.

    The password for the very first vault in 1Password is special as is that vault. So whether you created a brand new vault when you first started this copy of 1Password for Mac or you pointed it to existing data in the form of an Agile Keychain or OPVault this first vault is always known inside this copy of 1Password for Mac as the Primary vault. The password for your Primary vault is what we refer to as your Master Password because of the following.

    When you add secondary vaults to a copy of 1Password, the encryption keys for those vaults are stored inside the primary vault. They're only stored locally and in the backups, so none of this is ever passed when syncing, with one very specific exception that I'll come back to later. By storing the encryption keys for the secondary vaults, the Master Password unlocks your primary vault and then the data stored inside of it unlocks the others.

    We do make the assumption that a person's Primary vault is their most valued vault and the one they protect and share either with only incredibly trusted people e.g. partner or not shared at all.

    A concrete example may help. Let's say you have 1Password for Mac at home and you also happen to use it at work and they have their own company vaults. On your home Mac you have a Primary vault and a secondary family vault and you share both via Dropbox. Your Master Password is the password for your Primary vault and allows you to access the secondary vault in 1Password for Mac on your home Mac. You share your family vault with others and they only have the password to it meaning no access to your primary vault.

    Let's say the Primary vault at work is a shared company vault that lots of people have the password to. If you were to add your primary vault here it wouldn't supplant the existing primary vault, instead it would merely become a secondary vault here as whether a vault is the primary or secondary isn't something set in stone inside the vault, it's merely specific to each copy of 1Password and by that I even mean per OS X user account as the data isn't stored in the application itself, just in the support files for that user account. If you added your primary vault here, anybody with access to this local copy of 1Password and with the Master Password for your company vault could access what was your personal primary vault as it's now a secondary vault here but this wouldn't help them access your family vault at all.

    I hope this helps but please do say if you don't feel any more enlightened, it's one of those things that isn't easy to explain in a sentence or two meaning the concept is complex enough that nobody should feel ashamed for not getting it straight away.

    Oh and that exception I mentioned earlier. Wi-Fi Sync between a single Mac and one or more iOS devices is quite special. You can sync either just the primary vault or the primary vault and one or more secondary vaults. It all happens in one go though unlike when you sync vaults separately in Dropbox. So here we do send the encryption keys for the secondary vaults with the primary but only in this one instance and when you sync using Wi-Fi you have to sync the primary vault. This is partly because support for syncing secondary vaults via Wi-Fi was added rather than being there from day 1. As such Wi-Fi Sync was only intended to sync a primary vault so the support is bolted on rather than being developed with the intention of sharing vaults separately.

    If you have questions please do ask :smile:

  • Looks like @littlebobbytables took care of this. Do let us know if you have any more questions. We're happy to [try to] explain how this all works. We have no secrets when it comes to this stuff.

    Rick

  • kneil250
    Community Member

    No, it makes a lot of sense, and I really appreciate you taking the time to write it out.

    I do have a follow-up question: I assume that if I were to set up multiple pre-existing vaults on a new machine, I would then be prompted for each vault's own password so that its keys could be decrypted the first time and then be stored locally, re-encrypted with the Master Password from the Primary vault on that machine?

    I hadn't previously realized that the first vault that each 1Password instance sees is granted a special status, but that's really useful for me to know in the future as I start to move my 1Password usage into more advanced usage scenarios.

  • Hi @kneil250,

    You're absolutely right. If you had 5 vaults, each syncing with, say, an OPVault in Dropbox, and you blew away your 1Password data (our database, not the Dropbox data), then as you set things back up and reconnected to the OPVault, we would need you to enter the passwords for each of these vaults so that we can decrypt its keys, then re-encrypt them with your primary.

    The fact that the first vault gets a "special" status is actually mildly annoying on our end. I'm trying to think of ways of allowing everything we do but somehow making that vault more of a peer to the other vaults. There's a bunch of features that I'd like to add that would be easier if all vaults were peers. A similar issue happens with 1Password for Teams and its accounts. The first one gets an implicit special status for the same reasons.

    Rick
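An added model of the key hierarchy that littlebobbytables and Rick describe above (this is illustrative code, not 1Password's own implementation): each vault has a random vault key wrapped under a key derived from that vault's password; the primary vault keeps the secondary vaults' keys re-encrypted under its own key, locally only; so the Master Password unlocks the primary and, through it, every attached secondary, while a secondary vault's password alone yields nothing about the primary. PBKDF2-HMAC-SHA256 and the HMAC-based toy stream cipher are assumed stand-ins, not the product's real primitives.

```python
import hashlib
import hmac
import secrets

def derive_key(password: str, salt: bytes) -> bytes:
    """Password -> 32-byte key. PBKDF2-HMAC-SHA256 is an assumed stand-in for the real KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, 32)

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode), stdlib only. Unauthenticated; model only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class Vault:
    """A vault owns a random vault key, wrapped under a key derived from its own password."""
    def __init__(self, name: str, password: str):
        self.name = name
        self.salt, self.nonce = secrets.token_bytes(16), secrets.token_bytes(16)
        vault_key = secrets.token_bytes(32)
        self.check = hmac.new(vault_key, b"key-check", "sha256").digest()  # detects a wrong password
        self.wrapped = xor_stream(derive_key(password, self.salt), self.nonce, vault_key)
        self.secondary = {}  # local only, never synced: name -> (nonce, other key wrapped under ours)

    def unlock(self, password: str):
        """Return the vault key for a correct password, else None."""
        key = xor_stream(derive_key(password, self.salt), self.nonce, self.wrapped)
        ok = hmac.compare_digest(hmac.new(key, b"key-check", "sha256").digest(), self.check)
        return key if ok else None

def attach_secondary(primary: Vault, primary_key: bytes, other: Vault, other_password: str) -> bool:
    """One-time step per machine: the other vault's own password decrypts its key, which is then
    re-encrypted under the primary's key and stored in the primary's local data."""
    other_key = other.unlock(other_password)
    if other_key is None:
        return False
    nonce = secrets.token_bytes(16)
    primary.secondary[other.name] = (nonce, xor_stream(primary_key, nonce, other_key))
    return True

def unlock_all(primary: Vault, master_password: str) -> dict:
    """Master password -> primary key -> every attached secondary key, all in one unlock."""
    primary_key = primary.unlock(master_password)
    if primary_key is None:
        return {}
    keys = {primary.name: primary_key}
    for name, (nonce, wrapped) in primary.secondary.items():
        keys[name] = xor_stream(primary_key, nonce, wrapped)
    return keys
```

A fresh machine (a new Vault acting as primary) starts with an empty secondary map, which is why each pre-existing vault's own password must be entered once there before the Master Password alone opens everything.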

  • kneil250
    Community Member

    Ah, you actually hit on another thing that's been in the back of my mind: I put most of my family on 1Password a while ago, but now I'm thinking of moving everyone to 1Password for Families, since, y'know, that's a thing now. :) Can you briefly outline how those vaults interact with normal Individual vaults?

  • Megan
    1Password Alumni

    Hi @kneil250,

    1Password Families and 1Password for Teams vaults can play quite nicely with your individual vaults. For example, I’ve got 3 vaults synced via Dropbox (that I just haven’t migrated to Families yet) and I can view all of them simply in the 1Password interface.

    One of the benefits of 1Password Families and 1Password for Teams is that your data from all vaults tied to that account will be added instantly to your device when you sign into your account, so there’s no need to add one vault after the other. You sign into your 1Password account in 1Password’s Preferences > Teams.

    I hope that answers your question, but if there’s anything else you’d like to know about vaults, passwords, or the universe in general, we’re here for you. ;)
