Master Password Clarification

chuckwolber
chuckwolber
Community Member

When creating a new vault I am greeted with the following message:

The password you enter will be used to encrypt the data in this vault. You'll continue to unlock 1Password with your Master Password.

If you don't intend to share this vault with anyone, we recommend using Master Password instead of creating a new one.

I read that in the following way:

  • The new vault will be encrypted with the vault specific password.
  • The vault specific password will be stored and encrypted with the master password.
  • To unlock the new vault, the master password will unlock the vault specific password, which will then be used to unlock the new vault.

This leads to a few questions that I was unable to find good answers to:

  1. Shall I assume that I can simply forget the vault specific password and only rely on the master password?
  2. How does one change the Vault Specific passwords? I cannot seem to find a way to do that. The only thing I seem to be able to change is the master password.
  3. If I follow the advice in the latter section and use the Master Password for the vault specific password, and the Master Password is compromised, how do I ensure that a Master Password change changes the Vault Specific passwords?

Thank you!


1Password Version: 6.5.1
Extension Version: Not Provided
OS Version: OS X 10.12.1
Sync Type: Dropbox

Comments

  • Drew_AG
    Drew_AG
    1Password Alumni

    Hi @chuckwolber,

    Thanks for writing in with your questions! I can definitely help to explain how this all works.

    I read that in the following way:

    • The new vault will be encrypted with the vault specific password.

    Close, but not exactly: When you create a vault and choose a master password, that password is used to encrypt a key, and that key encrypts the data in the vault. (The message you see when choosing to create a new vault doesn't go into those details because the point it's making is simply that the new vault will have its own master password.)

    • The vault specific password will be stored and encrypted with the master password.

    No, and that's because master passwords aren't actually stored anywhere at all. (This is part of what makes 1Password so secure.)

    Instead, the encryption keys are stored along with your vaults in an SQLite database on your Mac. Each vault has its own key, and each key is encrypted by the master password for that specific vault - but the master passwords are only stored in your own head (unless you write them down somewhere, of course).

    • To unlock the new vault, the master password will unlock the vault specific password, which will then be used to unlock the new vault.

    Unlocking your Primary vault automatically unlocks the secondary vaults by using their encrypted keys, not their master passwords. The way this works is that there's a copy of each secondary vault's encryption key which is encrypted by the master password for the Primary vault. By unlocking the Primary vault, you gain access to the keys to decrypt the secondary vaults.

    To be clear, the secondary vault keys that are encrypted by the Primary vault's master password are not actually stored in the Primary vault - they are stored in the main database where all the vaults & keys are stored. When you sync the Primary vault via Dropbox, only the data from the Primary vault is exported to a sync file, so none of the secondary vaults' keys are synced with it.

    1. Shall I assume that I can simply forget the vault specific password and only rely on the master password?

    Even though you can unlock all the vaults on your Mac by entering your Primary vault's master password, you don't want to forget the master passwords for your secondary vaults! If/when you sync a secondary vault to another device (via Dropbox), you'll need to enter the master password for that vault on the other device in order to add it there.

    You can create items in your Primary vault where you can keep master passwords for secondary vaults if you want to make sure you don't forget.

    2. How does one change the Vault Specific passwords? I cannot seem to find a way to do that. The only thing I seem to be able to change is the master password.

    I'm sorry it's not clear how to do that! First you'll need to switch to that vault in the app (use the vault switcher in the top left corner of the main app window, or go to 1Password > Switch to Vault in the menubar). Then go to 1Password > Preferences > Security and click the 'Change Password for the "[vault name]" vault' button.

    3. If I follow the advice in the latter section and use the Master Password for the vault specific password, and the Master Password is compromised, how do I ensure that a Master Password change changes the Vault Specific passwords?

    Each vault has its own master password, even if you choose the same one for each vault. When you change a vault's master password, you're changing it for only that vault. To change the master password for each vault, you'd need to change each one individually.

    I hope this helps to answer your questions, but if you have more, just let us know - we're always happy to help! :)

  • chuckwolber
    chuckwolber
    Community Member

    I'm sorry it's not clear how to do that! First you'll need to switch to that vault in the app (use the vault switcher in the top left corner of the main app window, or go to 1Password > Switch to Vault in the menubar). Then go to 1Password > Preferences > Security and click the 'Change Password for the "[vault name]" vault' button.

    I am sorry, but I do not see what you are saying. Can you show me what I am missing? This is what I see when I follow your guidance:

    I should also mention that I have searched every other tab and find nothing that would indicate that I can change an individual vault's password.

    And as a side note, I can get a consistent crash in 1P 6.5.1 if I go in and out of preferences multiple times in short succession.

  • @chuckwolber,

    In the main 1Password window if you change the vault selected where it says "Primary" to your secondary vault, then the "change master password" button will transform into a button that lets you change the password on that secondary vault.

    Rudy

This discussion has been closed.