how does changing the master password affect the security of the vault?

The_caveman
Community Member

Hi,
I seem to recall reading that the master password was used to encrypt the vault.
However, changing the master password did not change the way the vault was encrypted. That stayed connected to the first password.
Is that correct? Or is my mind deceiving me?

=> What is the best way (read: safest way) to change the master password? Just change it or really start again and make a new vault?
=> If you use a very weak first master password, does that mean the vault is poorly encrypted? Does changing to a better master password do anything to increase the security of the vault (assuming the first is still used to encrypt the vault)?

I guess my non-crypto background seeps through, but I would like to know nonetheless... Please educate me! :-)

thanks



Comments

  • AGAlumB
    1Password Alumni

    @The_caveman: You're right. Each vault has its own encryption keys which are generated when it's created, and these, in turn, are encrypted using the Master Password. So while no one is going to be able to brute-force the encryption keys, and the Master-Password-decrypted encryption keys are never stored, if you wanted to truly start from scratch, create a new vault with a new Master Password. This will also get you a higher PBKDF2 iteration count if you're using an old vault, since we've increased it over time.

    => if you use a very weak first master password, does that mean the vault is poorly encrypted? Does changing to a better master password do anything to the increase security of the vault (assuming the first is still used to encrypt the vault)?

    I did want to address this more directly though, even though I answered it indirectly above. This is part of the reason the encryption keys are used in the first place; otherwise, if you use monkey123 as your password to encrypt the data directly, it's a much shorter trip to cracksville. Also, if the data itself were encrypted directly with your Master Password, then changing it would be much more difficult, since all of the data would need to be re-encrypted. I hope this helps! :)

  • The_caveman
    Community Member

    "higher PBKDF2 iteration"
    Euhm... qué?

    Otherwise, thanks for the reply!

  • Drew_AG
    1Password Alumni

    Hi @The_caveman,

    On behalf of Brenty, you're very welcome! I'm glad his reply was helpful.

    "higher PBKDF2 iteration"
    Euhm... qué?

    PBKDF2 stands for "Password-Based Key Derivation Function 2", and in a nutshell, it's something that makes it more difficult for someone to figure out your master password by making repeated guesses in a brute force attack. If you're interested, we have more information about that here: How PBKDF2 strengthens your Master Password

    If you have more questions or need anything else, please don't hesitate to let us know. Cheers! :)
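The key-wrapping design described in the two replies above (a random vault key encrypted under a PBKDF2-derived key, so a Master Password change only re-wraps that key and can raise the iteration count without touching the stored items), as an added toy model that is not 1Password's code or on-disk format. It assumes PBKDF2-HMAC-SHA256, a constructed iteration count, and an HMAC-in-counter-mode stream with an HMAC tag as a stand-in for a real cipher such as AES.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed value, not 1Password's real iteration count

def derive_kek(master_password: str, salt: bytes, iterations: int) -> bytes:
    # PBKDF2 stretches the Master Password into a key-encryption key (KEK)
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC in counter mode: an illustrative stand-in for a real cipher such as AES
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest() for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC; layout is nonce || ciphertext || tag
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class Vault:
    def __init__(self, master_password: str, iterations: int = ITERATIONS):
        vault_key = os.urandom(32)  # random data key, never derived from the password
        self.items = []             # each item sealed under vault_key, not under the password
        self._wrap(master_password, vault_key, iterations)

    def _wrap(self, master_password: str, vault_key: bytes, iterations: int) -> None:
        self.salt, self.iterations = os.urandom(16), iterations
        self.wrapped_key = seal(derive_kek(master_password, self.salt, iterations), vault_key)

    def _unlock(self, master_password: str) -> bytes:
        return unseal(derive_kek(master_password, self.salt, self.iterations), self.wrapped_key)

    def add_item(self, master_password: str, secret: bytes) -> None:
        self.items.append(seal(self._unlock(master_password), secret))

    def read_items(self, master_password: str) -> list:
        vault_key = self._unlock(master_password)
        return [unseal(vault_key, blob) for blob in self.items]

    def change_master_password(self, old: str, new: str, iterations: int = ITERATIONS) -> None:
        # Only the wrapped key is rewritten; every item blob stays byte-for-byte identical
        self._wrap(new, self._unlock(old), iterations)
```

A weak first password leaves the wrapped key (not the items) as the cheap target, which is exactly why re-wrapping under a stronger password and a higher iteration count is a meaningful upgrade even though the vault key itself never changes.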
