Bug: 1P doesn't remove database password when signing out or update it when changing accounts
Long time fan of 1Password on OSX. Around Thanksgiving, I tried to help my father install it on his Windows 10 laptop. As many others in the forums have been complaining, we ended up downloading 1Password 6, which has... not been a great experience. (And to save you the keystrokes - I know 1Password 6 is not a forced upgrade, and I know it's the only way to access the 1Password.com service, and local vaults are only on 1Password 4.)
The latest problem - he's trying to set up a second user account. We couldn't figure out how to create a new user, so we ended up uninstalling 1Password to force it through the "new user" flow. When we got through the user creation flow and logged in with the new user account, we could still see all of the accounts from the original account!
After some digging, we realized that the original user was logged in as well as the new user. We logged the original user out, saw an empty vault (as expected).
That's when the problems started.
We wanted to log back into his original account, but it wouldn't accept the master password. We then tried logging in to his new account. That didn't work either. Finally, we tried logging into his NEW account with his ORIGINAL account's master password.
That worked.
That's very concerning.
As of now, we still can't get into his original vault on 1Password 6 on this machine, although we CAN access his original account through the website.
I think there are two, maybe related things, happening:
1. You are leaking data between user accounts somewhere. I can't think of any other way we use the NEW email address and the ORIGINAL password and still successfully log in to the NEW account.
2. There are artifacts left over after the uninstall (which is demonstrated by the numerous times we've uninstalled, reinstalled, and then immediately been presented with a Master Password Unlock screen instead of a login screen).
Help?
1Password Version: 6.2.333d
Extension Version: Not Provided
OS Version: windows 10
Sync Type: 1password
Comments
-
Hi @zaccohn,
Thanks for reporting this. This is intentional at the moment; it will be more intuitive in the near future.
1Password 6 has its own internal app database password, which is created by the first password you give it and it will remain that way forever unless you manually save it in the security settings, even if you change any accounts.
We plan to overhaul this process to link the database password against the first account or vault, so that if you sign out, the app must check for other accounts and reuse them.
1Password 6 does detect when you have changed the master password for the first account and when you sign in again with the new password, it will update the local database password.
For now, what you can do to fix this is unlock the app with the original password and then go to Settings on the top right to select Options. Go to Settings and click on Change master password to change it to the new account's password.
- You are leaking data between user accounts somewhere. I can't think of any other way we use the NEW email address and the ORIGINAL password and still successfully log in to the NEW account.
To be absolutely clear, it is not. There are two separate parts to this: the main database password, which encrypts all data going into the database, is separate from any accounts you're using. We do this so you'd have one password for all the different 1Password.com accounts and local vaults you add, which are stored encrypted by their own keys, which we re-encrypt with your database password.
- There are artifacts left over after the uninstall (which is demonstrated by the numerous times we've uninstalled, reinstalled, and then immediately been presented with a Master Password Unlock screen instead of a login screen).
Correct, that's the database password. We're treating this as a bug and will remove the database password when you have signed out of the last account and there is nothing left.
-
As of now, we still can't get into his original vault on 1Password 6 on this machine, although we CAN access his original account through the website.
I thought you said you can unlock with the original password, or are you saying this because you expect to see the original vault due to the password you're entering?
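Added example, not part of the thread and not 1Password's code: a minimal Python model of the two-layer design the reply describes, where a local database password wraps per-account keys and stays fixed to the first password given. All names (`LocalDatabase`, `replay_thread`), the PBKDF2 parameters and the HMAC-based toy wrap (a stand-in for a real AEAD or AES key wrap) are assumptions made for illustration.

```python
import hashlib, hmac, secrets

def derive_kek(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _pad(kek: bytes, nonce: bytes) -> bytes:
    # Toy 32-byte keystream; a real design would use an AEAD or AES key wrap.
    return hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()

def wrap(kek: bytes, key: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(key, _pad(kek, nonce)))
    tag = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    good = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong database password")
    return bytes(a ^ b for a, b in zip(ct, _pad(kek, nonce)))

class LocalDatabase:
    def __init__(self, first_password: str):
        # The first password given becomes the database password.
        self.salt = secrets.token_bytes(16)
        self.check = wrap(derive_kek(first_password, self.salt), bytes(32))
        self.accounts = {}  # account name -> wrapped account key
    def _kek(self, password: str) -> bytes:
        kek = derive_kek(password, self.salt)
        unwrap(kek, self.check)  # raises ValueError on a wrong password
        return kek
    def add_account(self, db_password: str, name: str, account_key: bytes):
        self.accounts[name] = wrap(self._kek(db_password), account_key)
    def sign_out(self, name: str):
        # Behaviour reported in the thread: salt and check value stay behind.
        del self.accounts[name]
    def unlock(self, password: str) -> dict:
        kek = self._kek(password)
        return {n: unwrap(kek, b) for n, b in self.accounts.items()}

def replay_thread():
    db = LocalDatabase("original-pw")  # constructed passwords and keys
    db.add_account("original-pw", "original", secrets.token_bytes(32))
    db.add_account("original-pw", "new", secrets.token_bytes(32))
    db.sign_out("original")
    try:
        db.unlock("new-pw")
    except ValueError:  # the new account's password never became the unlock password
        return sorted(db.unlock("original-pw"))
```

`replay_thread()` returns `['new']`: after the original account is signed out, the original password still unlocks the local database and only the new account's key is inside it, with no account key shared between the two.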