Which Master Password encrypts the data?

Comments

  • Manaburner
    Community Member

    Is the data that I have synched from 1Password.com to my Windows or Mac machine protected by the master password (which I entered on 1Password.com) or is the data protected by a (potentially weaker) local password in the application? Or both? I was wondering because what does it help when you have the strongest master password mankind has ever seen on 1Password.com, when an attacker has copied my data from the local machine and can crack it easily because I chose to have a weak local password which I chose for convenience.
    I hope what I wrote makes sense :)


  • Hi @Manaburner - I hope you don't mind that I merged the discussion with this thread. @Brenty replied to a similar question yesterday and I thought he had a great response. Are you currently using two Master Passwords? One to unlock the apps and another to sign into your 1Password.com account? I just want to make sure we're on the same page. :+1:

  • Manaburner
    Community Member

    Hi @Frank sure no problem. Yes, I'm using two master passwords like you said.
    Maybe I have misunderstood something, but I don't think that Brenty's replies address the question I have posted.
    Basically my question is targeted to this: is it ok to have a simpler password to unlock the apps? Or does this weaken the security of my data (at least locally)?

  • AGAlumB
    1Password Alumni

    @Manaburner: Ah, I think you're right. Sorry about that. I've split you off into a separate discussion so we don't confuse things. :blush:

    I was just thinking to myself that we've made it so that the server will ask you to reauthenticate if you change your Master Password remotely now...but I'm guessing you still have a local vault hanging around. Is that the case? ;)

    Anyway, to (hopefully) answer your question, the new 1Password 6 Windows desktop app currently uses the first successful Master Password to encrypt the data locally. This could be a local vault you imported before anything else, or the first 1Password.com account you signed in to. Either way, unless you later update it within the app, that will remain so.

    With that in mind, I'd definitely recommend changing what you're using to be stronger, for a few reasons:

    1. A long, strong, unique Master Password will better protect your data.
    2. A single good Master Password will be easier to remember and develop muscle memory for typing, even if it takes some practice.
    3. Having more than one also puts you at risk for either forgetting one (or both), or tempts you to save one (or both) somewhere other than your brain; it can be good to do this by saving a copy of your Emergency Kit somewhere very secure like a safe deposit box, but otherwise it's best that your Master Password only exist in your brain so that it can never be discovered.

    I think that should help, but please let me know if you have any other questions. :)

  • AGAlumB
    1Password Alumni
    edited June 2017

    @Manaburner: And I realize now that I should have answered your original question more directly, because of how important this is:

    Basically my question is targeted to this: is it ok to have a simpler password to unlock the apps? Or does this weaken the security of my data (at least locally)?

    No. Always use the best Master Password you can, as it's the single most important way you can protect your data. Only you ever know what it is...unless someone is able to guess it (or brute force it with a computer), so we don't want to take any chances.

  • Manaburner
    Community Member

    Hi @brenty
    thank you for your very detailed answer.
    I think we're almost there, maybe I should have phrased my question differently. :)

    From what I've read about the security of 1Password.com accounts, the data is protected by the secret key and the master password. Data is locally encrypted before being transmitted and if I'm using the web version, SRP comes into play.

    What I don't quite understand is, why you can have a password to unlock the apps that is different (and potentially weaker than) the super strong master password I chose when creating my 1Password.com account.
    In the old days when syncing via Dropbox, you had no choice but using the strong master password that you used for the .agilekeychain vault.
    And now we have a password per device/app and the master password. Is the data (locally) encrypted using the "app" password or the master password used on 1Password.com?

    Because obviously the app password is able to decrypt my data locally even if it's different from the master password.

    I really hope this all makes sense. It's really hot here in Germany currently ;)

  • AGAlumB
    1Password Alumni

    @Manaburner: Ah, fair enough. You're right, that is a bit different. I'll do my best! :chuffed:

    The first thing to keep in mind is that any time there are multiple local vaults and/or 1Password.com accounts in an app, there's a "chain" setup there so you can unlock the app with a single Master Password. In most cases, this is the Master Password for the Primary (local) vault or first added 1Password.com account (if no local vault exists). All "subsidiary" vaults/accounts have their derived keys encrypted in the local database using keys derived from the Primary/first Master Password, so that this can be used to unlock and decrypt all the data. It's only slightly different on Windows in that there isn't a way to "sync" Master Password changes to/from the app, so it's in a bit of a no man's land currently in that respect. But we'll be updating it to use the same specification as the others.

    Anyway, let me know if that helps. Hopefully it's a dry heat. Stay cool out there! :lol:
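As an added illustration of the "chain" described above (example code written for this thread, not 1Password's own implementation): every vault or account key is wrapped under a key derived from the Primary Master Password, so one password unlocks all of them, and the local protection of even a strongly-protected 1Password.com account is bounded by that Primary password. It assumes PBKDF2-HMAC-SHA256 as the password KDF and a constructed HMAC-SHA256 encrypt-then-MAC wrapper standing in for a real authenticated cipher; all function names are mine.

```python
import hashlib
import hmac
import secrets

# Assumed parameters (not 1Password's actual KDF or cipher): PBKDF2-HMAC-SHA256
# for the password-derived key, and a toy HMAC-SHA256 encrypt-then-MAC wrapper
# standing in for a real authenticated cipher, so the example runs on stdlib only.
ITERATIONS = 100_000

def derive_kek(master_password: str, salt: bytes) -> bytes:
    """Key-encryption key derived from a Master Password and a per-chain salt."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS, dklen=32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC blocks (toy construction)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]

def wrap_key(kek: bytes, vault_key: bytes) -> bytes:
    """Encrypt a vault key under the KEK and authenticate it: nonce || ct || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(vault_key, _keystream(kek, nonce, len(vault_key))))
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap_key(kek: bytes, blob: bytes) -> bytes:
    """Reverse wrap_key; rejects a wrong KEK (wrong password) or a tampered record."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong Master Password or tampered key record")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))

def build_chain(primary_password: str, vault_keys: dict) -> dict:
    """Local database record: every vault/account key wrapped under the Primary KEK.
    The 1Password.com account may have its own strong password, but locally its
    key is protected only by whatever unlocks the Primary vault."""
    salt = secrets.token_bytes(16)
    kek = derive_kek(primary_password, salt)
    return {"salt": salt, "wrapped": {name: wrap_key(kek, k) for name, k in vault_keys.items()}}

def unlock_chain(password: str, record: dict) -> dict:
    """One password unlocks everything in the chain, or nothing at all."""
    kek = derive_kek(password, record["salt"])
    return {name: unwrap_key(kek, blob) for name, blob in record["wrapped"].items()}
```

Unlocking with the account's own (stronger) Master Password fails here because that password is not part of the local chain; only the Primary password is.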

  • Manaburner
    Community Member

    Hi @brenty
    Thank you for your detailed reply. So I learned that I should use a strong password locally too, because it weakens the "chain". Makes sense. Have a nice weekend :)

  • AGAlumB
    1Password Alumni

    You too! In hindsight, I wish I'd summarized it as concisely as you just did. Cheers! :chuffed:

  • mpix
    Community Member

    Excuse me, I'm not totally understanding the logic here:

    isn't the encryption password (and decryption, ofc) derived from secret key + master key? Even locally, I was supposing.

  • AGAlumB
    1Password Alumni

    @mpix: Local vaults don't have a Secret Key, so no. When Manaburner and I set up 1Password 6 with a read-only local vault to import our data, that vault's Master Password became the one used (derived) to encrypt the app's database.

  • Manaburner
    Community Member

    Hi @brenty
    sorry if I resurrect this thread. I just tried to change my local master password in 1Password Beta on my Windows machine but couldn't find any option for that. Is this possible at all?

  • AGAlumB
    1Password Alumni

    @Manaburner: No. Writing to local vaults isn't possible in 1Password 6. It will use the Master Password for the first vault/account added, and you'll be prompted to update your account credentials if you change it remotely. Let me know if you have any trouble with that!

  • Manaburner
    Community Member

    Hmm, I have only added my 1Password.com account to it, but I definitely have a local master password that is different from the "online" master password.

  • AGAlumB
    1Password Alumni

    @Manaburner: That sounds like you may have been affected by a bug in a previous version then. Sorry about that! Make sure of two things:

    1. You have the latest version of 1Password installed
    2. You have all of your data in your account at 1Password.com

    Then just follow the instructions here to start over in the app so you can set it up with your account from scratch:

    Reset 1Password

    Let me know how it turns out! :)

  • Manaburner
    Community Member

    Hi @brenty, you nailed it. After resetting, there's no more discrepancy between the master passwords. I'm so glad that I chose a very long master password that I now have to enter every time I unlock 1Password, sigh ;)

  • Greg
    1Password Alumni

    @Manaburner: On behalf of Brenty you are very welcome! :chuffed:

    A good Master Password can be memorable, so it is not much of a hassle to enter it. You can check our article about it:

    How to choose a good Master Password

    Moreover, you can change the Auto-lock settings in the 1Password app and extend the period, so you won't have to unlock 1Password too frequently. I hope it helps. :+1: If you have any other questions about 1Password, you know where to find us.

    Have a great day!

    Cheers,
    Greg

  • Manaburner
    Community Member

    My master password is memorable, but it is still very long (7 words). So it's a lot to type.

  • Greg
    1Password Alumni

    @Manaburner: If that is the case, please try to choose a comfortable Auto-lock time in the settings. But please be careful. Thank you!

    Cheers,
    Greg

  • AGAlumB
    1Password Alumni

    With the additional security of the Secret Key that's arguably overkill, but that shouldn't discourage you from continuing to use such an awesome Master Password since that's really future-proof — you can hang onto that one probably for the rest of your life, and it will probably get easier over time as things like Touch ID and Windows Hello become more commonplace! :sunglasses:
