Is a Primary vault necessary in order to have a different desktop Master password?
TL;DR version
Am I right that when using Family (or Teams), a local (i.e. not-in-the-cloud) Primary vault is still needed (although it can remain empty) if one wants to have a different Master password for use in the desktop app versus the Master used for the <mysite>.1password.com account?
Details
Since moving to Family and Teams, I no longer have need of a local Primary vault. However, I left it lying around for a while, even though it was empty. The other day, I decided to clean up and I deleted it, and as a result only narrowly avoided what could have been a bit of a disaster.
You see, although I have very long-and-strong Master passwords for my 1password.com accounts -- one in Family, and one in Teams -- for everyday use in the desktop app, I have a Master that is still tough but not just as long-and-strong as the ones out in the internet badlands. But what I hadn't realized was that that shorter desktop Master password was in some way intimately bound up with my unused-but-not-yet-deleted Primary vault. As soon as I did delete the Primary vault, it seems I also deleted the shorter Master password. That was a potential disaster because I then needed one of my long-and-strong Master passwords to access my Desktop app, and I do not know either of the long-and-strong Masters for my Family and Team accounts! They're too long-and-strong and so in fact I keep them in 1Password.[1] Fortunately my long-and-strong Masters are in vaults shared with my wife, and I also knew her shorter desktop Master, so I could get access that way. (Also, she's an admin so we could also have initiated recovery of mine.) So then, having obtained the required long-and-strong Master, I was able to use it to regain access to the desktop, and from there I re-created my Primary vault and reinstated my shorter-but-still-strong desktop Master (which is why I knew how to answer this question), and all was well. Given all of that, my question is:
Am I right to assume that if one wants a different "Master" password on the desktop -- i.e. different from the Master(s) used in any Family or Team accounts to which one is subscribed -- one must have a Primary vault, even if it is left empty?
thx.
[1] That's acceptable because I rarely need those long-and-strong Masters, and because on the odd occasion I do need them I can get to them using my shorter desktop Master which I can remember ... except I'd just deleted it, thereby rendering it obsolete as a password! (Yes, yes, I should have all this printed out on my Emergency Kit, but I don't (yet). Sue me.)
1Password Version: 6.7 (Mac App Store)
Extension Version: Not Provided
OS Version: OS X 10.11.6
Sync Type: Family & Team accounts
Comments
Hi @ThomasK! That's a great question - let me answer it in two ways: a technical answer to the direct question, and a theoretical answer to your situation there in general :chuffed:
Technical: The answer is yes-ish. In 1Password for Mac, when you have a mixed setup with subscription accounts and local vaults, the app will ask for the master password of the first local vault found (which is Primary) when unlocking. In the absence of any local vaults, the app will instead ask for the master password of the first subscription account membership that is signed in. So with a Family account and a Teams account, if you had no local vaults and signed into the Families account first, then Teams, the app would ask for the Families membership master password. If you then subsequently signed out of the Families account, the app would switch over to asking for the Teams account master password. I hope that all makes sense!
Theoretical: Generally speaking if your master password is so long or complex that you can't remember it, then it's likely not the best master password you could have. For master passwords, complexity isn't the only goal - you need to balance complexity with the ability to memorise it, otherwise there will be potentially situations like this where you either need it but don't know it, or are thinking about using a potentially less-secure password as a workaround for having to enter it (which defeats the whole point).
We have an article here about how to choose a great master password that balances both sufficient cryptographic complexity (which is the important type of complexity here!) while still being easy to remember and enter - you might want to read through it (and the linked "Towards Better Master Passwords" blog post), and maybe think about updating your Families and Teams master passwords accordingly! https://support.1password.com/strong-master-password/
I hope that helps! :+1:
Thanks John.
So on your technical point, it looks to me like the answer is not merely yes-ish, but an outright yes. If one wants a desktop password that is different from those used for any subscription accounts then a local Primary vault is required, period. Fair enough, and good to know. And having checked the mechanism again, I can see that the user is given fair warning that in deleting the Primary they will have to start relying on the relevant subscription Master password. So I should have seen it coming. However, clearly that wasn't enough to stop me gaily proceeding with the deletion without realizing that particular consequence, so by way of a feature suggestion I guess a slightly more obvious warning couldn't go wrong (you know -- the kind with klaxons, flashing red lights, and a voice saying "Idiot alert! Idiot alert! Idiot alert!")
On the theoretical answer, yeah I go back and forth on that. I did leave my laptop at an airport once and in the time it took to get it back (which happened in a couple of days and without incident), I did worry about the fact that my 1PW Master on it was not just as strong as the ones I use for the subscription services. And that's despite the fact that I run FileVault on the Mac in question (with a strong password completely different from my local 1PW Master).
But to be clear, my local 16+ character Master is very strong. In fact I actually consider it strong enough for use not only on the desktop but also for the subscription services. However, I still see a difference in threat profiles for my desktop versus the subscription services. To get my desktop stuff an attacker would need to physically get my laptop (and either login or get past FileVault) before they could even begin to hit the local 1PW data with a dictionary attack (which I'm pretty sure it would survive). So a degree of reasonable security through obscurity is at play in my favor. That is in stark contrast with the subscription accounts which every Bad Guy in the world knows live at <something>.1password.com. So it seems to me that in the balancing of password strength vs usability, the calculus weighs a little bit more towards the former for the cloud than it does for the desktop.
Therefore, since I login to the subscription services so infrequently I've chosen to make their Master passwords 32+ character behemoths. And they are of the correct horse battery staple type (although I also use numerics, symbols and case-mixing), not the Tr0ub4dor&3 type; in other words, they are memorable (to me, or at least they would be if I used them often enough to embed them in my brain). The trouble is, memorable or not, I have found the probability of me mis-typing a 32+ mixed-case-alpha-numeric-symbolic character pass-phrase to be around 50%, and that doesn't make for a fun day (especially when for any given authentication that mis-type percentage, along with the amount of cussing from me, tends to increase each time I mistype!)
I concede that in the end, such big-ass Masters, when combined with the AgileBits secret keys, means the whole thing is perhaps paranoiacally strong, so much so that if anyone ever does get into my subscription setup I'll probably throw all my computing machinery in the trash and revert to clay tablets and weaving my own clothes.
But as a result I simply no longer worry about my password security. And that's in no small part due to you guys and 1Password. So kudos for that.
Tommy
It's an absolute yes. The way 1Password unlock works is you're either unlocking with the Primary vault (and it encrypts the keys for the other vaults and accounts with its key) or you have no local vaults and the first account in the Accounts list acts as the "master account" that holds onto those encrypted keys.
Rudy
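To make the key hierarchy Rudy describes concrete, here is an added toy model (not 1Password's code or format): each vault or account has its own random vault key, the root holder's vault key is protected by its master password, and every other key is wrapped under the root's vault key. Deleting the Primary vault re-roots the chain on the first account, so only that account's master password unlocks the app afterwards. PBKDF2 and the HMAC-based wrap are stand-ins chosen for this example, not the real scheme.

```python
import hashlib
import hmac
import secrets

def derive_key(password: str, salt: bytes) -> bytes:
    """Master password -> 32-byte key-encryption key (PBKDF2 stands in for the real KDF)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def wrap(kek: bytes, key: bytes) -> bytes:
    """Toy authenticated wrap: HMAC keystream XOR plus HMAC tag (example only)."""
    nonce = secrets.token_bytes(16)
    stream = hmac.new(kek, nonce, "sha256").digest()
    ct = bytes(a ^ b for a, b in zip(key, stream))
    return nonce + ct + hmac.new(kek, nonce + ct, "sha256").digest()

def unwrap(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(kek, nonce + ct, "sha256").digest()):
        raise ValueError("wrong master password for the root vault/account")
    stream = hmac.new(kek, nonce, "sha256").digest()
    return bytes(a ^ b for a, b in zip(ct, stream))

class Keychain:
    """Holders in order: a local Primary vault first (if any), then signed-in accounts."""
    def __init__(self):
        self.order = []     # holder names; order[0] is the root the unlock prompt asks for
        self.own = {}       # name -> (salt, vault key wrapped under that holder's own KEK)
        self.by_root = {}   # name -> vault key wrapped under the root holder's vault key

    def add(self, name, master_password, root_password=None):
        # Signing in while unlocked: the root's vault key wraps the newcomer's key.
        salt, vault_key = secrets.token_bytes(16), secrets.token_bytes(32)
        self.own[name] = (salt, wrap(derive_key(master_password, salt), vault_key))
        if self.order:
            self.by_root[name] = wrap(self.unlock(root_password)[self.order[0]], vault_key)
        self.order.append(name)

    def unlock(self, password):
        # Only the root's master password is ever checked at the unlock prompt.
        root = self.order[0]
        salt, blob = self.own[root]
        keys = {root: unwrap(derive_key(password, salt), blob)}
        for name in self.order[1:]:
            keys[name] = unwrap(keys[root], self.by_root[name])
        return keys

    def delete_primary(self, password):
        # Requires the old root password now; afterwards the first account is the root.
        keys = self.unlock(password)
        del self.own[self.order.pop(0)]
        self.by_root = {n: wrap(keys[self.order[0]], keys[n]) for n in self.order[1:]}
```
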
@ThomasK: And just to clarify my "-ish" answer, I was mainly replying to your TL;DR version, where the "ish" was instead of having a local vault with a different master password, to have a .1password.com account with a different master password, and have that signed in before .1password.com ... otherwise, as covered above by myself and Rudy, a Primary local vault would be the only other way to do it.