
Question regarding multiple accounts with different master passwords

Hi.

I have a 1Password teams account (let's name it A) and an individual account (let's name it B). The teams account has existed since the 1Password Teams beta, the individual account only for a few days. I use different master passwords for these accounts.

Today I realised that only the master password of account A is necessary to unlock both accounts on my Mac, after the initial setup.

Now my question:

  • How is this possible? I found nothing in the security whitepaper.
  • Is some key to unlock my individual account stored in the teams account?
  • If yes: what happens if the team administrator is evil? Can he get my personal passwords in my individual account?
  • And what happens if the master password of my teams account gets into the wrong hands? Does it affect the individual account?
  • What happens when I log out of my individual account on my Mac? Are all keys to access my individual account deleted in the teams account?

Can you explain to me how this works?

Many thanks.

Kind regards
Anonymous


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Lars (1Password Alumni)

    @anonymous20283u90234 - excellent question! You are quite correct in your observation that it requires only one password to unlock all your vaults and accounts.

    Is some key to unlock my individual account stored in the teams account?

    Sort of. The short answer is: only locally, for that specific installation of 1Password -- and it's not extractable by you or anyone else.

    This actually predates the existence of 1password.com accounts by quite some time. Back in the day when there were only local vaults and manual sync, each time you created a new secondary vault, you had to give that vault a unique password, which generated the AES256 key that actually encrypted your data. But because we figured that "1Password" sounded better and simpler than "1Password each for however-many vaults you have" as a product name (and as a practice), we developed a method whereby the process of creating a new vault and giving it a unique password resulted in a copy of the encryption key for that secondary vault being "escrowed" (for lack of a better word, although key escrow is not entirely accurate to describe what is actually taking place) by your Primary's Master Password. Provide the proper Master Password locally within your 1Password app to unlock the Primary vault, and 1Password puts the keys "escrowed" when you created the other vaults into their "locks" as well, and all your data become visible to you. In this way, we can keep calling ourselves "1Password" ;)

    To be a little more serious, and to fast-forward to the present, a similar mechanism is in place when you use a native 1Password app with multiple 1password.com accounts. The password for whichever account you add when you first install 1Password on your device becomes the Master Password for that instance of 1Password also...but you can still add other accounts, and the keys to locally decrypt the data in those other accounts will be similarly stored inside that copy of 1Password for Mac, Windows, iOS or Android. So no matter how evil your team administrator becomes, (s)he has no way to snatch the keys to decrypt your data in your own personal account.

  • [Deleted User] (Community Member)

    Hi Lars

    Thanks a lot for your detailed answer. :-)

    Could you also answer two last questions regarding this topic?

    • What happens when I log out of my individual account on my Mac? Are all keys to access my individual account on the local device deleted?
    • From your support article about the Security of Touch ID on iOS: "When you enable Touch ID, 1Password stores in the iOS Keychain an obfuscated version of a secret that is equivalent to your Master Password. The secret is used to unlock 1Password when your fingerprint is recognized." Is the principle on the mac similar to the principle described in this support article? :-)

    Kind regards,
    Anonymous

  • Lars (1Password Alumni)

    @anonymous20283u90234 - If you mean signing out of your individual account in a web browser, your encryption keys never leave your local device. If you mean removing your individual account by going to Preferences > Accounts and clicking the minus button to remove it, then yes, everything would be removed as soon as you did that. If you meant something else, can you clarify?

    If you have a TouchBar-enabled Mac, then yes, Touch ID works quite similarly to what you see in 1Password for iOS when you use Touch ID there. You're essentially allowing the Mac (or iOS) keychain to store an obfuscated copy of your Master Password, meaning you're (more or less) substituting the security of Touch ID for that of typing out your Master Password. It's unquestionably not as strong, at least assuming you have a long and strong Master Password that you haven't shared with anyone. Apple says Touch ID is as good as about 1 in 50,000 (or the equivalent of about 6 digits worth of password entropy -- which is why it's no coincidence that Apple raised the unlock code from four to six digits at the time they first debuted Touch ID). Your long, strong Master Password is much, much more entropy than that.

    If you meant what we've been discussing, then no. The keys to unlock your other vaults (or accounts) remain encrypted by a KEK (Key Encryption Key) generated by your primary account (or Primary vault); the one you use your Master Password for, to unlock all data. So the key to your other accounts is encrypted by the public key of your first account. You prove you have the corresponding private key by entering your Master Password, which means you're authorized to unlock those other accounts' vaults as well.

    I hope that made sense, but if not, feel free to ask clarifying questions.
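The local escrow scheme Lars describes above, modelled as an added example (not 1Password's code): the primary account's Master Password derives a KEK that wraps the other accounts' vault keys, and the wrapped keys live only in the local installation. PBKDF2, the HMAC-based toy cipher and the LocalApp class are assumptions, and the public-key step mentioned in the thread is replaced by a symmetric KEK for brevity.

```python
import hashlib
import hmac
import os

def derive_kek(master_password: str, salt: bytes) -> bytes:
    """Master Password -> KEK. PBKDF2-HMAC-SHA256 is an assumption standing in for the app's real KDF."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000, dklen=32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream built from HMAC-SHA256 (toy stand-in for AES, assumption).
    blocks = []
    for ctr in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]

def wrap_key(kek: bytes, vault_key: bytes) -> bytes:
    """Encrypt-then-MAC a vault key under the KEK: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(vault_key, _keystream(kek, nonce, len(vault_key))))
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap_key(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong Master Password or tampered escrow blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))

class LocalApp:
    """One installation of the app: the wrapped keys exist only here, never server-side."""
    def __init__(self, primary_master_password: str):
        self.salt = os.urandom(16)
        self._kek = derive_kek(primary_master_password, self.salt)  # held only while unlocked
        self.escrow = {}  # account name -> wrapped vault key (local device only)

    def add_account(self, name: str, vault_key: bytes) -> None:
        # Adding a second account escrows its key under the primary account's KEK.
        self.escrow[name] = wrap_key(self._kek, vault_key)

    def remove_account(self, name: str) -> None:
        # Preferences > Accounts > minus: the local escrow entry is deleted.
        del self.escrow[name]

    def unlock(self, master_password: str) -> dict:
        # One Master Password (the primary's) yields every escrowed vault key;
        # a wrong one fails the MAC check instead of silently returning garbage.
        kek = derive_kek(master_password, self.salt)
        return {name: unwrap_key(kek, blob) for name, blob in self.escrow.items()}
```

Because the team's server only ever holds the team account's own data, a teams admin who could read it would still find no wrapped key for the personal account in this model.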

  • [Deleted User] (Community Member)

    Hi @Lars

    Thanks again for your detailed answer. :-)

    If you mean removing your individual account by going to Preferences > Accounts and clicking the minus button to remove it, then yes, everything would be removed as soon as you did that.

    If you meant what we've been discussing, then no. The keys to unlock your other vaults (or accounts) remain encrypted by a KEK (Key Encryption Key) generated by your primary account (or Primary vault); the one you use your Master Password for, to unlock all data. So the key to your other accounts is encrypted by the public key of your first account. You prove you have the corresponding private key by entering your Master Password, which means you're authorized to unlock those other accounts' vaults as well.

    Perfect, this answers my questions.

    If you have a TouchBar-enabled Mac, then yes, Touch ID works quite similarly to what you see in 1Password for iOS when you use Touch ID there. You're essentially allowing the Mac (or iOS) keychain to store an obfuscated copy of your Master Password, meaning you're (more or less) substituting the security of Touch ID for that of typing out your Master Password. It's unquestionably not as strong, at least assuming you have a long and strong Master Password that you haven't shared with anyone. Apple says Touch ID is as good as about 1 in 50,000 (or the equivalent of about 6 digits worth of password entropy -- which is why it's no coincidence that Apple raised the unlock code from four to six digits at the time they first debuted Touch ID). Your long, strong Master Password is much, much more entropy than that.

    Thank you for this explanation, that's good to know. Sorry if my question was a bit imprecise. :-)

    Have a nice day.

    Kind regards,
    Anonymous

  • Lars (1Password Alumni)

    @anonymous20283u90234 Glad to hear it! Drop by any time if you have questions or issues. :)

  • AdamP (Community Member), edited December 2017

    It seems like you have removed this functionality in 1Password X; i.e., I now have to unlock each account individually. Moreover, according to your support page for 1Password X, it looks like you are recommending that people do away with the very safeguard you described:

    We recommend using the same Master Password for all your accounts. If you signed up for accounts with different passwords, you can change them.

    This is really too bad, and seemingly counterintuitive to your own design philosophy as described above. On my work machine, I prefer to be able to open my family and team items in the browser at once, but I wouldn't want my employer to have access to my personal vaults. I was able to successfully open both in 1Password X, but it had to be done manually each time 1Password is unlocked, and is very cumbersome at the moment. I would hope that you would at least give the option to continue to unlock all vaults and accounts using a single master password in 1Password X.

  • Lars (1Password Alumni), edited April 2018

    @AdamP In terms of Master Password re-use, it's a matter of personal preference. Yes, having different Master Passwords for each account is probably (though not necessarily) more secure. But it's also more likely to cause confusion or even data loss, if you can't remember the password you used for a particular data-set.

    One of the reasons we recommend against password re-use for logins on the web is because potential thieves know what the big banks/credit card companies/email providers are. If you use the same password out "in the wild," one disclosure at some out-of-the-way site could potentially lead to your entire digital life being taken over, with just a little effort on the hackers' part. But re-using a Master Password for multiple 1password.com accounts isn't quite the same thing. To begin with, you should never tell your Master Password to anyone, but - and this is the most important point here - even in a 1Password Teams setup, your team's owners and administrators don't know your Master Password. They can manage your account - even delete your membership and all your data without warning to you...but they can't reveal or cause us to reveal your Master Password.

    In order for you to be vulnerable, someone would have to learn your Master Password, and even then, they'd still need your Secret Key in order to be able to access your data, as that's a second encryption factor. The only exception to this rule would be if someone 1) came across your Master Password 2) had physical access to one of your computers on which you had 1Password X and 3) thought to try the (work-related) Master Password on different accounts you had in 1Password on that device.

    Without access to a device on which you have 1Password X installed, an attacker would need to know what other accounts you HAVE. Unlike with regular internet passwords (where hackers would default to checking all major banks/credit card providers, to see if they can leverage password re-use into a payday for themselves), if you have multiple 1Password accounts, how would a thief know under what URLs to look for additional accounts for you? Just some food for thought.
