Separate password and vaults for less trusted devices

Hi,

I'd like to separate my less important passwords for a different vault with different vault in so that if I use a machine that's less trusted and more likely to be compromised only the less important passwords could be compromised. Now there doesn't seem to be a way to do that as it's required to type the single master password to access any vault. Is there any solutions for this use case? Lastpass allows free accounts with which I could easily achieve this but with 1password I'd need to pay twice to get this functionality if I've understood correctly.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

«13

Comments

  • JacobJacob

    Team Member

    Hi @komentaja! Thanks for asking about this. At the moment, all vaults in the 1Password apps are indeed unlocked with your Master Password. This is mainly for convenience, but it's also the name of the app — one password. :) If you'd like to use multiple passwords to unlock different vaults, you could have two different accounts and sign in to them each separately in a browser. You wouldn't be able to use the filling features this way, but you could separate your data.

    Hope that helps! We've gotten some feedback about adding something like this to the apps before, so I'll let the team know you asked about it.

  • Thanks for the quick response even though it's weekend! Is it possible to share vaults between accounts and somehow get account created without paying twice if I'm using both myself? That would solve my issues for now. Current solution is to check from phone or some trusted device nearby and manually type in the passwords. I'm keeping them simple and memorable only because of that which sucks.

  • JacobJacob

    Team Member

    @komentaja At the moment vaults are account-specific, so that wouldn't be possible. I'm sorry for the inconvenience. It's worth remembering that if your Master Password is a strong one, there isn't anything to worry about even if your data falls into the wrong hands. A better strategy than having two Master Passwords and sets of data would be to have one that is very strong and trustworthy. Creating a strong Master Password is a good start:

    How to choose a good Master Password

    Once you do that, there are three umbrellas of security in 1Password accounts to protect things. Before all of them is your Master Password and Secret Key. In the standalone version of 1Password, everything is protected by your Master Password and all the security wizardry in the app. But in an account, the Secret Key is used to strengthen things even further. If you have a weak password, it's very unlikely someone will be able to access your data because the Secret Key is a 128-bit string of characters that's generated locally when you set up your account. It never leaves your device, and we ask that you print it out to have a copy in case you need it later — you're probably not going to remember the whole thing. ;)

    It’s great to have a Master Password and Secret Key protect your data, but they also need to communicate with the server to access your data, so we use three layers to protect things at rest and in transit. The first layer is based on your Master Password and Secret key, which are used to derive a secret that is used to securely encrypt all of your data, both at rest and in transit between your devices and our servers. The second layer is based on the Secure Remote Password protocol. It allows your devices and our servers to make sure they are who they say they are. This provides an additional layer of protection against attack. The third and final layer is the standard TLS/SSL protocol. This layer provides a final layer of encryption and also allows your web browser to indicate that you were communicating directly with a 1Password web server.

    If you'd like to keep learning about how 1Password keeps your data while it's on your device and syncing, this is a good spot to start:

    About the 1Password security model

    Hope that helps :)

  • What you're trying to do @komentaja is very insecure.

    You shouldn't be accessing your vaults on a computer you don't trust. If you need to access a site on an untrusted computer then access your passwords via a mobile, type them into the computer and then immediately change it on a trusted device afterwards; such as your mobile.

    Having multiple passwords is extremely confusing and likely to lead to people being locked out of their accounts.

    If you're adamant on continuing with your current insecure practice then you could sign up to another password manager, such as BitWarden and use that. It's free but not as secure as 1Password but as you're already in an insecure workflow, it wouldn't matter much.

    I suggest another password manager (for your untrusted devices) because the solution you want in 1Password would require two accounts and two payments. Sharing a separate vault with yourself, from another account, would be tied to your original master password.

  • But the problem is that I can never type in my master password for more important vaults on a less trusted devices as there could be keylogger sending it elsewhere or malware reading all my decrypted password and sending them forward. If I would have different password and hence different encryption key for less important vaults I could choose to take a risk of getting those compromised for the ease of use. I'd never login with more important passwords on less trusted device even without password manager anyway.

  • That's my point @komentaja, you shouldn't really be using any password manager on an untrusted device because if there's a keylogger or other surveillance software it could capture all of your passwords.

    This is a solution that technology cannot solve.

    Maybe a physical solution like the Qwertycard would be better for you. Then, even if a keylogger was installed, only one password would be compromised!

  • @darrenNZ I don't care if my reddit account gets leaked but I would really care if my bank credentials do and that's why I'm not even logging in on my bank account on less trusted devices. The condescending tone doesn't help you deliver the message better btw.

  • I want to be able to make a trade off between easyness and safety. Not all of the accounts are equally important for me.

  • I'm not being condescending but I'm not going to dress things up and make you feel secure.

    We could lie to you and say that you could do X, Y and Z and you'll be 100% secure but, even if that's what you want to hear, it wouldn't be true and we'd be doing you a disservice. It's called security theater.

    You could use another password manager but risk losing everything if compromised.

    Something like the Qwertycard is the only realistic solution.

  • I didn't at any point ask for a safe solution to have my master password on a less trusted device. I asked to be able to classify my passwords for different vaults protected with different passwords with hope of being able to share the vault for the more secure password. The less trusted device I'm talking about is my home gaming computer which is up to date but because of the fact it's windows I don't want to ever have my master password typed on its keyboard.

  • Leaking some forum credentials for the ease to be able to have them filled would be worth the risk for me. Not for the bank accounts.

  • Your request isn't possible in 1Password because the encryption scheme has been developed around the use of a single password.

    It'd require significant development introducing this functionality and there'd be little to no reward which is the very essence of security theater;

    Security theater has real monetary costs but by definition provides no security benefits, or the benefits are so minimal as to not be worth the cost.

    I understand your suggestion but it's not something that will be possible.

  • brentybrenty

    Team Member
    edited January 2018

    I think it's worth looking at from a different angle: why not afford all of your sensitive data the same high security? It isn't out of your way to simply keep the stuff you're less concerned about under the security of a long, strong, unique Master Password that's good enough for even your most important data. That's not only less passwords to remember (1Password, right?), it's also less cognitive load overall since you don't have to try to decide what's important and what isn't to sort things into different places; you just give everything the highest security. That's 1Password. :sunglasses::+1:

  • It's certainly possible but not implemented currently. Are you really not able to see the value it would bring to me if it would be possible? Not having to manually type in the passwords vs. getting them filled in if accepting the risk of getting them leaked. I bet I'm not the only one having this need. People using password managers on employers computers for example. IT support can install monitoring applications that can easily pick up the passwords etc.

  • There's no 100% safe way to store the passwords and will never be. There are only different levels of risk you're ready to take for them. Using the security purist point of view you're trying to convey is just naive. Most of the people take the easiest option always but improving it even a little is worth it.

  • @brenty isn't there quite a cognitive load every single time I have to manually type in the passwords from other source? If I could do it only once per password it would be quite an improvement already?

  • brentybrenty

    Team Member
    edited January 2018

    @komentaja: I'm not sure why you think they're getting "leaked". 1Password only decrypts data on demand, so the only thing potentially "leaking" is the login credentials you're filling into a webpage — and you know that was happening since you asked 1Password to do that. Does that help? Ultimately, if you give someone access to your computer, they can do a lot worse than impersonate you on Reddit. Did you read my comments above? :)

  • @brenty if my windows box is compromised and I type in the password on the keyboard and that's the only thing needed to get access to all of my passwords the data is by definition leaked, isn'it it? It's unlikely that the windows computer will be taken over but I don't store any information on it for which I don't accept the risk. Having my games and reddit accounts leaked instead of my bank accounts is a different story. There's nothing stored or typed in for the windows machine that I don't accept to leak. I use different machines for the important information.

  • Information compartmentalisation:

    • High-security passwords = 1Password
    • Reddit/games passwords = Another password manager

    This solution will work for you as it's want you want.

    For most people I wouldn't recommend it for the reasons already given.

  • Corporate users having personal 1password on their machines don't expect the leak either but you can't be sure enough if you don't even have admin access to the machine you're using. I'm trying to argue that there would be value and safety this kind of feature would provide for users.

  • @darrenNZ that's the case now but why you see it wouldn't be valuable to make it all with one client software?

  • The problem with offering it @komentaja is that it gives users a false sense of security and encourages bad practices. If it were to be introduced you'd have users who didn't fully understand the implications and then you have the law of unexpected consequences.

    1Password is built around simplicity. The more software code you have, the more complicated it becomes and the scope for mistakes is greater. It also makes auditing the software significantly more difficult.

    Then you have development costs: "the benefits are so minimal as to not be worth the cost".

    There are three possible solutions for you:

    • Another, paid-up, 1Password account
    • Qwertycard or equivalent
    • Another password manager
  • @darrenNZ thanks for finally addressing the issue I was trying to bring up! I agree to disagree now about the tradeoffs you mentioned for bringing it in. There's also free password managers but paying for this I'd expect it would cater for the usual needs of the users. More advanced features requiring better understanding could be hidden under some menu with a confirmation that you understand what you're doing. What's 1password's official take on this, could we ever see a feature like this?

  • @komentaja

    I'll let brenty give you the official take but in terms of it being introduced, it's unlikely.

    It's not something that's frequently requested so realistically 1Password is catering "for the usual needs of the users". Your use-case is, with respect, not not usual.

    From everything you've said - convenience vs security - I think a separate password manager for insecure environments is going to be your best option.

    For a more secure, but less convenient method, use the Qwertycard as you minimise security fallout should one password be compromised.

    For the best security possible, do what you're currently doing (using 1Password on a mobile device) but be sure to change your password each time after using the insecure computer. To make it slightly more convenient create diceware passwords within 1Password to make it easier to type.

  • komentajakomentaja
    edited January 2018

    sigh..

  • brentybrenty

    Team Member
    edited January 2018

    @brenty isn't there quite a cognitive load every single time I have to manually type in the passwords from other source? If I could do it only once per password it would be quite an improvement already?

    @komentaja: I guess I don't understand what you're typing in manually. The only thing you should have to do that with is your Master Password. What I'm suggesting is using one good one for everything, instead of trying to memorize and type different ones for different stuff (after going to the trouble to sort everything that way). Maybe I'm misapprehending what you're trying to do though.

    @brenty if my windows box is compromised and I type in the password on the keyboard and

    Yeah. That's exactly my point. Why would you do that?

    that's the only thing needed to get access to all of my passwords the data is by definition leaked, isn'it it?

    We go to a lot of trouble to prevent that, but yes, you should assume that if someone has control of your machine they can do that. They're the new owner.

    It's unlikely that the windows computer will be taken over but I don't store any information on it for which I don't accept the risk. Having my games and reddit accounts leaked instead of my bank accounts is a different story. There's nothing stored or typed in for the windows machine that I don't accept to leak. I use different machines for the important information.

    I think maybe I see what you're getting at. You could always use a guest account for that. I know some 1Password Families customers do for things like a shared media center PC. Just keep in mind that if your "risk" machine is infected, unless it's also isolated from your regular network and you never plug in USB drives to transfer data between it and your other devices you're really not going to be much better off in the long run. It's just a matter of time before other machines are infected.

    I really think this all comes back to security hygiene. You're right that some stuff is more sensitive than others, and you probably don't need high security to surf and play games. But lowering your guard is an awful habit to get into, and makes it more difficult to switch contexts and start practicing good security hygiene when you need to. It's better to get into the habit of treating everything with care, as a new vulnerability is always right around the corner, and could be used to leverage what seems like reasonable behaviour today into compromising your security tomorrow.

    @darrenNZ thanks for finally addressing the issue I was trying to bring up! I agree to disagree now about the tradeoffs you mentioned for bringing it in. There's also free password managers but paying for this I'd expect it would cater for the usual needs of the users. More advanced features requiring better understanding could be hidden under some menu with a confirmation that you understand what you're doing. What's 1password's official take on this, could we ever see a feature like this?

    Though it's something we'll consider, we don't currently have any plans for something like this for the reasons outlined above. Our goal with 1Password is to make the secure thing the convenient thing: a single long, strong, unique Master Password to remember to protect your data, so you can use unique passwords for everything else and not have to remember or type them. Anything we do needs to be measured against this. I think darrenNZ touched on two salient points:

    The problem with offering it @komentaja is that it gives users a false sense of security and encourages bad practices. If it were to be introduced you'd have users who didn't fully understand the implications and then you have the law of unexpected consequences.

    That goes back to security hygiene, as I mentioned above. It is not easy to get people to use good security practices. If you tell people to do so, they generally won't. Some will try, but if it's too much of a hassle they'll give up and go back to whatever they were doing before.

    1Password is built around simplicity. The more software code you have, the more complicated it becomes and the scope for mistakes is greater. It also makes auditing the software significantly more difficult.

    With all the vulnerabilities that seem to be coming to light more and more in just this last month, I can't stress this enough: the more complex we make things, the more likely there will be bug which could be leveraged to compromise security. That goes for everything, but certainly for 1Password as well. We almost never touch the code for security — locking, crypto, etc. — unless there's good reason. We'd have to fundamentally change 1Password's security model to have 1Password use different Master Passwords in different contexts, and that would make it not only more complex but also offer an opportunity for us to make mistakes. There would have to be a significant need for us to justify doing this, and we don't hear from many people at all that they want to do this; rather, our customers overwhelmingly want us to make 1Password easier to use without sacrificing security, not more complicated. It's definitely an interesting issue though, and it's important for us to challenge our assumptions and consider other perspectives, so I appreciate you bringing this up and encourage you to continue do so if you have questions or anything you'd like to add. Even if we don't agree that this would be a good fit for 1Password at this time, it's really good to hear from you. :)

  • bkhbkh
    edited January 2018

    Sorry to join the discussion late, but it's taken me a week to formulate my response.

    First, to @komentaja I would like to state clearly that 1Password will completely solve your issue if you are willing to pay the subscription fee for a Families account. Brenty alluded to the solution, and it is akin to the suggestion by darrenNZ to use a second password manager, but I'll fully state the solution right here. In the family account you will have 2 users, komentaja and kmtjGames. User komentaja will be the master, and in komentaja's private vault will store the precious passwords, such as the banking passwords. In a family shared vault store the less-valuable passwords --- gaming passwords and such. So if you log in as user komentaja, using your highly-secure master password, you have access to all the passwords. Now the second family member, kmtjGames, only logs into 1Password to get access to the shared vault containing less-valuable passwords, but through this account has no access to komentaja's secure personal vault. So logging into 1Password as kmtjGames on the windows PC does not expose the precious passwords to theft.

    I'm going to push back on @darrenNZ, who's invocation of "security theater" as a reason to reject komentaja's request neglects a main benefit of a password manager that is not about security. A password manager is also about convenience: for example, filling a login form on a web page. The suggestion to use Qwertycard for a manual password translation, or to use a secure mobile to look up the password and then manually type it into the insecure machine completely loses the convenience, and given a certain threat model, it it is unnecessary to do that. It is perfectly reasonable to use 1Password to fill less-secure passwords on an insecure machine, without exposing the precious passwords to loss.

    I'd also like to push back a little to @brenty, who twice recommends putting all the eggs into one basket with 1Password under a strong master password, because it is a really really safe basket, and recommends not getting into the habit of neglecting security hygiene to accommodate convenience. I'm going to push back on that by discussing a different threat model. And this explanation also states to darrenNZ why I think 1Password should support multiple vaults within a single 1Password account that are not all simultaneously unlocked by a single master password, without falling on the wrong side of the "security theater" argument.

    I'll start with a simple question. If I'm in my home or my office and I walk away from my computer leaving it and my password vault unlocked, do I deserve to lose everything? My banking passwords as well as my trivial games passwords? Under the evil maid threat model, the answer is yes. Good security hygiene requires that I not leave my vault and machine unlocked when I step away, because if I do, I no longer own my machine, the evil maid does.

    I'd like to propose a weaker threat model that I still find quite reasonable. In my threat model there are no evil maids in close proximity. I am, however, exposed to snoopy maids and mischievous maids. The snoopy maid might quickly step over to my machine to load my email (auto-filling the password information if need be) to take a quick look. The mischievous maid could sneak over to my machine to masquerade as me in one of my social media accounts (auto-filling the password information if need be) and send an offensive joke in my name. But these maids do not install a keylogger or other persistent data-exfiltration threat. I assert that this threat model is quite reasonable for many home and business office environments. How many of us really need to air-gap our computers and fill our USB ports with epoxy?

    For my threat model, I have two classes of passwords. The ordinary ones are exposed to the maids, and live in a vault that is normally unlocked "when I'm around" and locked otherwise. The precious passwords live in a second vault that is only unlocked briefly while I log into 1 or more sensitive accounts, and then relocked soon thereafter. If I'm correct in my belief that I have only snoopy maids and mischievous maids, it makes sense to distinguish precious passwords from ones I'm willing to lose, and trade off convenience vs. security for those two classes. If it turns out that I'm actually exposed to an evil maid, then darrenNZ and Brenty can laugh at me for believing in security theater and lowering my guard, because I will have lost everything. But I assert that it is my right to assess my level of threat and make tradeoffs that comport with that assessment. 1Password can preclude stupid choices, but should not prevent reasonable ones.

    So my feature request, which lines up with what komentaja originally requested, is to have 1Password offer the ability to keep a locked vault in an unlocked 1Password account. This gives an extra layer of defense for precious passwords, loses no security by comparison with the current 1Password, and enables me to get significantly greater convenience that is still appropriate for my threat model.

  • Oh yeah, the family shared passwords is pretty much already what I was requesting, thanks @bkh! Any chance to have those features somehow for a single user or have at least "family" of 2 for my own use for the personal plan?

  • Allowing more users for a single email shouldn't endanger income from family plans if all of them need to have the same email address..

  • @bkh

    Yours is a well-thought-out response but using 1Password for Families isn't a solution unless you're willing to pay the extra price.

    It's not easily solved on a single account, as you admit, because of the need for one master password. AES doesn't work by having multiple passwords in the manner that komentaja wants. It requires two separate accounts with two separate passwords.

    It is perfectly reasonable to use 1Password to fill less-secure passwords on an insecure machine, without exposing the precious passwords to loss.

    As things stand using multiple passwords isn't a feature of AES and two separate accounts are necessary. That's the reasonable solution, or, use a second password manager if you don't want to have to pay for two accounts.

    Alternatively you could create a local vault.

    There are lots of solutions to this problem which don't involve 1Password adding extra complications to the code but nevertheless the suggestion was noted earlier.

This discussion has been closed.