Master password clarification: Mac vs. iOS vs. Dropbox

I am experiencing the same problem. I have 1Password 4.4.1 running on a MacBook Air (OS X 10.9.4). It is sync'ed via Dropbox to my iPhone 4 (iOS 7.1.2) running 1Password for iOS 4.5.3. I When I changed the Master Password on my Mac and made sure Dropbox synced to my iPhone, I can open the vault on my iPhone with my OLD master password, not the new one.

And when I add a new login on my Mac, I can access it on my iPhone using the old master password. Similarly, when I add a login on my iPhone, it appears on my Mac with no problem.

Opening 1PasswordAnywhere (1Password.html) requires my NEW master password and sees all the new logins from both the Mac and the iPhone.

How is this even POSSIBLE? If the vault is encrypted, it's encrypted, right? So certainly a NEW record should be encrypted with a NEW master password, even if the old ones aren't. And if the iPhone has the OLD master password, I would expect it to be encrypted in such a way that it can't be read on the Mac using the new master password. Or can a vault be encrypted/decrypted by multiple passwords (e,g. an OLD and a NEW)? If so, then that would explain some things, but is not expected.

Also, if there's a facility for multiple passwords that can be used to open a single vault, that seems to lead to the possibility for a "backdoor" password that could also be used to read my vault. Does 1Password put a backdoor password on vaults? I don't mean to be alarmist, but I would like a clear "yes" or "no" answer to this question. Given all the security breaches and spying you read about every day in the news, this is very important to me and I'm sure the community as a whole. Even if just old master passwords can open a vault, that would still seem to be a problem.

Thanks for any help clearing up these mysteries.

@Stephen_C Thank you very much for the link to the thread about what really goes on with master passwords and the encryption key. It does explain how the things we are seeing can happen.

It does not explain why they are happening in this particular case -- especially if the program has been updated recently to avoid any confusion after a master password change. Even after letting things sit for 10 hours, my iPhone can still open the vault with my old master password and see new records. So it appears that individual items are getting synced, just not the master password-encrypted encryption key itself.

I second the suggestion in that thread for adding some command or option in the program to update both the master password and the underlying encryption key. I understand that this may be messy internally, but it's even messier if you leave it to the user to do it manually.

Finally, I would like to see some statement from AgileBits saying "We do not add any sort of backdoor password or key to 1Password vaults." If this has been stated elsewhere on the site, a link would be great.

As a website developer and general computer evangelist, I wholeheartedly recommend 1Password to everyone using a computer or smartphone. I want to know that my trust in the program is merited.

Thanks again, Stephen. Now I remember reading the 1Password and The Crypto Wars blog post when it came out last year and it was as reassuring as it could be. I really appreciate Jeff's straightforward, honest tone in the write-up.

This is STILL happening to me on the latest Mac and iOS versions synced via Dropbox.

1. Changed the password on Mac and waited for the Dropbox client to sync successfully.
2. Logged in to iOS app with the old password and Dropbox synced successfully.
3. Terminated the iOS app and relaunched it but it still accepts the old password.

Nothing short of deleting and reinstalling the iOS app made it recognise the new password.