
Old credentials on 1password.com account

nis
Community Member

Hi, currently trying out families account on Windows. If I change both my secret key and master password to new ones, but then try to login to my 1password account with my old secret key and old master password, then would I still be able to login to my 1password account and access my data?

Comments

  • Ben

    No, when you change your Secret Key or Master Password with a 1Password membership the old ones will no longer be accepted. I hope that helps. Should you have any other questions or concerns, please feel free to ask.

    Ben

  • nis
    Community Member

    The way you described it is what I would much like to see, but when I read the whitepaper, I saw this, which made me concerned. So is this snippet from the whitepaper not valid for the 1password.com account, and does this mean that the personal keyset does change on changing the master password and/or the secret key?

    > Master Password changes don’t change keysets
    > A change of Master Password or Secret Key does not create a new personal
    > keyset; it only changes the Master Unlock Key (MUK) with which
    > the personal keyset is encrypted. Thus an attacker who gains access
    > to a victim’s old personal keyset can decrypt it with an old Master Password
    > and old Secret Key and use that to decrypt data that has been
    > created by the victim after the change of the Master Password.
    >
    > Your mitigations
    > A user’s personal keyset may be replaced by voluntarily requesting
    > that their account be recovered. This will create a new personal keyset
    > which will be used to re-encrypt all of the vault keys and other items
    > which were encrypted with the previous personal keyset.

  • Ben
    edited April 2018

    Maybe I'm misunderstanding your question, but the personal keyset is not the Master Password and/or Secret Key. Try it. Create a 1Password.com account and set the Master Password. Then change the Master Password and try to log in with the old one. It won't work. :) But the whitepaper is correct that the personal keyset does not change unless going through recovery.

    Ben

    ref: XMP-85994-937

  • nis
    Community Member

    You are correct Ben, I cannot login with the old password. So that is very helpful. Your white paper and responses have been nothing but outstanding. However, in making a decision to put all my eggs in one basket with 1password, I'm thinking from a business continuity purpose. I guess my question then is:

    1. Let's say I make a local backup of my data by copying my Windows profile data today in an external hard drive
    2. Tomorrow, I change both my master password and secret key in 1password.com
    3. The day after changing them - in the event of a scenario where 1password.com site is not available for any reason and my current machine fails as well - if I need to access my passwords from my profile backup using a new installation of Windows 10 1password app on a different Windows 10 machine, will I be able to use my old master password and secret key to access my data (noting that this data backup was done before the master password and secret key were changed)?
    4. Will the new master password and secret key combination be able to open my backed up 1password data?

    Please let me know if you would like me to clarify this. I understand that this could be a far fetched scenario, but then this is important for me to make a decision, especially if I will be putting important data in this solution. So I would appreciate your thoughts.

  • AGAlumB
    1Password Alumni

    @nis: Unless you disconnected your computer from the internet completely (and left it offline) before you changed your account credentials, you'll be prompted there to update them immediately, so they will be up to date as well. So that would work for you in that case. And keep in mind that even if your computer is lost, stolen, or destroyed, you'll be able to access your data on the next one by signing into your account, either in the app or in your browser. Everything you save in 1Password is backed up on the server automatically. Does that help? :)

  • nis
    Community Member

    Hi @brenty, I do understand that. But maybe I'm not articulating my question to get to the matter correctly.
    So let me put my question another way:

    1. Is the sync of data happening in real time for all my authorized devices, so that a password change on 1password.com via a browser will force all devices immediately to expect the new password going forward?

    2. Is there any scenario in which a bad actor can get into my data if somehow they got hold of my old password and secret key?

    Thanks!

  • AGAlumB
    1Password Alumni
    edited April 2018

    @nis: Sure thing. I’m sorry for misunderstanding.

    1. Indeed, any changes will be sent to the server if the device is online when you make them. In your example, that would be a given since you’d need to have Internet access to use the website. At that point, the server will also send those changes to your other devices, provided they are also online at that time. Otherwise they will connect the next chance they get.
    2. If someone has all of your account credentials, they can use them to sign in and decrypt the data just as you can. If you believe that your Master Password and/or Secret Key has been compromised, you can change them from your Profile page in your account.

    Does that answer your questions? Please let me know. :)

  • nis
    Community Member

    @brenty, I guess I was confused by reading the whitepaper (paralysis by analysis :smile: ), especially the section I quoted in my earlier response in this thread. Based on your responses, it sounds like if I am concerned about my credentials getting compromised, then just changing them will be sufficient. Also, that would mean that it is not necessary for me to create a new vault to mitigate this compromise per the section given below from the whitepaper, correct? Once I get this final confirmation, my questions would be satisfied in full. Thank you for your patience and your awesome responses :smile:

    > Your mitigations
    > A user’s personal keyset may be replaced by voluntarily requesting
    > that their account be recovered. This will create a new personal keyset
    > which will be used to re-encrypt all of the vault keys and other items
    > which were encrypted with the previous personal keyset.
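The two whitepaper passages quoted in this thread (a credential change only re-wraps the personal keyset; recovery replaces it) describe a three-level key hierarchy, and the difference between the two is easiest to see by walking it with code. The model below is an added example, not 1Password's own code: the key derivation and the wrap/unwrap cipher are constructed stand-ins for the real 2SKD and authenticated encryption, and `Account`, `read_items` and `run_scenario` are names chosen here. It replays the Tuesday/Thursday/Friday timeline from the whitepaper story: old credentials alone stop working after the change, old credentials plus a saved copy of the encrypted keyset still read newer items, and after recovery the saved copy is useless.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def derive_muk(master_password: str, secret_key: str, salt: bytes) -> bytes:
    """Constructed stand-in for 1Password's two-secret key derivation:
    slow KDF over the Master Password, fast mix of the Secret Key, combined
    into the Master Unlock Key (MUK)."""
    pw_part = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 20_000)
    sk_part = hmac.new(secret_key.encode(), salt, "sha256").digest()
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a hash-derived keystream (toy stand-in for the
    real authenticated encryption; it exists so that the wrong key fails)."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, "sha256").digest()
    return nonce + ciphertext + tag


def unwrap(key: bytes, blob: bytes):
    """Return the plaintext, or None if the key is wrong or the blob was altered."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ s for c, s in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


class Account:
    """MUK -> personal keyset -> vault key -> items (hypothetical model)."""

    def __init__(self, master_password: str, secret_key: str):
        self.salt = os.urandom(16)
        self.personal_keyset = os.urandom(32)  # models the keyset's symmetric key
        self.vault_key = os.urandom(32)
        self.items = []  # each item is wrapped with the vault key
        self.encrypted_vault_key = wrap(self.personal_keyset, self.vault_key)
        self.change_credentials(master_password, secret_key)

    def add_item(self, text: str) -> None:
        self.items.append(wrap(self.vault_key, text.encode()))

    def change_credentials(self, master_password: str, secret_key: str) -> None:
        # Whitepaper: a credential change does not create a new personal keyset,
        # it only changes the MUK under which the same keyset is encrypted.
        muk = derive_muk(master_password, secret_key, self.salt)
        self.encrypted_keyset = wrap(muk, self.personal_keyset)

    def recover(self, master_password: str, secret_key: str) -> None:
        # Whitepaper: recovery creates a new personal keyset and re-encrypts
        # the vault keys with it; the vault key and items are unchanged.
        self.personal_keyset = os.urandom(32)
        self.encrypted_vault_key = wrap(self.personal_keyset, self.vault_key)
        self.change_credentials(master_password, secret_key)

    def snapshot(self) -> dict:
        """The stored material someone who copied the account data would hold."""
        return {"salt": self.salt, "encrypted_keyset": self.encrypted_keyset,
                "encrypted_vault_key": self.encrypted_vault_key, "items": list(self.items)}


def read_items(snapshot: dict, master_password: str, secret_key: str):
    """Walk the hierarchy; None means these credentials (or this keyset copy)
    do not open this snapshot."""
    keyset = unwrap(derive_muk(master_password, secret_key, snapshot["salt"]),
                    snapshot["encrypted_keyset"])
    if keyset is None:
        return None
    vault_key = unwrap(keyset, snapshot["encrypted_vault_key"])
    if vault_key is None:
        return None
    return [unwrap(vault_key, item).decode() for item in snapshot["items"]]


def run_scenario() -> dict:
    acct = Account("old-password", "OLD-SECRET-KEY")
    acct.add_item("hiding place added on Tuesday")
    tuesday_copy = acct.snapshot()["encrypted_keyset"]  # the keys saved on Tuesday
    acct.change_credentials("new-password", "NEW-SECRET-KEY")
    acct.add_item("hiding place added on Thursday")
    friday = acct.snapshot()
    results = {
        # Old credentials against the current data: the re-wrapped keyset rejects them.
        "old_credentials_on_current_data": read_items(friday, "old-password", "OLD-SECRET-KEY"),
        # Old credentials plus the Tuesday copy: same keyset inside, so Thursday's item opens.
        "old_credentials_with_saved_keyset": read_items(
            dict(friday, encrypted_keyset=tuesday_copy), "old-password", "OLD-SECRET-KEY"),
    }
    acct.recover("new-password", "NEW-SECRET-KEY")  # the whitepaper's mitigation
    results["saved_keyset_after_recovery"] = read_items(
        dict(acct.snapshot(), encrypted_keyset=tuesday_copy), "old-password", "OLD-SECRET-KEY")
    results["owner_after_recovery"] = read_items(acct.snapshot(), "new-password", "NEW-SECRET-KEY")
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The thing to notice is that `change_credentials` never touches `personal_keyset` or `encrypted_vault_key`; only `recover` does, which is why the saved copy keeps working until recovery is run.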

  • AGAlumB
    1Password Alumni

    @nis: I can relate! It's pretty dense, and I had to read it, ask some questions, and read it again before it all clicked for me. So if you appreciate my replies to your own questions (thank you for the kind words!), I have to say it's only because I have the benefit of the expertise and patience of these awesome people here at AgileBits. :blush:

    To try to tie it all together, I think it's important to consider that the passage you're referring to is very much a worst-case scenario. In that case, someone has already gotten your account credentials and accessed it (that's how they can get the keyset and decrypt it). If that happens, yes, you will need to take steps to get a new keyset. But on the plus side, if someone signs into your account, you'll be notified. You then know that they have your account credentials, and you can change them immediately.

    But there's an important fact that I don't want to gloss over: in order to get your Master Password, Secret Key, and the rest, they would need to get them from you. We never have these, as they are literally never transmitted to us (that's why we use SRP, to avoid being in that position). Additionally, the Secret Key is only ever used when authorizing a device in the first place, so that also limits the situations where it could be captured. For example, the vast majority of the time, even if someone could observe you entering your Master Password and learn it that way, you will not be doing the same with your Secret Key. So they would have to get direct access to one of your authorized devices to make use of that. They could not sign into your account on a new device without the Secret Key. Let me know if that helps. :)

  • nis
    Community Member

    Thanks @brenty :smile: The whitepaper is really good. And I'm glad that you guys have published it. Also, as you said, you have the luxury of asking questions to your team members, and I'll take this forum as a substitute :smile:

    Your response does help a lot and has clarified my concerns. I am curious about one thing though that you mentioned in your reply. It's about "that's how they can get the keyset and decrypt it". This also ties in with story 9 where Mr. Talk is able to copy the keys.

    > Saturday Mr. Talk decrypts the data he stole on Friday
    > using the keys he saved on Tuesday and then is able
    > to see the hiding place that Patty added on Thursday.

    Basically, if someone does access my 1password.com account after getting the credentials, is it simple enough for them to copy the keys before the password is changed? Like Mr Talk in the story, will that person be able to decrypt my data with old credentials if they have made a copy of the data along with a copy of the keys when they accessed my account (me being Ms Molly in this case) :smile: ?

  • AGAlumB
    1Password Alumni

    > Thanks @brenty :smile: The whitepaper is really good. And I'm glad that you guys have published it. Also, as you said, you have the luxury of asking questions to your team members, and I'll take this forum as a substitute :smile:

    @nis: Glad to hear it! What I meant was that while it's arguably a bit easier for me to have an in-depth conversation with the folks working on all of this, the reason that's valuable (other than because I'm a curious nerd) is that I can better answer questions like yours as a result. But when I don't know the answer, I am happy to poke someone else to respond directly. ;)

    > Your response does help a lot and has clarified my concerns. I am curious about one thing though that you mentioned in your reply. It's about "that's how they can get the keyset and decrypt it". This also ties in with story 9 where Mr. Talk is able to copy the keys.

    Ah, that's a great point. There's a lot of ways, but they would all involve some pretty significant security lapse, either on our part or yours:

    • They break into the server and compromise its security.
    • They break into one of your devices and compromise its security.

    The first one, for us, is obviously very scary, because it's literally the company at stake. For you, while that may sound dire, our paranoia and real-world motivation (our livelihood) should hopefully provide some comfort, as this means that we have not only cryptographic, system-level, and organizational protections in place to defend against attack, we also participate in external audits and cooperate with independent security researchers to find any flaws so we can fix them. So, ultimately, since you and I personally probably have a less stringent defense in place (after all, we use our devices for things other than securing data — 1Password.com server infrastructure is used for nothing else — and we also manage our operational security ourselves), it will be much easier for someone to compromise our personal security. And, of course, they would still need our Master Password and Secret Key to be able to decrypt our personal keyset in order for it to be of use to them...and they cannot get either of those from AgileBits. So essentially we're talking about a true worst-case scenario, which necessarily involves you being compromised on some level.

  • nis
    Community Member

    That makes sense. In a nutshell, if personal security of someone's device is compromised, then AgileBits can't do anything. With that, I will stop with any more questions on this. Thank you @brenty :smile:

  • AGAlumB
    1Password Alumni

    Glad to help! And, rather than giving me nightmares, I find it comforting to have a good overview of things so I can take the necessary precautions and not worry about it. Hopefully this helps you get there too. :chuffed:

This discussion has been closed.