There are a lot of seemingly mysterious things that go on when a Master Password changes, so it is quite reasonable to have questions about security in this area. A cornerstone of Master Password security, though, is that 1Password never stores your Master Password in any form. (A not very relevant exception is for use with Touch ID.)

Suppose you change your Master Password on one of your computers. The next time you unlock 1Password on some other device, you can unlock it with your new Master Password. This has led a lot of astute users to mistakenly imagine that their data isn't really protected by their Master Password. How can 1Password on the second machine accept the new Master Password if we are careful to never store it? But, let me assure you that it is, and all the tricks up our sleeves make things both more secure and more convenient for you.

At the risk of being blackballed by the Alliance of Magicians, we want to reveal the secret to Master Password syncing. It's all just an illusion - a clever one - but since we don't actually store your Master Password, we don't sync it for you either. You do, but we've made it look like we do.

The Basics

At its most basic, a 1Password vault (be it a local vault in 1Password for Mac/iOS, or a sync vault in the form of an Agile Keychain or an iCloud vault) contains a couple of things:

- A UUID
- An AES key used to encrypt and decrypt items

Every vault has a different UUID, and a different AES key. These are both randomly generated when the vault is created. This means that your local Mac vault does not share a UUID with the Agile Keychain it's syncing with, and any other Mac or iOS device that's also syncing with that Agile Keychain will have its own UUID/AES key combination. In the simplest scenario of a Mac syncing with an iOS device via Agile Keychain, that's 3 vaults, 3 AES keys.

Obviously, it's a bad idea to store the keys unencrypted. It would be like leaving your house key on a hook next to the door, outside. We need a key to encrypt your AES key with. For this, we use the Master Password you provided when you created the vault to derive another key. The key that is derived from your Master Password is then used to encrypt your vault's AES key.

You have an unsynced vault on your desktop. To unlock 1Password, you provide us with a Master Password (which may or may not be correct). We use this Master Password and go through the same key derivation process that we used originally. If it's the same Master Password, the result will be the same key. A key will be derived even if an incorrect Master Password has been entered. Determining whether it's the right key is a matter of attempting to decrypt the AES key. A successful decryption indicates that the correct Master Password for this vault has been entered, thus the vault will unlock. If the decryption fails, it's the incorrect Master Password.

Now that we know how your vault is unlocked with your Master Password, let's discuss what happens when you change your Master Password (leaving sync out of the equation for now). When you change your Master Password locally, the vault's UUID and AES key do not change at all. What changes is the key that is used to encrypt your AES key (the one that's derived from your Master Password). Effectively all that changes is the encrypted form of your vault's AES key. It's encrypted with the new key, derived from the new Master Password. This means that trying to use your old Master Password will generate the old derived key, which will not be able to decrypt your AES key that's now encrypted with the new derived key.

It is important to reiterate that your Master Password is never stored anywhere. This is the case for your local vault as well as the Agile Keychain you're syncing to, so we're essentially responsible for syncing something we don't have.

During initial sync setup, we ask you for the Master Password of the sync vault (typically an Agile Keychain). We use this password to unlock the sync vault, but once it's unlocked we throw away the password you gave us. Instead of the password, we store the sync vault's UUID and its AES key, and we encrypt those with our local AES key. We know that a vault's UUID and AES key will never change for the lifetime of the vault. This is important as it allows 1Password to continue syncing even after you've changed a Master Password on one device.
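The key hierarchy described above (Master Password, the key derived from it, the vault's wrapped AES key, and the sync vault's UUID and key kept under the local AES key) as a runnable model. This is an added example written for this page, not 1Password's or AgileBits' code: the post does not name its key derivation or cipher, so PBKDF2-SHA256 with a constructed iteration count stands in for the derivation, and an HMAC-SHA256 counter-mode stream with a MAC stands in for AES so the file runs on the standard library alone. The `Vault` layout, salt handling and function names are assumptions. It walks both the unlock and Master Password change passages and the sync-setup passage: the old password stops unlocking, the AES key is unchanged, and the sync vault still opens after its own Master Password changed "on another device".

```python
import hashlib
import hmac
import os
import uuid
from dataclasses import dataclass
from typing import Optional

PBKDF2_ITERATIONS = 50_000  # constructed value; the post does not give 1Password's count
NONCE_LEN, TAG_LEN = 16, 32


def derive_key(master_password: str, salt: bytes) -> bytes:
    """Same password and salt give the same key; a wrong password still yields a key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, PBKDF2_ITERATIONS, dklen=32)


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for the AES mode 1Password uses.
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under key; returns nonce || ciphertext || tag."""
    enc_key, mac_key = (hmac.new(key, lbl, hashlib.sha256).digest() for lbl in (b"enc", b"mac"))
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unwrap(key: bytes, blob: bytes) -> Optional[bytes]:
    """Plaintext, or None when the key is wrong (the post's 'decryption fails' case)."""
    enc_key, mac_key = (hmac.new(key, lbl, hashlib.sha256).digest() for lbl in (b"enc", b"mac"))
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


@dataclass
class Vault:
    uuid: str                            # fixed for the life of the vault
    salt: bytes
    wrapped_aes_key: bytes               # the only field a Master Password change touches
    sync_record: Optional[bytes] = None  # sync vault's UUID + AES key, under our AES key


def create_vault(master_password: str) -> Vault:
    aes_key, salt = os.urandom(32), os.urandom(16)  # random at creation; AES key never changes
    return Vault(str(uuid.uuid4()), salt, wrap(derive_key(master_password, salt), aes_key))


def unlock(vault: Vault, master_password: str) -> Optional[bytes]:
    # Derive a key from whatever was typed and try to unwrap the vault's AES key.
    return unwrap(derive_key(master_password, vault.salt), vault.wrapped_aes_key)


def change_master_password(vault: Vault, old_pw: str, new_pw: str) -> None:
    aes_key = unlock(vault, old_pw)
    if aes_key is None:
        raise ValueError("old Master Password is incorrect")
    # UUID and AES key are untouched; only the wrapping key, and so the wrapped form, changes.
    vault.wrapped_aes_key = wrap(derive_key(new_pw, vault.salt), aes_key)


def link_sync_vault(local: Vault, local_pw: str, sync: Vault, sync_pw: str) -> None:
    """Initial sync setup: unlock the sync vault once, keep its UUID + AES key, forget sync_pw."""
    local_key, sync_key = unlock(local, local_pw), unlock(sync, sync_pw)
    if local_key is None or sync_key is None:
        raise ValueError("incorrect Master Password")
    local.sync_record = wrap(local_key, sync.uuid.encode("ascii") + sync_key)


def open_sync_vault(local: Vault, local_pw: str, sync: Vault) -> Optional[bytes]:
    """Later syncs: recover the sync vault's AES key without its Master Password."""
    local_key = unlock(local, local_pw)
    record = unwrap(local_key, local.sync_record) if local_key and local.sync_record else None
    if record is None or record[:36].decode("ascii") != sync.uuid:
        return None
    return record[36:]


def demo() -> dict:
    """Runs the post's scenario end to end and returns the observable outcomes."""
    local, sync = create_vault("local pw 1"), create_vault("sync pw 1")
    local_aes, sync_aes = unlock(local, "local pw 1"), unlock(sync, "sync pw 1")
    link_sync_vault(local, "local pw 1", sync, "sync pw 1")
    change_master_password(local, "local pw 1", "local pw 2")
    change_master_password(sync, "sync pw 1", "sync pw 2")  # as if done on another device
    return {
        "old_local_pw_rejected": unlock(local, "local pw 1") is None,
        "new_local_pw_gives_same_aes_key": unlock(local, "local pw 2") == local_aes,
        "sync_vault_aes_key_unchanged": unlock(sync, "sync pw 2") == sync_aes,
        "sync_works_without_sync_pw": open_sync_vault(local, "local pw 2", sync) == sync_aes,
    }
```

Running `demo()` returns all four outcomes as `True`. The authenticated wrapping is what turns "attempt to decrypt the AES key" into a reliable right-or-wrong answer: a wrong password derives a perfectly valid-looking key, and only the failed tag check tells the two apart.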