Problems using Browser extension after changing Master password

Manaburner

Hi there,



I recently have changed my master password for 1Password, which worked fine. As I sync my keychain with Dropbox, the change populated to all my computers. However on one Windows 7 x64 SP1 machine, that change didn't quite work.



The extension in Chrome 19 and FF 12 did still accept the old master password. The 1P application itself only accepted the new master password, which is correct.



After trying around and entering the new master password into the extension, I got prompted, that the master password had changed and I should enter the old one to update the extension.



Is this the intentional behaviour of the extension? If so, I think there should be a piece of documentation telling the user, what he should do after changing the master password.



Regards,

Michael

4EverMaAT

My problem is a bit worse. I changed my master password earlier today and my windows 7 (64 bit) Firefox 12 extension has no passwords saved. I have to open the main 1password and copy passwords manually. I tried removing the extension within firefox, restarting firefox, and then reinstalling the extension from here [url="https://agilebits.com/extensions/win/index.html"]https://agilebits.co.../win/index.html[/url] . I still get the blank passwords box. Either there is a bug in the firefox extension for windows, or there is another method to [i]completely remove[/i] and reinstall the firefox extension. Although honestly, if 1Password extension is loading within firefox, and it can read my master password ok, why would the password list be blank? I didn't realize changing the master password (and waiting for dropbox to update ok) would cause so much trouble.



Another bug: sometimes in Firefox extension, the cursor will be in the master password unlock textarea, but when I type, nothing happens. I have to escape out, and then re-click the extension again to bring back the master password unlock window again. Now I am able to type in my password. Definetly a bug.



Chrome 19.0.1084.52 windows extension seems to be just fine <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/smile.png' class='bbc_emoticon' alt=':)' /> all my passwords load fine after master password unlock.



In mac, my firefox extension prompted me for the old password to continue, but then it seemed to be ok. I went ahead and updated to firefox 12 and everything works fine.



And while I am ranting, you need to do a better job of linking your forum throughout all of your websites. support.agilebits.com can have a simple link at the top that says "forum". So should your website agilebits.com . I shouldn't have to google for it. <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/skype_no.png' class='bbc_emoticon' alt='(n)' />



We need to fix that windows bug fast.



edit: YES, i've restarted my laptop twice. And I also disabled my firewall for a few seconds to see if the firefox extension was somehow blocked by that....although it always worked in the past no problems.

khad

[size=5][b]Master Passwords should rarely be changed.[/b][/size]



I want to say that upfront. Only change your Master Password if it is weak and needs to be made stronger or if it is also used for something else. Your 1Password Master Password isn’t like a typical Login password, and so security advice that tells people to change passwords regularly does not apply to things like your 1Password Master Password.



In technical terms your 1Password Master Password is an encryption password instead of an authentication password; the advice used for one does not apply to the other. Once you have a strong, memorable, and unique Master Password you should not change it.





[quote]

Is this the intentional behaviour of the extension? If so, I think there should be a piece of documentation telling the user, what he should do after changing the master password.

[/quote]

Yes. It is expected. The database IDs of the main application and the sandboxed browser extension need to match. In order to authenticate the change, you need to enter your old password in the extension. I'm not sure that documentation would help more than just walking users through this directly in the extension where they need to enter the old password... <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/huh.png' class='bbc_emoticon' alt=':huh:' />









[quote]Either there is a bug in the firefox extension for windows, or there is another method to completely remove and reinstall the firefox extension.[/quote]



There is another method in Firefox. Other browsers handle the removal of the SQLite file automatically along with the removal of the extension, but [b]you will need to do this manually for Firefox [/b]because he is a rascally red panda:



1. Open Firefox.

2. Remove the 1Password extension.

3. Enter `about:support` in the address bar and press Return.

4. Click the "Open Containing Folder" button.

5. Quit Firefox.

6. In the Explorer window that opened, go up one level in the file hierarchy.

7. Move the `OnePassword.sqlite` to your desktop.



​Then reinstall the Firefox extension from 1Password for Windows' preferences on the Browsers tab.



[i]Once everything is working well, you can safely move the `OnePassword.sqlite` file on the desktop to the trash.[/i]







[quote]sometimes in Firefox extension, the cursor will be in the master password unlock textarea, but when I type, nothing happens. I have to escape out, and then re-click the extension again to bring back the master password unlock window again. Now I am able to type in my password.[/quote]

I cannot reproduce this. Can you please start another thread with steps to reproduce so they don't get lost in here if you are able to reproduce it?



[quote]We need to fix that windows bug fast.[/quote]

What Windows bug?

naomi

Khad, I have the same problem with logins having disappeared from the firefox extension- I am a brand new user and changed the password as my first choice was pretty weak. I have now got the same password in the main app and the extension but still none of the logins i created yesterday appear. I am totally not a tech person so I'd appreciate advice in VERY simple terms....

4EverMaAT

[quote name='khad' timestamp='1338880915' post='60114']

[size="4"][b]...........[/b][/size]

There is another method in Firefox. Other browsers handle the removal of the SQLite file automatically along with the removal of the extension, but [b]you will need to do this manually for Firefox [/b]because he is a rascally red panda:



1. Open Firefox.

2. Remove the 1Password extension.

3. Enter `about:support` in the address bar and press Return.

4. Click the "Open Containing Folder" button.

5. Quit Firefox.

6. In the Explorer window that opened, go up one level in the file hierarchy.

7. Move the `OnePassword.sqlite` to your desktop.



​Then reinstall the Firefox extension from 1Password for Windows' preferences on the Browsers tab.



[i]Once everything is working well, you can safely move the `OnePassword.sqlite` file on the desktop to the trash.[/i]

..............................................

[/quote]



This did the trick. Thanks. Was annoyed at having to use chrome a lot, but it's all fixed now.

[quote name='naomi' timestamp='1338900726' post='60117']

Khad, I have the same problem with logins having disappeared from the firefox extension- I am a brand new user and changed the password as my first choice was pretty weak. I have now got the same password in the main app and the extension but still none of the logins i created yesterday appear. I am totally not a tech person so I'd appreciate advice in VERY simple terms....

[/quote]



Follow the instructions I quoted above, and maybe you will get it back. Perhaps support can do a quick demo video?

khad

Thanks for letting me know that everything is working well, 4EverMaAT! That is always good news. <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/smile.png' class='bbc_emoticon' alt=':)' />



naomi, first, welcome to the forums! Second, as 4EverMaAT suggested, have you tried following the steps I outlined above to completely remove the Firefox extension?



If you are having trouble, can you let me know which step you are stuck on? I would love to provide further assistance.



Thanks!

khad

Try this link:



https://mikhailt.clarify-it.com/d/jdjwjf



Screenshots may help. <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/smile.png' class='bbc_emoticon' alt=':)' />



I wish Firefox didn't make this so complicated.

Manaburner

Hi khad,



sorry for my late reply but notifications for this post haven't worked for me so I didn't get your answers.



Thank you for your statement concerning the master password. Indeed I changed it, as I had used it for some logins so it was insecure in my opinion.





[quote name='khad' timestamp='1338880915' post='60114']

I'm not sure that documentation would help more than just walking users through this directly in the extension where they need to enter the old password... <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/huh.png' class='bbc_emoticon' alt=':huh:' />

[/quote]



I understand what you're saying. OK "documentation" is probably not the right expression for it. But maybe a hint popping up after you have changed your master password like "In order to change the master password in your browser, please enter the new one and follow the instructions in the extension". Something like that.



Regards,

Michael

khad

[quote]Indeed I changed it, as I had used it for some logins so it was insecure in my opinion. [/quote]

Smart move. Your master password should be both strong and [i]unique. [/i]<img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/smile.png' class='bbc_emoticon' alt=':)' />



I should have linked to this earlier, but we have tips for creating strong and [b]memorable[/b] master passwords:



http://blog.agilebits.com/2011/06/21/toward-better-master-passwords/







[quote]I understand what you're saying. OK "documentation" is probably not the right expression for it. But maybe a hint popping up after you have changed your master password like "In order to change the master password in your browser, please enter the new one and follow the instructions in the extension". Something like that. [/quote]

Agreed. We will try to improve this! <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/smile.png' class='bbc_emoticon' alt=':)' />

Manaburner

[quote name='khad' timestamp='1339137570' post='60170']



Agreed. We will try to improve this! <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/smile.png' class='bbc_emoticon' alt=':)' />

[/quote]



See, that's why I like your company. Always open for improvements <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/skype_smile.png' class='bbc_emoticon' alt=':-)' />

khad

We appreciate your kind words. Enjoy your weekend! <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/biggrin.png' class='bbc_emoticon' alt=':D' />

benfdc

[quote name='khad' timestamp='1338880915' post='60114']

In technical terms your 1Password Master Password is an encryption password instead of an authentication password; the advice used for one does not apply to the other. Once you have a strong, memorable, and unique Master Password you should not change it.

[/quote]



I was [url="http://help.agilebits.com/1Password3/agile_keychain_design.html"]under the impression[/url] that entries in my keychain are protected by one or more 1024-bit master encryption keys, and that 1Password Master Passwords are, effectively, authentication passwords that are used to encrypt and decrypt those master encryption keys.



Truth be told, it seems to me that there is little to no security benefit to changing a master password unless you can be absolutely certain that no attacker can ever gain access to an older version of your keychain (such as from the backups maintained by 1Password itself, user backups, or old versions recoverable via Dropbox).

jpgoldberg

This is why we advise that once you have a good master password you keep it for life.



Changing your 1Password master password is like changing your ssh private key password or changing your PGP passphrase. In general it doesn't add to security (unless you had a weak password) and in some cases can even reduce security.



As I explained elsewhere, we do need to address the mismatch between how it works and how people think it works, so that we get better security practices.



Cheers,



-j

choelscher

Well, now it happened to me: change of master password and the extension stopped working.



After looking for a solution, I found a lot of topics in these forums that explained why this happens and what to do. I was able to solve the issue.



Agile Bits is a fantastic company and I love 1Password. But you really should reconsider this issue:



1) The least you could do is to share the information more visibly how to get the Firefox extension back up and running after a master password change in 1Password. What do I mean with "more visibly"? Well, right in 1Password when the master password is changed and here: [url="http://help.agilebits.com/1Password3/change_master_password.html"]http://help.agilebit...r_password.html[/url]



2) When the extension is removed, the OnePassword.sqlite should be removed automatically. It does not feel right to leave the data in this folder.



3) When the extension is being re-installed, the OnePassword.sqlite should be updated or replaced automatically.



Again, I love your product and I understand your point of view, but as you can see in your own forums: there are a lot of 1Password users who run into this issue. And it could be addressed.

khad

Welcome to the forums, choelscher! Thank you for your feedback. It would certainly be nice to make this known in the application. The biggest problem is Firefox which does not remove the SQLite file when you remove the extension. We do not have control over this. If we did, you can be sure we would resolve this. The other browsers handle this much better. They simply require you to remove and reinstall the extension. Done. Boom.



I'll mention linking to [url="http://support.agilebits.com/kb/browser-extensions/i-just-changed-my-master-password-but-my-browser-extension-doesnt-recognize-it-mac"]our support article for this[/url] when changing the master password to the developers. There is always room for improvement, even if Firefox prevents us from automating the process in this case.

charlie98

[quote name='jpgoldberg' timestamp='1342135231' post='60751']

This is why we advise that once you have a good master password you keep it for life.



Changing your 1Password master password is like changing your ssh private key password or changing your PGP passphrase. In general it doesn't add to security (unless you had a weak password) and in some cases can even reduce security.



As I explained elsewhere, we do need to address the mismatch between how it works and how people think it works, so that we get better security practices.



Cheers,



-j

[/quote]

I have managed to lose my iPad which potentially means that someone has physical access which, at least to me, means they have the potential for cracking my master password.



With that in mind I want to change my master password. As a FireFox user it looks like I will have issues.



Much as I'd like my master password to last forever, and it is quite strong, I'm not willing to tempt fate.

khad

So sorry to hear about your iPad. I'd encourage you to review our blog post "[url="http://blog.agilebits.com/2011/02/11/lost-iphone-safe-passwords/"]Lost iPhone? Safe Passwords![/url]" (It applies equally well to iPads.)



Your master password does not have to be the same between 1Password for Mac/Windows and your 1Password iOS app(s). Many users like to have a less-complicated one for 1Password iOS apps because of the interaction using the much smaller virtual keyboard. Because they do not have to be the same, they are never synced from one device/platform to another.



If you do decide to change your master password on the desktop, you just need to follow the steps to remove the SQLite file when removing the Firefox extension. It's just a few extra clicks.



I hope that helps.