This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.
First setup with Dropbox and master password
in iOS Beta
Hi all,
Just a quick question on the first time setup. When I choose "Existing User" and then "Sync with Dropbox" it searches Dropbox for my 1P keychain and then asks me for the master password, which is the keychain password on 1P for Mac and Windows. But what happens if I choose to change the master password on the i-Device? Will it also change the keychain password in my Dropbox and with that, the master password for Mac and Windows? Or is it just a local change on the i-Device?
Thanks
Regards,
Michael
-
Hi Michael,
Great question! Starting with 1Password 4, all master password changes will also sync with your desktop apps and other 1Password 4 mobile apps. So, you really are working with just one master password now or "1Password".
To help deal with the longer master password on the iOS devices, we introduced the quick unlock code to make it easier as you use 1Password throughout your day on your devices.
I hope that helps, please let me know if you have questions!
-
Hi mrtoner,
You can only use the unlock code once; if it is wrong, it automatically reverts to the master password. The master password will also kick in if iOS is forced to kill the 1Password app in the background to reclaim its memory. But until that time, the unlock code is in use at all times until you incorrectly enter the code once or manually lock 1Password.
-
Hi Mike,
Security-wise it's a good decision. I hope I don't have to enter my very long master password too often ;-)
-
[quote name='MikeT' timestamp='1353477144' post='63519']The master password will also kick in if iOS is forced to kill 1Password app in the background to reclaim its memory.[/quote]
Unfortunately, this happens far too often -- frequently even after opening merely one other application. This may be a function of the beta version either requiring more memory than usual, getting lower iOS priority or having some other bug, but at this point it's rendering the quick unlock code feature virtually useless.
This is on an iPhone 5, which has 1GB of RAM, so I can imagine it would be even worse on other devices.
[b]Update[/b]: Okay, on further testing this actually appears to be tied into the Auto-Lock setting. If 1Password remains closed for longer than the auto-lock interval (tested at 1, 2 and 5 minutes, at least :) ), then the Master Password will be required when re-opening the app. This may be by design, but if so, it is extremely confusing as the word "lock" is essentially being used to mean two completely different things -- a "full" lock which requires the Master Password versus a "quick" lock which requires only the Quick Unlock Code. Auto-Lock and the "Lock Now" button require the Master Password, while "Lock on Exit" requires only the Quick Unlock Code.
-
Hi,
[list=1]
[*]The manual lock button will definitely require the master password, you're intentionally locking the app completely.
[*]Correct, the quick unlock code is tied to your auto-lock timer setting. If the lock on exit is turned on, the quick unlock code is used any time you switch out from 1Password to another app and switch back to 1Password. It can still be used when the app times out due to the auto-lock timer unless the app got killed in the background, which can happen any time after 10 minutes.
[*]If the [i]lock on exit[/i] is turned off, the quick unlock code is used to unlock the app when the auto-lock timer kicks in but between that timeframe, you don't have to enter any code to unlock the app.
[/list]
If you have more questions, please let me know.
Thanks!
-
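The lock rules described in the replies above (a single quick unlock attempt, manual lock, the app being killed by iOS, Lock on Exit and Auto-Lock), modelled as a small state machine. This is an added example, not AgileBits code: `LockModel`, `Prompt`, `replay` and the event names are hypothetical, a Quick Unlock Code is assumed to be set, and the auto-lock case follows the behaviour the reply describes as intended.

```python
from dataclasses import dataclass
from enum import Enum


class Prompt(Enum):
    NONE = "no prompt"
    QUICK_CODE = "quick unlock code"
    MASTER = "master password"


@dataclass
class LockModel:
    """Hypothetical model of the lock rules described in the replies above."""
    auto_lock_secs: int
    lock_on_exit: bool
    session_live: bool = False  # True while the app is unlocked and still in memory

    def unlock_with_master(self):
        self.session_live = True

    def full_lock(self):
        # Manual "Lock Now", one wrong quick unlock code, or iOS killing the
        # backgrounded app: each of these ends the session.
        self.session_live = False

    def prompt_on_return(self, secs_away: int) -> Prompt:
        """Credential requested when the user switches back after secs_away."""
        if not self.session_live:
            return Prompt.MASTER
        if self.lock_on_exit or secs_away >= self.auto_lock_secs:
            return Prompt.QUICK_CODE  # behaviour described as intended for auto-lock
        return Prompt.NONE


def replay(model, events):
    """Apply (name, arg) events in order; collect the prompt for each 'return'."""
    prompts = []
    for name, arg in events:
        if name == "master":
            model.unlock_with_master()
        elif name in ("lock_now", "wrong_code", "killed"):
            model.full_lock()
        elif name == "return":
            prompts.append(model.prompt_on_return(arg))
        else:
            raise ValueError(f"unknown event: {name}")
    return prompts


# Constructed session: auto-lock at 5 minutes, Lock on Exit off.
SESSION = [("master", None), ("return", 60), ("return", 400),
           ("wrong_code", None), ("return", 5)]
```

-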
The problem is that currently the [i]Master Password[/i] is required once the [b]Auto-Lock[/b] interval has passed, even when a Quick Unlock Code is set. This occurs regardless of whether [b]Lock on Exit[/b] is enabled or not, with the only difference being whether the Quick Unlock Code is required or not prior to the Auto-Lock interval.
We're discussing this already over in this thread: http://forum.agilebits.com/index.php?/topic/11172-lock-settings-and-quick-unlock-code/ but figured I'd post one more reply here just to close the loop on this one.
-
Just to be clear here, there's a bug in the auto-locking system where it isn't showing the quick unlock code after the auto-lock kicks in if you have quick unlock code enabled; it works fine before the auto-lock.
Once we fix it, it should then make sense. :)
-
Is the 1PW master password still stored in the iOS keychain?
-
I can't see any reason why it would need to be at this point, since it's the actual Master Password that you use to log into 1Password 4 now, so not only is there no point in keeping it around in the iOS keychain, but that would actually be a security issue.
I think one of the main reasons for changing over to the same Master Password across all devices is to avoid having to store the real Master Password anywhere on the device. I suppose if you're using a Quick Unlock Code some derived key must exist somewhere in volatile RAM while the app is in the background, but this is not the same as having the Master Password actually [i]stored[/i] on the device, iOS Data Protection and obfuscation aside.
-
Thanks jhollington. It was the quick unlock code that made me question it.
-
Yeah, I can see why that would :)
Just to be clear, the Quick Unlock Code only applies when the app is suspended in the background (i.e. still in active memory). If the app gets closed, either manually from the multitasking tray or simply because iOS pushes it out of RAM, you'll be prompted for the Master Password all over again. Ditto for rebooting your device.
Right now the Auto Lock timeout also reverts to requiring the Master Password once it expires, although this is apparently not intended behaviour -- I'm told that it should revert to the Quick Unlock Code instead.
Bottom line is that I'm not sure exactly how the app stays "unlocked" but my [i]guess[/i] is that it's simply retaining the master-password-derived-key in RAM. Note that this would not be the [i]actual[/i] Master Password, but the decryption key [i]derived[/i] from the Master Password. Based on the way that iOS works this is pretty secure since it's virtually impossible to get at another app's active memory space unless you're on a jailbroken device (in which case all bets are off :) ).
I'm not one of the developers, of course, so this is merely an educated guess.
-
Thanks again. Hopefully Agile will confirm your educated guess.
-
[quote]Is the 1PW master password…stored in the iOS keychain? [/quote]
Nope. [url="http://forum.agilebits.com/index.php?/topic/11340-understanding-the-ios-keychain/"]As you know[/url], it was only ever stored (very securely) for Dropbox syncing, but even that is no longer the case.
jhollington strikes again. :)