About a 1passwd bug?

2016-09-07 00:21:31 +08:00
 lovelinghan

With nothing better to do, I realised my 1passwd master password hadn't been changed in several years and suddenly felt like changing it.
Background:
1. mac os ver: 10.11.6; the phone is a 6s on ios 9.3.5
2. 1passwd is the latest App Store version on both
3. Sync between the mac and the iphone uses icloud
4. The problem reproduces after multiple reboots of the phone/computer
Process:
1. Changed the Master passwd on the mac and waited for it to finish syncing
2. On ios, entered 1passwd with the old password, waited for it to finish syncing, then added a new login item with a random username and password
3. The magical part: the mac synced it!!!!!
The mac's current state: it can only be unlocked with the new password; the old password no longer works.
The iphone can still be unlocked with the old password, and the data it added is visible on the mac.
Data added on either side syncs to the other!! Why? Isn't this supposed to be based on AES encryption/decryption???????
Why is this?
The official site says this:
If you use 1Password on multiple devices, you may need to change your Master Password separately on each of them.
Waiting for 1pw's reply

2340 views
Node: Apple
14 replies
lovelinghan
2016-09-07 00:31:40 +08:00
update:
Changing the master passwd on the phone takes effect on the mac immediately
As long as you don't enter the new password on the iphone, you can still unlock it with the old password and then sync data
I don't understand why.
The master passwds are different now, so why can I still add data? And it even syncs perfectly fine
Please burst my bubble!!! I don't want my faith destroyed!!! Tell me I'm just an isolated case!!!
wclebb
2016-09-07 00:42:00 +08:00
I've run into this too, and I don't understand it either.
I feel like after a few changes I found the master passwords differed, yet syncing still worked. Sometimes I wonder whether the iOS device simply has two passwords, which would already be very secure. I also wonder whether the master password is bound to the vault on the current device, so different devices have different master passwords.

Of course, the fact that iOS can keep opening the vault indefinitely with the old password because of the failed sync is also a frustrating hidden risk.
lovelinghan
2016-09-07 00:59:53 +08:00
The fact is we don't encrypt your data using your Master Password. Counterintuitive I know but instead what we do is we create a bunch of very long keys. We use each key to encrypt some of your data and their length is partly where the strength behind the system is. Of course we still need a way for you to access your data so what happens is these encryption keys are kept in a small file and we encrypt that file with your Master Password.

So when you type in your Master Password you're actually just unlocking one small file and then we use the contents to retrieve your actual data.

We do have a bug though that if you have a sync in place that a Master Password change isn't being picked up by all devices and that the old Master Password can continue to work. The reason that is possible is because again, the very long encryption keys don't change when you change the Master Password. So if a device for whatever reason doesn't think the encryption key file has changed it will continue to use the locally stored copy of that file which of course, because the keys inside don't change, will still work.
cxbig
2016-09-07 04:53:51 +08:00
If you don't keep the vault on iCloud or any other network storage, and sync the MacBook, iPhone and iPad over Wi-Fi, this problem doesn't seem to show up.
Errpt
2016-09-07 08:28:16 +08:00
Agree with the above; wifi sync is the safest.
Autonomous
2016-09-07 09:07:05 +08:00
How about this?
First turn off all syncing and clear the vault on the phone.
Change the master password on the computer, then turn syncing back on
ihubert
2016-09-07 09:29:37 +08:00
1password has switched to a subscription model now, not fun...
eddiechen
2016-09-07 11:08:17 +08:00
@lovelinghan Going by that reply, the vault isn't encrypted directly with the master password but with something else. That still doesn't add up, though: the master password has changed, so how can that small file still be opened, unless multiple copies of the small file are allowed, one for the old password and one for the new? That seems quite likely...
chztv
2016-09-07 11:22:45 +08:00
The subscription model does have its advantages; at least the OP's master password bug would go away.
lingaoyi
2016-09-07 11:25:59 +08:00
Suppose it gets stolen.... password updates can still be seen as before?
lovelinghan
2016-09-07 12:03:19 +08:00
@eddiechen Take a look at this

Your data is encrypted with a randomly chosen encryption key when you first set up your 1Password data for the first time - this is your "master key". Your master key is what gets encrypted with your Master Password. When you change your Master Password, you are changing how the master key is encrypted. You are not actually changing the master key. There are good reasons for designing things this way. You will find that other high security systems, such as PGP, SSH, SSL certificates, and disk encryption systems all work the same way. A random key is generated when the user first sets things up, and then their passphrase is used to encrypt that key.

1Password does not use the sync format directly for its regular operations; instead it uses a local data format (encrypted SQLite database) that is optimized for quick searches and so on. 1Password does "import" and "export" changes to and from this local format to your agilekeychain, opvault, Cloud Keychain, or CloudKit database. The local and sync formats will use different parameters for encrypting the master key that are best suited for their different environments. So the encrypted key can't simply be moved from one to the other.

When you change your Master Password, it will make the change in your local SQLite database, and also in the sync format. It can do this only when your data is unlocked because it needs to re-encrypt your master key with the new Master Password. Roughly speaking, "being unlocked" means that 1Password has your decrypted master key in its memory. The sync format will then have its master key encrypted with the new Master Password. That will spread to other systems that you sync with via iCloud or Dropbox sync. In some rare cases, 1Password may not have "imported" the Master Password change from the sync format into the local format. So what we are seeing if the Master Password doesn't sync after you changed your Master Password on one device is that the local format is keeping the master key encrypted with the old Master Password on another device. 1Password is still able to read and write changes to the sync format because it is able to decrypt the master key (from the local format), even though it isn't able to decrypt the master key in the sync format.

So, since your new Master Password did not sync automatically, simply changing your master password manually on all devices to match should fix the issue.
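Added example (not code from this thread or from 1Password): a simplified model of the key-wrapping design the quoted support reply describes. It shows that changing the Master Password only re-wraps the same random master key, so a device that kept the old key file (the iPhone in the OP's case) still unlocks with the old password and exchanges readable items with a device on the new one. PBKDF2 and an HMAC-SHA256 counter-mode stream cipher are assumed stand-ins for 1Password's real KDF and AES.

```python
import hashlib, hmac, secrets

def _kdf(master_password: str, salt: bytes) -> bytes:
    # Wrapping key derived from the Master Password (PBKDF2 stands in for the real KDF).
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 50_000, 32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; a stand-in for AES, not 1Password's actual cipher.
    out = b""
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), "sha256").digest()
        ctr += 1
    return out[:length]

def _seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: nonce || ciphertext || tag
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def _open(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or corrupted blob")  # a wrong Master Password lands here
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def wrap_master_key(master_key: bytes, master_password: str) -> dict:
    # The "small file": the master key encrypted under a key derived from the Master Password.
    salt = secrets.token_bytes(16)
    return {"salt": salt, "wrapped": _seal(_kdf(master_password, salt), master_key)}

def create_vault(master_password: str):
    master_key = secrets.token_bytes(32)  # random, chosen once, never changes
    return master_key, wrap_master_key(master_key, master_password)
def unlock(keyfile: dict, master_password: str) -> bytes:
    return _open(_kdf(master_password, keyfile["salt"]), keyfile["wrapped"])
def change_master_password(keyfile: dict, old: str, new: str) -> dict:
    # Re-wraps the same master key; nothing encrypted under it needs rewriting.
    return wrap_master_key(unlock(keyfile, old), new)

def stale_device_scenario():
    # Constructed scenario: the Mac changes the password, the iPhone keeps the v1 key file.
    master_key, keyfile_v1 = create_vault("old-pass")
    keyfile_v2 = change_master_password(keyfile_v1, "old-pass", "new-pass")
    mac_key = unlock(keyfile_v2, "new-pass")
    iphone_key = unlock(keyfile_v1, "old-pass")  # old password still opens the stale copy
    item = _seal(iphone_key, b"login added on iPhone")
    return mac_key == iphone_key == master_key, _open(mac_key, item)
```

The defensive takeaway matches the support reply: until every device has re-wrapped its local copy under the new password, the old password remains a valid unlock path on that device.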
lovelinghan
2016-09-07 12:05:57 +08:00
@lingaoyi Yes, anyone who knows your old master passwd can see all the data
Big precondition: the changed master passwd has never been entered on the local ios device; once it has been entered, the old master passwd stops working
lovelinghan
2016-09-07 12:18:54 +08:00
the old Master Password will still be accepted until the new one is entered
eddiechen
2016-09-07 14:37:55 +08:00
@lovelinghan This design is a bit of a pain: you have to manually enter the new password on the iPhone before the old one stops working. I don't know what reasoning the vendor based this on, but it's definitely a hole

https://www.v2ex.com/t/304436
