Changing Master Password need to be more intuitive

jmjm:

https://support.1password.com/change-master-password/#if-the-first-vault-you-added-is-in-a-1password-account, but I agree that we can make the process more intuitive :+1:

but there's not much we can do if someone forgets their account password for an individual membership.

I guess I didnt explain it well enough. The title of the thread is appropriate. That is how is one to know in advance that one needs the 'older'/previous MP even after changing it?

Hey jmjm! In this case, writing the password down (or recording it securely somehow, your specifics may vary) is definitely a good idea. There are a lot of ways we try to make 1Password as "safe to use" as possible - meaning that your data is protected, intact, and available when you need it - but there's not much we can do if someone forgets their account password for an individual membership.

What makes that password useful is 1) its mathematical strength (longer password is better!) and 2) the fact that no one but you knows it, which makes life way harder for an attacker.

In short, we don't know your password, don't have access to it, and we don't want to! We feel this creates a much better situation for your security and privacy overall, but you're correct that it can become an issue in the scenario you've described.

jmjm - If you are afraid that you are going to forget your old master password before you can log in to 1Password with it to "activate" the new MP, then you probably should write it down. Once you log in with it, the new MP becomes active and the old MP can no longer be compromised even if it is written down (make certain you have updated ALL devices with the new MP).

and so on. It follows then that it can't discover the validity of your new Master Password until you've entered your old one.

I bet I am missing something simple but what happens if one forgets the "old one" ie the previous MP, before using it to log into 1P for Windows?

No problem @MrMoerby, I'm glad Peter's explanation was helpful! :smile:

Thanks again for providing this feedback.

Thanks for the detailed response Peter (and for forwarding my suggestion)!

It's nice to know the technical reason why the Windows app functions the way it does. Makes a bit more sense now.

Hi @MrMoerby, first I'd like to apologize for the frustration of this experience. On the other hand, it's great that you were able to log back in! Congrats on that aspect.

Your point about the login UI providing some kind of prompt that could help a person in this situation is well-taken. I have just passed your suggestion on to our developers. 👍

To explain a little of why this happened: the 1Password for Windows is a "true lock" app, meaning that when you are not logged into the app, it is entirely closed to the outside world; completely incommunicado. This design partly arises from how Windows itself handles security (which is why the app responds differently to Master Password changes on other platforms).

The upshot is that on Windows, 1Password doesn't know anything about anything until you unlock it, which gives it a chance to correspond with our servers, find out about updates, sync any new items you've created on another device, and so on. It follows then that it can't discover the validity of your new Master Password until you've entered your old one.

I recognize that this can create an issue, as it did for you, when this is not clear to the person at the keyboard. It's for that reason that we appreciate your suggestion here, and the opportunity to do it better. Thanks for letting us know.