To use an analogy, we only remake the lock for your account when you change your password, and its the lock that gets sent to your other devices. You have the only copy of the master key to unlock the locks with. Here's a more detailed answer:
IT ALL STARTS WHEN YOU FIRST CREATE YOUR PASSWORD
SpiderOak One and Groups derive an outer level key from your password, using the PBKDF2 algorithm. That outer layer encryption key is then used to encrypt the other nested encryption keys, which are in turn used to encrypt your data, making your password a master key. Those encrypted keys get uploaded to our servers, and propagate from there - the keys we have are highly encrypted, and can only be unlocked by the 'master key,’ which is your password.
YOUR KEYS ARE STORED IN AN ENCRYPTED FORMAT
So while we don't keep plaintext versions of your keys, we have a securely encrypted copy of the outer level keys/account details, and that is what propagates to the other devices.
The password you input in the device unlocks the account details, because it's keyed to the password. Putting the wrong password in won't unlock the account details.
SO WE CREATE A NEW LOCK, INSTEAD OF A KEY
So when you change your password, SpiderOak One and Groups work on re-encrypting the account details and the outer layer the nested encryption keys, and it's those that propagate between your devices.
The password itself we don't know and we will never know, it's just the key that's used to unlock the manifest which does get sent to your other devices via our servers.