Too much power in the hands of a family manager



  • I'm not sure I see the problem with private vaults in a setup like yours (and mine) where you (and I) provide tech support for elderly family members.

    I simply created additional non-private vaults which are intended for use as the main storage vaults for my family members and to which I can add myself when support is needed. Anything a family member wishes to store in their private I consider unsupported. If they run into a problem with a given private login and wish my help, they must first move the problem entry to their main, shareable vault where I can then access it and work with them to clear up the problem. Once that's done, they can either move the corrected entry from the shareable vault back to their private one, or (preferably) leave it in the shareable vault where it will be accessible by me when and if they need my help again. Works for my family, hope it does for yours as well.

  • rpaulson
    edited April 2021

    @williakz I'm not sure if I understand your point correctly. As a family manager you don't have access to the private vaults of other family members, so it makes sense that they have to move items to shared vaults if they want to ask you for technical support regarding specific items. But it doesn't stop you from just deleting the whole account of other members including all their private items, which is the main concern of this thread.

    In my opinion, it's quite obvious that the current solution is flawed, at least I cannot think of any pros that the huge amount of power in the hands of a family manager brings to the shared account, and – if I haven't misinterpreted any of the previous responses – all of the team members agreed with the expressed concerns.

    I would assume that the "Families Plan" is just a rebranded "Business account", at least from a technical perspective. In a business context the idea of "If you leave the company, you'll lose all your company-related passwords and sensitive data" makes much more sense, hence the admin should have more power than parents in the context of a family (or even a child if it's the tech-savvy person in the family who started the account).

    I would love to know what the ratio of family accounts to individual accounts is. As long as it's just a small fraction, and probably even a smaller fraction of family admins who are aware of that problem, there is not much incentive to implement these new features in the near future.

  • I suspect the 1Password Families product is primarily used by spouses (where each presumably carries FO status and should be capable of protecting their own interests in the event of relationship issues).

    After that, parent/child configurations with parent(s) in charge (single FO). I can see where parents might really have a problem with private vaults accessible ONLY by their minor children and children with the shared accounts accessible by all family members.

    Finally, parent/child configurations with child (tech support role) in charge (single FO). Again, since those performing tech support are presumably responsible individuals serving the interests of their family members, I don't really see where or why abuse in the nature you have described is likely here.

    It's really only the middle case, where parents and their minor children become estranged (teenagers!) that presents the problem scenario. I agree that 1Password should have a mechanism whereby young adults can spin off their erstwhile family account into individual accounts (and hopefully someday a family account of their own).

  • rpaulson
    edited April 2021

    @williakz I agree, that there are many different possible family structures we could think of (maybe even more than three), and that it would maybe make sense to implement a whole system with different roles and permissions (account owner, family organizer, adult, child, minor, etc.) than just the current binary solution (family organizer and family member). But then you are asking for additional features, and IMO we should be careful to not mix different topics here. To my understanding most people in this thread haven't been asking for more features but rather the solution of a fundamental flaw, the possible misuse of power, i.e. the deletion of whole accounts with all their included secret data.

    I think the rather straightforward solution of splitting off accounts instead of deleting them should be fixed before we start talking about additional features that could be built on top of the current account.

    Besides, I don't agree that it's just your middle case, where parents and their minor children become estranged, that presents the problem scenario. We can consider ourselves very lucky if we never experienced domestic violence within our families, but – sadly – it's a very real problem. I think we need a solution that prevents misuse by design, not one that is built on trust, especially in the context of passwords and private data.

    I can just speak for myself here:
    Do my parents trust me and are not worried that, in the current situation, I have the power of deleting their accounts? Yes.
    Do I want to have the power to delete their accounts and by doing so preventing them from accessing their online banking (even though it's just temporary as they could reach out to their bank)? Most certainly not.

  • All good points, and well taken. Hopefully, some of this is sinking in with the folks setting direction for 1Password product development. My concern is that the main effort will be devoted to high-revenue business products rather than perfecting lower return individual and family products.

  • rpaulson
    edited April 2021

    All good points, and well taken.

    Thanks for the positive feedback. In anonymous discussions on the internet there's always the risk that debates go the other way and get very heated-up =)

    I share your concern, I guess a few family organizers with their concerns are not on the top end of the priority list... but I can't blame 1Password, I'd probably set priorities similarly, in the end it's important to generate income if you want to survive in a competitive market.

    Fingers crossed that the dev team will find a few free hours/days to solve the issue eventually.

  • The good news is that, as I understand it, 1Password Families is supplied gratis along with the business product. Thus, employees "forced" to use the business product will likely discover significant benefit in using the Family product for their personal secure information needs. Some significant portion of them will, upon leaving that employer, choose to continue to use (and pay for) 1Password Families. Between current and former employees using the Family product, hopefully the user base for the 1Password Families is large and growing, thereby increasing the odds of successfully claiming development resources to effect some of the improvements we've been discussing here.

  • Ben AWS Team

    Team Member

    Indeed; 1Password Business includes a 1Password Families membership for each Team Member.

    Get a free 1Password Families membership when you use 1Password Business

    As a point of brainstorming: perhaps offering a similar thing whereby 1Password Families members could have a separate individual membership would be a workable solution. I don't claim to know how feasible that would be to implement, but I think perhaps it would alleviate some of the concerns raised here. On the other hand... it seems like a fairly complex solution to implement when working with less technically inclined folks. I wonder how many would actually take advantage of this.


  • I guess the difficulty for 1Password is that they are taking a scheme designed for teams and adapting it to families. A team manager needs to have the right to delete a team member's account, including their private vault, because the contents of that account are company assets. The same is not true of families.

    Would it be possible to have a half-way house whereby an individual's account is frozen after being removed from the family? It would still be part of the family in terms of key management, but the individual would not have access to shared vaults. Ideally they would still be able to ask the family organiser to recover the account and regain full access, but this is not essential.

  • ag_ana 1Password Alumni

    I think that a solution involving separate individual accounts, whether frozen or not, would indeed be a nice one. As Ben said, we don't know how feasible this would be, but it's certainly a direction we can investigate :+1:

  • Is there a solution yet to this problem of the owner being able to delete the accounts of all the family members?

  • AGAlumB 1Password Alumni

    You can start your own family (or individual account) at any time. For the same reason I don't live with my parents anymore, I also have my own 1Password membership. I still have an account as part of theirs in order to be able to share some things with them, but I depend on 1Password for my own personal use as well so it's worth it for me to pay for my own account that can't get wiped out if something happens to them or they make a mistake -- same with work. While I understand and appreciate where folks are coming from here, at the same time it's only fair and reasonable that the person paying for the membership has control over who else is in it.

    edited June 2021

    @brenty I agree that the person who pays should be able to decide who is part of their subscription but they should only be able to remove members, not delete their account. These are two very different things which should be treated as such. To me hinging it all on one or more organizer accounts is a clear security flaw both on a social trust level (as mentioned in earlier posts) as well as on a technical level. I get that this is the current implementation and that it might not be easy to change it but it doesn't give me much hope without hearing from you guys that there is at least a plan to fix this.

  • While I understand and appreciate where folks are coming from here, at the same time it's only fair and reasonable that the person paying for the membership has control over who else is in it.

    Everyone here will probably agree with you @brenty that the person paying for the membership should be able to add and remove members – I most certainly do. But that's not the point here. As @MONKi1P pointed out again, it's a big design flaw that the FO is able to delete entire accounts with all personal information.

  • I haven't read this whole thread, but I would just like to chime in as a dissenting opinion here. I would actually like to be able to prevent my child from creating passwords in their own private vault where I can't see them. (It would be great for me to be able to delete that vault entirely, tbh.) This is not a trust issue, it's a UX issue. They tell me they've created an account already, I don't see it. I go and look at their 1Password account, and they have, it's just in the wrong vault.

  • @grid the solution I have for seeing everything from someone is either to have their 1Password login info and be logged in with their account in addition to my own or alternatively you can change their default vault to one that is shared with you and untapped the private vault so it's not showing any content for that user. Of course you cannot lock it to stay this way. Your kid(s) can always change this setting if they want to. I don't see the benefit of being able to delete their account unless you want them to lose access to everything and you potentially as well if you don't have access to it and you didn't save out all the content.

  • AGAlumB 1Password Alumni

    @grid: People you invite as guests get access to a single vault you explicitly share with them. It sounds like that may be the way to go in your case.

  • AGAlumB 1Password Alumni
    edited June 2021

    @MONKi1P, @rpaulson: The account is part of the membership. It isn't possible to "remove" it without deleting/destroying it. That's why multiple membership types/accounts exist at all. They each have their own cryptographic keys. The only way for families/teams to be able to access shared data is by setting up shared keys as part of account creation. You can't have it both ways. Making an account be able to function on its own means that it cannot share with others, and an account that is part of a membership would be completely broken if it was "removed" from it. Are there ways of doing it differently, that may allow for more flexibility? Sure, but at the cost of additional complexity, potential bugs, and edge cases, all of which are unnecessarily risky. This security model was carefully considered from the start and has been hammered on for the better part of a decade by us, external auditors, and independent researchers.

    What you're asking for is really just a separate account, and those already exist, either in the form of an individual membership, or a separate family/team membership, which puts you in control. And you still have the option of setting up other accounts as part of someone else's membership if you want to be able to share with them. Keeping your own personal data in an account which you control eliminates the risks you're concerned about, and that is already possible. I get that you'd prefer it if the reality was different, and 1Password worked more like other services that don't need/want to go to these lengths for security, but that's not something we're willing to compromise on, especially when anyone has the ability to sign up for their own account to have complete control over their own stuff. If that's really the goal, it's already very achievable.

  • rpaulson
    edited August 2021


    What you're asking for is really just a separate account, and those already exist, either in the form...

    IMO you are giving a pretty detailed explanation why group accounts with shared vaults only make sense in the context of team or family plans, which totally makes sense as long as the account is part of the plan. But IMO the point of the whole conversation here is that the FO has the power to delete an account (this is not the problem, of course they should be able to remove team members and they should lose access to shared vaults) INCLUDING the person's private vault (that's the real problem). So you're absolutely right, I guess most here are just asking for a separate account in the moment a team member is removed from the family plan. The removed member should have the option to move their private vault into a separate account. Is it not possible to move the private vault into a separate account and to still access it with the person's master password and secret key?

  • rpaulson
    edited August 2021

    @brenty Actually, I had a closer look at the Whitepaper again, and now, I think, I don't really understand your point of the first paragraph.

    As far as I understand the Whitepaper the sequence of encryption/decryption looks like this:

    1. vault key: used to decrypt/encrypt vault items (AES 256) (unknown to 1Password, so they cannot grant access to new members)
    2. private key (group or recovery group): used to decrypt vault key < public key (group or recovery group): used to encrypt vault key
    3. private key (user): used to decrypt private group key < public key (user): used to encrypt private group key
    4. key encryption key KEK / master unlock key MUK: used to decrypt/encrypt private key of user
    5. MUK is derived from: master password + secret key (principle of two-secret key derivation 2SKD)

    So, if I haven't missed anything important, everything but the second step is the same for an individual user's account and a team's or family’s account. By introducing a group key set (public and private key) it is possible to create vaults that can be shared, but the actual vault is still just encrypted with a single vault key. Also, every vault created in the context of a teams or families plan is shared with the recovery group, even the private vaults, which is important to be able to recover private vaults as well as all vault keys are unknown to 1Password. This means that from a cryptographic point of view all members of the recovery group have access to all private vaults, the only protection of preventing this is by enforcing a server policy of who is granted access. This also means that a member that is removed from a group, from a cryptographic point of view, still has access to all previously shared data that is still on his local machine. Here as well, access has to be controlled by the server.

    From my basic understanding of this encryption scheme splitting off a user shouldn't be that hard:
    The user can keep his account (master password + secret key > master unlock key > user key set) as no other member, a FO or another Admin, ever had access to this information. The client and the server only have to create a new vault (that won't be shared with the previous recovery group) and move all items from the old private vault (that is still "accessible" by the recovery group). The actual user shouldn't see any of these steps. After entering the master password and after receiving a notification like "Hey, unfortunately you have been removed from the team, would you like to move forward with your own account?", the client application should have all the necessary information to communicate and to perform these steps together with the server.

    Please tell me if I'm missing anything here...
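
The wrapping chain listed in the post above can be modelled as a graph in which an edge means "the holder of this key can decrypt that key". This is an added example, not part of the original post and not 1Password's code; the user names, key labels and the `split_off` behaviour are assumptions that follow the poster's description.

```python
# Constructed model of the key hierarchy as the post describes it.
# All names (alice, bob, "recovery", vault labels) are illustrative assumptions.
from collections import defaultdict

class KeyGraph:
    """Edge A -> B means: whoever holds key A can decrypt (unwrap) key B."""
    def __init__(self):
        self.unwraps = defaultdict(set)

    def wrap(self, target, with_key):
        # Record that a copy of `target` is stored encrypted to `with_key`.
        self.unwraps[with_key].add(target)

    def reachable(self, start):
        # Every key obtainable by repeated unwrapping, starting from `start`.
        seen, stack = set(), [start]
        while stack:
            key = stack.pop()
            if key not in seen:
                seen.add(key)
                stack.extend(self.unwraps[key])
        return seen

def build_family():
    g = KeyGraph()
    for user in ("alice", "bob"):
        g.wrap(f"userkey:{user}", with_key=f"muk:{user}")        # steps 4-5
        g.wrap(f"vault:{user}-private", with_key=f"userkey:{user}")
        # Per the post: private vaults are also shared with the recovery group.
        g.wrap(f"vault:{user}-private", with_key="groupkey:recovery")
    g.wrap("groupkey:recovery", with_key="userkey:alice")        # alice = organizer
    g.wrap("vault:shared", with_key="userkey:alice")
    g.wrap("vault:shared", with_key="userkey:bob")
    return g

def vaults(g, user):
    """Vault keys the user can reach cryptographically, ignoring server policy."""
    return sorted(k for k in g.reachable(f"muk:{user}") if k.startswith("vault:"))

def split_off(g, user):
    """Split proposed in the post: items move to a new vault whose key is
    wrapped only to the user's own key, never to the old recovery group."""
    new_vault = f"vault:{user}-standalone"
    # Assumption: the server drops the user's old wrapped copies after the move.
    g.unwraps[f"userkey:{user}"] = {new_vault}
    return new_vault

if __name__ == "__main__":
    g = build_family()
    print("alice before:", vaults(g, "alice"))
    print("bob before:  ", vaults(g, "bob"))
    split_off(g, "bob")
    print("alice after: ", vaults(g, "alice"))
    print("bob after:   ", vaults(g, "bob"))
```

In this model the organizer reaches `vault:bob-private` only through the recovery group key, which matches the post's point that server policy, not cryptography, is what keeps that vault private.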

  • Very interesting discussion and quite useful in helping to understand the nuts and bolts of crypto. I look forward to hearing from the 1Password folks regarding @rpaulson's latest comment.

  • Hey everyone, any updates on this issue? I'm getting even more concerned as 1Password 8 won't support local vaults anymore. So family members won't be able to create local backups of their cloud data to prevent total data loss in the case that their account will be deleted, accidentally or on purpose.

This discussion has been closed.