Is there a way, as the admin (account owner/manager) to see/edit/manage user passwords/logins?

I would really like the ability as admin to see the terrible passwords my users are creating and change them, or at least be able to use them myself if I need to log in to a service we're using.



Comments

  • ag_ana

    Team Member

    Hi @counteragent!

    This is possible in shared vaults, if you are a member of them. You will not be able to see other users' Private vaults however (the same way other users cannot see what you store inside your own Private vault).

  • What happens if an employee quits, how do I gain access to their private logins? These are services I'm paying for and would need the logins to revert to an admin account at the very least.

  • ag_max

    Team Member
    edited February 8

    @counteragent

    If a team member is in the process of leaving an organization, we recommend that an administrator work with them to offboard any important company passwords and data to a shared vault, so that any passwords can be changed after the user departs and loses access to their account. You can find a relevant article covering that process below:

    Offboard a team member

    This doesn't address the exact scenario where a user has already left the organization, however. I'd be happy to pass on your feedback to our team for consideration. I can envision certain instances where an employee may have access to sensitive data before leaving, making it difficult for administrators to retrieve or make the necessary changes to these credentials. While I cannot promise any changes will be made in this area, due to the security and privacy design surrounding the Private vault, I'll let our team know there's some interest.

  • Thanks for the information. I'll read over it.

    It would be great if it was always a known and amicable departure. Unfortunately, we've had some bad experiences in the past with employees either straight up leaving without notice or just not on the best terms. It would be great to have some way to recover data from these private accounts in such circumstances.

  • edited February 9

    This is a bad idea, in fact it would be enough to have us close our 1password account if implemented. Your concern can be mitigated by being proactive if need be and ask "hey bob, that cloudflare account you set up for the company, is that in shared-vault?", "bob, you registered subdivision-acme.com, are the details in domain reg vault?". And can also suggest that company related accounts are in at least one shared vault, where the SaaS or otherwise isn't multi-user, in multi-user scenario as an admin of the SaaS product etc. you can usually just reset or assume their rights/data.

    We have a teams account, and as part of our onboarding we actively try to encourage the use of a password manager, this needs to be baked in, we first scare them by asking for their last personal email addresses and showing them haveibeenpwned.com, we then explain the private vault is completely private - so you can stick what you need in there personally, **we usually set up a shared vault with only them in it too and advise that is company accounts**, but the aim is to get unique secure passwords as first nature and if that means pushing on personal front first then so be it. We are not anal about Bob checked facebook for 2 minutes, or logged on to meetup.com for a pub crawl etc. we'd rather have him adopt strong passwords for them too (research shows an employee's personal account can be used as a social engineering vector for company attacks too).

    @ag_max, please advise if this discussion goes anywhere as we'd opt out completely if this was implemented/tested

  • ag_max

    Team Member

    @sitepodmatt

    Thanks for sharing your detailed feedback about how you onboard your users into 1Password in your organization. There's certainly some area for improvement when it comes to offboarding users and ensuring shared company data can be safely transferred to a shared vault so that credentials can be updated. With that in mind, our development team always puts security and privacy above convenience, and this has shaped decision making in 1Password since the beginning. We appreciate all constructive feedback and use it to improve 1Password for all users, so thank you again for taking the time to share yours.

    Let me know if there is anything else I can help with.

  • The thing is, with these team/business 1password accounts, the private vault for each user shouldn't be their personal vault. It's merely private in that they are the user that creates and logs in via those private vault logins. It only makes sense for the business paying for those accounts (again not personal accounts, business) that we should have ultimate access to them. This could even be something as an account owner you could enable or disable and make clear to each user that this is the case.

    Unfortunately, not everyone works for a tech (or adjacent) company and has employees that understand how to follow simple technical instructions. This is very similar to company email, in that we as a company have a right to know how it's being used. The current shared vault implementation is fine for some things, however, we would have to create far too many shared vaults to be so specific to just one or two employees that it would make managing too time consuming.

  • ag_joshua

    Team Member

    Hi @counteragent! Apologies for our delay in getting back to you. Let's dive back in. :smile:

    > The thing is, with these team/business 1password accounts, the private vault for each user shouldn't be their personal vault.

    The Private vault provided for each regular user within a team or business account is intended to be for their individual work-related data. In a typical work environment, we'd recommend that any owners or administrators within a team or business account work directly with their teams to explain the purpose of these Private vaults, along with reaching out to any individual team members directly if there's ever a need to review the contents of their Private vault. It's best to clearly define the purpose of Private vaults internally within your team to ensure they're aware of how they should be used.

    > This could even be something as an account owner you could enable or disable and make clear to each user that this is the case.

    We have received requests from other team and business customers asking for the ability to disable Private vaults, so I'll make sure that your request for this gets added to our internal tracker. :+1:

    Thanks again for sharing your thoughts and feedback! We really do value these kinds of discussions and input, as it gives us really valuable insight into how 1Password is used differently across various kinds of teams.

    ref: internal/business-roadmap#6
    ref: internal/business-roadmap#75
