Multiple passwords to unlock is unacceptable

Currently 1Password 8 requires the user to provide multiple passwords to unlock multiple accounts on the same machine. This is a radical departure from all previous versions where 1Password would allow you to provide one password.

AgileBits' response is because "the security team". Give us the choice, not the security team. Regardless of whether the security team and PMs investigated all the different use cases (which I suspect they did not), AgileBits does not know our risk preferences.

They do not know all our individual use cases or our risk preferences. Heck it may be individual per computer.

Not being able to unlock all accounts, at least as an option, is a deal breaker for myself and my companies. There is absolutely no purpose to 1Password offering free family accounts for business if you make it so difficult to use. I encourage all my users to set up their own account so they can store their secrets securely and be a good internet citizen - AND it's so easy, right? They open up 1Password with ONE Password, they can access their company secrets and their personal.

This is the sort of change that should come with a checkbox for the business admin side. Because it really depends on your risk tolerance. Some may see unlocking multiple accounts at once being a big risk, some may see the risk to be adding user friction. Neither is wrong. But... clearly it is possible to go both ways, so give the admins a choice.

Maybe the admins are concerned that the users have a shitty password on their personal account that would unlock the business world, thereby effectively getting around the business password requirements. Totally fair, make it so that the users must use the business account password, but also can unlock their personal/other accounts too. There are lots of ways to slice the solution that don't ruin user experience in the name of security theater.

The thing AgileBits seems to forget is that by making this change, you sort of need to rename your branding to something like PolyPassword, because it will require MANY passwords to use. The users will continue to use it for business because they have to (in theory, but users are just as likely to find a way around the problem) but they most certainly will not unlock it twice in a row just to get at their personal stuff too. That means either they'll stop using it for their personal stuff, or they will start storing that stuff in their business private vault - which will absolutely suck for them when they leave the company and lose access.

Also for users like myself that have access for a half dozen or more 1Password accounts, this is absolutely game breaking. It's my desktop computer, in my office, in my house, and I'm the admin of all the accounts. It's freaking secure. Don't tell me it's not secure enough that I have to enter 6 or 12 different passwords to access all the data I may need to access.

PS. TouchID doesn't help Windows.
PPS. The workaround suggestion is hilarious. Basically you're suggesting we use the same single password for multiple websites/services. The very horrific security issue that 1Password is supposed to solve, you are recommending as a fix.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
