Very confused about Archive and Recently Deleted, when adding a new member

truist
edited September 6 in Memberships

My wife and I have had a Family 1password account for years, and we used the "Shared" vault extensively to share records with each other. Now I'm trying to add my son as a new account on our family, but I don't want him to have access to all those shared records. I set up a new "Parents" vault and moved everything from Shared into it, but now Shared still has stuff in the "Archive" and in "Recently Deleted" on the website. Will my son have access to those? How do I get rid of them entirely?!?

I'm on a Mac and was using the latest 7.x version, and I've just tried the 8 beta. It's interesting that the 8 beta makes the archive more visible, but now I can't tell which things were from which vault. It also still seems to be the case that the Recently Deleted is only on the website?


1Password Version: 8
Extension Version: Not Provided
OS Version: macOS 11.5

Comments

  • It turns out that he was able to see the Recently Deleted items on the website, so I was forced to delete the vault entirely to hide them. (Or one-by-one destroy each item, and there were dozens or hundreds of them, so no way.) 1password folks, I get that you think this feature is important and secure (i.e. I should trust you with my passwords), but it isn't secure from the "shared vaults" POV, and it's a very hidden insecurity. If I hadn't thought to check this all carefully, my son would have had access to all sorts of secrets that he never should have had - including my "what to do if I die" letter for my wife. In your zeal to protect users from themselves, you're also taking control away from them, and that's a huge UX no-no - and it has real consequences.

  • I'm essentially cross-posting my question and discoveries from over in the "Browser" section, because I think it's important for families to know about this.

    The gist is that if you add a child to your 1password account, that child will have access to the Shared vault. In my case, my wife and I had been using that vault for years to share stuff with each other. So I naturally moved all those things to a new "Parents" vault. But it turns out all those things remain available via 1password.com, in the "Recently Deleted" section. If I hadn't investigated that carefully, I would have totally-unknowingly left all those records visible to my son, including my "what to do if I die" letter to my wife with all sorts of personal details.

    Then, even though I had discovered this major flaw in 1password's security model, there's still no way to delete all those Recently Deleted records, except one-by-one in a cumbersome UI. I ended up deleting the entire Shared vault, and I'm honestly still not certain the secrets aren't visible to him in some other hidden location.

    So - heads up!

    Here's the post where I was discovering these things: https://1password.community/discussion/123260/very-confused-about-archive-and-recently-deleted-when-adding-a-new-member#latest


    1Password Version: Not Provided
    Extension Version: Not Provided
    OS Version: Not Provided

  • ag_yaron

    Team Member
    edited September 6

    Hey @truist,
    Your messages were merged into one single discussion here.

    Thanks for taking the time to write to us about this, and my apologies for the confusion.
    You can easily remove a family member from a shared vault so they'll have no access to it at all as follows:

    1. Log into your 1Password account via our website (https://my.1password.com)
    2. When you log in, you'll see all of your vaults there. Click the grey gear icon under the shared vault.
    3. Change the permissions and access there to any and all family members as you see fit.

    If you remove a family member from a vault, they will no longer see that vault and won't have access to anything in it, including the deleted/archived section.
    You might also find this article helpful: https://support.1password.com/create-share-vaults/

  • Tertius3
    edited September 6

    What @ag_yaron is missing in his answer is the fact that access to the default vault called "Shared" in a family account cannot be restricted. Every family member is always able to read and modify and delete and undelete every entry. This is hardcoded behavior for the "Shared" vault only. Other shared vaults you create can be restricted.

    So you did the right thing by moving all items to a new vault and restricting access for this vault.

    But as far as I observed, moving an item to a different vault is internally handled like copy the item to the new vault and delete the original from the old vault. Deleting an entry this way seems exactly the same as if you pressed the delete key: it's archived. And if you really delete it, it's still there for undeleting. To finally remove deleted entries, you need to go to the 1Password website, open the "recently deleted items" at the bottom left corner, and click "destroy" for every item. As far as I see it, after "destroy" an item is finally gone and not visible or restorable by anyone any more. So you need to do this to finally complete the move operation.

  • oof. Glad I read this. 1Password folks I'm on board with the OP. If there are no plans to change the behaviour then at least make it super obvious what's going on.

  • ag_ana

    Team Member

    @Tertius3:

    But as far as I observed, moving an item to a different vault is internally handled like copy the item to the new vault and delete the original from the old vault.

    That is correct :+1:

    As far as I see it, after "destroy" an item is finally gone and not visible or restorable by anyone any more.

    That is also correct: if you remove an item also from the item history list, it won't be recoverable anymore :+1:

  • To the two 1password people who replied - thank you for replying, but you're missing the point. I know the software is designed to work this way, and that's the problem - this design is very likely to expose secrets to people who shouldn't have them, and that's the opposite of what a password manager is supposed to do. Please share this feedback with your product managers.

    Here's the general case:

    1. A group of people share passwords in a vault
    2. A new person comes along and needs access to some of the passwords, but shouldn't have access to all of them
    3. The admin "moves" the more-restricted passwords to a new vault and adds the existing users to the new vault
    4. The admin adds the new user to the old vault, totally expecting that the new user won't have access to the more-restricted passwords
    5. The new user logs onto 1password.com and views the more-restricted passwords in the "Recently Deleted" UI

    This is completely hidden and counter-intuitive and insecure.
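
The general case above, as an added example that is not part of the original posts and is not 1Password code: a simplified Python model of the behaviour described in this thread (move = copy plus soft delete, vault membership covers every item state), with a pre-grant audit that refuses to add a member while soft-deleted items remain. The `Vault` class, all function names, user names and item titles are constructed for illustration.

```python
from dataclasses import dataclass, field

ACTIVE, ARCHIVED, DELETED = "active", "archived", "recently_deleted"

@dataclass
class Vault:
    name: str
    members: set = field(default_factory=set)
    items: dict = field(default_factory=dict)   # title -> state

def move(src, dst, title):
    """Move as described in the thread: copy to dst, soft-delete in src."""
    dst.items[title] = ACTIVE
    src.items[title] = DELETED      # the original stays restorable in src

def destroy(vault, title):
    """Permanent removal; only this takes the item out of the vault."""
    vault.items.pop(title, None)

def readable_by(vault, user):
    """Vault membership grants every item state, not just active items."""
    return sorted(vault.items) if user in vault.members else []

def residue(vault):
    """Items still held in Archive or Recently Deleted."""
    return sorted(t for t, s in vault.items.items() if s != ACTIVE)

def add_member_checked(vault, user):
    """Pre-grant audit: refuse while soft-deleted items remain."""
    left = residue(vault)
    if left:
        raise PermissionError(f"{vault.name} still holds: {left}")
    vault.members.add(user)

def demo():
    # Constructed sample data: two existing members, three shared items.
    shared = Vault("Shared", {"parent_a", "parent_b"},
                   {"bank login": ACTIVE, "estate letter": ACTIVE, "wifi": ACTIVE})
    parents = Vault("Parents", {"parent_a", "parent_b"})
    for title in ("bank login", "estate letter"):
        move(shared, parents, title)          # step 3 of the general case
    shared.members.add("child")               # step 4, no audit
    exposed = readable_by(shared, "child")    # step 5: moved items still listed
    shared.members.discard("child")
    for title in residue(shared):             # per-item "destroy" clean-up
        destroy(shared, title)
    add_member_checked(shared, "child")       # audit passes only after destroy
    return exposed, readable_by(shared, "child"), readable_by(parents, "child")
```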

  • ag_ana

    Team Member

    Thank you again for the feedback @truist! I know our developers have been discussing what the correct move/copy/delete behavior should be, so I am sure they will find your perspective useful as they consider this :+1:
