Is it wise for a technophobe to be a family account organizer?

Bronwen224466
Community Member
edited October 2022 in Memberships

I have used 1Password for several years. I just converted to a family plan to add my husband, who I had to drag kicking and screaming, to use a password manager. It is only the 2 of us in the plan. I would like to make him an organizer so that we have the added safety of him being able to help me regain access should I lose it, but I worry that he could accidentally mess something up if he is an organizer. He would not intentionally do so, but he is not savvy with password managers. I am unclear on exactly what he would have access to, and what he could conceivably do to our data, without intending to. As an organizer, would he have access to my private vault? I'm thinking not, because I can't see his, (but I don't know if that is because I don't know how to access it). If someone hacked his master password, would that mean they could access my vaults too? And yes, we do have second factor authentication set up, but suppose we didn't for that last question, or suppose that the hacker somehow circumvented the second factor. If using a "memorable" password consisting of words for the master password, how many words minimum would you advise?
Thank you very much in advance for your answers.


1Password Version: 8.9.6
Extension Version: Not Provided
OS Version: iOS 16.1
Browser: Safari

Comments

  • Tertius3
    Community Member
    edited November 2022

    Don't give a computer illiterate person admin access to a vital database such as your passwords. Your data is at risk with this, because the person could accidentally delete everything without even knowing it. Especially in an emergency situation, such people start clicking everything without understanding, trying everything (including delete/remove functions), and clicking away every warning without understanding it.

    In your case, it is not only his data that is at risk, it is your own data as well. Even if the private vaults are not shared (you cannot see his and he cannot see yours, that's by design), deleting your account accidentally from the family account will permanently remove your private vault as well without a chance for recovery (that's a flaw in 1Password).

    I recommend you print the emergency kit on paper and put it in a safe location along with your other paper documents. Make sure the print contains the email address used for 1Password, the secret key, the master password, and the QR code for the 2nd factor authentication. With this information you are always able to get access to your account on your own, even if each and every computer and mobile device gets lost or burnt. It's locked away on paper, so the information is only used if really needed.

    I also store this information as an entry within 1Password itself, so if the print gets lost and I still have some device with 1Password, I have this information as printed and can print it again. 1Password adds a default entry with the emergency kit, but you have to manually add the 2FA code.

  • Hi there @Bronwen224466

    There were a few points in your post I wanted to address, so I'll come to each individually.

    but I worry that he could accidentally mess something up if he is an organizer

    If you're both a Family Organizer, then you both have the power to:

    • Invite people to your family account.
    • Give people temporary access to a vault in your family account, and remove them when they no longer need access.
    • Create vaults and share them with your family.
    • Restore access for family members who forget their 1Password account password or can’t find their Secret Key.
    • Manage your subscription, payment details, and invoices.
    • Change your family name, family portrait, and account type. You can also delete your family account.

    That's why it's so important to make sure that you only make someone a Family Organizer if they understand the responsibilities and powers that come with that role. Any Family Organizer (either of you, in this case) could delete the whole family account, so if you think there is a chance of that happening, even with the warnings in place when you do so, you shouldn't make your husband a Family Organizer, for safety.

    I am unclear on exactly what he would have access to, and what he could conceivably do to our data, without intending to. As an organizer, would he have access to my private vault?

    No one but you has access to your Private vault. Everyone has full read and write access to the Shared vault that's created when you start a family account. Any Family Organizer can manage access to any non-Private vault. So, for example, if you made yourself a second vault, your husband could potentially give himself access to it.

    If someone hacked his master password, would that mean they could access my vaults too?

    No, for the reason shown above.

    And yes, we do have second factor authentication set up, but suppose we didn't for that last question, or suppose that the hacker somehow circumvented the second factor.

    Your account is still protected by the Secret Key, even with two-factor authentication for your 1Password account turned off. Someone would need to find that Secret Key from your Emergency Kit or from an unlocked instance of 1Password on one of your devices before they'd be able to sign in.

    If using a "memorable" password consisting of words for the master password, how many words minimum would you advise?

    Four or five, I would say. More if possible, but you'll already have very good security even with four. No need for uppercase letters, numbers, or symbols – four words (from the password generator) would work just fine as an account password, because the Secret Key does a lot of heavy lifting in providing security anyway. For example, wayside mumble daybook upside would make a good account password. (Just don't use it now that it's in public!)

    There's guidance on choosing an account password here: How to choose a good 1Password account password.

    As @Tertius3 stated, your best defence against getting locked out of your account might well be to use the Emergency Kit with your account password written on it, stored in a safe place along with your passport or other important documents. Even for an individual account where recovery isn't an option like it is for a family account, it's the least-involved way to make sure you can always access your 1Password account.

    Please let me know if you have any questions, or would like any further help. :)

    — Grey

  • Bronwen224466
    Community Member

    Thank you both for your input. I do have my emergency kit in a safe deposit box, so I have decided not to make my husband an organizer. Tertius, your description of panicked clicking is compelling. Also, thank you for pointing out the need to include the 2FA backup with the emergency kit. I never thought of that! I set my husband's 2FA to use Authy. It has backup. I think I would have to remove the 2FA and re-do it, to save a copy of the QR code.
    Grey, thank you for clarifying the vault access. I used 1Password to generate his "memorable" master password. There is one thing in your reply that I don't understand, when you talk about the security of the Secret Key. If someone hacked a master password, and 2FA was turned off, that hacker would now have access to the Secret Key. So how would that be protecting my account? Thanks again!

  • @Bronwen224466

    Thank you for the reply. An attacker would need both your 1Password account password and Secret Key to log into your 1Password account and decrypt the data within it. And if you have two-factor authentication enabled for your 1Password account then they would need the six-digit one-time password from your authenticator app as well.

    Let me know if you have other questions. 🙂

    -Dave
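
The point made in the reply above, that a stolen account password is not enough without the Secret Key, shown as an added example that is not part of the original thread and is not 1Password's code. The derivation (PBKDF2 output XORed with an HMAC of the Secret Key), the iteration count, and all names and sample values are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor for this sketch


def derive_unlock_key(account_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Combine a human-chosen password with a device-held random secret."""
    # Slow hash of the low-entropy, memorable secret.
    from_password = hashlib.pbkdf2_hmac(
        "sha256", account_password.encode("utf-8"), salt, ITERATIONS
    )
    # Fast keyed hash of the high-entropy secret; it needs no stretching.
    from_secret_key = hmac.new(secret_key, b"unlock-key" + salt, hashlib.sha256).digest()
    # XOR the two parts: neither one alone reproduces the result.
    return bytes(a ^ b for a, b in zip(from_password, from_secret_key))


def make_verifier(unlock_key: bytes) -> bytes:
    """Value stored to check an unlock attempt (stands in for decrypting a vault)."""
    return hmac.new(unlock_key, b"vault-check", hashlib.sha256).digest()


def try_unlock(account_password: str, secret_key: bytes, salt: bytes, verifier: bytes) -> bool:
    candidate = make_verifier(derive_unlock_key(account_password, secret_key, salt))
    return hmac.compare_digest(candidate, verifier)


def demo() -> dict:
    salt = secrets.token_bytes(16)
    secret_key = secrets.token_bytes(16)       # constructed stand-in for a Secret Key
    password = "correct horse battery staple"  # constructed sample passphrase
    verifier = make_verifier(derive_unlock_key(password, secret_key, salt))
    return {
        # Owner holds both secrets.
        "owner": try_unlock(password, secret_key, salt, verifier),
        # Attacker learned the password but has to guess the Secret Key.
        "password_only": try_unlock(password, secrets.token_bytes(16), salt, verifier),
        # Attacker found the Secret Key but not the password.
        "secret_key_only": try_unlock("wrong guess here now", secret_key, salt, verifier),
    }


if __name__ == "__main__":
    print(demo())
```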

This discussion has been closed.