Sharing a Secret Securely
I want to share a secret with a family member. I see that I can share items, but don't see how to require the recipient to enter a password to reveal the secret.
If that is the case, how is this secure? Sure, the process for someone to use the generated link to retrieve the item may be secure. But it doesn't secure the sending of the link to the recipient!
For example, if I email the link, anyone who intercepts the email would be able to retrieve the secret. That's no more secure than if I just email the secret in plain text.
I might as well encrypt the secret separately and send that. Which is why I'm not getting the 1Password sharing feature.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
Comments
-
Well, how would you let the other person know a password which he/she had to enter? A password would not solve anything, Family plan would be of course the recommended way, IMO. This is not meant for a regular use, so if you time-limit the link enough and/or limit it to a single view, the danger should be minimalized.
0 -
Firstly, I'd like to appreciate both of you for bringing up this crucial point about security and the sharing feature of 1Password.
To @mschmitt: You're right in being cautious. The secure sharing feature of 1Password allows you to share a unique link which, when clicked, will show the shared item. While the process is encrypted and the link itself is randomized and hard to guess, the weakest point, as with many secure systems, is the delivery method. If someone malicious intercepts the link during transit, they could access the shared item.
However, there are several nuances:
- When sharing, you have the option to specify that the link is only accessible to those with a specific email address. This means even if someone else gets the link, they'd need to verify access using the specified email.
- Time-limiting the link or limiting it to a single view, as pointed out by @J_O_D, adds another layer of security.
To @J_O_D: Your suggestion about the Family Plan is spot on. Sharing within a Family Plan is undoubtedly the most secure method as items are shared directly within the vaults, ensuring end-to-end encryption without relying on external communication methods.
In essence, the 1Password sharing feature is designed for convenience with security considerations. However, for ultra-sensitive data or regular sharing with family, using a Family Plan is the best approach. Always ensure you're sharing through trusted communication channels and be aware of the potential risks.
Thank you both for the discussion. Your feedback is invaluable in helping us improve and educate others on best practices.
0 -
"Well, how would you let the other person know a password which he/she had to enter?"
The usual method is you use two different means of communication. Such as, you email the item that needs the password, but give the password over the phone.
Or, you use a password that is something only the recipient could know. Such as, you email the link and say "The password is the name of the city that you lost your umbrella in, a space, then the year you almost broke your arm".
0 -
Hello @mschmitt,
You've touched upon an essential point in secure communication, often referred to as 'out-of-band authentication'. Using two separate channels to convey sensitive information can indeed reduce the risk of both channels being compromised simultaneously.
Your examples, especially the use of shared personal memories as a makeshift passphrase, are interesting and remind me of security questions. However, this method requires a certain level of personal familiarity and history between the two parties.
For broader contexts or for those who may not share such personal memories, using the dual-channel approach – such as sending the link through email and the password via phone or SMS – is a practical solution. This approach provides an added layer of security, especially when the content being shared is of a sensitive nature.
Your insights serve as a valuable reminder that while technological solutions can go a long way in ensuring security, the human element – be it creativity, caution, or diligence – remains paramount in many scenarios. Thank you for enriching this discussion!
0