Dropbox: I don't want to expose primary vault key information on son's phone

gregwoods

Hello,

As a family licence holder I am setting my son's iphone 4 up with his own vault and syncing it with my mac and his iPhone via Dropbox.

However, I am nervous by the prospect of allowing access to my 'entire' dropbox (which the 1Password app for iPhone asks for) as this also holds my primary vault key information. As you can imagine, the idea of allowing access to all of my own login and secure 1Password details on my 12 year old son's mobile is a daunting thought and a huge security risk in my opinion (please correct me if I'm mistaken).

What do you recommend please?

Thanks
Greg

littlebobbytables

So you want to set up a secondary vault on your mac for use on your son's iPhone, is that correct?

The trick is to use Dropboxes ability to share folders, that way you will share the secondary vault but the son never has access to your Dropbox. What you need is for both you and your son to have Dropbox accounts. This guide should then help you with what you need to do, I believe the key part is the secondary vault's keychain has to be in its own folder for Dropbox to share it.

Then on the iPhone it's simply a case of logging into his 'own' Dropbox account.

Hopefully that helps :smile:

gregwoods

That makes a lot of sense to me and is a great solution - I'll give it a try. Thanks loads!

gregwoods

Ok. I tried this and all was fine up until I tried to download the encryption keys (on the iphone) from the shared folder. I'm getting this error:
The operation couldn't be completed (dropbox.com error404.) 1 password encountered a problem

I've gone through all the steps again including re-downloading 1password + dropbox on iOS8, re-sharing the dropbox folder and re-pointing to it in 1P

Can anyone offer any help please? I'm starting to try to bite my elbows

G

hawkmoth

Is there a reason shy your sone wouldn't just have his own vault, not a secondary vault in your database? That should be really simple to do, unless there is a reason I haven't thought of. I don't use multiple vaults myself, so I don't have advice for you on that score. It just seemed like maybe you are overthinking this.

Take a video if you bite your elbows. (Sorry - I couldn't resist. I know it isn't funny to you right now.)

gregwoods

@hawkmoth,

Thanks for your reply. The elbows are surprisingly tasty ;-)

Not sure what you mean by 'have his own vault, not a secondary vault in your database?' It's not in my database as far as I know. It is his vault. The family licence I bought means I can have multiple users, each with their own vault of passwords. That's really why I bought it. I followed the guide kindly provided by Littlebobbytables to set one up for my son and all is fine except this final error (see my last post). If anyone has any suggestions of how I can get this working, with experience of using multiple vaults, I would be very grateful.

Cheers
G

hawkmoth

I was confused by @littlebobbytables‌'s reference to setting up a secondary vault, which it doesn't sound like you need to do, if I understand what you say you are trying to do.

littlebobbytables

Hey hawkmoth :smile: The reason I pointed him in that direction was based on gregwoods' first post, where he asked to sync his son's vault with his mac. I didn't query the intent behind the request, I just assumed he also wanted access.

@gregwoods‌ You might not be doing anything wrong. Seems at least one of the reasons you might see that error is just issues with Dropbox. One thing to try, when you sync to Dropbox you gain access to a neat feature called 1PasswordAnywhere and here's a guide to it. I'm mentioning it just as a troubleshooting step, can you access the vault via this route?

Now to go back to what hawkmoth was talking about. When you purchased a family licence you weren't purchasing the ability to use secondary vaults - that you get just by owning 1Password. What you've purchased is the ability to install and run 1Password on multiple machines used by up to five family members. So say your son and your wife both have their own macs - you can legally install 1Password on those machines whereas the single user licence is for machines that you own and use. You also don't have to sync a vault on your son's iPhone to your mac unless you want to. He can have a completely separate vault which you can't access if that's preferable. What I assumed was you wanted to retain some level of control to ensure stuff was getting backup up somewhere safely or for troubleshooting purposes. Given a secondary vault means you can access his vault while he has no access to your primary it's certainly one way to do it.

If you post back with a description of how you would like your setup to look one of us can recommend what to do :smile:

gregwoods

Hi littlebobbytables,

Thanks for this info and for explaining the difference. Originally i wanted to back up his 1P info on my mac so he could use it there too when required (as he often uses the mac for his homework stuff etc.) so it made sense to create the vault there and use dropbox to sync to iOS8. However, given this is not working well due to this error, I think I will stick with a direct icloud backup now from his iphone for simplicity.

I do have otwo remaining questions though please:

1. Its not obvious how I can upgrade his free version of 1password on his iphone ios8 to the family licensed version and therefore have use of the extra features of licenced version. Do you know how this works please?

2. Will his 1password prompt him to save passwords when he creates them? This is such an excellent feature on the mac.

Thanks again for both your efforts and contributions Littlebobbytables and Hawkmoth.

thightower

@gregwoods‌

Here is my personal setup. Please read over it and if you have any questions ask away.

I created separate Dropbox account for my kids (boys all of them), I then placed their 1Password keychain inside a shared folder in their respective accounts. I shared that folder from their account to my Dropbox account. Actually I am a little paranoid so I placed the keychain inside the shared folder on my end. Why? Dropbox interprets me as the owner of the file. Thus I can make sharing changes etc prohibit re-shares and so forth. But that on is just me.

This allows for several things. One you each get a referral for Dropbox space :) next his keychain is local to his Dropbox only. (keep reading ;) )
He can use his Dropbox account on his device, I usually set it up so camera uploads are automatic for him. Safety feature of sorts. He can be logged into Dropbox using his account on his Mac or his iPhone.. If its a shared Mac you can create a separate user account and add his Dropbox to his user account. Restricting access to your other information on the Mac.

When I need to set or re-setup his 1Password on a new phone I can link directly to his account. For those camera uploads and it makes authorization easier during the install of various app.

Now to you. Since you have his vault shared to your Dropbox, you can very easily add his vault to your Mac/Win allowing you the ability to monitor and keep track of his changes etc. Also allowing him to do that homework you mentioned under your user account, if you choose not to do the separate user accounts.

You can also add his vault to your iOS device for the same reasons.

If he doesn't need access to your vaults there is not reason to add any of your vaults to his iOS ( To do so you would need to share your vaults in a shared folder back to him). Having his vaults on his own account keep things compartmentalized. This also solves the getting his phone setup for multiple vaults etc and saves you from purchasing an upgrade to his version of 1Password.

This eliminates that huge security risk you mention. This is one of the reasons I set mine up to prevent or rather give them access to only what they need.

In app purchases are not shared in Apples implementation of family sharing so you would need to purchase for yourself and your child. This can get expensive. My method completely ignores this problem on his side, he can keep using the basic free version. The only one you would need to upgrade would be you to carry the multiple vaults if you want them.

This is a lot of info in a very short space, as I said do not hesitate to ask if you have questions.

ps

If you set up a separate Dropbox account for him make sure to turn on 2 Factor Authentication using his phone as a primary device and add your phone as a secondary device. Add a tag in 1Password for all items that have 2 Factor Authentication. That way if you ever need to update things before a number change etc its easy to do. Just go to the tag in 1Password for 2 Factor Authentication.

pps

Make sure to save the lock out or reset codes from Dropbox within 1Password. Same goes for the codes from iCloud.

hawkmoth

1. Alas, there is no family license on the App Store. And, although AgileBits planned to allow it, family sharing isn't permitted for in-app purchases, which is the way you unlock the pro features. You will have to purchase another copy for your son, unless he and you share the same Apple ID for purchasing applications and media from Apple.

2. Does your son have a separate user account on the Mac? If he does, I expect he should see the prompts to save new or changed passwords. I don't know what will happen if he uses your account on the Mac, but I don't think you can install more than one instance of any application is any given user account.

Megan

Hi @gregwoods,

It looks like you've already gotten some awesome advice here, so I'm not sure there's much left for me to answer, but i wanted to jump in all the same.

In particular, you asked:

Will his 1password prompt him to save passwords when he creates them? This is such an excellent feature on the mac.

This is one of my favourite features on the Mac - it makes life a lot easier! However, the iOS extension is currently a bit more limited than the desktop browser extension. Some of its limitations are simply because it is new and, as with all new features, there is always room for improvement. But some limitations are also a result of the iOS. We don't have the same ability to detect when form fields are being filled in on mobile Safari that we do on the desktop, and users must explicitly call up the extension from the action menu - it cannot just pop up whenever it thinks that you might need it. ;) So at this time, the extension can fill your existing details on a Login in mobile Safari. We're excited to continue developing the iOS app extension to make it as useful and powerful as the desktop browser extension (within the limitations of the iOS, of course.)

I think that's the only remaining question that needed an answer, but if you need any further clarification, we're here to help!

(And thanks to @littlebobbytables‌, @hawkmoth‌ and @thightower‌ for giving such great advice, as always.)

gregwoods

Wow, that's a lot of great advice. Its going to take me some time to digest this all but a huge thanks for all your guidance guys - very appreciated.

Greg