Working as a team
Hello,
This isn't really for 1Password for Mac solely, but I had to post it somewhere!
I've seen posts saying that you guys have teams working using 1Password and sharing passwords across the team by adding it as a secondary vault.
It all sounds exactly what I need, but I have a few questions:
- My team is across both Windows and Mac. I'm presuming that as long as we use Dropbox to sync the vaults then we shouldn't have a problem across OS's?
- Is Dropbox still the only supported sync method?
- I'd like the ability to remove access to this vault from anyone that leaves the team. I understand that this is more of a personnel issue than a 1Password issue, but want to see if there's anything it can do to help. Ideally I'd be able to reset the master password on the vault and it locks out that vault across my staff until I give them the new password. Can it do this?
Thanks in advance!
Comments
-
Hi @Olliecampbell,
Dropbox is the best way of syncing multiple machines where it's a combination of Mac and Windows. You can use Folder Sync too which is a local way of syncing but it places extra responsibility on you.
Now as to the requirement of access. While you can use a single Dropbox account there may be advantages to considering Dropbox for Business here. Each user can have a managed account and you can give all of them access to the vaults they need access to.
At this stage you can easily remove access to the vault via Dropbox but I will cover the issues of changing your Master Password.
Even if you remove access, you are best to assume the person knows all of the logins that were available to them. So you will want to change all of those passwords but only after removing access.
Now, as to changing your Master Password. It isn't as easy as you would want it I'm afraid but it is possible. Let's call the vault you want to change the password to old_vault. The most thorough way forward is actually to create a new secondary vault which we'll call new_vault. You would create this new_vault with the new Master Password that you wish to use. You would then copy the entire contents from old_vault to new_vault. You would delete old_vault at this point and set up syncing for the new_vault. Windows users would simply start using the new vault.agilekeychain created when you set up sync while Mac users would delete the old_vault from their copy of 1Password and then add the secondary vault from the new .agilekeychain.
The reason I would suggest this is because it would create new encryption keys. That, combined with denying access via Dropbox if you were to use Dropbox for Business, will be as effective a solution as we have at the moment. While I could say you could change a Master Password from a Windows machine, if we don't change the encryption keys then Macs can still access the secondary vault.
If you have any questions following any of that please do ask and we'll do our best to explain/answer.
0 -
That's great thanks.
A theoretical question here, what would happen if my leaving member of staff took a copy of the vault before the password was changed? I'm presuming it would still allow them to set up 1Password on another machine and access the contents of the vault?
Thanks
0 -
You can't "un-share" a shared vault once it is shared, so your assumption is correct. See this knowledge base article.
Stephen
0 -
Ok thanks, good to know.
Are there any other gotchas that I need to be wary of when sharing vaults across teams?
Thanks
0 -
Hi @Olliecampbell,
I can't think of anything specific to 1Password but here's a couple of points to try and remember.
- If they have access to the username and password to a site then there isn't much they can't change on the site. Make sure everything uses an email address with restricted access.
- Once you remove access for somebody following my suggestions in post #3 you're advised to consider every item at risk until you've changed all of those passwords and ensured email addresses are still correct.
I've seen requests where users can't see the password but I've always had my concerns for the following reason. Anything entered into a web page can be read locally. I don't like the idea of creating a false sense of security when a simple JavaScript bookmark can bypass such a feature.
If you have any questions please do ask :smile:
0
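A simplified model of two points made in this thread: changing a Master Password without changing the encryption keys, and a vault copy taken before the change. This is an added example, not part of any post and not 1Password's code or the Agile Keychain format; the vault layout, the function names and the toy cipher are assumptions made for illustration.

```python
import hashlib, hmac, os

def _stream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def _seal(key, plaintext):
    # Toy authenticated cipher (HMAC-SHA256 keystream plus tag), a stand-in for a real AEAD.
    nonce = os.urandom(16)
    body = bytes(p ^ s for p, s in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()

def _open(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key")
    return bytes(c ^ s for c, s in zip(body, _stream(key, nonce, len(body))))

def _kek(password, salt):  # key-encryption key derived from the master password
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
def create_vault(password, items):
    salt, data_key = os.urandom(16), os.urandom(32)  # fresh data key for every new vault
    return {"salt": salt, "wrapped_key": _seal(_kek(password, salt), data_key),
            "items": {n: _seal(data_key, s.encode()) for n, s in items.items()}}
def unwrap_key(vault, password):
    return _open(_kek(password, vault["salt"]), vault["wrapped_key"])
def read_items(vault, data_key):
    return {n: _open(data_key, b).decode() for n, b in vault["items"].items()}

def change_master_password(vault, old, new):
    data_key, salt = unwrap_key(vault, old), os.urandom(16)  # same data key, re-wrapped
    return {**vault, "salt": salt, "wrapped_key": _seal(_kek(new, salt), data_key)}
def rotate_into_new_vault(vault, old, new):
    return create_vault(new, read_items(vault, unwrap_key(vault, old)))  # new data key

def readable(vault, data_key):
    try:
        return bool(read_items(vault, data_key))
    except ValueError:
        return False

def scenario():
    old_vault = create_vault("old-master", {"crm": "constructed-secret"})  # constructed data
    retained_key = unwrap_key(old_vault, "old-master")  # what a former member still holds
    changed = change_master_password(old_vault, "old-master", "new-master")
    new_vault = rotate_into_new_vault(old_vault, "old-master", "new-master")
    return {"password_change_only": readable(changed, retained_key),
            "new_vault": readable(new_vault, retained_key),
            "retained_old_copy": readable(old_vault, retained_key)}
```

In this model only the new vault is closed to the retained key, and the retained old copy stays readable, which is why the stored passwords themselves still have to be changed after access is removed.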