Only as secure as the weakest link in the chain? Possible to have separate passwords per vault?
My team is evaluating 1password for teams at the moment. But we're a bit unsure about the security of it. We get that you go to great lengths to make sure every saved password is secure etc. etc. But we feel it's a crucial flaw that a single team member can make your entire team account insecure by using an insecure password. Unless we've overlooked something here.
When I sign into my 1password for team account I instantly get access to every single vault I have access to, by only using my own personal password. This means that if I decide to use 12345 as my personal password everything in our team account is only protected by the password 12345. It doesn't matter if the rest of the team use extremely secure passwords. I can even set my 1password account to never log me out meaning the entire team account is accessible to anyone even without a password and there's nothing the team admin or other team members can do about it except keep track of the personal passwords and password routines of every single team member.
What we're suggesting is that you're able to set:
- Passwords per vault
- Password renewal dates per vault. So that the password for a specific vault has to be changed every year for example. Mainly as a safety net.
- Login timers per vault. So that a team member who has set his 1password to never log him out will still have to log into the shared vault every 5 minutes or whatever.
The idea is obviously that a single team member should never be able to make a shared vault less secure than the team admin intended. The way it is currently it feels like the entire account is only as secure as the weakest team member and there's nothing the team admin can do about it.
Comments
-
Hi @TwiiK,
Thanks for writing in with this feedback, we'll definitely keep it in mind. You're right that a user with a weak password could compromise data, assuming the attacker also gets their hands on the account key. Currently there's only basic enforcement for bad passwords. It would be really nice if the account owner could set a minimum threshold for passwords. I'm not talking about "must have 4 letters, a symbol, and an eye of newt," but more along the lines of "Must have a strength greater than X according to our password strength test". These would be policy decisions configured by the owner, and maybe as part of that there could be something like "Only allow to be unlocked for X minutes without activity" which the clients would dutifully obey. Is this the kind of thing that you'd be thinking of?
I want to be very clear that I'm talking about ideas here to see if I understand where you're coming from and not describing what's currently under development.
Rick
0 -
Hmm, what you're suggesting sounds like somewhat of a compromise. And it would also impact everyone on the team regardless of how often they need to access the secure vaults. Forcing everyone to have harder passwords for their entire 1password just because we deem it necessary for certain vaults is not an ideal solution.
Our problem is that we have some very sensitive data in some vaults, but a lot of people need access to these vaults. Things like access keys for our servers and other things people need to work are in here. And we would really prefer it if the team admin was the one who determined how secure these vaults were, independently of how secure each team member's personal vault was.
In my mind it would ideally be handled similarly to how it was in 1password for iPhone. I have to write "was" because it's so long since I've used it on my phone so it could have changed since. There I could choose to secure passwords with either just a pin number or my entire master password. When I unlocked the app with just my pin number I could still see everything in there, but if I tried to access something secured by the master password I would be prompted to enter it. This exact solution could be implemented in 1password for teams.
Say I'm on my Mac, I've logged into 1password with my master password and I search for "spotify". This password is in my personal vault and I get it up right away. Then I search for "AWS access key". 1password returns a search result so I can see that I've found what I'm looking for, but when I try to open it I get prompted for the password for the vault this key belongs to.
That way if I only ever use my personal vaults or the everyone vault I can log onto 1password with my weak 12345 password and use it as I did before, but whenever I try to access something stored in one of the secure vaults I get prompted for an additional password.
This would be my ideal solution, I think. Obviously there could be something I've overlooked here. I also realize that this would slightly hamper the user friendliness of using 1password in general because you can no longer log in with just one password and have instant access to everything, and unless something has changed on 1password for iPhone this is already how it works there. And this would be an optional feature for those who want it, those who don't see a need for it never need to enable it.
Is something like this feasible?
0 -
When browsing it could look something like this (see attached image). And you could click it and type in the password then and there. And 1password mini would have to be handled similarly.
Note: The pixelation of the search results is just to hide some sensitive information in the image from you. :p
0 -
I am not sure how we are going to distribute that additional password and what happens if this password is lost?
0 -
If you lose your existing master password you're equally screwed, no?
As for distributing passwords, that is something we're actually struggling with at the moment. Because we're just evaluating 1password for teams at the moment, not everyone on our team is in there and we were wondering if there were some tools or something in 1password that enable someone to share a password with someone else? At the moment we share them through ssh'ing into servers and sharing them there to avoid chat clients, email and the like. :p
This share feature is in addition to what I've talked about here and something I was going to create a separate thread about. Let's say we have a "critical vault" which only a couple of people have access to. It would be nice to be able to take one password from that vault and share it with a team member through a secure channel without that team member having access to the entire vault.
0 -
Hi @TwiiK,
Didn't read through the whole post, just the beginning. What you may be overlooking is the account key, which adds security to a weak master password. And if a team member is handling the account key and master password in an insecure way, there is no technical solution for it, just an organizational one: telling the guys how important it is to secure stuff.
Anyway, that said, it would be good to have a server/client policy that enforces a good master password. For example, by only allowing automatically generated diceware passwords. The only option for the user would be the language.
I may take the time tonight to read the whole thread.
Random
0 -
You're actually not screwed if you lose your master password, as long as the Team has another member in the Recovery group that can recover your account.
Every user account in 1Password for Teams has public/private keys created for them. It'd be nice if we exposed this in a way to allow sharing of data (maybe a 1Password item, or anything really) in a way that's encrypted with those keys.
0 -
Hi @TwiiK,
Your additional password would be a solution. But it still fails if people are not aware of security. The risk would be that passwords for vaults would be stored in personal vaults because the additional password is too complex to remember.
And if you tell people not to do it, you have to have the same trust in them as you would if telling them to select a good master password. So IMHO people should be made aware of how important it is to select a good master password, and may be forced to use diceware.
Just my 2 pence
Random
0 -
See https://support.1password.com/teams-admin-security/
And the whitepaper for details
0 -
Well said, @random_31731ec7aea.
Rick
0 -
@rickfillion I meant the master password to your personal account. I know there are ways of recovery included with the teams account. I'm just saying that having to keep your password safe because if you lose it you lose your data is not something that would be new to 1password because it already is like that. Unless I'm mistaken.
@random_31731ec7aea The account key is only for the initial setup of a device.
I see what you guys are saying, but I still have issues with it. The only way to secure our "critical vaults" now is to force everyone to use tough master passwords. That is like CAPTCHA in my opinion - hurting honest users because you yourself are unable to handle spam on your website. We're forcing those who maybe only once a month need something from the "critical vault" to use a tough master password every time to access their normal logins and stuff in their normal vaults. At least that is what I'm taking from what you've said so far.
And like I mentioned, being able to securely share a login or password would also help us with this. That way we could just not invite certain team members to the critical vaults and instead have them ask us when they need a server access key or something like that.
I see a flaw with my method though. If we have tough passwords for critical vaults then employees are sure to save those tough passwords in their personal vaults so they don't forget them and then we're no more secure than before. :p In that case some way of securely sharing something with team members is perhaps the best thing for us.
0 -
I guess, the account key requirement would mean this is only a security issue if someone loses their device or has it stolen. We'll evaluate it further and see what we think. We at least have to come up with some more convincing arguments I feel. :p
Thanks for your time.
0 -
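The replies above turn on the account key: a weak master password can only be guessed by someone who also holds that key, which is why a lost or stolen device is the case that matters. The sketch below is an added example, not part of the thread and not 1Password's actual key derivation; the PBKDF2-plus-HMAC combination, all names and the constructed wordlist are assumptions chosen to show the effect.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 20_000                      # kept low so the demo runs quickly
SALT = secrets.token_bytes(16)           # constructed per-account salt
ACCOUNT_KEY = secrets.token_bytes(16)    # constructed 128-bit secret held on the device
WORDLIST = ["password", "letmein", "12345", "qwerty"]  # constructed guess list


def derive_unlock_key(master_password: str, account_key: bytes, salt: bytes) -> bytes:
    """Combine a stretched password with a high-entropy account key (illustrative scheme)."""
    stretched = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)
    key_part = hmac.new(account_key, b"account-key|" + salt, hashlib.sha256).digest()
    # XOR the two halves: both secrets are needed to reproduce the result.
    return bytes(a ^ b for a, b in zip(stretched, key_part))


def verifier(unlock_key: bytes) -> bytes:
    """Value a guess can be checked against (stands in for 'the vault decrypts')."""
    return hmac.new(unlock_key, b"verify", hashlib.sha256).digest()


def recover_password(target: bytes, account_key: bytes, salt: bytes, wordlist):
    """Return the wordlist entry that reproduces `target`, or None if none does."""
    for guess in wordlist:
        candidate = verifier(derive_unlock_key(guess, account_key, salt))
        if hmac.compare_digest(candidate, target):
            return guess
    return None


def demo():
    # A team member picks the weak password from the thread.
    target = verifier(derive_unlock_key("12345", ACCOUNT_KEY, SALT))
    # Case 1: the account key is known (e.g. taken from an unlocked or stolen device).
    with_key = recover_password(target, ACCOUNT_KEY, SALT, WORDLIST)
    # Case 2: only the salt and verifier are known; the account key must be guessed too.
    without_key = recover_password(target, secrets.token_bytes(16), SALT, WORDLIST)
    return with_key, without_key


if __name__ == "__main__":
    print(demo())
```

With the account key in hand the short wordlist recovers the weak password at once; without it the same wordlist finds nothing, because every guess would also have to match a 128-bit random value.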
@TwiiK the "flaw" you mention (storing the complex password in the vault backed by the weak password) is what @random_31731ec7aea was referring to.
You're right that we don't have a perfect solution for the problem you're trying to solve. The closest thing we have right now would probably be to have a user ask to be temporarily added to the Critical vault. Once they're done, they could have it be removed. This would temporarily give them access to the Critical vault. It doesn't sound like much fun for the user though. We're looking at various ways that we could make these kinds of scenarios easier, it's definitely something that's on our radar.
Rick
0