Scary experience moving from Lastpass to 1Password (for Teams Beta)

I'm a long-time user of Lastpass. Whilst I find having a password manager useful, I've always found Lastpass kinda annoying.

My co-founder (Adam) has always used 1Password, and set up the rest of the team on it, sharing any necessary logins. I'm the only one left on Lastpass, which makes sharing passwords to and from me annoying (I'm the CEO). I've always had the strong feeling that 1Password would be better than Lastpass but could never get around to migrating. Today Adam told me that some kind of Team feature from 1Password meant that today would be a good time to get set up on 1Password.

I had previously registered on the website, but this time downloaded the Mac app. The most important thing for me was to download all my Lastpass logins (600+ of them) and move them over to 1Password. I read that I could just export a CSV from Lastpass and import it into 1Password.

Here is where things start going wrong.

I imported my Lastpass logins to 1Password. OK. Where have they gone? Oh. They have gone into a Shared Vault. Hmm... what does that mean? Oh... it means I have just shared all my usernames and passwords with various people. Oh crap. Have they appeared on my colleagues' computers yet? Oh yes they have...

So I try to delete the logins. Nope. By design I discover that logins cannot be permanently deleted - instead they are moved to Trash - still shared - for 30 days. OMG. I'm starting to panic now.

Not only do my colleagues now have every single one of my 600 usernames and passwords, they also know every single website I ever log in to. Ummm...

So what can I do? Luckily my co-founder gave me Admin rights for the account. So I removed my colleagues from the Vault, renamed it and created a new Vault. Now I have to move the logins that we had previously been sharing amongst ourselves from amongst my personal logins back to the shared Vault. Except every single login, including the ones I want to find, seems to have today's Created and Last modified dates so I can't easily find them. Luckily there are only two and I remember they are Google related so with a text search I find them - but imagine there were already hundreds of shared logins in there? I would have been screwed.

The other fortunate thing was that I only accidentally shared my 600 personal logins to the Management Vault, rather than the entire company Vault. If I had done that everyone in the company would have had all my logins and websites that I use. We are only a small team of 10 but imagine we had hundreds of people on the same Team?!

So now I have managed to do this I rename the new shared Management Vault back to its original name and re-add my management team. They probably won't even notice the change (except the one guy who helped me sort out this f**k up, and I will probably send this thread to my co-founder anyway).

So last thing is to delete this Vault with all my personal Logins. It seems that is possible. I click on "Delete". Up comes a pop-up telling me I need to type in the name of the Vault to.... "Archive" it. Archive? :( I want to delete it!

So my first question is: have I deleted that Vault with all my personal stuff in it, or is it Archived somewhere I can't see? I can't find it anywhere.

I guess the issue is that I was signing up for the "free" Teams beta or something? I think the rest of the team have paid for 1Password, but I had not. I believe my colleagues had like a personal Vault not linked to our Team account or something?

This really was quite a blood-chilling experience, but it could have been much worse.

My one suggestion would be - if someone imports passwords they should only be able to import them into their personal Vault space, even if that is on a Team (if that is how it works). Or failing that, if you try to import passwords to a shared Vault you should give some very serious, obvious pop-up warnings that these logins will be shared.

Well that is my first experience with 1Password and I'm slightly scared to use it again, even though I am sure I will like it. I think I will go home and lie down now...


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: OSX 10.10.5
Sync Type: No idea

Comments

  • @steven_renwick Hi, Steven.

    Wow, I'm really sorry to hear your first experience wasn't a great one. Thanks for sharing it with us, and I hope you're taking a well-deserved rest right now!

    Ok, now that you're back, I'd like to reply to specific parts of your message to ask questions or just agree about things we can improve.

    I imported my Lastpass logins to 1Password. OK. Where have they gone. Oh. They have gone in to a Shared Vault.

    This is bad, and I'm not sure how it happened except that it just wasn't clear what vaults were what. More on that later though.

    So I try to delete the logins. Nope. By design I discover that logins cannot be permanently deleted - instead they are moved to Trash - still shared - for 30 days.

    Hmm, I'm not sure where you were told items in the Trash had to stay around for 30 days. When you delete items, they are indeed moved to the Trash, which is indeed still available to other team members, but you can choose to empty the trash and the items will be gone permanently.

    Except every single login, including the ones I want to find, seem to have today's Created and Last modified dates so I can't easily find them. Luckily there are only two and I remember they are Google related so with a text search I find them - but imagine there were already hundreds of shared logins in there? I would have been screwed.

    Imported items do set created and last modified to be the current date and time, yes, but in the Mac app, you should be able to sort your items by created date and find any items that were older, no? Is there something we could improve there?

    We are only a small team of 10 but imagine we had hundreds of people on the same Team?!

    Yep, not pretty. :(

    So my first question is: have I deleted that Vault with all my personal stuff in it, or is it Archived somewhere I can't see? I can't find it anywhere.

    Yeah, we need to just change that to say "Delete". We had an issue filed for that, but it got pushed back and forgotten. I'll change it today and it should be live this week sometime. To answer your question, it technically is not immediately deleted from our server, but it is effectively deleted, meaning it is not returned to any clients anywhere and it could be cleaned (permanently deleted) from our server at any time.

    We may at some point add the ability to truly Archive a vault while retaining the right to un-archive it, but right now that's not what it's doing.

    I guess the issue is that I was signing up for the "free" Teams beta or something? I think the rest of the team have paid for 1Password, but I had not. I believe my colleagues had like a personal Vault not linked to our Team account or something?

    It sounds like you may have set up 1Password for Mac with just your team account, which is fine. Others on your team may have personal vaults outside the team account, but everyone has a vault in their team account labeled "Your Vault" - a vault that can only be accessed by that user. If your items had been imported there, you would not have had any problems, but we certainly didn't help make that clear in the app (more on that below).

    One thing to note, though, is that "Your Vault" in your team account, while private to you, is really meant to hold information related to your team. The reason is that it is recoverable by the Recovery Group on your team. Right now, server policy prevents the Recovery Group from accessing your data directly, but at some point, we will implement the ability for someone in the Recovery Group (maybe just the team Owner or maybe a customizable restriction) to "take over" any team member's account. In that case, if you were to leave the company for some reason and another administrator were to take over your account, they would be able to see everything in "Your Vault".

    That's a lot of detail, but I thought you would find it helpful especially considering the circumstances. All that is just to say this: you may want to separate your truly personal information from your personal work information by creating a vault outside your team account for those kinds of things.

    My one suggestion would be - if someone imports Password they should only be able to Import them in to their personal Vault space, even if that is on a Team (if that is how it works). Or failing that if you try to Import password to a shared Vault you should give some very serious obvious pop-up warnings that these logins will be shared.

    I agree that one of these two changes should definitely be implemented. I will open an issue so that we can discuss this and decide on the policy we should implement across all of our client apps.

    Well that is my first experience with 1Password and I'm slightly scared to use it again, even though I am sure I will like it.

    I'm sure you will like it too once this nightmare is behind you. Thank you for your honest feedback and for sharing it so politely. :) I'll see what we can do to help prevent something like this from happening again.

    Let me know if there's anything else I can do for you!

  • steven_renwick
    Community Member

    Hey thanks for the detailed feedback. I think I will do as you suggest - set up my own truly personal 1Password account and then move work-specific logins over to my own Vault in the Team account.

    The one thing to answer to your reply above - we really could not Delete the logins from the Trash. If it's there somewhere then it is not obvious in the UI. I did some Googling and found this which suggested that one cannot properly delete anything in the Trash: https://discussions.agilebits.com/discussion/19971/permanently-delete-single-item-from-trash-not-possible-atm

    Another thing to point out that I forgot to mention and which makes it more urgent to fix something - I only managed to rectify this without too much impact because my co-founder happened to make me an Admin on the account. If this happened to any regular Team member then there would be nothing they could have done.

    Anyway - thanks again, and for the attention on Twitter.

  • @steven_renwick It is possible to empty the Trash but you will need to switch from "All Vaults" view to an individual vault first. It is a limitation of the current version and we hope to resolve it soon.

  • rob
    edited January 2016

    @steven_renwick Ah, yeah it may have been the All Vaults issue Roustem mentioned.

    The thread you linked discussed the fact that it's not possible to permanently delete selected items in the Trash without emptying the whole Trash (same as Finder). But emptying the whole Trash is possible (except in All Vaults at the moment) and that's what a non-admin user would need to do.

  • steven_renwick
    Community Member

    So given I have started with a Team account, how do I set up a Personal Account that is not linked to the Team, but still accessible from the same master password? I saw a few of my team had that, but I think they all started with 1Password Personal.

  • rob
    edited January 2016

    @steven_renwick, sorry, it's not extremely obvious. I had to check with someone else because I also started before I had a team account. If you open 1Password's preferences, you should be able to select the Advanced tab, then Enable Personal Vaults.

    Then you can just create a new personal vault (or several) from the 1Password menu.

    Hope that helps!

This discussion has been closed.