Procedure for password and key changing in 1Password Teams
Hello good people!
This is my first post here so please forgive any misunderstandings I may have. Also, maybe I didn't look hard enough, but I didn't find an answer to my question in the forums or documentation.
If I understand correctly, the security of 1Password is based on encryption strength and use of long keys and strong passwords. If so, it stands to reason that, like passwords, security is enhanced if the keys and passwords are regularly replaced to limit the time available for potential attackers to crack them. With that in mind I'd like to ask what is the best procedure for doing so. Let's say for example I have a Team with 4 users (2 admins, one of which is the owner, and 2 non-admin users). Let's say each of these users has 2 iOS devices and 2 Macs running the latest OS versions using iCloud syncing and the Safari plugin. If I want to replace all account keys and master passwords once every three months, what would be the best procedure for doing so please?
Many thanks!
nudge
1Password Version: 6.2.1
Extension Version: 4.5.6
OS Version: OS X 10.11.5
Sync Type: iCloud
Comments
-
Hi @nudge!
First I'm going to quote from a blog post talking about Master Passwords, as this section applies to your question:
We’ve all been told to change passwords on a regular basis, and there are still some circumstances under which that remains reasonable advice. But it is not a good idea with 1Password master passwords. Ideally you should pick a good master password at the outset and never change it.
With that being said, you change your Master Password and Account Key by following these steps:
Sign in to your account from 1Password.com and click the account menu in the top right, then select My Profile.
Click "Change Master Password", then fill out those fields with updated info and confirm the changes.
Click the pencil beside your Account Key, type your Master Password, and click Regenerate Account Key.
Click the Generate Emergency Kit button and store that in a safe place so you can sign in later.
I hope that helps!
0 -
Thank you for your reply nmott, I've now read that blog but it doesn't seem very related to my question. In fact the answer you've kindly provided appears to be for the single user method that I've already seen in the documentation.
Whether or not AgileBits consider it appropriate to change keys and passwords on a regular basis, I'd still like to hear how you recommend going about doing this in a multi-user Team. I wonder what are the implications for syncing between multiple users and devices, how a sysadmin responsible for maintaining a 1Password environment in a business might go about doing this. By the way, whether or not you think this is needed isn't likely to change what a security auditor recommends.
Thanks for helping.
nudge
0 -
@nudge thanks for clarifying.
You can accomplish this using the recovery options. This will require users to come up with a new Master Password and regenerate their Account Key. (They'll also want to save a new Emergency Kit, since it will differ from the first one.) Then they'll have to set up their devices again. I believe that's as close as we currently come to providing a way for you to automatically force them to update their info.
0 -
Thanks for following up. That seems to partly cover my question but I'm still looking for a more complete picture. I'm going to update this thread after I've studied the Teams whitepaper more and seen whatever else I can find on the subject. Meanwhile, if you or anyone else has additional info that would be much appreciated...
0 -
If you're willing to help clarify your question, I might have an answer for you. Here's the question from the first post:
If I want to replace all account keys and master passwords once every three months, what would be the best procedure for doing so please?
Here is the response I gave:
You can accomplish this using the recovery options. This will require users to come up with a new Master Password and regenerate their Account Key. (They'll also want to save a new Emergency Kit, since it will differ from the first one.) Then they'll have to set up their devices again. I believe that's as close as we currently come to providing a way for you to automatically force them to update their info.
Is there another question in your first post that I'm not seeing? Or have I not explained how using the recovery options would achieve this goal, even if it wasn't designed specifically with quarterly changes to users' Account Keys and Master Passwords in mind?
0