SUGGESTION - Allow modification of Account Key like Password Generator (Pronounceable!)
Hi Agilebits team, this is my first time posting so I hope to be helpful.
TL;DR
Please allow us to adjust the parameters of the Account Key on a 1Password for Families/Teams account to make it easier to remember and use
EXTENDED VERSION
I've been enjoying using 1Password for over 4 years now. I unfortunately purchased 1Password version 1 just a few months before version 4 for Windows came out, and as such I couldn't justify spending even more than the first time to upgrade to the more polished version, so I'm still stuck on version 1. But it's otherwise been working well... Until 1PasswordAnywhere stopped working.
Seriously guys, I spent quite a few hours trying to figure out what went wrong and Googling and reading all the discussion to figure out what has been going on. And really it was so unnecessary. Just a simple, clear, explanatory email to all customers about 1PasswordAnywhere being shut down would have been sufficient, not a quick posting in the 1Password Discussion Forums. Please, for future reference, if any service, offerings, features, non-features or anything else 1Password software related is being shutdown or discontinued, please just send us a quick email about it. You already have all our email addresses from when we make a purchase. It doesn't take long, but it goes a long way towards keeping good relations with your customers and keeping us informed before something major happens to software features that we rely on that suddenly disappear and catches us off guard. Anyway, admonishing tone finished.
I'm really happy that you have been working on a new synchronization method using your own servers and backend, it's definitely the way to go and keep everything in-house. However, I've been giving all the Windows software a test-run (UWP, Desktop 6 Beta, Web login) and I see there's still a long way to go. I know that the guys are working hard to put it all together, and I appreciate that, thanks! I'm not saying hurry up, just rather that I'd love to start paying a subscription for your hard work, but it's still not usable enough to get stuff done. I don't need to list all the things that need fixing, you guys already know what I mean. Here's hoping enough has come together by August 2nd that I can start giving you guys the payment you deserve for your hard work.
I wanted to give one suggestion for creating new accounts for 1Password for Families (and I assume Teams as well). I didn't know anything about the Account Key or what it was for when I first activated my account with Families. I almost assumed it was a registration/activation code and quickly skipped it or closed the window. I think there needs to be more clear emphasis that the Account Key is IMPORTANT, and the Emergency Kit must be PRINTED and/or kept in a safe place digitally. How to do this? Try and simplify the directions and force a pause on the webpage to encourage people to read the simple prepared directions.
Also, when I saw the length of the Account Key and the jumble of numbers and letters, I was overwhelmed. And I've been using 1Password for years. The idea of remembering such a long Account Key is nuts to me. I realize that it's only necessary when using 1Password on a new device or location. But the most likely use case for NEEDING this number is an emergency situation that leaves me without my phone, tablet or laptop. And then I likely don't have my Account Key on my person. I realize this Account Key is unavoidable because of 2 factor authorization, but wouldn't it be possible to allow some variation and limited changes to the Account Key, to make it much more memorable? Passphrases perhaps? A shorter minimum length that is still strong? If this method is truly to be a 1PasswordAnywhere replacement, then I need to be able to adjust or change the Account Key. Previously I had two passwords I ever needed to remember, my Dropbox password and my 1Password password. If we are to get the same level of security/usability, then the ability to make a memorable yet secure Account Key for ourselves is a must.
Looking forward to hearing back from you guys and what you think!
1Password Version: Windows 1.0.9.342 & 6.0.173d Beta
Extension Version: 3.9.21.90 & 4.5.7.90
OS Version: Windows 10
Sync Type: Dropbox & 1Password Families
Comments
-
Hi Agilebits team, this is my first time posting so I hope to be helpful.
@Starmatrix: Well, that's awesome! Welcome to the forums! :chuffed:
I've been enjoying using 1Password for over 4 years now. I unfortunately purchased 1Password version 1 just a few months before version 4 for Windows came out, and as such I couldn't justify spending even more than the first time to upgrade to the more polished version, so I'm still stuck on version 1. But it's otherwise been working well... Until 1PasswordAnywhere stopped working.
First and foremost, I'm sorry for the confusion there! 1Password for Windows version 4 was released in June 2014 — just over two years ago — and is a free upgrade to anyone who purchased 1Password for Windows in 2013 or later. If that 18 month free upgrade window applies to you, be sure to email us at support+licenses@agilebits.com and we'll get things sorted out for you! And even if it doesn't apply to you, email us anyway and we'll see if there's something else we can do to help! :) :+1:
Seriously guys, I spent quite a few hours trying to figure out what went wrong and Googling and reading all the discussion to figure out what has been going on. And really it was so unnecessary. Just a simple, clear, explanatory email to all customers about 1PasswordAnywhere being shut down would have been sufficient, not a quick posting in the 1Password Discussion Forums. Please, for future reference, if any service, offerings, features, non-features or anything else 1Password software related is being shutdown or discontinued, please just send us a quick email about it. You already have all our email addresses from when we make a purchase. It doesn't take long, but it goes a long way towards keeping good relations with your customers and keeping us informed before something major happens to software features that we rely on that suddenly disappear and catches us off guard. Anyway, admonishing tone finished.
I'm really sorry for the inconvenience there. Those sound like perfectly reasonable ways to handle it, until we consider that it would mean spamming everyone who ever bought 1Password to accomplish what you propose. That's not something we'd be happy about being on the receiving end, so likewise that just isn't something we're willing to do. While 1PasswordAnywhere had broken a number of times in the months leading up to its end, it wasn't clear until relatively shortly beforehand (which is why we announced it here on the forums) that this would be the final nail in the coffin when it comes to Dropbox supporting 1Password.html loading external resources. So while it's certainly a frustrating user experience, mass emailing every AgileBits customer isn't okay — and besides, we don't have the email addresses for anyone who's purchased through the App Store, which isn't an insignificant number of people. But there's been a lot of discussion of other things we can try in the future, because we agree that we can do better. Thanks for sharing your thoughts!
0 -
I'm really happy that you have been working on a new synchronization method using your own servers and backend, it's definitely the way to go and keep everything in-house. However, I've been giving all the Windows software a test-run (UWP, Desktop 6 Beta, Web login) and I see there's still a long way to go. I know that the guys are working hard to put it all together, and I appreciate that, thanks! I'm not saying hurry up, just rather that I'd love to start paying a subscription for your hard work, but it's still not usable enough to get stuff done. I don't need to list all the things that need fixing, you guys already know what I mean. Here's hoping enough has come together by August 2nd that I can start giving you guys the payment you deserve for your hard work.
@Starmatrix: Honestly while I appreciate your restraint, patience, and understanding, we'd really love to hear from you about what you're looking for in particular! Whether there's an existing discussion in the Windows beta category where you can chime in with "me too" for a particular feature, or starting a new discussion there for something that others haven't mentioned, it's great to hear from passionate users, and it also helps us see which improvements are most desired. To be clear, August 2nd isn't the release date for 1Password for Windows version 6, though it will be released in August. But we'll certainly do our best to get it done sooner rather than later!
I wanted to give one suggestion for creating new accounts for 1Password for Families (and I assume Teams as well). I didn't know anything about the Account Key or what it was for when I first activated my account with Families. I almost assumed it was a registration/activation code and quickly skipped it or closed the window. I think there needs to be more clear emphasis that the Account Key is IMPORTANT, and the Emergency Kit must be PRINTED and/or kept in a safe place digitally. How to do this? Try and simplify the directions and force a pause on the webpage to encourage people to read the simple prepared directions.
Indeed, this is something we've struggled with, and we continue to work on new ways to improve the experience there. Just to review, when signing up, we first illustrate that your data is secured using both your Master Password and Account Key:
Next, we explain that you'll need it to access your data, and that we won't be able to give it to you:
And upon logging in for the first time, you're prompted to save the Emergency Kit with your Account Key:
And just to be sure, saving the Emergency Kit is still Quest #1 — before inviting others or creating a vault:
We've revised the text and design a number of times, and we'll continue to do so. Can you tell me specifically how you'd like to see it made clearer? Granted, depending on when you signed up, it may have already changed substantially. Let me know!TL;DR Please allow us to adjust the parameters of the Account Key on a 1Password for Families/Teams account to make it easier to remember and use
Coming back to your original suggestion (since it seemed to fit in this context), this almost certainly isn't going to happen. The Account Key is used to strengthen your Master Password, so that no one can perform a brute force attack against your Master Password alone — they'll need to have the Account Key as well. And having it be long, strong, unique, and random is what makes that relevant. Allowing us mere mortals to choose this defeats the purpose, as it does not provide the same security benefit. More on this below.
Also, when I saw the length of the Account Key and the jumble of numbers and letters, I was overwhelmed. And I've been using 1Password for years. The idea of remembering such a long Account Key is nuts to me. I realize that it's only necessary when using 1Password on a new device or location. But the most likely use case for NEEDING this number is an emergency situation that leaves me without my phone, tablet or laptop. And then I likely don't have my Account Key on my person. I realize this Account Key is unavoidable because of 2 factor authorization, but wouldn't it be possible to allow some variation and limited changes to the Account Key, to make it much more memorable? Passphrases perhaps? A shorter minimum length that is still strong? If this method is truly to be a 1PasswordAnywhere replacement, then I need to be able to adjust or change the Account Key. Previously I had two passwords I ever needed to remember, my Dropbox password and my 1Password password. If we are to get the same level of security/usability, then the ability to make a memorable yet secure Account Key for ourselves is a must. Looking forward to hearing back from you guys and what you think!
I think this may be the source of the misunderstanding: you're not expected to memorize the Account Key, only your Master Password. This is reflected in the signup process, where you're prompted to type the Master Password to login, and then to save the Emergency Kit with the Account Key. The reason for this is that once you've authorized a device, you will only need to enter the Master Password to login/unlock. And so long as you're able to remember your Master Password to do that, you'll be able to access your Account Key within the app/website itself, even if you've lost the Emergency Kit. It's not reasonable to design a critical security architecture for the 1% (or less) scenario. If there are things we can do which won't decrease security for the other 99% of typical usage, that's different. But making the Account Key user-generated to accommodate hypothetical situations lowers the security bar for everyone for questionable benefits.
I'm sorry if that sounds harsh, but security is something we take very seriously. So many security exploits involve ill-conceived "convenience" affordances. They're implemented for rare "emergency" situations where someone needs to regain access to important information...at the expense of normal usage for all users. 1Password Families (and Teams), however, is a great solution to this kind of problem: invite your loved ones, executor, etc. so they can either access information directly for you, or help you recover your own account if you lose the Account Key or forget the Master Password — or just don't have access to an authorized device when you need to. These people are just a phone call away. And it doesn't have to be your phone. There are phones — and people with phones — just about everywhere. And after all, if you're in a true emergency situation without contact with the outside world, 1Password is the least of your problems. I think it's important to keep perspective when it comes to just what we can expect of 1Password. And at the most fundamental level, that means recognizing and accepting that we will not have access to our data without the data and proper credentials to access it.
But that's certainly not the end of it! Be sure to let me know if you have any other questions, comments, or suggestions about this. These are some interesting issues, and it's good that you brought them up! :pirate:
0