Can a family administrator see other family member's passwords?

dcorsi
dcorsi
Community Member

After years and years of 1Password use I'm moving to the 1Password account platform and switching to Families. I'm doing this primarily as my oldest is 11 and is beginning to use 1Password quite a bit for her school and various kids site's passwords but I want to begin to remove the temptation (which has struck yet thank god) for her to realize that 1Password also contains significant passwords to more adult (banking, shopping etc.) sites that she shouldn't be using.

My question is this... As a family administrator is there a way to see or police which sites she is saving passwords to? If she loses her account key or master password I know I can "recover" it as the family manager but what does that really mean, does that give access to her account to my wife and I? The easy and obvious solution is to ensure she uses a master password we know but I'm just trying to understand how the product works.

Thanks, Happy Holidays agilebits!


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • khad
    khad
    1Password Alumni
    edited December 2016

    Hi @dcorsi,

    Thanks for asking about this. :)

    The short version is that each family member has a private vault called "Personal". Only the family member to whom it belongs can see its contents.

    There is also another vault called "Shared". Everyone in the family can add, edit, and remove items from the Shared vault.

    1Password is designed as a privacy tool more than it's designed as a parental monitoring tool, so it would never be possible to completely prevent your daughter from storing secrets of her own in her Personal vault.

    However, you could create a new vault that only you and your daughter have access to (as opposed to the Shared vault that everyone in the family can access). Then encourage her to use that vault and do the following to steer her in that direction:

    • Always start in the new vault when opening 1Password.
    • Remove the Personal vault when viewing All Vaults.
    • Set the new vault as the vault for saving.

    Learn how to do all that in our article:

    Use All Vaults to see all your items at once

    Happy Holidays to you as well!

  • jpgoldberg
    jpgoldberg
    1Password Alumni

    Let me now address the other part of your very interesting question. @khad has offered a couple of tips that should help you manage things appropriately, but the question of "how is is possible for a family organizer to be able to recovery a family member's account without being able to learn its secrets" is a very interesting question.

    In fact, I tried (and failed) to explain this in a recent talk I gave on how recovery works. I made the mistake of trying to talk through this diagram:

    Abbreviate recovery protocol

    The short answer is that as the owner, you have the capability of decrypting the keys to anyone's vault. But the service only gives you those encrypted keys (that you can decrypt) under certain circumstances (like during a recovery). Furthermore, even if you get those keys and can decrypt them, you are not granted access to the actual encrypted data in the Personal vault. So the server won't give you the data even though you might have the ability to decrypt it.

    What you do with these keys is that when the recovering individual re-signs up, you (the Organizer) re-encrypt their vault keys with their new public key.

    Now if you control someone's email and perform recovery for them, you can talk over their account. But that involves actually taking over the account instead of just peeking into it.

    I really wish there were a simpler way to explain this.

This discussion has been closed.