It would be great to have a backup master password with secret splitting

bob_smith
Community Member

With 1Password I create a master password, which I use to access my vault. If I run on, or sync with, an iPhone I can also use Touch ID to access my vault. What I'd like to see added is a feature which I believe can solve for two use cases: #1 I forget my master password and #2 I pass away, or am incapacitated, and would like a way for my survivors to access the copious valuable data stored in my vault.

I'd like to have the ability to add one or more backup master passwords which I can split into a user-defined number of shares and where a user-defined number [subset] of those shares must be present in order to unlock the vault.

Use case #1 - Because I'm forgetful I know it's possible I may inadvertently lock myself out of my own vault. In addition to my daily-use master password I create a backup master password, I then split the backup master password into 5 shares and configure 1Password to require at least three of those shares in order to unlock the vault. Then like a squirrel with a pile of acorns I ferret away my five backup master password shares - one in my favorite book, one in my car, I store one in a draft email, one in my home safe and one in my wallet. If I ever need my backup master password and I forget where I put all those acorns then it's okay - I only have to remember where I put three of them in order to unlock my vault. At the same time if my wallet is stolen my vault is not at risk - with only one of my backup master password shares stored in my wallet the vault cannot be unlocked.

Use case #2 - I realize that life is fickle and I might get hit by a bus, which would likely go badly for me, and I'd want my survivors to be able to access the data in my vault. I create another (in addition to the one I created for use case #1) backup master password, I then split the backup master password into 5 shares and configure 1Password to require at least four of those shares in order to unlock the vault. I pass one share to my wife, one to my child, one to my best friend, one to my banker and one to my estate attorney. If I do get hit by a bus, no problem - the people in my life could come together to open the vault. If one or two of the people in my life go rogue and try to break into the vault, no worries - it would take at least four of them conspiring to be able to open the vault. If one of the people in my life was on vacation at the same time as I was hit by the bus, no problem - the remaining four people in my life could form the quorum required to open the vault.

To make a feature like this more user friendly it would be great for me to be able to expire or invalidate the backup master password(s). It would also be great for me to be able to notate each backup master password with a short text memo describing what I used the backup master password for, e.g. "my backup way in" and "family emergency way in".


Comments

  • Drew_AG
    1Password Alumni

    Hi @bob_smith,

    I am sorry it took us longer than usual to get back to you! Thanks for taking the time to write us with your ideas about how to reset a master password or access a deceased family member's data.

    This is actually already possible with 1Password Families (though in a different and less complicated way). A member of a Families account can be set up to recover other members' accounts in the case of a forgotten master password. We explain more about that here: Recover accounts for family or team members

    As for family members being able to access your data if you pass away, the account recovery process could potentially be used for that as long as someone else can access your email. Another approach would be to keep a copy of your Emergency Kit with your will, or in a safe deposit box.

    Hopefully this helps, but please let us know if you have more questions or suggestions. Cheers! :)

  • bob_smith
    Community Member

    Drew-

    Thanks for your response. Yes, I was aware of the methods you mentioned but was hoping for something a little more secure.

    The two weaknesses that I believe exist with the current approach both lead to potentially simple, single-person account take-over attacks. First, by writing or storing my entire master password in cleartext (e.g. the Emergency Kit approach) we create a situation where a single person that has access to my Emergency Kit could access my entire 1Password vault without my knowledge. Second, by allowing a single other person to reset my master password (e.g. the Families approach) we create a situation where a single person tied to my Families account could change my master password without my authorization, though at least I would become aware of this change the next time I tried to access my vault. Given that [by design] my vault could contain enough information to steal my identity and potentially even bankrupt me, leaving this much power in the hands of someone that could become an angry ex or a rebellious teen might prove a tad bit dangerous.

    Both of the approaches mentioned are probably okay if only used after my death but both fail to protect my valuable data during my life. Also, in cases where a death or legal separation could be messy placing all of the power in a single set of hands seems dangerous.

    In the security field we're taught that we shouldn't assume that people always act honorably - security systems based on the implication of honorable actions always fail while systems that assume bad actors stand much stronger. Trust but verify may be appropriate for the sorts of situations we're discussing but the current approaches don't include any verification.

    -Bob

  • AGAlumB
    1Password Alumni

    @bob_smith: Indeed. So if someone else accessing your Emergency Kit is a concern, don't store it in the open — and consider not including your Master Password. Unfortunately you cannot have it both ways: you either need to accept the responsibility of being the sole bearer of the "keys" to your data, or accept the risk involved in making them accessible to someone else. But I'm not sure where you're getting the idea that someone performing recovery for your 1Password Account gives them access to your data or the ability to change your Master Password; it simply allows them to allow you to do so if you've forgotten it. It seems like a large part of your scenario is predicated on that, so be sure to let me know if you have questions about how this works.

  • bob_smith
    Community Member

    @brenty - The purpose of my post was to make a feature request. Posting on AgileBits appears to be how your team receives feature requests, my apologies if I've misused your forum.

    I can understand if your feedback was, "we haven't heard a request like this before," or, "this sort of thing isn't in-line with our product vision," or even, "this ask is too difficult to implement," but I'm struggling to understand your response. AgileBits' primary business is to make a secure password and information storage/management product, and my feature request is the third option behind your response of, "you can't have it both ways."

    My assertion/request is that the status quo around the master password in 1Password is insufficient for cases where the user is locked-out, deceased or incapacitated, and I have provided a sound rationale for that. First, trusting that an important secret written on a scrap of paper won't somehow slip out into the wild isn't a sane security practice and to support this I'd point to the 1Password product itself - if passwords written in plain text on scraps of paper were sufficient AgileBits wouldn't exist. Second, it's easier to stomach the unlikely possibility that multiple trusted acquaintances must come together to override the security of the master password rather than simply placing all trust in one single person [i.e. conspiracies are less frequent and harder to pull off].

    From a technical perspective my request isn't impossible and from a product perspective it isn't all that difficult to implement, though I do understand that since you are running a for-profit business all features must be valuable and stack-ranked for implementation.

    For information on the long-understood concept of secret sharing, or as RSA calls it distributed credential protection, check out articles like "DNSSEC Root Key Split Among Seven People" and "Splitting passwords up to increase security", or simply do a Google search for many others.

    Due to the growing complexity of password management and the steady rise of 2-factor authentication I would think that my suggestion for master password recovery would be a good feature add for AgileBits' product line as it demonstrates taking the next step in improving authentication for the masses. Users that have already paid for 1Password, or a similar product, are statistically uncommon - very few people who use passwords pay for this sort of capability - and I would think that AgileBits' mission would be to make this capability user friendly, thoughtful and affordable for the masses.

    Lock-outs are a very common reality in the world, many companies have entire teams dedicated to supporting locked-out users so having a capability like this seems like part of the base feature set for a password manager. The common thread among all of those companies that routinely deal with user lock-outs - none of them tell their users that they must choose between writing their passwords on a scrap of paper or losing all of their data.

    As for the 1Password Families option, it's very possible that I didn't/don't understand the recover an account capability in Families but having just looked at the information on the AgileBits website I am struck by three thoughts. First, this feature only appears to solve for the case where the user is locked-out but not the case where the user is deceased or incapacitated. Second, in order to take advantage of this feature I must buy a Families account, quite a steep price considering that the only feature I need is a secure way to reset my master password and flow information to my designated survivors - given the nature of your product I would think that this capability should be part of the base product otherwise it's a bit like buying a $50k car and being told that if you lose the keys you permanently lose the entire car. Third, it appears that in order to use a Families account I must extend even more trust to AgileBits to not intercept my password or misuse this feature for any reason, including secret court order, malicious employee or programmatic mistake, all of which have happened many times before. Number three is a bit more complicated as I must trust the 1Password product anyway but somehow it feels like moving any of my passwords to a SaaS or SaaS-like service is extending more trust than I am with a stand-alone application and more than I would like to. Passwords unlock everything in modern life; this really means trusting AgileBits even more with the very most important information in my life.

    -Bob

This discussion has been closed.