Bunch of questions

Just started a teams trial (business?) and have several questions.

  1. When we save a login with 1password where is the data saved? On my devices or on your servers? If it is on your servers, where physically are your servers located?
  2. I don't completely understand what "shared vaults" are used for and how they would work. Can you explain?
  3. Does your system work with logins for desktop applications such as Quickbooks?
  4. One of our biggest issues is the use of the same passwords on multiple logins. As we add logins to 1password we haven't yet changed the password. What is the best procedure to change passwords after the login has been saved in 1password? Is there a tool for doing this?
  5. Is there a tool or procedure to automatically change or set a reminder to change passwords on regular intervals?
  6. As an admin, what are the best practices for when an employee leaves?

Likely more questions to come but that's a start.

Thanks
Jim Turner


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • LarsLars Junior Member

    Team Member
    edited March 2018

    Welcome to the forum, @JimTurner! Glad to hear you're taking 1Password Teams for a test-drive. :)

    1. In all 1Password accounts (including 1Password Teams), you have a local cache of your data (for times when you have no internet connection, so you won't be unable to access your data without one), but the data resides on our servers. We use Amazon's AWS, and the physical server locations are: US-East (N. Virginia) for 1password.com, Canada (Montreal) for 1Password.ca and Germany (Frankfurt) for 1Password.eu.
    2. This page is probably the best explanation for that.
    3. No. Desktop OSes like Windows and Mac currently don't allow for that sort of tie-in; it would have to be done by a specific arrangement between developers, with them allowing us to place some of our code directly within their applications.
    4. No specific tool, because it's safer and better security to give users full control. However, this is the procedure.
    5. No. There's a good explanation of why no auto-change tool here, and another recent discussion of changing passwords on a set schedule here (short answer: we don't recommend it, and neither does NIST).
    6. That's an excellent question! And one without a one-size-fits-all answer. It depends on your industry, your threat model, your overall comfort level with risk, and a host of other factors. I'd be happy to give you some general guidelines, but what I'm really thinking might be best is if I have one of our 1Password Teams folks get in touch with you via email. Would it be OK if I made someone on that team aware of this conversation and gave them the email address you used to sign up for this forum to get in contact with you so you can feel free to discuss more-specific things that maybe should be best left off this public forum?
  • Lars,

    Thanks for the very detailed and helpful information.

    So it looks like the trial I signed up with is the .com (not .ca) site, I would prefer that no data was stored in the USA. Can this be changed when we establish a permanent account or should we start over? (I haven't setup much yet)

    I had to laugh a bit regarding password changes, we are in the process of switching to a new outsourced IT provider and they were telling us that they were going to implement some program to force periodic password changes (that's why that question came up). I think I am going to push back on that!

    Yes, I would like to talk to your team regarding best practices. Specifically, and I understand there will be different situations, but what is your vision of how you see you program fitting in with a small business. How should an employee use their account (what is private, what is shared). Roles of the administrators etc.

    One thing we noticed when playing around with shared vaults is that the password for a login can be viewed (and therefore easily written down) by the sharee. Might it be a good idea that shared logins passwords could be used by the sharee but not viewed? My specific example is I would like to share my Staples account with the girl that orders the office supplies, she could have access to the account but wouldn't really have the password. I am probably overthinking this...

    Again thanks for you help.

    Regards

    Jim Turner

    1. it's technically possible - Sticky Password has this option. But it's very unreliable. For example in Corel PhotoPaint is impossible save any file. Without any error visible to man. Silent error ... is it very confusing. I like that 1p doesnot have this feature.
  • brentybrenty

    Team Member

    So it looks like the trial I signed up with is the .com (not .ca) site, I would prefer that no data was stored in the USA. Can this be changed when we establish a permanent account or should we start over? (I haven't setup much yet)

    @JimTurner: To be clear, all 1Password data is encrypted locally before being sent, so that's all the server gets to store. But if you prefer 1Password.ca, I'd recommend creating an account there and copying your data over now. Since they're completely separate, there is no way to do this in the account itself. You'd need to create another one there.

    I had to laugh a bit regarding password changes, we are in the process of switching to a new outsourced IT provider and they were telling us that they were going to implement some program to force periodic password changes (that's why that question came up). I think I am going to push back on that!

    Oh good god please do! Not only is it a huge pain without any security benefit, it encourages most users to use (and reuse) weaker passwords. I hope they'll listen to reason!

    Yes, I would like to talk to your team regarding best practices. Specifically, and I understand there will be different situations, but what is your vision of how you see you program fitting in with a small business. How should an employee use their account (what is private, what is shared). Roles of the administrators etc.

    You're really going to have to be more specific, but we're happy to help in any way we can. Here at AgileBits we store work-related stuff in our company accounts: those items which are specific to us (for example, my forum login) goes in the Personal/Private vault, and those which are shared go in the appropriate shared vault (e.g. Twitter login in social vault).

    One thing we noticed when playing around with shared vaults is that the password for a login can be viewed (and therefore easily written down) by the sharee. Might it be a good idea that shared logins passwords could be used by the sharee but not viewed?

    That's an option that's available in 1Password Teams Pro accounts because it's been heavily requested, but we're always careful to tell people that this is not magic: if you give someone access to the login, even if they can't visually see the password, you're allowing them to fill it (where they could simply grabbing it from the webpage after) or potentially change it. Secrets you share cannot be taken back; you'd need to change the password to revoke their access to that account later on.

    My specific example is I would like to share my Staples account with the girl that orders the office supplies, she could have access to the account but wouldn't really have the password. I am probably overthinking this...

    You're not overthinking it, it just isn't obvious. Certainly many non-techy people aren't going to know how to get around that or even think to try, but someone malicious who really wants to will be able to figure out the password or change it so that they do know it. Food for thought.

  • brentybrenty

    Team Member

    @Ludvik: Yeah, it's definitely a tough one. I understand the impulse. It would be great if something like that could be relied on. It's certainly possible that developments in the field could change that in the future, but change is slow. We've been stuck with passwords for how many decades now? Many have proposed replacements, but nothing's really taken off.

  • LarsLars Junior Member

    Team Member

    @JimTurner - I've asked the 1Password Teams folks to get in touch with you via email to discuss things more specifically related to your own setup. You should be hearing from someone soon. :)

  • JimTurnerJimTurner
    edited March 2018

    Ok, so I switched the account to the .ca site and am pretty much ready to go ahead and purchase a subscription, just a couple of questions. Do I need to get all users setup before subscribing? If our users go up or down is our billing adjusted and how do we do that? (I would be using the annual billing option) If we signup now does the subscription actually start at the end of the trial period? (no big deal if it doesn't).

    Thanks
    Jim

  • LarsLars Junior Member

    Team Member

    @JimTurner - excellent! When you create a new 1password.com account you get a 30-day free trial starting from the date/time the first person (presumably you) signed up. From that moment, the clock is ticking down to your first charge. At the end of your free trial (assuming you've added a credit card), you'll have a charge for however-many users you've added up to that point. So, from that perspective, yes: it's a good idea to set everyone up within the 30-day window.

    However, if you don't, it's not the end of the world: when you add new members during a billing year (assuming you're paying annually), the system will calculate how many days until the next annual renewal and charge you a pro-rated, per-diem amount multiplied by that number of days, so everyone can renew all at once when the annual renewal happens.

    If you remove users, you will not receive a direct refund, but you'll get the corresponding per-diem amount added to your account as a credit, so that at the next annual renewal you'll be charged (whatever the total is) minus that credit amount. Or the credit will be used the next time you add a new member, whichever comes first.

  • Excellent, we are all signed up!

    Thanks
    Jim

  • LarsLars Junior Member

    Team Member

    @JimTurner - that's awesome! We look forward to helping all of you secure and use your most important data. And we're always here if you or any of the team have questions or run into issues (well, OK, sometimes we sleep. 😉). Welcome to 1Password Teams!

This discussion has been closed.