Some Questions About 1Password

Flappination
Community Member

I have really, really stupid family members when it comes to password security. 99% of the time they don't know their password to their own Gmail/Facebook account and I'm stuck trying to remember it for them, which usually just means I end up resetting it. Because of this I'm currently debating between using LastPass and 1Password for your Families subscription (or teams if absolutely necessary). Both of them seem like capable pieces of software but I have some questions on 1Password.

  1. I've noticed that LastPass routinely has teams like Google's Project-Zero audit their software for security concerns. Does 1Password do this?

  2. I'm a bit confused about where vaults are stored. I have done some reading here and it seems like vaults are stored both locally and in the cloud. Which is it and when? Also, if they are stored locally, whenever I sign into the website and access my passwords there, is a local copy saved as well?

  3. If I sign into myfamily.1password.com from a machine that does not have any 1Password software installed (browser extensions, desktop application, etc), will I be still able to access my passwords, and is it still secure?

  4. How exactly do Guests work and what are they capable of? I would assume they have to create their own 1Password account, get their Account Key, etc and then they have access to whichever Vault I want them to have access to, correct? Doesn't this defeat the purpose of a "guest", since 1Password is not free? I'll admit, I didn't look into this one much myself.

  5. In the event that I would disappear and my family would need access to my passwords, would they be able to get them by doing the "restore a family members account" procedure?

  6. It looks like the family plan includes 5 licenses (1 for myself and 4 for family members). If I needed more than that, would I have to switch to a Teams subscription or could I use the "guest" feature?

That's all I can think of for now.

Thanks!

Steven



Comments

  • AGAlumB
    1Password Alumni

    I have really, really stupid family members when it comes to password security. 99% of the time they don't know their password to their own Gmail/Facebook account and I'm stuck trying to remember it for them, which usually just means I end up resetting it.

    @Flappination: First of all, thanks for your interest in 1Password, and good on you for "taking one for the team" and helping your loved ones improve their security! :chuffed:

    I've noticed that LastPass routinely has teams like Google's Project-Zero audit their software for security concerns. Does 1Password do this?

    To clarify, no one has Project Zero audit them; they act independently. 1Password has been audited by them. I just want to be clear that this isn't something they do for us; it's for the greater good of the security industry as a whole, and they are beholden neither to us nor to any others.

    I'm a bit confused about where vaults are stored. I have done some reading here and it seems like vaults are stored both locally and in the cloud. Which is it and when? Also, if they are stored locally, whenever I sign into the website and access my passwords there, is a local copy saved as well?

    If you use the standalone 1Password apps, vaults are stored locally, and are optionally sync'd using Dropbox or iCloud. With a 1Password.com membership, the encrypted data is stored on the server, which you can access from your devices by signing into the account (no sync configuration required); but the data is cached locally in the app at that point as well, so you can also access it offline.

    If I sign into myfamily.1password.com from a machine that does not have any 1Password software installed (browser extensions, desktop application, etc), will I be still able to access my passwords, and is it still secure?

    Probably. We go to a lot of trouble to protect your data both on our servers, in transit, and also as you access it...but the caveat is that if you access sensitive data on a compromised machine, or simply one which someone else controls, you may be in trouble, as someone malicious could simply capture data as it is decrypted for you to access it. So that isn't something we recommend. It's better to access sensitive information only in an environment which is safe.

    How exactly do Guests work and what are they capable of? I would assume they have to create their own 1Password account, get their Account Key, etc and then they have access to whichever Vault I want them to have access to, correct? Doesn't this defeat the purpose of a "guest", since 1Password is not free? I'll admit, I didn't look into this one much myself.

    I'm not sure I understand this part: "Doesn't this defeat the purpose of a 'guest', since 1Password is not free?" But guests are essentially just limited users in your 1Password Families (or Teams) account. Like a regular family (or team) member, they each have their own account credentials and can use all of the apps. However, they do not have a Personal/Private vault, and can only access a single vault you share with them. So generally these are used for 3rd parties you want to share some data with (lawyer, accountant) or a family member you want to help manage things (children, grandparents).

    In the event that I would disappear and my family would need access to my passwords, would they be able to get them by doing the "restore a family members account" procedure?

    No. They'd need to have your Emergency Kit, which you could leave in a safe deposit box for them, or with an attorney in case of your passing. You could (and some people do) use account recovery for this too, but the family member would need to have access to your registered email account in order to do that; and it's important to keep in mind that if you give them access to your email account today, there's nothing stopping them from doing account recovery today as well (provided their own 1Password.com account is an Organizer in the family plan).

    It looks like the family plan includes 5 licenses (1 for myself and 4 for family members). If I needed more than that, would I have to switch to a Teams subscription or could I use the "guest" feature?

    They're not really licenses, as the account just includes everything. So, regardless of how many devices any given family member has, they just need to sign into their account to use 1Password there. Five family members are included in the base price of a 1Password Families plan, but you can always add more for about a dollar a month each.

    I hope this helps. Be sure to let me know if you have any other questions! :)

  • Flappination
    Community Member

    To clarify, no one has Project Zero audit them; they act independently. 1Password has been audited by them. I just want to be clear that this isn't something they do for us; it's for the greater good of the security industry as a whole, and they are beholden neither to us nor to any others.

    Got it, I was under the assumption that they were paid by companies to audit them. Basically the answer here is yes, you do have your software audited then (not that I don't trust you guys, I'm mostly just curious on that front).

    If you use the standalone 1Password apps, vaults are stored locally, and are optionally sync'd using Dropbox or iCloud. With a 1Password.com membership, the encrypted data is stored on the server, which you can access from your devices by signing into the account (no sync configuration required); but the data is cached locally in the app at that point as well, so you can also access it offline.

    I am assuming by standalone app you are referring to the Windows, Mac, iOS, and Android apps?

    Also, is there any way to disable storing vaults locally and just keep them in the cloud?

    Probably. We go to a lot of trouble to protect your data both on our servers, in transit, and also as you access it...but the caveat is that if you access sensitive data on a compromised machine, or simply one which someone else controls, you may be in trouble, as someone malicious could simply capture data as it is decrypted for you to access it. So that isn't something we recommend. It's better to access sensitive information only in an environment which is safe.

    I agree with you there, I really only plan on accessing the passwords on my phone and home computers. I'm mostly just concerned with family members signing in basically anywhere to look up a password. I plan on getting them to just use their phones as well but you never know.

    If they sign in to myfamily.1password.com on a computer without a browser extension or any app installed, would that cache a local copy of their vault?

    I'm not sure I understand this part: "Doesn't this defeat the purpose of a 'guest', since 1Password is not free?"

    That was pretty terribly worded on my part, sorry about that but you got it and answered my question :chuffed:

    No. They'd need to have your Emergency Kit, which you could leave in a safe deposit box for them, or with an attorney in case of your passing. You could (and some people do) use account recovery for this too, but the family member would need to have access to your registered email account in order to do that; and it's important to keep in mind that if you give them access to your email account today, there's nothing stopping them from doing account recovery today as well (provided their own 1Password.com account is an Organizer in the family plan).

    That makes sense and I have no problems with that. Just out of curiosity, do you guys have any plans on implementing the "Emergency Access" feature that LastPass and Dashlane use? Or do you consider the "Emergency Kit" your implementation of that? (it essentially is just not automated).

    Five family members are included in the base price of a 1Password Families plan, but you can always add more for about a dollar a month each.

    By "about a dollar a month each" are you referring to adding them as guests? Or is there an option to add additional family members beyond 5 that I just completely missed? And by adding additional family members I'm referring to them having their own private/personal vault, which guests do not.

    Thank you for the super fast response and helpful answers!

  • Lars
    1Password Alumni

    @Flappination

    Basically the answer here is yes, you do have your software audited then...

    Yes. And not just by the Project Zero folks, but by other outfits as well. Here’s a list, if you’re curious.

    Also, is there any way to disable storing vaults locally and just keep them in the cloud?

    Not really. We need to have local caches of data because users are oftentimes in situations where they're temporarily away from wi-fi or out of reach of wireless connectivity. If your 1password.com account were cloud-only, you'd be out of luck in terms of accessing all your most important data the instant you lost internet connectivity. Not good.

    However, I hear you on wanting to keep family members secure, even from themselves, as much as possible. I think if you can tell them to make sure they use 1Password only in the apps themselves instead of in a web browser, that should (probably) work. There is also a box on the web sign-in page which you can instruct family members to check which will NOT save their Secret Key or email address in browser memory.

    The Emergency Kit feature isn't designed to be automated. Indeed, any system which stores or can derive either your actual en/decryption key or the secrets used to derive it, can by definition access your data. In 1Password Families, we've implemented a feature called Account Recovery, by means of which anyone with Admin privileges ("Family Organizer" in 1Password Families) can help you recover your account if you can't sign in. We recommend every 1Password Families account have at least one OTHER Family Organizer besides the account owner, because that way there's not a single point of failure: even if the owner loses his/her Secret Key or forgets the Master Password, someone else will be able to recover his/her account.

    By "about a dollar a month each" are you referring to adding them as guests?

    Nope, you get up to five simultaneous guests in addition to your family members, at no extra cost.

    Or is there an option to add additional family members beyond 5 that I just completely missed?

    We don't advertise it, but yes, additional family members can be added for about $1/mo to your account. And yes, they would be full-fledged members with their own Private vault as well as access to the family-wide Shared vault.

This discussion has been closed.