Permanently delete single item from team trash

kingy
kingy
Community Member

I accidentally added a private password to a team vault via a populated form, and seemingly there is no way to permanently remove it.

I moved the item to trash, but then the only option is to empty the whole team trash, but apparently trash is archived anyway so still doesn't permanently delete.

I've read 2 other posts on this forum where the 1password team explains this is intended functionality, and makes analogies to macOS trash and this is why there is no fine grained removal, but it's nonsensical to adhere so dogmatically to a UI paradigm when coming to shared passwords.

I expect a certain level of fine grained control to force delete things in a shared database, without blasting the whole team's trash, and then having it archived anyway.

All sorts of things crossed my mind. I could empty the trash, but people may notice, and it may occur to them that there was something sensitive within the trash, which can be recovered anyway, and my very attempt to fix my error will draw attention. I contemplated just leaving it there, what are the odds someone would sift through it, and be able to make any sense of it? This very contemplation is evidence of an anti-pattern at work.

This experience makes me angry and resistant to using 1password. It's an unsafe tool that will scrape my forms and permanently commit the results to a shared repository.

While the UI paradigm of "macOS trash" is nice, there is another, more important principle of UI design relating to safety. Actions must be safe to reverse and undo. I do not feel safe using 1password.

I found a workaround by 'moving' the item to my private vault and then trashing it (and emptying the trash), but this workflow is not obvious and just shifts the problem 1 level.


1Password Version: 7.0.7
Extension Version: Not Provided
OS Version: 10.13.6
Sync Type: Not Provided

Comments

  • Hi @kingy,

    I think you're right, it'd be great for us to have the ability to choose a single item in the trash and send it to the archive. Unfortunately that's not something we support at the moment. We should always look to do better though.

    What you read about the archive state may be out of date though. As of a few months ago, it's now possible to look at the archived items and choose one for permanent deletion. So in theory you could empty the trash, then go into the archive and destroy that one item completely.

    I found a workaround by 'moving' the item to my private vault and then trashing it (and emptying the trash), but this workflow is not obvious and just shifts the problem 1 level.

    Unfortunately this isn't a workaround. The 'move' from the shared vault to the private vault actually creates a copy of the item and the original stays around but is moved to the trash.

    Rick

  • kingy
    kingy
    Community Member

    Unfortunately this isn't a workaround. The 'move' from the shared vault to the private vault actually creates a copy of the item and the >original stays around but is moved to the trash.

    Great job guys, "move" means "copy".

    As of a few months ago, it's now possible to look at the archived items and choose one for permanent deletion.

    You built fine grained control of the trash-of-trash (archive) but not the first trash?

    I will leave the password in there. Hopefully nobody notices it. Apparently there's no remedy and 1password has actively decided against building such a feature for years.

    Out of curiosity I had a search through our team trash. It seems others have made this mistake. Out of a sample size of ~100 employees, I have seen at least 5 instances of seeming mistakes placing passwords into the team vault by mistake.

    1password is unsafe to use, I will not continue to use it, and argue against it's introduction to any new teams.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @kingy: I'm sorry you feel that way. I agree that it would be nice to have more option in this area. But I don't understand why you'd be saving data to a shared vault if you don't want it to be shared. 1Password isn't "unsafe", and won't even do that unless you tell it to. By default, it will be saving items to the Personal/Private vault, which no one else will ever have access to. You'd have to explicitly either select a shared vault at the time of saving or set the shared vault as the default vault for saving. If this is a common problem facing your team, I'd like to get a better sense of your workflow so that perhaps we can take it into account as we continue to develop 1Password — especially for use by teams to share vaults.

  • kingy
    kingy
    Community Member

    We don't have a defined workflow for adding things to a shared vault. These are users of varying backgrounds (software engineers, data scientists, product managers, support staff) all making similar mistakes. If a tool needs a defined procedure and checklist to not make catastrophic un-recoverable mistakes I would suggest maybe the UX of the tool is the problem, not the workflow or users.

    I only noticed of the severity of my mistake upon looking in significant detail. I initially assumed i could just change the password, subsequently realising there is a complete history of changes, and that history is immutable. Ok I thought, I'll just delete it. Ok, it goes in the trash. Ok I thought, I'll delete it from the trash. Nope. No possible way. I decided to "move" the item to my personal vault, trashed it, cleared the trash. Nope, move secretly means copy-and-trash. I didn't even realise this until the above poster mentioned it. So I contemplated deleting the whole team's trash and whether that would attract attention, and if I would even have access to manipulate the archive, which would significantly compound my mistake. I googled 1password permission settings, eventually deciding I could probably manipulate it. I cleared the trash, only to find the mac app does not allow you to manipulate the archive. Of course, I thought. Silly me. It's literally impossible to recover my error from the mac app. I log into the web version and eventually delete my shared password after a couple days.

    How I accidentally added something to the shared vault was by clicking "yes" when 1password offered to add for me while I was changing the password to an account I wished to share with the team. I assumed it would generate a password for me, but instead it just scraped the web form, including tons of extraneous fields like name, date of birth, city, etc, including the existing password, and was impossible to remove or amend as outline above.

    I'm actually struggling to think of anything with an equivalent level of resistance to recovering from errors.

    What is especially irksome from this experience is that 1password has repeatedly posted denials this constitutes any problem at all, even lauding your own genius of the "trash" UI paradigm equivalence, and deliberate decision not to build fine grained control.

    Even mac trash has fine grained "delete immediately".

    1password fails the "least surprise" and "safe recovery" principles of UX design. I was surprised several times on several levels, and couldn't recover from mistakes. I was surprised and made these mistakes as a professional app developer. Regular users have no hope, as evidenced by the litany of errors contained in our team vault, and I suspect many team's vaults.

  • Thanks for the continued feedback on this issue, @kingy. It seems it would be worth having another brainstorming session on how this should work based on expectations.

    Ben

  • AGAlumB
    AGAlumB
    1Password Alumni

    @kingy: Thank you for the followup! Just to clarify, I wasn't suggesting a "defined procedure". I honestly don't know what that could be, since your use case is probably different that mine, etc. I was just trying to get a better sense of how your team's workflow differs from ours, since I often find myself encountering the opposite problem: saving something I need to share in my Private vault, since that's the default for saving and I'd have to explicitly select another to save an item elsewhere. Anyway, I'm sorry for being too vague.

    In your case, it seems to me you could recover from the mistakes you've described by copying the item to another vault and changing the password there. Any copy of the item in the original location will not be updated. We do err on the side of recovering from errors, just not the specific one you're talking about here. Most often we hear from customers who want to make sure they don't lose data, as opposed to trying to get rid of it. Since everything in 1Password is encrypted, our "safe recovery" has been on making sure people don't lock themselves out of accounts by destroying data. To most "regular users" this offers "least surprise". But in some group settings that may take a backseat to other concerns. So it's good to get another perspective. Thanks for sharing yours. :)

This discussion has been closed.