Question about migration to Family subscription

earthtrip
Community Member

Hi -

I'm thinking about moving to a family subscription from my single license 1Password 6 and have some questions that I didn't see answered exactly in the FAQ or when searching the forum.

1) If I get a family subscription with 5 members on it, how are members tracked? Each family member has multiple devices (phones, iPad, laptop). Does a device count as a "member" or is it just via their account credentials and we could have 5 "accounts" but 20 devices?

2) I have a shared vault in 1Password 6 with another party. They aren't upgrading to a subscription service at this point and maybe never. Can I still read in our shared vault that is sitting in Dropbox and perform CRUD operations on the data using the latest 1Password?

Thanks for any info!

Mike


1Password Version: 6 and 7
Extension Version: Not Provided
OS Version: Mac OS, iOS
Sync Type: Not Provided

Comments

  • earthtrip
    Community Member

    Also why does creating an account require you to generate a URL with the family name in it? I mean it seems like you can make it anything but why even have a custom URL at all? It seems pretty insecure to have a public facing web URL with a user's last name (I'm assuming that's the normal situation most people are in when they add their family name) that is directly tied into all their personal data/passwords they have. e.g. say I'm a hacker and I find that Mr. Smith has millions of dollars in income from publicly available information and I say to myself.. lemme see if he has a 1password vault full of goodies - I'll just mosey on over to smith.1password.com and see if I can break in and get access?

    Maybe in practical terms that's almost impossible but the documentation and web videos that AgileBits have about signing up are all about how easy it is and don't really speak to any of the broader security questions that I think people using a system like this would like to know. Yeah it's great that AES-256 is the encryption algorithm at rest but what makes it difficult for hackers to just go to your personal family URL and start attempting to break in? Do I have to enter that "key" that gets generated when the account is signed up every time I log in to the website? Are there other pieces of data required? Note I'm not talking about if someone steals my laptop or phone and it's unlocked - I just am referring to public facing entry points into the system.

    Thanks for any intel. I plan on using the family subscription (I've had 1password dropbox sync for years and find it indispensable) but I'd like to get more granular details about what this system is doing than your FAQ and documentation seem to show. Digging through hundreds of forum posts isn't getting me what I'd like to know.

  • AGAlumB
    1Password Alumni

    @earthtrip: Thanks for getting in touch! Good questions. :)

    1) If I get a family subscription with 5 members on it, how are members tracked? Each family member has multiple devices (phones, iPad, laptop). Does a device count as a "member" or is it just via their account credentials and we could have 5 "accounts" but 20 devices?

    Nope. Each person you invite to your family plan will have their very own 1Password.com account, with a Master Password of their choosing, a Secret Key unique to them, as well as their own Personal/Private vault which no one else can ever access. And they can use that account on an unlimited number of devices. So the number of people — 5 included in the base price — have no device restrictions that count toward that.

    2) I have a shared vault in 1Password 6 with another party. They aren't upgrading to a subscription service at this point and maybe never. Can I still read in our shared vault that is sitting in Dropbox and perform CRUD operations on the data using the latest 1Password?

    You can, but I'd recommend inviting them as a guest. That allows them to access a single vault you share with them, and is much easier to deal with than configuring sync with Dropbox on each device. :)

    Also why does creating an account require you to generate a URL with the family name in it?

    It doesn't. You can call it "picklecracker" if you want to (though that may be taken...) :lol:

    I mean it seems like you can make it anything but why even have a custom URL at all?

    A custom URL allows everyone you invite to have a shared login portal as part of your family plan.

    It seems pretty insecure to have a public facing web URL with a user's last name (I'm assuming that's the normal situation most people are in when they add their family name) that is directly tied into all their personal data/passwords they have. e.g. say I'm a hacker and I find that Mr. Smith has millions of dollars in income from publicly available information and I say to myself.. lemme see if he has a 1password vault full of goodies - I'll just mosey on over to smith.1password.com and see if I can break in and get access?

    I don't think so. Even if your Master Password is awful (please make it awesome!), they'd still need to guess your 128-bit, randomly-generated Secret Key. Good luck to them. ;)

    Maybe in practical terms that's almost impossible but the documentation and web videos that AgileBits have about signing up are all about how easy it is and don't really speak to any of the broader security questions that I think people using a system like this would like to know. Yeah it's great that AES-256 is the encryption algorithm at rest but what makes it difficult for hackers to just go to your personal family URL and start attempting to break in?

    Attempting is easy. But no one on the planet has the resources (both as far as life expectancy, as well as time and money) to successfully guess a Secret Key, and they'd also need to simultaneously guess your Master Password to be successful.

    Do I have to enter that "key" that gets generated when the account is signed up every time I log in to the website? Are there other pieces of data required? Note I'm not talking about if someone steals my laptop or phone and it's unlocked - I just am referring to public facing entry points into the system.

    You're asking those two very different questions at once, so I'll answer both: if someone steals a device you've already authorized with your account, they will need your Master Password to access your data; if they are just using the public website or app on their own device, they will also need your Secret Key (based on your previous comments, we'll assume they already know your email address and sign-in URL). Neither of those is ever transmitted to us, so they would have to guess them (infeasible) or get them from you personally (more practical).

    Thanks for any intel. I plan on using the family subscription (I've had 1password dropbox sync for years and find it indispensable) but I'd like to get more granular details about what this system is doing than your FAQ and documentation seem to show. Digging through hundreds of forum posts isn't getting me what I'd like to know.

    Sure thing! Being a long time Dropbox user myself, I wasn't sure I really needed 1Password.com. But being able to easily share vaults securely and help family members recover their accounts if they get locked out — along with many other benefits — made a huge difference for me and my loved ones. It sounds like you'll probably want to check out the security white paper, and be sure to let me know if you have any other questions! :)
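
The two cases described in the reply above (an already-authorized device versus the public sign-in page), as an added sketch that is not part of the original thread and is not 1Password's actual key derivation. The function names, labels, iteration count, word list and sample password are all assumptions constructed for the demo.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 10_000  # assumption: kept low so the demo runs quickly

def derive_key(master_password, secret_key, salt):
    """Combine a stretched password with a random 128-bit secret (illustrative only)."""
    stretched = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)
    keyed = hmac.new(secret_key, b"demo-account-key" + salt, hashlib.sha256).digest()
    # XOR the two halves: the result is only correct if BOTH inputs are correct.
    return bytes(a ^ b for a, b in zip(stretched, keyed))

def verifier(key):
    """Value a service could store to check a sign-in without holding either secret."""
    return hmac.new(key, b"demo-verifier", hashlib.sha256).hexdigest()

def guess_password(wordlist, secret_key, salt, target):
    """Return the word whose derived key matches the stored verifier, else None."""
    for word in wordlist:
        candidate = verifier(derive_key(word, secret_key, salt))
        if hmac.compare_digest(candidate, target):
            return word
    return None

# Constructed sample account: a deliberately weak password and a random 128-bit secret.
SALT = secrets.token_bytes(16)
SECRET_KEY = secrets.token_bytes(16)  # 16 bytes = 128 bits
TARGET = verifier(derive_key("letmein", SECRET_KEY, SALT))
WORDLIST = ["password", "123456", "letmein", "qwerty"]

def demo():
    # Authorized device: the Secret Key is present, so a weak password is the only barrier.
    with_key = guess_password(WORDLIST, SECRET_KEY, SALT, TARGET)
    # Public sign-in page: no Secret Key, so even the correct password derives the wrong key.
    without_key = guess_password(WORDLIST, secrets.token_bytes(16), SALT, TARGET)
    return with_key, without_key

if __name__ == "__main__":
    print(demo())
```

The first result shows why the Master Password still has to be strong on a device that already holds the Secret Key; the second shows why knowing the sign-in URL and email address alone gives a remote guesser nothing to work with.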

  • earthtrip
    Community Member

    @brenty thank you VERY much for your detailed reply. You answered and addressed all my concerns in a timely manner. Another great reason to use 1Password is that this forum is pretty outstanding in that within 24 hours a knowledgeable employee such as yourself can communicate at varying levels of complexity.

    Thank you again for all your help with this. I'm back to feeling confident :)

  • AGAlumB
    1Password Alumni

    @earthtrip: Wow. Thank you! And you're very welcome! Glad to be of help. I really think you'll enjoy 1Password Families. As you can imagine, I'm very comfortable using 1Password and Dropbox, but the time I've saved in aggregate by using 1Password.com with my family is priceless. And if you — or your loved ones — have any questions along the way, you know where to find us. :chuffed:

This discussion has been closed.