Reporting and policies to protect against weak passwords within the team/business account?

1Password is great, but it's lacking some key compliance functionality for teams & businesses. The main one for us is the lack of reporting/policies to protect against weak passwords within the team. We can't rely on users to go to the app and perform a security audit themselves; it would be great to see this functionality within an admin section of https://team-xxxx.1password.com.

Ideas:

  • Admins can find weak passwords used within the organisation and either prompt the administrators of that vault (or the owner if it's a private vault) to change the password
  • 1Password should have the option to add policies; for example, it could be set up to remind users to change passwords every X months, to update weak passwords within X days before an admin is alerted, etc.
  • An overall health score of passwords could be displayed on some reporting screen, so that as a Data Protection Manager I can ensure that password strength within the organisation is acceptable

1Password Version: 6.8.8
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:Reporting

Comments

  • Hi @willemmerson,

    You're right, that would be a pretty killer feature. We want to bring some of the Security Audit features that exist in our desktop apps to the website which would help a little towards this, but probably not enough for your liking.

    You bring up a good point: there's a good chance that the weak or duplicate passwords exist in someone's private vault. Right now there's no way for an admin to see anything inside of someone's private vault. Through account recovery 1Password will provide the admin with the keys of those vaults, but never the contents. Due to this, there's no way that we can run a search into those vaults.

    We would love to provide a way to do this, though. It would require that we make it clear to employees that their Private vault isn't quite as private as they might expect. It's critical for us to ensure that those expectations aren't broken.

    Rick

  • willemmerson
    Community Member

    Hi Rick,

    Thanks for your quick reply. There definitely is a need to have private logins within a team account, but at the same time from a company point of view we still need some control over these private logins. They might be individual logins, but they're still logins to what could be critical systems.

    Don't get me wrong... 1Password is infinitely better than LastPass, but one thing that LastPass did do well was reporting, and their folder structure supports this by having three different categories of password storage:

    • Passwords that aren't shared (still can be analysed by admins in weak password reporting, without admins actually having access to the password)
    • Shared password folders
    • Linked personal accounts

    In 1Password I feel as though team accounts with private vaults are confusing the concept of linked personal accounts? If 1Password could be linked to another 'personal' account, then the user could still access 'private' and 'shared' folders, which can then be reported on and checked over by admins to maintain compliance?

    Kind Regards,

    Will

  • @willemmerson,

    I think we're mostly in agreement here. The challenge we're facing is in how to present this information to the user. We understand that some companies require access to those "Private" vaults, and we'd like to make that an option at a company level. But that information must be conveyed to the user. If my bosses can see into a vault of mine, I need to know.

    It's a problem that we'd like to solve. We just don't have the solution ready to go yet.

    Rick

  • 4l3x
    Community Member

    Hi Rick,

    I guess 2 years later, this topic is still not resolved, as I did not find this functionality anywhere.

    As a manager, I don't need to see into private Vaults. The only thing I need is a company-wide Watchtower, that shows me whether employees are reusing passwords, what the average password strength of the employees is and whether they are adopting 1Password (# of passwords in their accounts, or insights into which accounts are connected on an individual basis). Currently, I can only see that for my own account. Competitors such as Dashlane provide this functionality.

    I'm not aiming to spy on our employee's private logins, I just want to know that all of our company's logins are safe.

    Alex

  • ag_ana
    1Password Alumni

    @4l3x:

    We have an internal discussion to track this, so we can add your thoughts there. Thank you for taking the time to share your feedback with us :+1: :)

  • precisionroy
    Community Member

    My POV is that anything on work accounts is not private or should be assumed to not be private. We make it a point where I work to tell people that work tools like Slack, their email, and 1Password are not private in the sense that admins can reset their email password and then gain access to any and all systems they use.

    As an admin I'd love to get more insight into the security of password entries. As bad as LastPass is (🤮), they do a solid job with their security reporting.

  • ag_ana
    1Password Alumni

    Thank you for sharing your point of view with us @precisionroy! :+1: :)

  • spencerogden
    Community Member

    I agree with previous commenters. Some basic reporting which does not breach any privacy would be very useful:

    • Number of reused passwords
    • Number of passwords which are weak or terrible

    In other words, having the counts of various Watchtower categories for each user would go a long way towards identifying a problem. This wouldn't require admins even seeing what the names of the logins are, let alone the passwords.
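As an added example (not 1Password's code and not how Watchtower actually scores passwords), here is a sketch of the count-only report suggested above: each user's client scans its own items locally and hands the admin side nothing but integers per Watchtower-style bucket. The sample vault contents, the common-password list and the entropy heuristic are all constructed assumptions for illustration.

```python
import hashlib
import math
from collections import Counter

# Constructed sample of what each employee's client sees locally. In the
# design sketched in the thread this data never leaves the client; only the
# counts computed by user_report() would be sent to the admin console.
SAMPLE_VAULTS = {
    "alice": [
        ("github", "Tr0ub4dor&3"),
        ("aws", "Tr0ub4dor&3"),          # same secret as github -> reused
        ("jira", "correct horse battery staple 42"),
    ],
    "bob": [
        ("vpn", "password123"),            # on the common list -> terrible
        ("wiki", "Summer2018"),            # short, few classes -> weak
        ("slack", "x9!Qm#2vL$pR7wZ&kT1e"),
    ],
}

# Tiny stand-in for a breached/common-password list (assumption, not a real list).
COMMON_PASSWORDS = {"password", "password123", "123456", "qwerty", "letmein"}


def estimate_bits(pw: str) -> float:
    """Crude brute-force entropy: length * log2(size of character pool used).
    Assumption for illustration only; Watchtower's real scoring is not public here."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(not c.isalnum() for c in pw):
        pool += 33
    return len(pw) * math.log2(pool) if pool else 0.0


def classify(pw: str) -> str:
    """Bucket a password into 'terrible', 'weak' or 'ok' (thresholds are assumptions)."""
    if pw.lower() in COMMON_PASSWORDS or estimate_bits(pw) < 40:
        return "terrible"
    if estimate_bits(pw) < 60:
        return "weak"
    return "ok"


def user_report(items):
    """Return only counts for one user's items: no titles, no passwords.

    Reuse is detected by comparing SHA-256 digests so the comparison works on
    derived values; the digests are dropped once counted. A password can be
    counted both as reused and in a strength bucket.
    """
    digests = Counter(hashlib.sha256(pw.encode()).hexdigest() for _, pw in items)
    reused = sum(1 for _, pw in items
                 if digests[hashlib.sha256(pw.encode()).hexdigest()] > 1)
    strength = Counter(classify(pw) for _, pw in items)
    return {
        "total": len(items),
        "reused": reused,
        "weak": strength["weak"],
        "terrible": strength["terrible"],
    }


def org_report(vaults):
    """Aggregate per-user reports; the admin side sees this dict and nothing else."""
    return {user: user_report(items) for user, items in vaults.items()}


def report_has_no_secrets(report, vaults) -> bool:
    """Sanity check: no item title or password string appears anywhere in the report."""
    text = repr(report)
    return not any(title in text or pw in text
                   for items in vaults.values() for title, pw in items)


if __name__ == "__main__":
    rep = org_report(SAMPLE_VAULTS)
    for user, counts in rep.items():
        print(user, counts)
    print("secrets leaked:", not report_has_no_secrets(rep, SAMPLE_VAULTS))
```

The point of the split between user_report() and org_report() is the trust boundary: the scan runs where the plaintext already is (the employee's client), and the only thing crossing to the admin console is a handful of counters, which is what makes it compatible with private vaults staying private.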

  • ag_ana
    1Password Alumni
    edited July 2020

    Thank you for sharing these ideas with us @spencerogden, noted :+1:

    ref: dev/b5/b5#7102

  • pahanello
    Community Member
    edited June 2021

    I absolutely agree with the above commenters.

    Some basic reporting which does not breach any privacy would be beneficial:

    • Number of reused passwords
    • Number of passwords that are weak or terrible

    In other words, having the counts of various Watchtower categories for each user would go a long way towards identifying a problem. This wouldn't require admins even seeing what the names of the logins are, let alone the passwords.

    It's been almost 3 (!) years since this topic was opened.

    When are you planning to implement this feature?
    Quite strict, but at least it's fair for us to know what to expect.

    Thanks!

  • Hi @pahanello! Apologies for our delay in getting back to you here.

    We don't have anything new to share at this time, but I have personally passed your feedback along to the proper team for consideration. Thanks for chiming in here with this feedback; we genuinely appreciate it. :smile:

  • dfuentes
    Community Member

    Is there any way we can get an update on a timeline or if this feature request is even on any road map?

    There are several posts in the community forums requesting this feature dating back to 2016 and this functionality still doesn't exist in the 1Password Business admin dashboard. We can educate users as much as we want, but there should be an easy way to at least have a visual of weak passwords for individual users.

    @ag_joshua @ag_ana @rickfillion

  • Hi @dfuentes,

    No updates or new information to share right now. We don't typically post any roadmaps or timelines before releasing features, as development is unpredictable and things can change along the way. We do, however, definitely understand the importance of the feedback brought up by numerous people in the thread, so thank you for staying engaged.

This discussion has been closed.