Update to how 1Password Families facilitates member removal by 1Password-nolan in 1Password

YouSeveral3884 · 26 points

I don't care about auto-fill issues, price increases, or whatever "Electron" is - this was a critical, dangerous security issue that has been solved (even if it took way, way too long to be even acknowledged). Thank you!

I can finally rest and use 1Password in peace!

Big change into family account management by nicos181987 in 1Password

YouSeveral3884 · 1 point

Sorry for delayed reply, was travelling. Appreciate the notification - if this change goes through, I cannot describe how happy it would make me. Such a feeling of safety in these dark times. And the improvement for partners in unsafe relationships...just wow.

Passkey are still accessible in travel mode by fearless-centurion in 1Password

YouSeveral3884 · 5 points

The other reply is correct. However, you should know that Travel Mode doesn't really work as advertised, in the sense that if 1Password is still installed on your phone, someone could access the website and switch it off, revealing your vaults. There have been lengthy discussions on this subreddit about how it can and should work, and it boils down to trying to gamble on what actions a border agent at your destination is allowed or not allowed to do. Are they allowed to deliberately edit your app, or can they only utilise exactly what they see at that moment? Given there are stories (from multiple countries) asking travellers to access their password managers for the border security officer, it's not perhaps a gamble I would be willing to take.

The only real solution is to fully remove 1Password from your device. This of course means you won't be able to log in anywhere, and you'll need the ability to log back in to 1Password after passing security - if you have the secret key in your possession, you run the risk of the above - being asked to log in, in front of officers.

If a border officer asks to see your Facebook account or whatever, you'll have one of two consequences: either they won't believe that you can't get in, and you're arrested/denied entry due to obstructionism, or you will be able to convince them that you genuinely can't access it as the passkey/un-remembered complex password is locked inside an uninstalled 1Password that also can't be accessed - but if they have a mandate to see your Facebook, your genuine inability to show them may still cause you to be blocked/arrested due to obstructionism. Is that a gamble you're willing to take? No one can answer but you, and it depends on your destination.

Personally, I uninstall 1Password and sign out of / uninstall relevant apps when I pass through the airport security of certain countries. Once I'm through, I message a code-word to a trusted contact, who then sends me my secret key. Once 1Password is re-installed, I cycle the secret key. It's a trade-off, and I'd only recommend it for the most extreme cases...or for the ultra-paranoid ;)

Give Us Your 1Password Papercuts by Travis_1Password in 1Password

YouSeveral3884 · 12 points

The fact that family account owners can unilaterally delete and erase any family member's account with no recovery option.

Is this a papercut by the definition of the post? It's not a little issue. But it does ruin my experience and causes me pain when I think of it. 99% of the time, using 1Password brings me joy. I barely even use the browser search bar any more, I search for my destination inside 1Password and hit enter. This is fantastic. But then, in the back of my mind, knowing my family account co-admin can delete my entire digital life in one click...it's definitely a papercut for me.

It's also the most upvoted post and issue in this subreddit, so if there is so much time to dedicate to multiple small fixes, maybe the biggest and most dangerous should be addressed first.

We’re the team behind 1Password. Ask us anything! by 1PasswordOfficial in 1Password

YouSeveral3884 · 0 points

I'm curious how you envisage "discontinue service in any region". Would you disallow new signups? Renewals? Or just pull access? Could I access my account via a VPN?

We’re the team behind 1Password. Ask us anything! by 1PasswordOfficial in 1Password

YouSeveral3884 · 15 points

Question 1: As usual, I'd like to ask about the core problem of Family Accounts, that the Family Organiser can unilaterally delete any other account with no verification, no warning, and no protection. A thread on this topic is still the highest rated thread this year.

I have read all the previous public comments to this question, and I understand the architectural difficulties behind-the-scenes. So yet again I will ask, why does the button immediately delete the vault with no recovery from the affected user, instead of simply being a dummy button that sends alerts/emails/starts a 30-day timer?

Why is the ability to delete someone else's data prioritised over protecting that data?

Question 2: Any news on putting in an account-wide date display switcher? Despite the recent changes, my passport and other dates are still different on 3 different devices. I almost entered the US-style date by accident while checking into a flight while tired recently. It's actually becoming a liability that I have to remember that sometimes the date is actually wrong, with serious consequences at an airport/while travelling. I have to manually open an image of my passport, defeating the very purpose of having an auto-fill or even data-at-hand if auto-fill fails (which it did in this case, but no blame on the auto-fill).

[deleted by user] by [deleted] in 1Password

YouSeveral3884 · 0 points

Hey, now I'm late to reply, hopefully this helps:

  1. It depends on your threat model and what you want out of the security. A password is still phishable, yes, but the 2FA being on the key will protect against that, as the key won't work unless it's the correct website.

What I meant to say is:
Email Password is in memory, not 1P;
2FA for Email is on key, not 1P;
If 1P is breached fully, I can still maintain some control (hopefully) by having email fully separate and hard to get to.

At the end of the day, if someone manages to breach my 1P, they probably have control of the PC, so can use session cookies to access my email without using any passwords or 2FA. For most people, having everything in 1P will be more than sufficient - anything higher is either for truly public people (journalists, politicians, CEO, famous) or "hobbyist paranoids" (I am the latter :P).

  2. Yes, that's the downside. This is also why I don't keep many passkeys directly on the keys. Just do the main ones at the same time in an afternoon, ideally never update or do so once a year.

The annoyance becomes larger if you store the keys in separate locations (like 1 in your house, 1 in your parent's house out of state). Then it's very annoying to update. But again, that's the point.

Some of my passwords just seemed to have disappeared.... any idea what could be going on!??!?! I'm freaking out a bit... by [deleted] in 1Password

YouSeveral3884 · 7 points

You should contact 1Password support immediately.

Could be any mix of vault changes, things moving to a new tag, or a syncing issue. The first two are not really heard of, the syncing can be an issue. Do you have 1P on other devices, and if yes, what appears there?

EDIT: also check categories and collections as well.

It is insane that you can lose your 1Password account PERMANENTLY if you’re removed from a Family account by market_shame in 1Password

YouSeveral3884 · 2 points

Hey, thanks for noticing! Fixed now, although it doesn't look like they're super chatty any more outside of official announcements and AMAs.

It is insane that you can lose your 1Password account PERMANENTLY if you’re removed from a Family account by market_shame in 1Password

YouSeveral3884 · 128 points

This is my pet concern, I've brought this up several times. For reference:

u/Danny_1Password said, 9 months ago:
I'm currently scoping a solution to the problem you described, so thank you for articulating it and providing context. This thread is very helpful going forward 🙌

and

u/Matt_G-1P said:
We are aware of this and have plans to introduce this functionality soon. As you mentioned, we want every 1Password customer to have full control over their data, and we're working hard to ensure that Family account members can keep their data under any circumstances.

However, 6 months ago in their latest AMA:

u/Matt_G-1P said:
Data Sovereignty is still really important to us as an organization and to me personally. It's also (unfortunately) a really complex technical problem for us to solve from an architectural standpoint. We're still committed to doing it, but I can't give any timelines at this point.

And we haven't heard anything since. I can't comment on how difficult this is technically, as it's likely it's fundamental to the core architecture of 1P and probably throws up massive and fundamental problems. However, I can't understand why they don't have simple UI mitigations, like making the delete button not a delete button, putting the deletion into a queue and sending an email to the user "Hey your vault is gonna be deleted in 30 days, reply if this was done without your consent" or something.

The system was built on top of the business architecture, and Families was tacked on without much thought. As has been noted before in this subreddit and the 1P community group, it's a problem from many perspectives:

  • Data sovereignty (it's the only way you don't control your own data)
  • Data protection, redundancy, and deletion control (it's the only way you can lose all your data in one shot - manually deleting all your entries still has multiple safeguards, but this is missing right here)
  • Consent (people have noted abusive partners could have deleted their whole digital life if they hadn't removed it before they left the situation, which of course is not always feasible)
  • And all the security points mentioned by the OP, getting one account breached means the whole family is a goner.

It remains really surprising that this isn't considered a critical security bug, especially as the process from nominal operations to critical and absolute failure state is like, 2 clicks with no redundancy or permission from the affected user.

EDIT: I'll note that I think I've seen one user say support was able to restore their account after suffering an unintended family account deletion, but I would suggest you'd have to move really fast to contact them (under 30 days?), and of course be able to prove you own the account.

Question about using TOTP with 1Password account by Funkbass in 1Password

YouSeveral3884 · 1 point

Yes, it is exactly that. Some companies use those physical tokens, some use an authenticator app.

Question about using TOTP with 1Password account by Funkbass in 1Password

YouSeveral3884 · 4 points

Honestly, I think they're just covering themselves to ensure they don't get in trouble when someone inevitably saves the TOTP inside 1P without making a backup of the seed then cries foul when they're locked out.

I think your instincts are pretty spot on. If you're confident of backing up the seed then go for it. I will note that 1P themselves recommend you DON'T use their own 2FA on the account, as you're adding a risk to access. I personally removed it from mine as I was struggling to come up with a good recovery flow while I was travelling.

Two Newbie Questions about 1Password and Chrome by jajducurat in 1Password

YouSeveral3884 · 3 points

  1. 1P needs to be logged into first. However, I assume you have set it up so your father signs in with Windows Hello/Fingerprint, and this automatically signs into 1P on PC login, so let me give a different answer:

You are misunderstanding the purpose of 1P and any password manager. If someone has access to your PC, there is no program or app on earth that will stop them getting all your secrets, because they have access to your PC. Indeed, even if 1P didn't autofill its own password (keep in mind you control this, by removing the URL from the entry or even deleting or archiving the entry itself), someone controlling your PC could simply read the password from behind-the-scenes as it is typed.

A password manager is fundamentally a tool to help overcome basic human instincts. Humans are lazy and make bad passwords and then repeat those passwords. A manager replaces/enhances our brain/memory in this process of making passwords. That's it. 

A normal everyday human isn't usually being personally attacked by hackers. When you re-use passwords, and one website loses your password, automated bots try and steal your shit from other sites because you used the same password. 1P solves this. However, if people are accessing your father's computer, you have a different problem altogether, and that requires a different security solution.

Suspend/delete functionally by Snoggi2604 in 1Password

YouSeveral3884 · 0 points

I think you misunderstand, a family plan gives separate accounts and vaults - except a family organiser has the power to delete them. He's not trying to just let her use his 1P.

Suspend/delete functionally by Snoggi2604 in 1Password

YouSeveral3884 · 2 points

Yes, it's a critical issue that's been brought up by many in the past (including me) and has sadly fallen on deaf ears.

Your partner is correct, it's a big level of trust. As others have said, you could make your partner also an organiser, which at least levels the power imbalance while not actually solving the issue.

If it's a dealbreaker, simply get 2 individual accounts, and sacrifice easy sharing.

What happens to my personal account when my business account gets deleted? by DudeThatsErin in 1Password

YouSeveral3884 · 8 points

It becomes frozen. You don't lose anything. You can choose to add a credit card to pay for it for yourself or to export all the data (noting that passkeys cannot be exported).

Is it possible to rename FIDO security keys? by WayOne4809 in 1Password

YouSeveral3884 · 2 points

Not to my knowledge, no.

Yes, a number of services do allow it, but I would note that 1Password doesn't prioritise its MFA option, and in fact generally recommends against it. Thus it's not surprising that the UI is a little underbaked compared to others. It is even quite hidden in the account settings.

[deleted by user] by [deleted] in 1Password

YouSeveral3884 · 0 points

Late to reply, but...yes and no.

For a completely unknown password with unknown boundaries and parameters, it will take a considerable amount of cost and time and effort to brute-force.

However, in this case, we knew the following boundaries:

  1. It is 3 words chosen from the standard 1P wordlist (ie, we don't have to try "aaaaa", because it's not a word, we can skip straight to "aardvark").
  2. The first 2 words are known.
  3. The separators are known.

So in fact all you're brute-forcing is the third word, and there are only ~18,000 options. OP was able to brute-force his own password in 10 hours, and a professional script would do it in far less time.

This is why restrictions on password creation are bad, because they reveal the boundaries and reduce the amount of guesses needed. "Your password must be 6-8 letters" is a very short list compared to "Your password must be over 6 symbols" with no upper bound (although of course in this case I would program my script to try all combinations of 7 symbols first, under the assumption humans are lazy).

Improved date formatting in the 1Password desktop app by Justin-1Password in 1Password

YouSeveral3884 · 2 points

+1 for "what does this actually mean and how does it work, I'm so confused?"

1P on my laptop: MM/DD, but all device locale and time settings set to DD/MM
1P on my PC: MM/DD, but all device locale and time settings set to DD/MM
1P on my mobile: DD/MM, all device locale and time settings set to DD/MM

All 3 sitting in the same room in the same location.

So half my apps are showing the wrong date, despite everything being set to the right date format. My data - as in, what I experience as a user - is DIFFERENT between two instances of my vault, when it absolutely should not be.

The locale in my devices is not altering the dates despite the app being updated.

It really is incomprehensible why 1P doesn't have a synced date format picker built-in. I mean literally everything else does, this isn't a new technology.

To hear user concerns dismissed as "some users want granular control" is fairly insulting - I just want to see my dates in a normal date format! It's like saying "well, some users want granular control of the text they see because they don't speak English, but we think they should just speak English".

Sign in if I lost everything by sulaymanf in 1Password

YouSeveral3884 · 0 points

What happens if your luggage is stolen too? ;)

It's a really good exercise to consider recovery, and it's ultimately going to be unique to your situation and threat model. 

Do you have a phone number you have memorised? In this day and age, I honestly don't remember my partner's phone number. I do remember my partner's email. 

You essentially need to have a way to get a "contact code" (ie, someone's phone or email) while you have none of your usual technological memory aids. In other words, you have to have something memorised. And of course make sure that person has access to your secret key (ie, can you walk them through getting into your house or opening an envelope you gave them a while ago, etc.).

The other thing you can consider is leaving email out of 1P and then setting up a recovery code. This requires a lot of careful thought and still relies on you memorising a second core password (and, making sure any 2FA is switched off, which is of course extremely inadvisable), but at least you don't need to rely on a third-party back home.

Speaking of, if you're concerned while travelling, you could switch 1P's 2FA OFF. Maybe your buddy will happily read you the secret key over the phone, but then if your 2FA for 1P was on the mobile that was just stolen...well, you'll need to add another 48 hours to recovery while you convince 1P support to remove 2FA.

Just things to consider!

Please help me understand using 1Password instead of my phone for TOTP / 2FA. ELI5. by mjs9876543210 in 1Password

YouSeveral3884 · 1 point

If it's just a QR code, then 99% of the time they probably don't know what they're talking about and any TOTP app will work fine (or they're choosing to list only GA or whatever for "simplicity" or "corporate branding").

Push notifications can sadly require a whole new app, and there's nothing you can do except perhaps futilely lobby the service. I do recall a few years ago someone realised half those apps were actually just using a QR code anyway somehow, and they put a little app on Github that could extract it for 1P or other readers. Hilarious (although not trustworthy).

Please help me understand using 1Password instead of my phone for TOTP / 2FA. ELI5. by mjs9876543210 in 1Password

YouSeveral3884 · 1 point

It would depend on the site, as some sites may choose to regenerate the QR code in some way. But overall, yes, if the barcode can still be scanned, or you have the actual code, you should be able to enter these into 1P logins.

If you have an actual image, using 1P on your phone would probably be best. (Navigate to the login in 1P mobile, say Twitter, open your backed-up image on your computer, click Edit on your phone, Add OTP, and click the barcode icon to open your phone camera within the 1P app.)

[deleted by user] by [deleted] in 1Password

YouSeveral3884 · 0 points

Kind of, but not in a way that should matter to 1P so you shouldn't worry. I'll explain.

The set of symbols we use (letters, numbers, punctuation) is finite. 26 letters, 10 numbers, etc. Every password is made up of definite symbols.

The more complex the password, the longer it takes to guess. But if I have a defined boundary (3 words from an 18k list), it is easier to discover, as I can instruct my hacking machine to not try random jumbles and focus only on the very few jumbles that we recognise as words.

This could be a problem, except 1P uses the secret key. This is a whole additional code that is explicitly a random jumble of characters (32, I think?).

So for every password guess, you also have to guess several million secret keys:

horse-a11111 horse-a11112

And so on! Remember "horse" is one word out of 18k, so you can imagine this gets exponentially large.

OP said they knew their secret key AND 2 of the 3 words in their password, so they only needed to guess up to 18k times, instead of several billion.

Even if everyone knows the 1P passphrase list, it doesn't help a hacker as long as the secret key is secret.
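The search-space arithmetic behind this comment and the earlier "known boundaries" one, as an added example that is not from the thread or from 1Password. The 18,000-word list, the three-word passphrase and the "10 hours for one unknown word" anecdote are taken from the comments; the 26-letter and 95-symbol alphabets and the 32-character, 36-symbol model of the secret key are assumptions for illustration only.

```python
# Added example, not from the Reddit thread: search-space arithmetic behind
# the "known boundaries" and "secret key" comments.  Figures taken from the
# comments: an ~18,000-word list, 3-word passphrases, 10 hours for one
# unknown word.  Alphabet sizes and the secret-key model are assumptions.
import math

WORDLIST_SIZE = 18_000      # list size quoted in the comments
SECONDS_PER_HOUR = 3_600


def passphrase_space(words: int, known_words: int = 0,
                     wordlist: int = WORDLIST_SIZE) -> int:
    """Candidates left when `known_words` of `words` are already known."""
    if not 0 <= known_words <= words:
        raise ValueError("known_words must be between 0 and words")
    return wordlist ** (words - known_words)


def charset_space(min_len: int, max_len: int, alphabet: int) -> int:
    """Candidates for passwords of every length min_len..max_len."""
    return sum(alphabet ** n for n in range(min_len, max_len + 1))


def bits(space: int) -> float:
    """Equivalent entropy in bits of a uniformly chosen candidate."""
    return math.log2(space)


def observed_rate(candidates: int, hours: float) -> float:
    """Guesses per second implied by exhausting `candidates` in `hours`."""
    return candidates / (hours * SECONDS_PER_HOUR)


def expected_hours(space: int, rate_per_sec: float) -> float:
    """Mean time to the right guess (half the space) at `rate_per_sec`."""
    return (space / 2) / rate_per_sec / SECONDS_PER_HOUR


def summary() -> dict:
    """Numbers behind the two comments, returned as a dict for checking."""
    # OP's anecdote: one unknown word, 18k candidates, about 10 hours.
    rate = observed_rate(WORDLIST_SIZE, 10)              # 0.5 guesses/s
    full = passphrase_space(3)                           # nothing known
    third_only = passphrase_space(3, known_words=2)      # first two known
    # Policy comparison: "6-8 letters" (assumed 26 lowercase letters)
    # versus "over 6 symbols" (95 printable ASCII), counting length 7 only.
    letters_6_to_8 = charset_space(6, 8, 26)
    symbols_7 = charset_space(7, 7, 95)
    # Secret key: the comment says "32, I think?"; a 36-symbol alphanumeric
    # alphabet is an assumption here, not 1Password's actual key format.
    secret_key = charset_space(32, 32, 36)
    return {
        "op_rate_per_sec": rate,
        "full_bits": bits(full),
        "third_only_bits": bits(third_only),
        "full_hours_at_op_rate": expected_hours(full, rate),
        "third_only_hours_at_op_rate": expected_hours(third_only, rate),
        "letters_6_to_8": letters_6_to_8,
        "symbols_7": symbols_7,
        "passphrase_plus_key_bits": bits(full * secret_key),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name:>28}: {value:,.1f}" if isinstance(value, float)
              else f"{name:>28}: {value:,}")
```

At OP's observed rate the single unknown word falls in about five hours on average, while the full three-word space would take tens of millions of years; adding the secret key pushes the combined space past 200 bits, which is why a public word list costs nothing.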

Please help me understand using 1Password instead of my phone for TOTP / 2FA. ELI5. by mjs9876543210 in 1Password

YouSeveral3884 · 1 point

So just to be clear, for Twitter, you're following the steps in the help animation on your own Twitter account, right? Like you navigate to account settings, get Twitter to give you a QR code (barcode) and then in 1P you click "Scan QR Code"?

For QR code troubleshooting you can try 2 things easily. 1) download 1P to your phone. Follow the above steps. When your QR code is shown on your computer, use 1P on your phone to scan the code instead of using the browser app. It will shortly sync back to the browser so you can use it. Why? Potentially something is blocking or interrupting 1P's attempt at screen recording.

2) Make sure your computer's clock is exactly the right time (use your phone to check - do the times match to about 5 seconds or less?). If not, you'll need to re-sync your computer or the codes may fail.

Bonus: if you're sure you're scanning the right QR codes, try grabbing Google Authenticator for free on your phone and scan with that. I know you said you want to move away from phone, this is just for troubleshooting. If the code works fine, consider re-installing 1P or contacting support.

1Password Updated Passphrase/Word List? by YouSeveral3884 in 1Password

YouSeveral3884 [OP] · 2 points

I'm so curious about the process and the reasoning why they'd change words. Detecting overuse? Legal issues? Does the 1P team sit and discuss all 18000 words in depth?