how do I set a second password that offers restricted access to the vault

p1inorbit
p1inorbit
Community Member
edited March 2015 in Mac

My primary reason for purchasing 1password was to secure my company passwords by preventing them being seen or known by staff members whilst still giving them access to password protected sites.
How do i create a "sub" account that restricts the level access so that passwords remain concealed but users can login by clicking the link inside the browser extension ?

Comments

  • p1inorbit
    p1inorbit
    Community Member

    Does anyone have a solution ?

  • littlebobbytables
    littlebobbytables
    1Password Alumni

    Hi @p1inorbit,

    If I've understood your query, you're looking for a way to offer a read-only vault while at the same time keep passwords permanently concealed, is that correct?

    So there are the two parts to the query.

    With the read-only aspect, while 1Password doesn't support a read-only mode at the moment it is at least possible to add such a feature. For the moment, if used with Dropbox for Business you could have it where the sync location is ready-only for the users and only you have write privileges. It wouldn't stop the user from locally changing or adding an item but it would stop those changes being pushed to all the other users of that vault. It would be worth noting that even if a vault is read-only, unless each website that you use has strict controls on changing passwords, the users could change the password on the sites.

    The second part, the request to keep passwords concealed, here unfortunately 1Password is unable to do this. I would actually go as far as saying any password manager claiming to keep keep your passwords concealed is ignoring one significant aspect and that is the password needs to be submitted to the web page in an unencrypted form. With a small snippet of JavaScript anybody can read a password sitting on a web page so my position is as this is the case, anything we do would only create a false sense of security, one that is easily side-stepped with a google search. I don't believe there is any way to stop it either unless you keep JavaScript completely disabled as well as any browser based debugger. Given this I personally feel it's best to know the users have access so you know to change the passwords when required in contrast to falsely believing they couldn't know.

    Of course you may disagree with some aspect of my response and I would encourage you to reply.

This discussion has been closed.