Audit Password Decryption in Activity Log

So the change log for vaults is a great first step. May I encourage you to go a step further and to provide a log for anytime a password is decrypted or viewed or otherwise accessed?

This will be critical for us in a Teams environment to know what passwords we may have to change following the departure from our company of any individual who potentially had access to a password vault, without necessarily having to change every item within that vault.


Comments

  • khad, Social Choreographer

    Team Member

    Hi @addilapi,

    Thanks for letting us know you would be interested in this.

    However, I should point out that in that scenario, the only prudent thing to do would be to change all the passwords. Someone could have viewed a password a loooooooong time ago and written it down on paper. Then they could use that password whenever they want to without 1Password ever knowing about it (and thus being unable to log anything).

    Stay safe out there!

  • Yes, but for new passwords going forward... the activity log should be something like this:

    User1: Changed password for Website1
    User1: Viewed password for Website1
    User1: Changed password for Website2
    User1: Viewed password for Website2
    ... (time goes by)
    User2: Viewed password for Website1
    ... (User2 leaves the team)
    User2: Deleted from vault, consider changing password for "Website1"

    So in the above scenario User2 never looked at Website2 so we don't need to change the password for that one. But we should change the password for Website1.

    This may not be obvious to folks at AgileBits, but those of us working in an Enterprise environment have literally thousands of secrets (passwords and others) that potentially need to be shared across highly dynamic arrays of hundreds or even thousands of staff. Having the ability to hone in on only those items which may have been compromised by staff departures is absolutely necessary.

    Also, the vault setup is not ideal for this large environment scenario. Currently, to reduce the exposure of passwords, we try to create many vaults, but this does not align perfectly with the groups of individuals that may need access to a given secret. It would be far better for us to have the ability to control and audit access per secret/password, so that only those people who might actually need it have the ability to decrypt it, and even then we would rather know whether those people never did if the membership of the team/group changes.

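One way to turn an activity log like the one above into a rotation list, as an added example written for this thread and not code from 1Password or AgileBits: it replays the events in time order and keeps an item flagged only while the departed user's last access post-dates the item's most recent change. The event fields, the `filled` action (so that browser-extension fills count as access, not only reveals) and the timestamps are assumptions, and the log entries are constructed; it also covers a case the thread does not, an item the departed user saw but which was rotated by someone else afterwards.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable


@dataclass(frozen=True)
class Event:
    """One activity-log line. Field names are assumed for this example."""
    when: datetime
    user: str
    action: str   # "changed", "viewed" or "filled"
    item: str


# A fill by the browser extension hands the plaintext to the user's
# browser, so it counts as access just like a visual reveal.
ACCESS_ACTIONS = {"viewed", "filled"}


def items_to_rotate(events: Iterable[Event], departed_user: str) -> set:
    """Return the items whose *current* secret the departed user could know.

    Replaying in time order means a rotation by someone else after the
    user's access clears the item again: the value they saw is already
    dead. A rotation performed by the departed user themselves flags the
    item, since they know the new value.
    """
    exposed = set()
    for ev in sorted(events, key=lambda e: e.when):
        if ev.action == "changed":
            if ev.user == departed_user:
                exposed.add(ev.item)
            else:
                exposed.discard(ev.item)
        elif ev.action in ACCESS_ACTIONS and ev.user == departed_user:
            exposed.add(ev.item)
    return exposed


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed log modelled on the scenario in the thread, plus Website3.
SAMPLE_LOG = [
    Event(_t("2023-01-01T09:00"), "User1", "changed", "Website1"),
    Event(_t("2023-01-01T09:01"), "User1", "viewed", "Website1"),
    Event(_t("2023-01-01T09:05"), "User1", "changed", "Website2"),
    Event(_t("2023-01-01T09:06"), "User1", "viewed", "Website2"),
    Event(_t("2023-03-10T14:00"), "User2", "viewed", "Website1"),
    Event(_t("2023-03-11T10:00"), "User2", "filled", "Website3"),
    Event(_t("2023-04-01T08:00"), "User1", "changed", "Website3"),
]

if __name__ == "__main__":
    print(items_to_rotate(SAMPLE_LOG, "User2"))  # {'Website1'}
```

Website3 drops out of User2's list because User1 rotated it after the fill; Website2 was never accessed by User2 and so is not listed, matching the reasoning in the post.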
  • khad, Social Choreographer

    Team Member

    @addilapi,

    We certainly understand the enterprise environment. Many of us have years of experience in exactly that type of environment.

    For now, you will need to use vault-level permissions to control access as you have been doing, but I'll pass your feedback along to the developers! There is always room for improvement. :)

  • Firstly, thanks for implementing the new activity log feature that I've also been waiting for. I haven't yet explored it fully but I would like to add my vote to what @addilapi has said. This would also enable us to know how much users are profiting from 1Password in our environment and provide extra training when necessary.

  • brenty

    Team Member

    @nudge: That's a great point about discovering where there may be room for improvement within your team! Thanks for the feedback! :)

  • I'd like to add my vote for a more detailed audit record for each password decryption. I agree that rotating all passwords is prudent, but prioritizing these activities is also important.

  • Ben, AWS Team

    Team Member

    Hi folks,

    Just to give myself a better idea here... Are you looking for a log of each time the password is decrypted (including any time it is filled by one of our browser extensions), or just any time that it is revealed (the user actually visually sees it)?

    Thanks. :)

    Ben
