Vault Privacy


I'm looking at moving from 1Password 4 for Windows to 1Password 6 on a Families subscription. One thing I did on 1Password 4 was to create a separate vault for work specific passwords, such that if I'm sharing my screen and need to login to a site, there is no possibility that someone might observe a list of other sites where I have an account.

While I could mimic this by creating a vault that is only shared to me in my Family account, how can I stop a fellow Families administrator from granting themselves access to my work vault?

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided


  • I have two vaults in my Family account. One for private an one for work related codes. You can easily search your codes in both your vaults at the same time.
    The Shared vault is not used yet so I guess I don't have any codes that I would like to share ;)

    When you have two vaults you can select to show all vaults at the same time but you can also select to show a list of items from just one vault. In your situation I would make a new vault and copy the items to this vault that you don't mind others to see in the list. And then select this vault as the current shown vault.

    Also note that you automatically get logged out of your vault when using the browser after 10 minutes (or there about cant remember) so sharing your screen would then not expose your vault list.

  • An Family administrator can not ever get access to your private vaults.

  • @SoftAllan how would a 10 minute logout prevent anyone watching a presentation from seeing my list of accounts if I need to pull up some details in a presentation?

    With 1Password 4 this was simple, I had a vault that contained nothing but work related sites. With 6 and family sync, I can't guarantee that a vault (other than my personal vault) is private as any family administrator could access it.

  • @TheDave I may have misunderstood you when I told you that the 10 minutes auto logout would prevent viewing your codes. So forget about that, it was just to tell you that it wasn't visible for all time until you log out.

    But did you understand my suggestion about creating a work related vault? It is essential the same that you have done in 1Password 4. When you have selected the vault only items from that vault are shown.

    I am petty sure that a family administrator can not view your vault items unless it is shared with them.

  • On another note what you are seeking is more control of a members access and maybe a Team account for your colleagues and you would be better for you? Then you could have better control of who is able to do what and have all your private stuff in a Family account.

  • Ultimately I'm just using this for me and family, I was completely unsuccessful at getting any of my colleagues on board with a team account.

    Creating a dedicated vault is a great idea, and in fact it was my original idea when initiating this thread, except, it becomes available to any family administrator who wants to grant themselves access and take a peak, which is a massive privacy problem.

  • RomanRoman AG Alumni

    @TheDave - Giving someone admin rights is an act of trust, that's how I see it. An admin (like the Family Manager) has the keys to the kingdom (sans the Personal vault), there's no way around that. Currently, there's no way to create a new vault that mimics the properties of a Personal vault. I'd agree that it could be a good idea to be able to do that, but I'm not sure how the rest of the teams sees the implications of allowing that, so no guarantees from me at this point! :)

  • Trust is one thing, contractual obligations are totally separate.

  • rickfillionrickfillion Junior Member

    AgileBits Team Member

    I agree with that stance, @TheDave. I would love for us to do something better there.


  • For this reason alone, I haven't given anyone else administrator privileges. If their account ever gets compromised, so too would my non-Personal-but-connected-to-only-me-vaults.

    What about the ability to have an administrator account without viewing access to any accounts? In the normal sense, this wouldn't work either, but if the authorization code and password were kept in a physical lock-box of some sort access to the admin account could be made by the authorized person, or willed down to the next.

    I guess this could be done already, but you'd have to sacrifice one of the family member accounts to do this. But then there's the issue of being able to revoke administrative privileges from those that already have it, including my own account. I don't think you can do that, can you?

  • brentybrenty

    AgileBits Team Member

    @skippingrock: If I understand you correctly, you're talking about a sort of "Emergency Admin Kit" you could whip up and lock away somewhere safe. That's a pretty cool idea, and you bring up other good related points. Maybe down the road we could have something like an Admin-only account: no vaults or data, but having the ability to manage the team as needed. It wouldn't need to take up one of your user "slots" since it couldn't really use 1Password for the most part, and it could be something used by people with actual user accounts for administrative tasks — sort of as a contingency and/or compartmentalization (i.e. I have Admin access, but without using those credentials most of the time). Just bouncing some ideas off of yours. ;)

  • Thanks @brenty, I was thinking of this a bit more afterwards. In some ways this might be a good idea, but in others it might not. Especially if it happens that this admin only account was the only admin. If this Emergency Admin Kit was locked in a Safety Deposit Box but was destroyed in say an Earthquake or Tsunami (both possibilities where some of us live). Then there with it goes the access ability.

    I guess storing this in a far off-site location might help, but it also puts that admin access further out of your control to access.

    Survivorship becomes the real issue, especially when it comes to how my young children might need to become an admin (or not) or a guardian might need to step in based on step in with an activated sleeper admin account (or not) based on dates and ages that I specify. I'm not going to give an 8 year old admin access, if something were to happen, but I also don't want to unnecessarily give admin access to a guardian that isn't needed. If the 8 year old is 18, and I determined that s/he is admin-worthy then the guardian shouldn't get any access. But if the 5 year old is now only 15, and both parents and the admin-aged eligible child have perished, then I'd want this guardian sleeper admin account to be activated.

    I go more into the details of this in the following post:

    Cheers, @skippingrock.

  • brentybrenty

    AgileBits Team Member

    @skippingrock: Ah, excellent points. Definitely things we can keep in mind as we develop going forward, as these are very much problems we'll all be facing eventually. :blush:

  • Another thought, I'd like to be able to define a recovery process where initiating the process triggers a notification to all admins, and then applies a waiting period before proceeding.

    The use case is that unless I'm in the hospital or dead, I'll be able to decline the request and beat whoever thought it was cute to initiate the recovery process, but, if I am dead, it'll take a lot longer than a week for power of attorney and probate and similar to grant access.

    Ideally I would be able to define either a guest or a member as recovery eligible. In this case, I might create a guest account and place the recovery information with my will or file it with my lawyer.

    Why not just include my recovery kit? Well, I'm going to change my password periodically and I hate going to the safe deposit box. I literally might die before I get around to updating the recovery kit, wherever I store it.

    But this not only protects me, it also ensures that I know someone is trying to gain access and I can take appropriate precautions.

    All admins should be notified (since any would be capable of granting access), notifications should go out via email and in all client UIs. This should be noisy. The default should be to decline (in fact, I'm not even sure an admin needs an "approve" button, the simple fact that an admin successfully logged in is sufficient to cancel the process).

    One final consideration, I don't think it's technically possible to build such a system that 1Password couldn't bypass. Specifically, the timeout could be overridden. I'd be willing to trust that 1Password wouldn't do so, especially since it's still cryptographically protected by the recovery account's security key and password).

  • ssorokassoroka AG Alumni

    Hey @TheDave,

    Great suggestions. We've been considering something along these lines. While we haven't done anything to this effect yet, there is something you could do in the mean time that is the closest to what we would end up implementing in the future: Add an admin (or "family organizer" in the case of family accounts) named "lawyer", "estate planning", or something similar. Generate an account key and random password for this user as part of the standard user creation process. Print out the emergency kit, write down the random password on it, and include it with your lawyer as part of your estate planning, etc. This avoids trying to solve all the problems with software, and the lawyer can take appropriate measures as instructed if you are no longer available. When we build something to handle this scenario, it'll be somewhat along these lines, possibly with a few added features to prevent early access, like you suggested.

    One big advantage to this solution (and why we like it), is that it doesn't require us to hold on to decryption keys to your data. They're stored in escrow with your lawyer, which is probably the safest place for it.


  • Does this admin account require full access, or can it be a guest account?

    (I have several guest accounts available, but no regular ones - once all the kids are old enough)

  • It occurs to me that aside from creating an intentional delay, a customer could build a lawyer based recovery process today by creating a guest account which has access to one vault called "Recovery" and then placing recovery information for the other accounts into this vault.

    Still, this would take manual effort to ensure that the recovery vault is updated when you change your password or other details.

    Hopefully a proper Agilebits solution won't consume a license. Also, it should work even if an account is in read-only mode (assume that after I die my credit cards are terminated today, while the recovery might not even get started for a few weeks.

    edited March 2017

    @TheDave Good thinking! Storing my own Emergency Kit in a separate vault for a dedicated guest account could solve my problem of insufficient regular accounts to add an "admin" to cover the case when something bad happens to me.

    Unfortunately it won't solve my other problem/fear: what happens if I ever decide to change my master password and something goes wrong and I get locked out? Since I'm the only administrator my entire family will be locked out. I really wish more family members could recover my account, without being admin (being able to unintentionally mess up vaults).

  • Agreed. You would need to take appropriate care in this situation to make sure your password is properly saved in the guest vault (and if something else goes wrong, you're still vulnerable). AgileBits can do a better job (including an enforced delay).

  • brentybrenty

    AgileBits Team Member

    Some fantastic hacks and ideas for future improvements. Thank you! :chuffed:

    Just to clarify for anyone it might help, each 1Password Families account includes 5 Guests (access to a single shared vault). 1Password Teams include at least 5, depending on the plan. Cheers! :)

This discussion has been closed.