Reporting and policies to protect against weak passwords within the team/business account?

1password is great, but it's lacking some key compliance functionality for teams & businesses. The main one for us is the lack of reporting/policies to protect against weak passwords within the team. We can't rely on users to go to the app and perform a security audit themselves, it would be great to see this functionality within an admin section of https://team-xxxx.1password.com.

Ideas:

  • Admins can find weak passwords used within the organisation and either prompt the administrators of that vault (or the owner if it's a private vault) to change the password
  • 1password should have the option to add policies, for example it could be setup to remind users to change passwords X number of months, update weak passwords within X days before an admin is alerted etc.
  • An overall health score of passwords could be displayed on some reporting screen, so that as a Data Protection Manager I can ensure that password strength within the organisation is acceptable

1Password Version: 6.8.8
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:Reporting

Comments

  • rickfillion Junior Member

    Team Member

    Hi @willemmerson,

    You're right, that would be a pretty killer feature. We want to bring some of the Security Audit features that exist in our desktop apps to the website which would help a little towards this, but probably not enough for your liking.

    You bring up a good point... that there's a good chance that the weak or duplicate passwords exist in someone's private vault. Right now there's no way for an admin to see anything inside of someone's private vault. Through account recovery 1Password will provide the admin with the keys of those vaults, but never the contents. Due to this, there's no way that we can run a search into those vaults.

    We would love to provide a way for you to do this though. It would require that we make it clear to employees that their Private vault isn't quite as private as they might expect though. It's critical for us to ensure that those expectations aren't broken.

    Rick

  • Hi Rick,

    Thanks for your quick reply. There definitely is a need to have private logins within a team account, but at the same time from a company point of view we still need some control over these private logins. They might be individual logins, but they're still logins to what could be critical systems.

    Don't get me wrong... 1password is infinitely better than LastPass, but one thing that LastPass did do well was reporting, and their folder structure supports this by having three different categories of password storage:

    • Passwords that aren't shared (still can be analysed by admins in weak password reporting, without admins actually having access to the password)
    • Shared password folders
    • Linked personal accounts

    In 1password I feel as though team accounts with private vaults are confusing the concept of linked personal accounts? If 1password could be linked to another 'personal' account, then the user could still access 'private' and 'shared' folders, which can then be reported on and checked over by admins to maintain compliance?

    Kind Regards,

    Will

  • rickfillion Junior Member

    Team Member

    @willemmerson,

    I think we're mostly in agreement here. The challenge we're facing is in how to present this information to the user. We understand that some companies require access to those "Private" vaults, and we'd like to make that an option at a company level. But that information must be conveyed to the user. If my bosses can see into a vault of mine, I need to know.

    It's a problem that we'd like to solve. We just don't have the solution ready to go yet.

    Rick

  • 4l3x

    Hi Rick,

    I guess 2 years later, this topic is still not resolved, as I did not find this functionality anywhere.

    As a manager, I don't need to see into private Vaults. The only thing I need is a company-wide Watchtower, that shows me whether employees are reusing passwords, what the average password strength of the employees is and whether they are adopting 1Password (# of passwords in their accounts, or insights into which accounts are connected on an individual basis). Currently, I can only see that for my own account. Competitors such as Dashlane provide this functionality.

    I'm not aiming to spy on our employee's private logins, I just want to know that all of our company's logins are safe.

    Alex

  • ag_ana

    Team Member

    @4l3x:

    We have an internal discussion to track this, so we can add your thoughts there. Thank you for taking the time to share your feedback with us :+1::)

  • My POV is that anything on work accounts is not private or should be assumed to not be private. We make it a point where I work to tell people that work tools like Slack, their email, and 1Password are not private in the sense that admins can reset their email password and then gain access to any and all systems they use.

    As an admin I'd love to get more insight into the security of password entries. As bad as LastPass is (🤮), they do a solid job with their security reporting.

  • ag_ana

    Team Member

    Thank you for sharing your point of view with us @precisionroy! :+1::)

  • I agree with previous commenters. Some basic reporting which does not breach any privacy would be very useful:

    • Number of reused passwords
    • Number of passwords which are weak or terrible

    In other words, having the counts of various Watchtower categories for each user would go a long way towards identifying a problem. This wouldn't require admins even seeing what the names of the logins are, let alone the passwords.
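An added illustration of the reporting model proposed in this comment, not 1Password's Watchtower or any 1Password API: each user's client scores its own vault locally and emits only category counts, so the admin report carries no item names or secrets. The vault layout, the entropy heuristic and the weak/terrible thresholds are assumptions.

```python
"""Per-user password-health counts that never leave plaintext or item names."""
from collections import Counter
from dataclasses import dataclass
import hashlib
import math


@dataclass
class Item:            # assumed vault item shape (example only)
    title: str
    username: str
    password: str


def entropy_bits(pw: str) -> float:
    """Rough strength estimate: length * log2(character pool size)."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(not c.isalnum() for c in pw):
        pool += 33
    return len(pw) * math.log2(pool) if pool else 0.0


def classify(pw: str) -> str:
    """Assumed thresholds: <28 bits terrible, <45 bits weak, else ok."""
    bits = entropy_bits(pw)
    return "terrible" if bits < 28 else "weak" if bits < 45 else "ok"


def health_report(user_id: str, vault: list[Item]) -> dict:
    """Return only counts; titles, usernames and passwords stay on the client."""
    categories = Counter(classify(i.password) for i in vault)
    # Reuse is detected by comparing digests, so no plaintext is retained.
    digests = Counter(hashlib.sha256(i.password.encode()).hexdigest() for i in vault)
    reused = sum(n for n in digests.values() if n > 1)
    return {"user": user_id, "total": len(vault), "reused": reused,
            "weak": categories["weak"], "terrible": categories["terrible"]}


# Constructed sample vault: one strong, two reused weak, one terrible entry.
SAMPLE_VAULT = [
    Item("Bank", "will", "Correct-Horse-Battery-Staple-42"),
    Item("Wiki", "will", "password"),
    Item("Jira", "will", "password"),
    Item("Printer", "admin", "1234"),
]

if __name__ == "__main__":
    print(health_report("user-1", SAMPLE_VAULT))
```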

  • ag_ana

    Team Member
    edited July 18

    Thank you for sharing these ideas with us @spencerogden, noted :+1:

    ref: dev/b5/b5#7102
