
I see a lot of posts asking people to help recover their account

JohnJimmy
Community Member

I was under the impression that AgileBits has no access to the master password or secret key or any other information related to logging into the account. How are employees able to help people recover lost login information? Isn't this a giant problem for employees being fooled by a scammer or someone phishing for information? I am currently on the free trial, but I do not want to sign up for a membership if this is the case.



Comments

  • AGAlumB
    1Password Alumni
    edited July 2018

    @JohnJimmy: Due to public key exchange when users set up their accounts in a family or team setting, Organizers and Owners can put accounts into recovery mode so the user can generate a new Secret Key and choose a new Master Password if they've lost them:

    Recover accounts for family or team members

    You can learn more about how this works behind the scenes in the 1Password.com security whitepaper. But neither AgileBits nor anyone who is not an admin on the family/team plan will be able to help someone recover their account. It just isn't possible cryptographically since we aren't part of that key exchange. So people can try to scam us all they want; we simply don't have the ability to grant anyone access to an account, even the legitimate owner.
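
Added example (not part of the thread and not 1Password's code): a simplified Node.js model of the recovery flow described in the reply above, where the vault key is wrapped to both the user's public key and a recovery key held by the family/team admin. RSA-OAEP and every name here (`setUpAccount`, `completeRecovery`, the record fields) are assumptions made for illustration; the actual design is in the security whitepaper.

```javascript
// Simplified model: the service stores only public keys and wrapped vault keys.
const nodeCrypto = require('node:crypto');

const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
const newKeyPair = () => nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const wrap = (publicKey, secret) => nodeCrypto.publicEncrypt({ key: publicKey, ...OAEP }, secret);
const unwrap = (privateKey, blob) => nodeCrypto.privateDecrypt({ key: privateKey, ...OAEP }, blob);

// Account setup: the vault key is wrapped once for the user and once for the recovery key.
function setUpAccount(userPublicKey, recoveryPublicKey, vaultKey) {
  return {
    userPublicKey,
    wrappedForUser: wrap(userPublicKey, vaultKey),
    wrappedForRecovery: wrap(recoveryPublicKey, vaultKey),
  };
}

// Recovery: only the holder of the recovery private key (the admin) can unwrap the
// vault key and re-wrap it to the public key the user generated with new credentials.
function completeRecovery(record, recoveryPrivateKey, newUserPublicKey) {
  const vaultKey = unwrap(recoveryPrivateKey, record.wrappedForRecovery);
  return { ...record, userPublicKey: newUserPublicKey, wrappedForUser: wrap(newUserPublicKey, vaultKey) };
}

// True only if this private key is one the blob was actually wrapped to.
function canUnwrap(privateKey, blob) {
  try { unwrap(privateKey, blob); return true; } catch { return false; }
}

function demo() {
  const vaultKey = nodeCrypto.randomBytes(32);   // constructed sample secret
  const admin = newKeyPair();                    // recovery key pair, held by the admin
  const lostUser = newKeyPair();                 // private half is lost with the old credentials
  const record = setUpAccount(lostUser.publicKey, admin.publicKey, vaultKey);

  const outsider = newKeyPair();                 // any party outside the key exchange
  const newUser = newKeyPair();                  // generated after recovery mode is started
  const recovered = completeRecovery(record, admin.privateKey, newUser.publicKey);

  return {
    outsiderCanRead: canUnwrap(outsider.privateKey, record.wrappedForUser) ||
                     canUnwrap(outsider.privateKey, record.wrappedForRecovery),
    userRecovered: unwrap(newUser.privateKey, recovered.wrappedForUser).equals(vaultKey),
  };
}
```

In this model the stored record never contains a private key, so holding the record alone is not enough to read the vault key.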

  • pervel
    Community Member

    @JohnJimmy: You're right that lots of people are asking for their accounts to be recovered. But if you read the replies, you will see that the answer is always negative. AgileBits cannot recover their accounts.

  • AGAlumB
    1Password Alumni

    Indeed, the best we can do is suggest where they might look on their own for the information they need, or to get help from an admin in their team/family. :blush:

  • danco
    Volunteer Moderator

    And, I believe, if the worst comes to the worst, AgileBits can delete the account and let the user create a new account.

  • Ben

    We don’t delete accounts, but we can help the account owner delete their account.

    Ben

  • JohnJimmy
    Community Member

    I guess my confusion is coming from employees on this forum asking people to request help over email since there is private information. I don't know exactly what information that is other than perhaps name, address, phone number, credit card, etc., but a lot of that information is either public knowledge or can be acquired. I would feel uncomfortable if someone who is not me, but knows such information, is able to request help to unlock my account.

  • Ben

    @JohnJimmy,

    We can only discuss account-related matters by email, that is true. We’ll only correspond regarding an account (or even confirm the existence of an account) with the email address that is on that account. If someone can send and receive email from the email address associated with your account that is indeed a problem, as they would be able to delete your account. It is critically important that you use a strong and unique password for your email. Fortunately 1Password helps make that possible.

    As for what information we have you can read more about that in our privacy policy:

    Privacy Policy | 1Password

    I hope that helps!

    Ben

  • AGAlumB
    1Password Alumni
    edited July 2018

    @JohnJimmy: Indeed, but while a person having that information could get help from us, it wouldn't do them any good unless they already have control of your account (we can't grant anyone access, since we never have the "keys" to any customer's data), but more importantly they also wouldn't need to bother trying to get information out of us if they already have it to use to pose as you in the first place. Not to make light of such a bad situation, but we're not in a position to make things worse for that person, if that's some consolation.

    To clarify, we consider anything that a customer (or potential customer) shares with us as part of signing up for an account here in the forum, for a 1Password membership, purchasing a license, etc. as being nobody else's business. For example, while I know this unfortunately often isn't the case in today's day and age, I think that it's reasonable for me to expect that when I share my name and email address with a company to use their product that only they have that information.

    Obviously, in many cases, as part of agreeing to "terms of service", etc. we're granting a company permission to share (or outright sell) a lot of that sort of information with others. That's technically legal (within limits), but it's not something I appreciate (to put it mildly), and it's also not something that 1Password stands for either; quite the opposite. This is so important to us, and you can find more details about our policies in the link Ben shared above.

    But the short version is that we avoid collecting user information wherever possible, because even with the best of intentions mistakes and misuse can happen. We prefer to not be in that position in the first place. But of course we do have to know some things about you in order to provide a service — e.g. recognizing you when signing into your account, and charging you for it. Our only source of revenue is our customers though, and there's no fine print: we make 1Password, and you pay us for it so we can continue doing so.

    While there is information that we absolutely must have in order for 1Password to be useful to you and for us to get paid so we can support you as our customer, we take pains to discuss things in the most general terms we can in public, or even privately when we cannot (or have not yet) verified who you are. It can be frustrating at times both for us and for a customer when we don't have specifics about them or their account (or simply cannot reference them due to security and privacy concerns), but there's actually a lot we can do to point people in the right direction, or offer instructions for resolving the issue which doesn't at all involve sensitive* information. For instance, if you didn't come out and say "I am using 1Password Families" here, I won't reference that even if I happen to already know that's what you're using; that should be your choice, just like you choose a forum username to identify yourself, and the other details you choose to provide. This is also great because many people can find the answers to their questions when others have asked them before.

    However, sometimes we do need to discuss the specifics of a person's account, exchange diagnostics, etc., so moving the conversation to email not only allows us to privately verify any personal information as needed, in addition to being more comfortable for a lot of people, but it also means we can dig down deeper into the issue and provide instructions specific to the account type, devices, and vault setup which would only be relevant to you — in addition to being things you might not want to discuss publicly, if you happen to use the names of family members or pets or something embarrassing as the account name, etc. It's a responsibility we take very seriously.

    I hope that this helps illuminate this topic a bit. There are many facets to this, and we want to respect our customers' privacy just as we want our own respected. At the end of the day, not all of us care equally about privacy or are particularly at risk, but just because you or I have nothing to hide doesn't mean we have any less of a right to it than someone else. If we want to overshare on the internet, that should be our choice. ;)

    *We consider your name, email address, etc. to be sensitive information in the context of 1Password, since you're not giving them out here publicly (and please don't!) — even if you choose to share them somewhere else on the public internet.

This discussion has been closed.