Deleting family members (or vaults) also removes their data

vishal
edited April 2016 in Families

I tried various aspects of 1Password Families a few weeks ago to see if it would work for my family members. There were no problems except for a potentially serious design flaw. If, as an administrator, I delete another member's account, they immediately lose all their data, including their personal vault! I would understand if, upon account deletion, a member were to lose access to shared vaults. However, their personal vault is...well...personal. It likely contains very important data, such as banking passwords. Shouldn't it be kept as a local vault? Or, at least, shouldn't the deleted account holder be given a chance to export their data?

Now I don't have any intention to delete one of my family members' accounts. However, I don't feel comfortable inviting them to store their usernames and passwords in a place where they can be easily wiped by me.

Did I miss something?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided


Comments

  • roustem AgileBits Founder

    Team Member

    @vishal,

    I am not sure what would be the solution there. It is pretty difficult to delete a user by accident -- you are required to type the user's name to proceed:

    At the same time, there are cases when you might need to delete the user immediately. As the owner of the account, the power should be yours.

  • roustem,

    I am not sure what would be the solution there.

    One possible solution is to leave a local copy of the deleted user's personal vault on whatever device they're using. Currently, it seems once a user is deleted by the owner, their personal vault is also deleted from their devices.

    As the owner of the account, the power should be yours.

    I understand that the owner should have the power to remove a user from the account. However, the data in the user's personal vault doesn't belong to the account, it belongs to the user. If I'm not mistaken, the owner doesn't have the power to look at the data inside a user's personal vault. Why, then, should they have the power to delete that data?

  • Ben AWS Team

    Team Member

    One possible solution is to leave a local copy of the deleted user's personal vault on whatever device they're using. Currently, it seems once a user is deleted by the owner, their personal vault is also deleted from their devices.

    An interesting idea. I could potentially see leaving at least a read-only copy of the personal vault.

    However, the data in the user's personal vault doesn't belong to the account

    It does, actually. At least, that is how it has been designed to work thus far. The account owner is paying for the account, so all of the data in the account is owned by them (even if they do not necessarily have the ability to read all of it).

    You do bring up a good point though. 1Password for Families was built upon 1Password for Teams. With Teams, this concept makes sense. With Families, it may not. It is something we can certainly do some thinking on.

    Thanks!

    Ben

  • I think this is an important finding and one that should be considered strongly by the development team. If someone leaves a 1password family, they should not lose their information forever.

  • Unless you really hate the person, I assume that person would have the 1P app on some platform from which they can move their Family Personal vault items to their local vault prior to being deleted? As @roustem said, you are going out of your way to delete the user via the delete user screen .. I don't see this being done by accident. Though, I would suggest adding an additional confirmation screen if the vault is not empty.

  • brenty

    Team Member
    edited April 2016

    I think this is an important finding and one that should be considered strongly by the development team. If someone leaves a 1password family, they should not lose their information forever.

    @tastyroadkill: If someone leaves a 1Password Family (or Team) by choice, they can either move their data to a local vault or export it using 1Password for Mac.

    Though, I would suggest adding an additional confirmation screen if the vault is not empty.

    @rr0ss0rr: An additional confirmation screen seems a bit excessive. As you mentioned, since you're intentionally doing something destructive in the first place by deleting it, an opportunity to stop and reconsider before proceeding is a good reality check. I think that simply reiterating that deleting the account also includes all of its data is good. If we go down the road of multiple warnings, I'm not sure where it stops:

    Do you want to delete the user and their data?

    Yes.

    Are you sure you want to delete them?

    Yes.

    Are you really sure?

    Is this a prank? Of course I am! Enough already!

    ;)

  • vishal
    edited April 2016

    @bwoodruff

    Glad that you see my point.

    With Teams, this concept makes sense. With Families, it may not.

    I can give you a concrete example of this. I want to help protect my family from online hackers. So I want to invite my sister to 1P for Families. Now my sister is an adult, and I want to tell her that she can generate and store random passwords in 1P with full confidence. However, if I tell her that I will own all those passwords, she will hesitate to use 1P.

    Vishal

  • Ben AWS Team

    Team Member
    edited April 2016

    Now my sister is an adult, and I want to tell her that she can generate and store random passwords in 1P with full confidence. However, if I tell her that I will own all those passwords, she will hesitate to use 1P.

    In that case it may make more sense for your sister to have her own Family account, where she owns the data. Do you plan to do any sharing with her? If you do, you could still invite her as a guest to your family, but she could have her own (where her Personal vault lives) as well.

    That way if you decide to delete her account from your family all she loses are the passwords that you've shared with her.

    Ben

  • brenty

    Team Member

    @vishal: I'll also add that we've updated 1Password Families to have an "Organizer" status, since "Owner" has more far-reaching implications. While the Family Organizer (you, in this case, and any else you give that status) can disband the Family or remove members from it, no one ever has access to another person's Personal vault.

    The only risk to your sister's data being a part of the Family where you are the Organizer would be if you wanted to do something malicious like delete the account out from under her...and I'd like to think that if the two of you would be willing to have her be a member of your Family that you're on better terms than that. ;)

    But of course, as Ben mentioned, she can always Organize her own Family instead, and then have a Guest account with yours if there's a vault you need to share with her. Cheers! :)

  • Smudge Junior Member

    On the Delete Person dialog, you should at least mention that removing them from the Family will delete their vault too. As someone might think it is only removing their access but the data would remain.

    Perhaps a future feature could be to have a checkbox on the dialog where the Organizer has the option to delete the vault or archive it off as a read-only vault.

  • brenty

    Team Member

    @Smudge: I agree. I think it's possible that exactly what will be deleted may be less than clear, depending on permissions, but we could mention that deleting an account takes their data with it. :pirate:

    ref: b5-1390

  • Even worse, if you make someone else a family organizer (such as your wife), which is recommended for password recovery, they could accidentally delete your account and wipe your data. Or do it maliciously. Can someone confirm this behavior?

  • brenty

    Team Member

    As illustrated above, that's definitely not something that can be done "accidentally", and — much like allowing someone malicious to take over your computer — if you're inviting malicious people into your Family it will not be possible for 1Password to mitigate that threat. :(

  • Can you clarify the difference between an account owner and organizer? I want to add someone and allow them to reset my password, but she shouldn't be able to delete my account.

    Does this mean I want to make my GF an organizer, but not an owner? Can an organizer reset, but not delete? Can you clarify the difference?

  • (p.s., your forums don't work on iPad)

  • natehouk
    edited April 2016

    This is particularly important with respect to the whole "local backups" subject (https://discussions.agilebits.com/discussion/59098/backup-family-vaults)

    Someone can accidentally delete your account which wipes your personal vault, and you have no local backup of the data. This is definitely a design flaw.

    I cannot trust moving my data from my personal local vault to my personal online vault if there is a chance another user could delete my account or my (the account owner and the person paying!) vaults without my consent.

  • brenty

    Team Member

    (p.s., your forums don't work on iPad)

    @natehouk: They definitely do. I use my iPad here occasionally, and I know we have at least one team member who uses his iPad to post here daily. Do you perhaps have a content blocker that's causing issues for you?

    Can you clarify the difference between an account owner and organizer? I want to add someone and allow them to reset my password, but she shouldn't be able to delete my account.
    Does this mean I want to make my GF an organizer, but not an owner? Can an organizer reset, but not delete? Can you clarify the difference?

    I'm sorry for the confusion! "Owner" and "Organizer" are the same thing; the latter is simply the name used now in 1Password Families (as opposed to 1Password Teams), since having a "Family Owner" just seemed weird.

    I cannot trust moving my data from my personal local vault to my personal online vault if there is a chance another user could delete my account or my (the account owner and the person paying!) vaults without my consent.

    This is 1Password, where we store our most sensitive, important data. We should not be inviting people we cannot trust, or giving someone we do trust responsibility that goes too far. In 1Password Teams, there are more granular controls, since in a work environment we don't know coworkers to the extent that we do our families, and of course they may quit or be fired at some point. We can certainly consider different options for 1Password Families going forward, but ultimately simplicity is crucial for all of our loved ones, young, old, and in between, to be comfortable using 1Password Families. Building more walls and obstacles isn't the solution to empowering families to be more secure.

  • Zero2Cool
    edited April 2016

    I thought every member has his/her own vault, and if I remove them they have access for a limited time to save his/her passwords or create their own team/family account.

    It's an absolute no go, that the family owner can delete the private vault and the user has no opportunity to save the passwords.

    From the perspective of the member, the passwords in the private vault are not secure. If the family owner goes crazy and deletes the member, it's a disaster if the user loses all private passwords.

  • natehouk
    edited April 2016

    @Brenty,

    I think that is a very naive view of your security model and an incomplete threat analysis. I go to great lengths to secure my 1password database. Granting another user, regardless of how trusted, the ability to delete my data either accidentally through user-error, or maliciously (such as during a nasty divorce) is unacceptable.

    I completely agree with Zero2Cool -- it is a complete blocker to having a second organizer if they can destroy my data. Perhaps my answer is simply to not have a second organizer, but this prevents the ability to reset my master password if needed, which is a very desirable feature.

    It's an absolute no go, that the family owner can delete the private vault and the user has no opportunity to save the passwords.

    p.s. -- yes I'm using a content blocker on iPad, thanks for pointing that out, my mistake. Too late to edit my comment above.

  • Ben AWS Team

    Team Member

    Hi folks,

    I go to great lengths to secure my 1password database. Granting another user, regardless of how trusted, the ability to delete my data either accidentally through user-error, or maliciously (such as during a nasty divorce) is unacceptable.

    Just curious: Does that person have an administrative account on your computer?

    If they do, and that level of risk is acceptable to you, then it sounds like backups are likely the difference?

    Ben

  • Zero2Cool
    edited April 2016

    If the second family organizer removes one family member, their private vault will be deleted. Or not? If yes, it's unimportant whether the second family organizer has an admin account on my computer. He can delete it on his own computer.

    I don't understand why there is such a big fault in 1Password Team/Family.

  • Ben AWS Team

    Team Member

    My question is unrelated to 1Password. I'm simply asking if you've trusted other people with administrative access to your computer (if you share an account that would also apply).

    Ben

  • I can see the argument that this is dangerous .. but the warning is clear .. A person that cannot understand the meaning of the warning should not be an organizer .. Unfortunately, unlike Teams where my team mates are technically savvy, I cannot say the same for family members. But they are already used to calling me if they are confused about anything .. especially if it contains my userid.

    One thought is to have a built-in recovery userid that only the Organizer knows .. one that doesn't count against your 5 (almost like the root userid)

  • This has nothing to do with warnings; if a family member is deleted, they should have access to their own private vault, maybe for 2-4 weeks.

  • Ben AWS Team

    Team Member
    edited April 2016

    If a family member still needs access to their Personal vault then their account should not be deleted.

    I understand your argument, and we'll have an internal discussion about it, but that is the current state of things.

    Ben

  • I think you don't want to understand the problem.

    "From the perspective of the member, the passwords in the private vault are not secure. If the family owner goes crazy and deletes the member, it's a disaster if the user loses all private passwords."

  • Ben AWS Team

    Team Member

    If there is a distinct possibility of the family organizer (there are no more "family owners") going crazy and deleting everyone's data, they probably shouldn't be the organizer.

    Like I mentioned, I understand where you are coming from, and that you'd like an additional layer of protection / failsafe here. We don't have that right now, and I can't promise that we will. But we will talk about it.

    Thanks.

    Ben

  • Zero2Cool
    edited April 2016

    The family organizer can be trustworthy to 99.99%, but in the last 0.01% he can delete all private vaults of the users. I think this is an acute shortage. Of course this should never happen, but it can! The vaults of all members should be safe.

  • @bwoodruff Is this type of setup in Teams?

  • Ben AWS Team

    Team Member

    @Scuba629,

    It is not. Deleting a 1Password account deletes the Personal vault associated with it, regardless of whether you use Families or Teams.

    Ben

This discussion has been closed.