Deleting family members (or vaults) also removes their data


Comments

  • "My question is unrelated to 1Password. I'm simply asking if you've trusted other people with administrative access to your computer (if you share an account that would also apply).

    Ben"

    @bwoodruff

    Absolutely 100% no, I am the only administrator of my computer. My computer would be insecure otherwise.

  • Ben AWS Team

    Team Member

    Understood. With that mindset, I wouldn't necessarily recommend that you have another organizer for your family. It will be critically important then that you have your Emergency Kit saved somewhere sensible.

    Ben

  • And from the perspective of the members, they shouldn't join a family account because the family organizer owns all their private passwords, right?

  • Jacob

    Team Member

    @Scuba629 A failsafe against someone deleting a user? No. Honestly, we can't protect you against yourself, and in this case the other members on your account. If you decide to give them the ability to manage the account and they decide to completely delete all the users including yourself, that's not something we can stop. It's your account, after all. That's what makes Families really nice — it puts everything in your hands and we aren't able to touch it. Of course, it's a double-edged sword I suppose. ;)

  • brenty

    Team Member

    Indeed, it's impossible to give someone the ability to help you manage your 1Password Family and also not allow them to do so. Giving someone the keys to your car so that they can move it for you in the morning so you don't have to wake up means they can also back it into the house across the street. True story. Trust is a many-splendored thing.

  • natehouk
    edited April 2016

    @penderworth @bwoodruff @brenty

    Ideally, I want to be able to designate a user that is able to help reset my master password if needed but is unable to delete users (i.e., less powerful than the Team Organizer but more powerful than the Standard user).

    This way I would remain the sole "Team Organizer", but still be able to potentially reset my password in case of memory loss (such as falling and hitting head).

    My current setup is as follows:

    • Locked down local 1password personal vault with 50 character memorized password. Master password is not written down anywhere. This vault contains 500+ highly sensitive items.
    • Copy of my master password inside my online 1password personal vault, as well as a copy of my Apple ID password. These are the ONLY two items in this vault. This vault is secured with a different 50 char master password than my local vault, and stored within my local personal vault (this password is not memorized).
    • Designate a trusted third party as a team organizer (in my case, it's my GF) to my online 1password family/team.

    In the absolute worst case scenario:

    • Slip, hit head, forget master password
      And/or

    • All computers and harddrives stolen/burn in fire

    I can bootstrap back online by:

    1) Asking my trusted third party to reset my online 1password family master password. They do this by logging into the online 1password family account using their own credentials (account key + master password), which they have secured using their own offline 1password vault. Because they are also a team organizer, they can reset my account key + master password.
    2) Once I have regained access to my online personal 1password vault, I can access the stored AppleID password from my online personal vault, as well as my local 1password master password.
    3) Buy a new iOS device, install 1password
    4) Sync local 1password vault to device using my AppleID password and iCloud. This restores my large local vault of 500+ items.
    5) Unlock local 1password vault using master password retrieved from step 1.

    This is a convoluted setup, but is ideal because:

    • My offline master password is not stored or written down anywhere. It is only in my head. I do not need to store an emergency kit anywhere.
    • I do not need to trust a third party with any of my master passwords.
    • If my third party is malicious, they can do me no harm. There is no way for them to get into my local personal vault, nor can they access my online personal vault. At worst, they can delete my online 1password user account, but in this case I only lose the two passwords stored in my online personal vault and I can restore them from my local vault. I can then remove that malicious user from my online 1password family account to re-secure it. NOTE: My third party might not be malicious intentionally -- it could simply be that my GF herself is hacked and that hacker is malicious.

    IMO this is the ONLY currently secure way to use the entire 1password system such that:

    • There is no way for a malicious user to delete my data or prevent me from accessing it.
    • I am able to regain access even if all devices are lost/stolen
    • I am able to regain access even if I slip and hit my head and forget my master password

    Ideally I would like to move ALL my 500+ items to my online personal 1password vault, and delete my local vault. I believe this aligns with how AgileBits wants 1password to be used in the future. This however is currently untenable because of the following scenario:

    • Trusted third party turns malicious towards me or has computer stolen or gets hacked, and therefore their 1password online team organizer account is compromised.
    • My online 1password user account is deleted. Therefore I lose all items in my vault.
    • I do not have local backups due to the fact local backups of the online vaults currently do not exist.

    My full transition to 1password families will be complete once the following features are added:

    • Local backups of my online vaults
    • Ability to designate my trusted third party with the ability to "reset passwords" but NOT delete accounts.

    I truly appreciate the excellent customer service you guys are providing by discussing these issues and would like to make it known that I have been a very satisfied power user of 1password for many years and love supporting the company. AgileBits has proven itself to understand the deeply complex world of security and cryptography over the years by publishing and documenting its security models openly in white papers.

    The reason I find this discussion HIGHLY relevant and potentially worrisome, and the reason some of the responses so far have given me pause, is based on words that were written by AgileBits itself five years ago in this blog post:

    https://blog.agilebits.com/2011/09/23/two-factor-or-not-two-factor/

    One of my biggest fears, as outlined in that blogpost, is not that I will get hacked or compromised, but that I will make a mistake or experience a data loss which causes me to be locked out of my own accounts accidentally. With this high in mind, I do not think it is paranoid to consider that you must protect yourself from accidental data loss from a malicious or inept second team organizer who deletes your user account. I think this is a real risk, that some of your users will experience eventually either due to 1) user error or 2) malicious intent.

    The fact that the current design allows my entire personal vault and user to be deleted by a second team organizer is highly concerning and a security threat that cannot be ignored. My current system prevents this, but is much more convoluted than it needs to be if some tweaks were made to the current security model such as allowing this additional user level (reset passwords, but not delete vaults/accounts) + local backups.

    You are correct that you can't protect me from myself, but you can protect me from other members on my account by providing the proper access restrictions.

    Thank you for the fine piece of software and pleasant discussion. So far I am very impressed with this new online product, and I look forward to how things evolve. I do, however, think there is a massive risk to AgileBits reputation by taking this new product out of beta until some of these issues are worked through and considered. In its current state, it feels like a beta product. I am optimistic though for where things are headed.

  • It sounds like the data can be restored anyways. In another thread they mention a cool down period before a vault is totally removed. Maybe that process is limited? Can a personal vault be restored even if the user is deleted?

  • brenty

    Team Member

    It sounds like the data can be restored anyways. In another thread they mention a cool down period before a vault is totally removed. Maybe that process is limited? Can a personal vault be restored even if the user is deleted?

    @Scuba629: While it's something we're evaluating, so the exact details may change in the future, you are correct. Essentially there's no difference between a deleted user and a deleted vault when all we're talking about in both cases is encrypted bits marked for removal. Restore is a possibility, though what form that may take isn't certain at this point. Suffice to say that "undeleting" is possible since data isn't purged from the server immediately. This is even possible on local drives when the deleted data is not overwritten. In the case of 1Password Families/Teams, this just isn't something that's exposed to the user currently.

  • @brenty I think just having the ability to undelete goes a long way to solving this problem. And as a bonus it sounds like some type of restore is also possible.

    This is of course assuming the Organizer wouldn't be able to remove files from either of these methods.

    Do you think users will see some type of restore coming to the UI? Also if not what would the turn around time be for an undelete or restore request?

  • brenty

    Team Member
    edited April 2016

    @natehouk: First of all, thank you for your kind words and constructive criticism. I'm glad we're having this important discussion! :)

    Ideally, I want to be able to designate a user that is able to help reset my master password if needed but is unable to delete users (i.e., less powerful than the Team Organizer but more powerful than the Standard user).

    I agree that would be ideal for the situations you describe, but to me that sounds more like a company environment — and you even used the word "Team". Indeed, this is exactly what 1Password Teams is setup to do: allow you to have granular control over exactly who can do what.

    I think that may ultimately be more appropriate for the scenarios you outlined, since it means you can grant someone only access to help you recover, not destroy data or delete your account. And it sounds like having access to a means to restore data in the web interface or locally would satisfy the "worst case scenario" aspects as well. Let me know if I'm missing anything.

    You are correct that you can't protect me from myself, but you can protect me from other members on my account by providing the proper access restrictions.

    That's just the thing: the access restrictions are something you set up. You choose who you invite, and we don't grant de facto "admin" rights by default to anyone you've invited; that's a choice you make.

    The more I read, the more it seems to me like what you really want is 1Password Teams. We won't be making 1Password Families as complex, even if we make some tweaks here and there. Part of that is developing, testing, and supporting more features and the interactions between them has a real cost, but it's also true that a Team inherently involves trusting people you don't know well enough to know whether you can trust them or not. We'll see if there are changes that are appropriate for 1Password Families, but based on your comments I think you'd be much happier with 1Password Teams, now and in the long run.

  • brenty

    Team Member

    @Scuba629: Got a little mixed up there, since I guess you were replying at the same time I was. :lol:

    Do you think users will see some type of restore coming to the UI? Also if not what would the turn around time be for an undelete or restore request?

    I can't say for certain if or when, or what form it might take, but it's something we'd like to make available. After all, if the data is still there on the server, it makes sense to make it useful. And the best part about all of this is that "permissions" aren't policy-enforced; they're encryption-enforced. That's a pain when you want to do things that cross those boundaries (like item sharing), but it means that an admin can't restore deleted Personal data to try to circumvent security: it's still encrypted.

  • @brenty I'd guess we would have to contact support if some of the examples here did happen. i.e. GF went nuts and deleted all users and vaults.

  • Ben AWS Team

    Team Member

    At the moment that would be the case, yes. From Roustem:

    We are considering adding an option to restore deleted vaults. Currently, most of the information is only marked as deleted and it will be possible to restore it.

    Even the account deletion should not destroy the data immediately but only after a certain "cool-down" time.

    Ben

  • rr0ss0rr
    edited April 2016

    Maybe have a stated time for deletes, i.e. 30 days, and still list that vault in the dashboard but marked as deleted .. permanently removed on xx-xx-xxxx (with a restore button to undelete it)

    After reading this thread, I really didn't want my wife as an Organizer, so I created another ID called "root admin" and gave it Organizer. Saved its Emergency Kit in my Primary vault so I can log into it if needed. It's wasting a userid, but as of now I don't need 7.

  • Jacob

    Team Member

    @rr0ss0rr Hmm. You'd like to see a deletion not made permanent until 30 days have passed, sort of like how most mail clients do things with deleted messages? That could also work like the Trash currently does. This is hypothetical though. ;)

  • Just a thought ;-)

  • brenty

    Team Member
    edited April 2016

    ;):+1:

  • I really like the subscription model, but the fact that the "owner of the family" can at any time delete all the others' data is a deal-breaker for me.

    Anybody can go crazy at any time and delete other members of the family. The argument "he should not be the organizer" is not valid. Family members argue with each other. For Team it is an OK concept - there is an owner of the team. But for family this concept is a deal-breaker for me.

    I think you should remake the concept of whole Family thing. I would imagine Family subscription like this:

    Every family member has an account independent from the family. I will buy the subscription and invite people to my 1pass family. Their personal vaults are not connected with the shared family vaults. As the family owner I pay for the subscription. If I don't want anybody to be part of my 1pass family, I will "release" him or her from my family. His account will still be active, he will just not be part of my family and his personal vault will remain untouched. The member may join another family or buy his own subscription (and of course he could be part of more than 1 family at a time). I know that everybody has the possibility to sync their own vault through Dropbox and "live independently" but the fact that after inviting somebody to a 1pass family he has a "personal vault" in his account is misleading. It would be cool if I sign in at the 1pass website and I can see my "shared family vault" AND my "really personal independent vault".

    Some additional detail. After "releasing" some member from the family he will get a copy of the shared vaults in his account. He can merge those shared vaults w/ his personal vault, or delete them or whatever.

  • brenty

    Team Member

    @vlad777: That sounds like completely independent "individual" 1Password Accounts, and it's certainly something we're considering for the future. However, that would be alongside 1Password Families (and Teams). Much like in real life, I won't accept an invitation to someone else's family unless I trust them. With 1Password, it means they own the Family account (they're paying for it after all), and with a living situation it means they own the house. So I'll only join someone's family if I'm confident that they won't burn down the account or the building while I'm in them. We'll continue to iterate on 1Password Families, but it sounds like what you're really looking for is something solely for yourself, not to share with others, which is good to know. Thanks for the feedback! :)

  • Partially you are right, I'm looking for something for myself but I would also like to use features of family sharing.

    Much like in real life, I won't accept an invitation to someone else's family unless I trust them.

    I don't think there is any difference between:
    1. current situation - somebody invites me to open account in his family
    2. somebody invites me to join his family with my current account

    In both situations I have to trust the person who invites me, otherwise I won't accept that person's invitation.
    I think sharing can work today too, but I would change the concept of "deleting user inside family" to "disconnect user from family".

    If I have a brother and a wife and I want to share some passwords with them, none of us would accept a situation where any of us could delete the others' personal vaults at any time.

  • brenty

    Team Member

    I don't think there is any difference between:
    1. current situation - somebody invites me to open account in his family
    2. somebody invites me to join his family with my current account

    @vlad777: In theory, yes. In practice, no; this is not currently possible, though it's an interesting idea. Again, it comes back to individual accounts.

    1Password Families and 1Password Teams were designed from the ground up with sharing in mind, so every "individual" is in fact part of a Family/Team. This makes it easy (both from a user perspective and technically) to share keys to grant someone access to shared data without making it easy for someone to accidentally share with someone they shouldn't, outside the Family/Team. After all, that could have disastrous results.

  • I really think you guys are missing the forest for the trees here. Just because I grant someone access to my safe deposit box at the bank, doesn't mean I give them access to delete my entire bank account.

    A simple solution to this problem could be to:

    • When creating a new account, mark the new account #2 as being created by account #1. The initial account is the root account.
    • Accounts are only allowed to delete other accounts which they have created.

    Even simpler:

    • Make it so the root account can never be deleted.

    I think if you surveyed your customers, you would find that nearly everyone has added a second team organizer so that they can recover the password to the first team organizer if needed, but that they do NOT want them to have the ability to delete their account.

    I really can't think of ANY scenario where the first team organizer would WANT the second team organizer to have the power to delete their account. For example:

    1) User signs up for 1password families (inputs their credit card, sets everything up, fills up their vault with secrets, etc).

    2) Add a second team organizer (as recommended by the quests) to allow for password recovery.

    3) Second team organizer deletes first team organizer. First team organizer is still paying the monthly bill.

    In fact, in this scenario, the first team organizer still has their credit card saved and is paying for the 1password for families account, but now no longer has access to go in and cancel the subscription. How do they cancel the subscription in this scenario?

    I also bet if you surveyed your users, you would find that a large majority of your current paying 1password family subscribers (i.e., the early adopters), are 1) a highly technical, security conscious person who was already using 1password and 2) who has upgraded to 1password for families in an attempt to get their family members to also improve their own security. These are the users you WANT to be advocating your software. However, as it stands, they are required to take a downgrade in their own security, in order to adopt this new cloud model.

    After reading the entire 1password teams whitepaper (and ignoring the numerous sections which are not yet written/published), as it stands, the ONLY regression in security I see is the fact that my data can become unavailable if a team organizer deletes my account.

    It is true that previously, using vault sharing via dropbox, a family member could delete my data by deleting the shared vault file. However, the only vault they could delete was the SHARED vault. They could never delete my personal vault. Now, with 1password for families, my PERSONAL vault is at risk of deletion, unlike before.

  • It would have been better if everyone within the Family were a Vault Manager for their own vaults, creating and sharing the vaults that they create, then have a Family Manager that can invite/remove/recover family members. I actually created a 2nd Organizer named Root Admin to handle my recovery, just in case since I didn't trust my wife (to remember her password). The Organizer (or Family Manager) should not be allowed to add themselves to a shared vault if they were not invited.

  • khad Social Choreographer

    Team Member

    I think if you surveyed your customers, you would find that nearly everyone has added a second team organizer so that they can recover the password to the first team organizer if needed, but that they do NOT want them to have the ability to delete their account.

    I agree, @natehouk. An important aspect of security is data availability. If someone can delete my passwords at any moment — whether by accident or malice, it makes no difference — then I consider that to be a weak spot in the security.

    I trust my wife with my life, so my passwords are not that big of a stretch. The shared vault works very well for us. But we do each keep our personal data in a local vault that we sync with Dropbox.

    I also bet if you surveyed your users, you would find that a large majority of your current paying 1password family subscribers (i.e., the early adopters), are 1) a highly technical, security conscious person who was already using 1password and 2) who has upgraded to 1password for families in an attempt to get their family members to also improve their own security. These are the users you WANT to be advocating your software. However, as it stands, they are required to take a downgrade in their own security, in order to adopt this new cloud model.

    I think you've hit the nail on the head. Thanks for this. 1Password wouldn't be what it is today without the support of awesome users such as yourself. I am advocating for some improvements here, so that we can all put our personal data in family accounts without the risk that it could ever be deleted by someone else.

    It is true that previously, using vault sharing via dropbox, a family member could delete my data by deleting the shared vault file. However, the only vault they could delete was the SHARED vault. They could never delete my personal vault. Now, with 1password for families, my PERSONAL vault is at risk of deletion, unlike before.

    I will be honest and say I didn't think this through for my wife and I quite as thoroughly as it has been discussed in this thread, but it is clear that my instinct to keep our personal data out of the family account did have a logical basis.

    ref: B5-1390

  • khad Social Choreographer

    Team Member
    edited April 2016

    I actually created a 2nd Organizer named Root Admin to handle my recovery, just in case since I didn't trust my wife (to remember her password).

    That's a very innovative solution, @rr0ss0rr! :)

    The Organizer (or Family Manager) should not be allowed to add themselves to a shared vault if they were not invited.

    I think this is a separate issue, but it is also an important one. I'm on your side with this one as well. I hope we can improve things in this area as well.

    ref: B5-1468

  • I'd just like to chime in and say I'd like to see some safeguard against my data ever being deleted as well, especially since I pay the bill. Even if it's something like 30 days until it gets deleted, that is plenty of time to back up the data and fix the situation. The user gets an email notifying them they have been removed, and that gives time to back up the data and move on.

    I understand the need for "trust" within Families, but there are several levels of trust here. I may trust someone to start a recovery process for me, but not trust them with permission to delete my data. You may trust your spouse, and I wish you the best, but let's not pretend relationships have never ended in a big fight or that people have never done anything they regret while drunk. To steal AgileBits' own favorite phrase, I prefer for things to be secure by design, and not rely on trust.

    I could see the argument in Teams for immediately removing access, but any good IT team will assume you memorized the passwords and remove your accounts from everywhere it matters. So allowing a person to have access to their personal vault in a read-only mode for a bit longer shouldn't be a security risk.
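The safeguards proposed in this thread (an organizer may only delete accounts it created and the root organizer can never be deleted, as natehouk suggests above, plus a cool-down window during which a removed member's data stays readable, a notification is sent, and an organizer can restore the account, as BrianE suggests) can be sketched as a small policy model. This is an added example written for this page, not 1Password's code or design: the `Family` class, the `NotAllowed` error, the 30-day `RETENTION` value and the family members in `worked_example()` are all assumed or constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed cool-down before a deletion becomes permanent (30 days is the figure floated in the thread).
RETENTION = timedelta(days=30)
EPOCH = datetime(2016, 4, 1)  # constructed reference date for the scenario


def day(n: int) -> datetime:
    """Constructed timestamp n days after EPOCH, so the scenario is easy to follow."""
    return EPOCH + timedelta(days=n)


class NotAllowed(Exception):
    """Raised when an actor attempts an action the policy forbids."""


@dataclass
class Member:
    name: str
    created_by: Optional[str]            # None marks the root organizer
    organizer: bool = False
    deleted_at: Optional[datetime] = None


class Family:
    """Toy family account: organizers can invite, but deletion is ownership-bound and soft."""

    def __init__(self, root: str) -> None:
        self.members = {root: Member(root, created_by=None, organizer=True)}
        self.notifications = []          # (recipient, message) pairs standing in for e-mail

    def _active_organizer(self, actor: str) -> Member:
        m = self.members.get(actor)
        if m is None or m.deleted_at is not None or not m.organizer:
            raise NotAllowed(f"{actor} is not an active organizer")
        return m

    def invite(self, actor: str, name: str, organizer: bool = False) -> None:
        self._active_organizer(actor)
        if name in self.members:
            raise ValueError(f"{name} already exists")
        # Record who created the account: this is what later deletion rights hinge on.
        self.members[name] = Member(name, created_by=actor, organizer=organizer)

    def delete(self, actor: str, target: str, now: datetime) -> None:
        self._active_organizer(actor)
        m = self.members[target]
        if m.created_by is None:
            raise NotAllowed("the root organizer can never be deleted")
        if actor != target and m.created_by != actor:
            raise NotAllowed("organizers may only delete accounts they created")
        if m.deleted_at is not None:
            raise ValueError(f"{target} is already deleted")
        m.deleted_at = now                # soft delete: data is kept until the window elapses
        purge_on = (now + RETENTION).date()
        self.notifications.append((target, f"removed from family; data purged on {purge_on} unless restored"))

    def try_delete(self, actor: str, target: str, now: datetime) -> bool:
        """Convenience wrapper: True if the policy allowed the deletion, False if it refused."""
        try:
            self.delete(actor, target, now)
            return True
        except NotAllowed:
            return False

    def restore(self, actor: str, target: str, now: datetime) -> None:
        self._active_organizer(actor)
        m = self.members[target]
        if m.deleted_at is None:
            raise ValueError(f"{target} is not deleted")
        if now - m.deleted_at > RETENTION:
            raise NotAllowed("retention window elapsed; data has been purged")
        m.deleted_at = None

    def can_read(self, name: str, now: datetime) -> bool:
        """A removed member keeps read-only access during the cool-down so they can back up."""
        m = self.members.get(name)
        if m is None:
            return False
        return m.deleted_at is None or now - m.deleted_at <= RETENTION

    def can_write(self, name: str, now: datetime) -> bool:
        m = self.members.get(name)
        return m is not None and m.deleted_at is None

    def purge(self, now: datetime) -> list:
        """Permanently remove members whose cool-down has elapsed; returns their names."""
        expired = [n for n, m in self.members.items()
                   if m.deleted_at is not None and now - m.deleted_at > RETENTION]
        for n in expired:
            del self.members[n]
        return expired


def worked_example() -> dict:
    """Constructed scenario: root organizer, second organizer for recovery, two members."""
    fam = Family("nate")
    fam.invite("nate", "gf", organizer=True)   # second organizer, added for password recovery
    fam.invite("nate", "brother")              # created by the root
    fam.invite("gf", "kid")                    # created by the second organizer
    out = {}
    out["gf_can_delete_root"] = fam.try_delete("gf", "nate", day(0))        # refused: root
    out["gf_can_delete_brother"] = fam.try_delete("gf", "brother", day(0))  # refused: not hers
    out["gf_can_delete_kid"] = fam.try_delete("gf", "kid", day(0))          # allowed: she created it
    out["kid_reads_during_cooldown"] = fam.can_read("kid", day(5))
    out["kid_writes_during_cooldown"] = fam.can_write("kid", day(5))
    fam.restore("nate", "kid", day(10))        # root reverses the mistake inside the window
    out["kid_active_after_restore"] = fam.can_write("kid", day(10))
    fam.delete("gf", "kid", day(20))
    out["purged_at_day_40"] = fam.purge(day(40))   # only 20 days in: nothing purged
    out["purged_at_day_60"] = fam.purge(day(60))   # window elapsed: kid purged
    out["notifications"] = len(fam.notifications)
    return out


if __name__ == "__main__":
    for k, v in worked_example().items():
        print(f"{k}: {v}")
```

The point the model makes concrete is the one khad raises below: availability is part of security, so the question is not whether the co-organizer is trusted but how much damage a compromised or mistaken co-organizer can do. With creation-based deletion rights the second organizer can still recover the root's password (a separate workflow not modelled here) but cannot remove accounts she did not create, and the soft-delete window turns any remaining deletion into a recoverable event rather than an irreversible one.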

  • Ben AWS Team

    Team Member

    @BrianE,

    Thanks for the vote!

    Ben

  • I really like what you wrote, @natehouk @rr0ss0rr

    Personally I don't think an account should be allowed to be deleted period. I think Suspended is good enough. A suspended account should not count towards the subscription member/guest allotment.

    You could then have, for those suspended users trying to log in to their account on the web, an interface to contact an organizer to un-suspend or transition their account into their own family/team that would have their Personal Vault and additional vaults they originally created.

    As far as organizers... An organizer shouldn't be able to be suspended or deleted. I think they should be demoted to a normal user first.

    I think with that model, whenever kids grow up, divorces happen, or whatever the reason, they have the ability to leave the family and transition their account to their own family/team account.

    I think something on those lines will prevent deleted data that is tied to their account (email/username) and can easily carry on.

    Just a thought.

  • Ben AWS Team

    Team Member

    Thanks for the feedback, @mdmangus! We do have an open issue to consider separating 1Password accounts from any particular 1Password Team or 1Password Family. The proposal is to have it be such that an account could be associated with multiple (or no) Teams and/or Families.

    It is only in the brainstorming phase at this point, so I can't make any promises about what direction we might go with it, but it is being discussed. :)

    Ben

    ref: B5-1376

  • I actually created a 2nd Organizer named Root Admin to handle my recovery, just in case since I didn't trust my wife (to remember her password).

    @rr0ss0rr

    Can you elaborate on your thought process here and how this would work? Isn't it fair to say that if you forget your master password to your main account, you probably also have forgotten your master password to the "Root Admin" account?

This discussion has been closed.