'General use' computers and 1Password for Teams

Sebby
edited April 2017 in Business and Teams

I realise this probably isn't how 1Password for Teams is intended to be used, but I'm wondering if anyone has any thoughts on the best practice here.

We have staff with dedicated machines and for all of these users they have their own team login. But we are also a shop and most of the computers are general use, with a single Windows login (and let's just say for argument's sake that they have to stay this way).

The staff that access these machines all have a requirement for one vault of passwords, and no requirement to store their own passwords.

Would it work to have a general team user created with access only to the particular vault housing these logins?


Comments

  • brenty

    Team Member

    > I realise this probably isn't how 1Password for Teams is intended to be used, but I'm wondering if anyone has any thoughts on the best practice here. We have staff with dedicated machines and for all of these users they have their own team login. But we are also a shop and most of the computers are general use, with a single Windows login (and let's just say for argument's sake that they have to stay this way).

    @Sebby: Please don't take offense, but I do need to mention this for everyone who might come upon this discussion: sharing user accounts in an OS is not recommended, as it can result in one person's insecure behaviour affecting all of the others who share the account.

    > The staff that access these machines all have a requirement for one vault of passwords, and no requirement to store their own passwords. Would it work to have a general team user created with access only to the particular vault housing these logins?

    That said, for the sake of argument, that could work. But I'd also take into account what I mentioned above when deciding what exactly to give that account:

    • Limit vault access
    • Restrict permissions to make changes, both of the data and also for the team as a whole
    • Store less sensitive data, and don't share logins that could be used to escalate an attack (email, for example)

    But I think that all of this may really be unnecessary. If we remove the criteria that everyone needs to use the same user account, it opens up a lot of other options. Sure, you may not want to pay for separate accounts for all of these people, and frankly, they may not need the full privileges of regular team members anyway (no Personal/Private vaults, as you mentioned). And we've built the Guests feature into 1Password Teams for this very reason: some folks don't need to be full members:

    Share passwords and other items with guests

    Each 1Password Team includes some number of Guests based on the plan (at least 5, for the Standard plan), and these accounts have their own Master Password and Secret Key, but only have access to a single vault you share with them. So depending on your needs, this might be a good fit, allowing you to have some limited users without having to sacrifice security at the OS level or within your 1Password Team.

    I hope this helps. Be sure to let me know if you have any other questions! :)

  • Hi @brenty

    No offence taken at all. Without going into too much detail, if I told you how these passwords are shared at the moment, you'd probably feel a lot happier. :)

    Truthfully the money doesn't really come into it, it's just that it's over-complicating things I think. The guests feature looks like it might just do the trick; thank you! So are you suggesting just one guest account to be used as the general use one?

  • Ben AWS Team

    Team Member

    > No offence taken at all. Without going into too much detail, if I told you how these passwords are shared at the moment, you'd probably feel a lot happier.

    Heh, fair enough. ;)

    > So are you suggesting just one guest account to be used as the general use one?

    Exactly. If you're going to go this route, a guest account would accomplish your goal of this shared user having only one vault. Just be aware with this setup that if the guest account will have R/W access to the vault in question there will be no way of knowing which individual made changes.

    Thanks.

    Ben

  • brenty

    Team Member

    @Sebby: When I mentioned Guests I actually had in mind each person having a separate user account on the computer and a Guest account in your 1Password Team. I think it's important to limit exposure (OS level) and access (team level) to mitigate threats.

    That said, it's totally your call. You'll have a better sense of the risks in your organization, after all. I'm just thinking in general terms of an ideal security setup...but of course we don't operate in an ideal environment, so take the tools and make the best use of them you can depending on your needs. Cheers! :)

This discussion has been closed.