Question about sharing password with the team

Hi

I'm new to your tool. I signed up for it as I need to give access to certain online tools to my team and want to keep the passwords to those tools hidden.
I just figured out that in spite of giving my team member the lowest level of authorization (can view items in this vault), she is still able to reveal and copy the password I have given her access to. What is the correct way to set things up in order to avoid that?

I want her to be unable to see the password but that it's filled in directly via the browser extension.

Thanks in advance.

Roberto


1Password Version: Not Provided
Extension Version: 1.14.3
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Lars
    1Password Alumni

    Welcome to the forum, @cavallopazzo83! So, a few words about password sharing and revealing. 1Password Business represents our most detailed level of fine-grained permissions control over which users can access what resources. In any vault or group a user belongs to, you can set the permissions by clicking the gear icon next to their name in the relevant portion of the Admin Console, as shown here:

    The indicated permission is the one you want to set. This will prevent that team member from being able to copy or reveal the password in the 1Password app or extension(s).

    That last bit in italics is important to understand, because it's not really possible to both share a thing with someone and simultaneously NOT share it. What I mean is: the user in question will be able to use 1Password to fill these passwords into the appropriate fields in their browser...and from there, we cannot control what they do with it. There exist tools out there which trivially reveal obfuscated passwords in the browser environment, so if you've allowed someone to USE a given password, you must assume they can also reveal it. It may take more work than just clicking "reveal" in 1Password, and we can prevent them from doing it in our apps...but it is possible. That's just one of the reasons why sharing access to a resource in 1Password is something that should be considered carefully before taking action on it. And also why, when someone leaves, any resources to which they had access should have the passwords changed. Yes, that can be and often IS a significant chore...but it's best practice from a security standpoint, and it's also something 1Password makes much easier to do. Hope that helps! :)

  • cavallopazzo83
    Community Member

    Hi Lars

    Thanks for your quick reply. Ok, I understand what you're saying about the password sharing.

    So if I understand you correctly to achieve what I want I need to untick "View and copy passwords".
    Strangely the options I see there are a lot more limited than yours though.

    Here's what I'm seeing:

    Seems like I'm not even able to untick the Allow viewing permission.
    Do I have to change something in the general settings maybe?

    Thanks

    Roberto

  • @cavallopazzo83

    Advanced permissions are a feature of our 1Password Business level of membership. If you're currently using 1Password Teams or another level you may need to upgrade to get this option. I'd recommend reaching out to our business team at business@1password.com to confirm what you currently have and see what options are available. They'd be in the best position to help with that end of it. :+1:

    You can read more about 1Password Business here:

    About 1Password Business

    And you can read more about how permissions work here:

    How vault permissions are enforced in 1Password accounts

    I hope that helps. Should you have any other questions or concerns, please feel free to ask.

    Ben

  • cavallopazzo83
    Community Member

    Hi Ben

    Ah I see. So just to confirm: I won't be able to remove copying/revealing rights on the teams plan, correct?

    Thanks

    Roberto

  • Correct; it would require the 1Password Business membership level.

    Ben

  • cavallopazzo83
    Community Member

    Ok, thanks. I upgraded to business and successfully changed the user rights as desired.

    Now my employee seems to have another issue though. While the login I want her to have access to shows up in the vault she's a member of, when she uses the browser extension it doesn't show there. She manages to log in to 1Password via your website, but she doesn't get prompted to log into 1Password when she opens the extension. So not sure why that is.

    This is what she sees:

  • Lars
    1Password Alumni
    edited April 2019

    @cavallopazzo83 - has she restarted her computer since you changed the account? If not, give that a shot first.

  • JSav
    Community Member

    Hope it's okay to comment on this. I'm more concerned to annoy by starting a new thread on same topic. I had the same problem as the OP and came here for answers. I'm pretty mad though because the tutorial section for Teams is extremely lacking in detail. So I granted all permissions to my guest, assuming that the entire point of Teams was to HIDE the p/w while sharing. I looked for explicit tutorial and there was none. My guest told me they could view the p/w which also shows the secret naming convention I use. I'm so unhappy about the lack of instruction that should have prevented this that I might not renew this month (after 3 years of being a Teams customer.) Anyway...

    I've since clicked the gear icon to restrict that guest's permissions, but I still don't know what the heck any of these things are! And your screenshot above does not explain what "edit items" explicitly allows. So I'm still feeling vulnerable here which is the exact opposite of what I pay 1Password to do for me. In the short term, I need an answer now about what "edit items" allows someone to do and what happens if I turn it off/on. In the long term, there needs to be a Help Section walk through about each of those settings. Thank you.

  • Ben
    edited May 2019

    Hi @JSav

    Thank you for writing to us with this concern. We truly appreciate that you took the time to do so.

    > Hope it's okay to comment on this. I'm more concerned to annoy by starting a new thread on same topic. I had the same problem as the OP and came here for answers.

    Certainly; no worries. If we get off the subject of the original thread we can always split the conversation into a new one. Likewise if a new thread is started that directly relates to another we can merge them. So don't worry about that. :)

    > I'm pretty mad though because the tutorial section for Teams is extremely lacking in detail. So I granted all permissions to my guest, assuming that the entire point of Teams was to HIDE the p/w while sharing. I looked for explicit tutorial and there was none.

    I'm sorry that we failed to properly set expectations and offer adequate training material here. 1Password really doesn't have much if anything to do with hiding secrets from people they are shared with. That isn't a goal of the offering. That would be an unrealistic goal, anyway. In order to use a secret someone has to have access to that secret. Even if the secret is obfuscated from them (which is the one thing we do offer) if they have any technical savvy they'll be able to discover it. We talk about this a bit in the guide on how permissions are enforced that I linked above:

    > A team member who is determined can easily overcome client-enforced permissions on their own device, so they’re most valuable as simple safeguards for people you already trust. A team member has to act deliberately and intentionally to violate these restrictions. These permissions shouldn’t be relied on to prevent hostile behaviour or enforce trust.

    I won't illustrate here how someone can do that, largely because I'm not sure it is relevant to the current discussion, but it wouldn't be very difficult for someone to determine the contents of a secret that has been shared with them.

    > My guest told me they could view the p/w which also shows the secret naming convention I use.

    If by this you mean that you use some convention to come up with passwords I have to strongly urge you to stop this practice. This would really be not much if any better than using the same password for everything. Computers are incredibly good at pattern recognition, and so complete randomness (along with uniqueness) is what is essential for passwords. That is the primary purpose of 1Password, or any password manager: to enable you to use completely random and unique passwords for each service. Because 1Password remembers these passwords for you it isn't necessary (or advisable) to have a convention that would allow you to come up with the password. The ideal situation is to use the Secure Password Generator in 1Password to generate a long unique password for each site.

    > I'm so unhappy about the lack of instruction that should have prevented this that I might not renew this month (after 3 years of being a Teams customer.) Anyway...

    I am sorry that we've let you down. We do have some instruction on this subject here:

    That said I can see from your post that more could be done in this regard. I'll have a conversation with our documentation team to see how we can improve.

    > I've since clicked the gear icon to restrict that guest's permissions, but I still don't know what the heck any of these things are! And your screenshot above does not explain what "edit items" explicitly allows.

    Edit items allows someone to view all of the details of items, to change those details, to add new items, and to delete items. There is a descriptor below the "Allow Editing" permission that gives a brief explanation of this. It basically gives them the ability to do everything with the exception of affecting other people's access to the vault (which is what "Allow Managing" does).

    > In the long term, there needs to be a Help Section walk through about each of those settings.

    Thank you for the feedback. As mentioned I will speak to our documentation team to see how we might be able to improve in this area.

    Ben

  • JSav
    Community Member

    Thanks for the fast reply, Ben. I turned off editing entirely for them, because now that you've explained, I know that I don't want my guest to make ANY changes. I only want them to be able to use the p/w.

    I do understand that it's not a foolproof thing to share using the app, but for trusted individuals, avoiding them blatantly seeing it helps keep them from memorizing it. Some kind of best-practices tutorial would help. For example, if I'd understood better, I'd have changed my p/w before putting it in a shared vault in the first place. Will definitely change it after revoking access.

    The reason I haven't used the randomized p/w generator is there are too many times when I need to know a p/w outside of places that 1pw works. For example, phone/ipad apps. I know I should probably open the 1pw app each time to copy, but I find that tedious from mobile devices. So I still use a naming convention.

    More tutorials that are really simplified and explain best practices would be great. Especially about the settings choices. Thanks.

  • > Thanks for the fast reply, Ben.

    You're very welcome.

    > For example, phone/ipad apps

    We have a solution for that. :) You can learn about it here:

    Use 1Password to fill and save on your iPhone and iPad

    For the times that doesn't work, yes, copy & paste is probably the way to go. That should be few and far between, mitigating some of the inconvenience. A few apps are still a little "clunky" in this regard, but I can't recall any apps that I use that don't work with Password AutoFill at all.

    > I know that I don't want my guest to make ANY changes. I only want them to be able to use the p/w.

    I would say that seems reasonable, and I'd suggest always defaulting to the lowest level of permissions you think might be acceptable, and then only elevating when the need arises. Giving someone too little access is more easily fixed than giving someone too much access.

    > I do understand that it's not a foolproof thing to share using the app, but for trusted individuals, avoiding them blatantly seeing it helps keep them from memorizing it.

    Again I'd recommend caution here: this can lead to a false sense of security. If you assume that the password hasn't been memorized because the person doesn't have "reveal" permissions it might cause you to not change a password when it really should be changed.

    > So I still use a naming convention.

    I would argue that especially now that convention might not be so secret anymore it is time to reconsider that practice.

    > More tutorials that are really simplified and explain best practices would be great. Especially about the settings choices. Thanks.

    Thank you again for the feedback. :)

    Ben
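
An added example, not part of the original thread and not 1Password's own code: a rotation check that follows the advice in Lars's first reply (change passwords when someone loses access) and Ben's caution above about trusting the "reveal" restriction. The data layout, field names and sample rows are constructed for illustration and do not match any 1Password export.

```python
from datetime import date

# Constructed sample data. Field names are hypothetical, not a 1Password export format.
ITEMS = {
    "analytics-login": {"vault": "Marketing", "password_changed": date(2019, 3, 1)},
    "cms-login": {"vault": "Marketing", "password_changed": date(2019, 5, 20)},
    "bank-portal": {"vault": "Finance", "password_changed": date(2018, 9, 5)},
}

# One row per vault grant; "revoked" is None while access is still active.
GRANTS = [
    {"user": "guest-a", "vault": "Marketing", "can_reveal": False,
     "granted": date(2019, 2, 1), "revoked": date(2019, 5, 10)},
    {"user": "employee-b", "vault": "Marketing", "can_reveal": True,
     "granted": date(2019, 1, 15), "revoked": None},
    {"user": "guest-c", "vault": "Finance", "can_reveal": False,
     "granted": date(2018, 6, 1), "revoked": date(2018, 10, 1)},
]


def items_needing_rotation(items, grants, trust_reveal_flag=False):
    """Map item name -> users who lost access while the current password was in use.

    By default can_reveal is ignored: anyone who could fill a password is
    treated as knowing it. trust_reveal_flag=True shows what gets missed
    when the client-enforced restriction is treated as a security boundary.
    """
    stale = {}
    for name, item in items.items():
        for grant in grants:
            if grant["vault"] != item["vault"] or grant["revoked"] is None:
                continue  # other vault, or access still active
            if trust_reveal_flag and not grant["can_reveal"]:
                continue  # the risky assumption: "could not reveal" == "never knew"
            # Password unchanged since before the revocation date: still exposed.
            if item["password_changed"] <= grant["revoked"]:
                stale.setdefault(name, []).append(grant["user"])
    return stale


if __name__ == "__main__":
    print("rotate:", items_needing_rotation(ITEMS, GRANTS))
    print("if the reveal flag is trusted:", items_needing_rotation(ITEMS, GRANTS, True))
```

With the sample rows, both items flagged for rotation were shared only with users who could not reveal them, so trusting the flag reports nothing to rotate.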

This discussion has been closed.