A few years back, AgileBits decided to change the business model for 1Password from a standalone, one-time purchase to a subscription service at 1Password.com.
With 1Password.com, AgileBits took over syncing of our vaults, gave us a web interface, and with the subscription service they’ve been able to build in more enhancements than ever before. I don’t want to go through all the angst about subscription fatigue, but rather I want to talk about how great 1Password.com is and how it saved a good friend of ours.
In order to tell the story properly, I have to throw our friend Sydney completely under the bus. He gave me his permission to do this because the story is pretty interesting.
A few years ago, Sydney and Myrna expressed an interest in learning about how to secure their passwords. On a visit to see them, I sat down with Sydney and gave him the basic lesson on 1Password, but we didn’t get a chance to really dig in and start working on his passwords. A few weeks later Myrna contacted me and we did a screenshare where I was able to remotely teach her how to use it.
We set up a family share account for the two of them at 1Password.com with Myrna as the administrator since she seemed a bit more into it than Sydney. As the admin Myrna on 1Password.com, Myrna can do things like reset passwords for those in her shared family and do other things to help the family members use the tool.
Fast forward to last week. Sydney and Myrna built a gorgeous house in the mountains so we went out to visit them. Between hiking, eating, drinking, playing with our dogs, and learning to play Canasta, we did find some down time to geek out. Sydney asked me if I’d help him finally get in gear on 1Password. Of course I was delighted that he wanted to do it and I was glad to help.
Sydney hadn’t been into his vault in a long time, so he fetched his paper copy of what AgileBits calls the 1Password Emergency Kit. Members are issued one of these when they create their initial log in. You get a very long secret key on this page, and a QR code to scan instead of typing it in. There’s also a place to record your Master Password. You don’t need this crazy secret key very often — pretty much just the first time you log in on a new device.
Armed with his Emergency Kit, Sydney had his Master Password and we were able to get to work. Resetting passwords on websites is really annoying and some sites are more annoying than others. Sadly the first one we worked on was a total mess. It was hard to find the right page to reset it, it seemed to forget the password we created with 1Password and it probably took us over an hour. We were tired after that and decided to wait till the next day to fix another password.
That night happened to be a Sunday so Steve and I were going to be broadcasting the live NosillaCast from their house. Sydney graciously allowed me to use his home office from which to broadcast, which has a lovely view of the mountains. Steve was relegated to the guest room … which also has a lovely view of the mountains.
When it came time to do the live show, I decided that instead of having my Logitech C920 webcam pointing at me, it might be more fun for the audience to get to look at the view. I turned the camera on and mounted it facing out the window.
Sydney has been in the live show before, but not in a long time. Steve got him set up with a Discord login (at podfeet.com/chat) and he went to town playing with the other live show listeners.
Part of the fun of the live show is how we have a bunch of silly rituals. Kevin is Steve’s self-appointed wingman. He takes his duties very seriously. His main job is to protest whenever I give Steve a hard time for something (like forgetting to mute himself). But his other job is to remind me to save. I’m pretty sure he has a TextExpander snippet for it, because he always says, “SAVE and add chapter marker Podfeet because Steve commands it!”
I’m pretty good about noticing his messages but sometimes I get on a roll and I forget to save or make chapter markers. And that’s exactly what happened when we were at Sydney and Myrna’s house. The whole chat room was hollering at me to save and I was missing it.
So Sydney figured out a great way to get my attention. He grabbed a piece of paper and scrawled SAVE on it in giant letters. He ran outside and slapped the paper against the glass so I could see it out the window. It was hilarious!
Well, hilarious until Steve and Kaylee and others noticed something awful. The paper he had chosen on which to write SAVE, was his 1Password Emergency Kit! To be fair, he wrote on the back of the paper, so the secret info was facing him, not us and the paper looked opaque. But for me, with the sun shining through the window, I could see right through the paper, and read all of the secret information. And if I could see it, that meant the camera could see it, which meant YouTube Live could see it which means the Internet could see it!
Yep – his secret key, the QR code and his Master Password were now on the Internet. Quite quickly Steve announced to the live audience that we would be shutting down the live stream and he quickly deleted the stored video from YouTube. But as we all know, nothing is ever truly deleted from the Internet, right?
While we all had great fun at Sydney’s expense, and he was a great sport about the kidding he received, we had some work to do. Here’s where the awesomeness of 1Password.com comes into play.
After I was done recording, Myrna logged into their 1Password family account at 1Password.com. Since she’s the admin, she was able to go to the People section, click on Sydney and then on his page, click the 3 dots next to More Actions and choose Delete User. It was interesting to watch how quickly and decisively she did that! We took this sledge hammer approach for a couple of reasons.
She could have simply reset his Master Password, but I wasn’t certain whether it would generate a new Secret Key. Since both were compromised, we had to burn the house down.
Had Sydney created more than one login on his 1Password account, we could have shared his vault to her, and then destroyed his account, but as it was the only login he had created was already in a shared vault.
The really cool part of the 1Password experience was on Sydney’s side. He had 1Password open on his Mac and was looking at his vaults when Myrna hit the Delete button on her side. Instantly the 1Password screen sort of collapsed in on itself and vaporized! It was crazy cool.
After she was doing nuking him, Myrna was able to make a new person for Sydney. He was able to follow the invite link that came to his email and set up his new account. 1Password issued him a new Secret Key (we double checked) and he went over to Bart’s awesome xkpasswd.net tool to create his new long, secure and yet memorable Master Password. He recorded the new password and then Myrna took custody of the paper for safe keeping.
I’d like to say it all went as easily as this but there were a few interesting hiccups to the story, and the solutions may be of service to others.
When Sydney went into 1Password with his shiny new password and secret key, we saw his shared vault with Myrna. But I noticed the interface in 1Password looked different from mine. I realized that he was running 1Password 6, not the new, shiny 1Password 7. With version 7 you get some huge enhancements.
In the older version if you have a login you want to move from one vault to another, say to share with a family member, you have to right click on it, drill down through a bunch of menus and then choose Move or Copy. With 1Password 7 you can simply drag and drop between vaults. I love this feature.
The other big deal is that AgileBits has integrated the Have I Been Pwned tool into 1Password 7. Troy Hunt created this web-based tool at haveibeenpwned.com. He crawls all of the hacked databases and will tell you if your email or password is in any of them, telling you if you’ve been pwned.
Even if you’ve been using a password manager for a long time and practicing good hygiene with long, complex passwords, you can’t guarantee that the sites you visit will keep good care of your data. With HaveIBeenPwned built into 1Password 7, you can always see what work you need to do to stay safe.
These two things, drag and drop and integration of HaveIBeenPwned made me want Sydney to upgrade to 1Password 7 right away. They were entitled to 1Password because they were subscribed to 1Password.com.
When I upgraded him to 1Password 7, things got weird. Remember that he could log into 1Password 6 with his new password. But when we installed 1Password 7, he could not log in on his Mac. However he could log in with that password on his iPhone. If I had not been sitting right next to him, and sometimes typing it myself, I would never have believed that it wasn’t user error. I tried uninstalling 1Password 7, installing from both the AgileBits website and then the Mac App Store. For the life of me I couldn’t figure out how to get him into his account.
We shot off an email to support at AgileBits and in very short order our little friend Gareth wrote back. He explained it like this:
Your Mac app is currently pointed to your previous vault and locked with your previous Master Password. We’ll need to reset it so that we can attach it to your new vault. The option to reset all the 1Password data is pretty well hidden, mainly because we don’t want people doing it by accident, but it’s super quick and easy to do once you know where it is.
He gave us the link to the support article explaining the process. The basic idea is you choose Help > Troubleshooting > Reset All 1Password Data and follow the onscreen instructions.
Well this suggestion was dandy – we were finally able to log Sydney into 1Password 7. But oddly, he had no vaults when he got in! After a few more exchanges, Gareth suggested Sydney delete the 1Password that I’d downloaded from the Mac App Store, and install the version from their website. Finally, Sydney could log in, and more importantly, he could see his vaults.
The upgrade process wasn’t as smooth as I would have hoped, but I do think that the continued revenue stream of the subscription model allows AgileBits to pay Gareth’s salary so that he was there to help us. He responded very quickly, was super knowledgeable and fixed all of the problems we were having.
As I mentioned, the new subscription model gives us access to Have I Been Pwned, and immediately after Sydney enabled it on his account, he discovered that his password on Amazon had been compromised. Without any assistance from me, he had 1Password create a long, complex password for him, changed it on Amazon, and while he was there turned on two-factor authentication! I was so proud of him.
The bottom line is that 1Password’s family account available through their subscription service is well worth the money. If you’re going to spend money on any subscription, the safety of all of your passwords seems like a good place to spend it.
As Sydney said when we were all done, “I stay patched, and stay secure.”
This was a great story! Thank you for sharing.
Looks like we have some improvements we need to do on the Mac side when resetting accounts. We’ll look into that but just so you know, there is an option on 1Password.com to generate a new Secret Key as well as changing your Master Password. Hopefully this doesn’t happen again, but if it does, changing your Secret Key and Master Password this way will give you a much smoother experience.
By the way, I’m a huge huge huge fan of Bolivia! It’s very similar to Canasta but has some additional rules that make for a really fun game.
Cheers!
++Dave Teare
1Password Founder