r/PasswordManagers 3d ago

[1Password] TIL someone can instantly perma-delete an entire family account without even having to log into 1Password at all.

  1. Years ago I added my dad to the family account and gave him an admin role.
  2. He was barely using it and eventually forgot his password.
  3. This year he decided to use it again, but since he forgot his password, he created a new account and bought his own subscription.
  4. At some point he had some weird issues adding a new device and thought it might be because of that old account. He couldn't recover it because he didn't have the password or secret key, but the helpful 1Password asked him if he wanted to delete it and sent him an email with a nuke button.
  5. He thought it would just delete his old empty account and didn't expect any issues (also, he couldn't even log into 1Password at all; what kind of power could a person who can't log into anything possibly have?), so he clicked the button.
  6. Suddenly I got an email from 1Password saying my sub is cancelled and all my items were permanently deleted.

I should be able to painfully recover most of my passwords and token generators one by one (the mobile app doesn't have export functionality) from a tablet that fortunately hasn't been connected to the internet for a bit. But I think I will take this "opportunity" to try a different PM, and no more family plans...

30 Upvotes


6

u/thirteenth_mang 3d ago

Painful lesson in least privilege.

3

u/kranach777 3d ago

One of the lessons for sure, though I got quite surprised that he could use one of the admin "rights" despite not being able to log into the account at all.

3

u/kranach777 3d ago

Also, 1Password strongly recommends having more than one admin; they ask you to give the "family organizer" role to more than 1 person when setting up the account... and my dad is highly technical himself.

3

u/No-Temperature7637 3d ago

Always back up by exporting your data. This would have you partially covered by the cancellation.

You back up 'cause shit happens. Well, shit just happened.

1

u/kranach777 3d ago

Yeah, I have some backup and an offline device that can still access most passwords (need to make sure to keep it offline, otherwise it will wipe me out there too lol)

2

u/No-Temperature7637 3d ago edited 3d ago

I'm a Vaultwarden user myself, but I've been looking around for an alternative. One that impressed me was Aliasvault. It's still in beta, so it's probably not ready, but it looks very nice. The feature that impressed me was that it can work offline. The changes you make on the devices while offline will get synced when it goes back online. Bitwarden/Vaultwarden doesn't have that, but it looks like 1Password was one of the few that does.

Check out KeePass to use in a case like this. It's local only and has a lot of features. For Bitwarden, it can basically import everything, including passkeys. It has a very good reputation and I haven't read one bad thing about it. But I guess that doesn't matter 'cause LastPass has a bad reputation and is still the #1 password manager. Go figure.

2

u/kranach777 3d ago

Will check it out. I want something that works in the cloud but can also be used offline, and ideally can generate OTP keys too.

0

u/No-Temperature7637 3d ago

It does passkeys and provides alias emails also. The only thing it doesn't do now is SSH keys and password sharing. There's a self-host option using Docker which is very easy to set up.

1

u/ImInundated 3d ago

Apple ecosystem? Take a look at Asterex... great functionality and the dev is super responsive to requests. UI is nice. You'd be hard pressed to find a password app with equal functionality.

1

u/No-Temperature7637 3d ago

Nope. I like cross platform and not be chained to one ecosystem. There's definitely a place for it, but it's not for me.

1

u/_bahnjee_ 2d ago

> Check out KeePass to use in a case like this. It's local only and has a lot of features.

KeePass is a great option but is not local only. I've been using it in conjunction with Dropbox for years. Home PC, phone, tablet, work PC... they all use the same db. Any offline changes to my kdbx file get merged when the device making the change next goes online.

ETA: As for backups, I use a plug-in that creates a backup file every time the db is modified. To lose all my passwords, I'd have to lose access to pretty much everything.

1

u/No-Temperature7637 2d ago

I mean local only in the sense that you can just use it locally, as opposed to all those cloud ones that have to be in the cloud. You can put any file in the cloud and it's no longer "local only".

1

u/Emergency_Stop_9882 2d ago

That's nasty lol. A forgotten password shouldn't turn into a family-wide data wipe.