1Password's Insights tool to help admins monitor users' security practices

Find the clown who chose 'password' as a password and make things right

1Password, the Toronto-based maker of the identically named password manager, is adding a security analysis and advice tool called Insights from 1Password to its business-oriented product.

Available to 1Password Business customers, Insights takes the form of a menu addition to the right-hand column of the application window. Clicking on the "Insights" option presents a dashboard for checking on data breaches, password health, and team usage of 1Password throughout an organization.

"We designed Insights from 1Password to give IT and security admins broader visibility into potential security risks so businesses improve their understanding of the threats posed by employee behavior, and have clear steps to mitigate those issues," said Jeff Shiner, CEO of 1Password, in a statement.

1Password has positioned its tool as a defense against "Shadow IT" – IT systems used without administrative approval or in contravention of policies – and weak passwords.

Shadow IT has been a subject of concern for years and has taken on a new dimension with the rise in remote working. 1Password, citing its own State of Access report "The Burnout Breach," claims that 20 percent of burned-out workers feel their companies' security policies "aren't worth the hassle" and almost half (48 percent) of burned-out workers use unapproved software.

The October 2021 survey of 2,500 North American adults who work full time, primarily at a computer, doesn't define criteria for being "burned out." Rather it's a self-designated category in which 84 percent of security professionals and 80 percent of office workers place themselves.

Insights was created to give IT admins a way to address the "can't be bothered about security" attitude that shows up in the 1Password survey. This is not to be confused with the "can't be bothered to invest in security" attitude evident at many companies.

The breach check capability identifies team members whose email addresses or passwords have surfaced in known breaches. This works for employees whether or not they're using 1Password and includes a way to alert employees to breaches with a single click.

The password health review finds those who insist on using weak passwords or somehow just don't know any better. This is similar to the Watchtower report available to users of the standard version of 1Password.

And the team usage section tells admins which employees have not logged into 1Password or a Private Vault lately – which conceivably could be a sign of people using unapproved IT services instead.
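As an added illustration of the three checks just described (not 1Password's code; a constructed data model in which the auditing side sees only each saved password's hash and length is an assumption), here is a small audit over a constructed team export that flags breach exposure, weak or reused passwords, and members who have not signed in lately:

```python
import hashlib
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Constructed sample data for an added example: not 1Password's data model or code.
def sha1(s: str) -> str:
    return hashlib.sha1(s.encode()).hexdigest()

@dataclass
class Item:           # one saved login; only a hash and length reach the auditor (assumption)
    site: str
    pw_hash: str
    pw_len: int

@dataclass
class Member:
    email: str
    last_login: date
    items: list

TODAY = date(2022, 6, 30)
BREACHED_EMAILS = {"alice@example.com"}                # constructed breach corpus
BREACHED_HASHES = {sha1("password"), sha1("123456")}   # constructed leaked-password hashes

def make_item(site: str, pw: str) -> Item:  # helper for building the sample vault
    return Item(site, sha1(pw), len(pw))

TEAM = [
    Member("alice@example.com", date(2022, 6, 28),
           [make_item("mail", "password"), make_item("crm", "Tq7!vR2m#pL9wXe4")]),
    Member("bob@example.com", date(2022, 6, 29),
           [make_item("mail", "Sunflower2022!!"), make_item("wiki", "Sunflower2022!!")]),
    Member("carol@example.com", date(2022, 4, 1), []),   # no vault items at all
]

def breach_exposure(team):
    """Members whose email or any saved password appears in the breach corpus."""
    return sorted(m.email for m in team
                  if m.email in BREACHED_EMAILS
                  or any(i.pw_hash in BREACHED_HASHES for i in m.items))

def password_health(team, min_len=12):
    """Per member: weak items (short or leaked) and reused items (same hash twice)."""
    report = {}
    for m in team:
        counts = Counter(i.pw_hash for i in m.items)
        weak = [i.site for i in m.items if i.pw_len < min_len or i.pw_hash in BREACHED_HASHES]
        reused = [i.site for i in m.items if counts[i.pw_hash] > 1]
        if weak or reused:
            report[m.email] = {"weak": weak, "reused": reused}
    return report

def inactive_members(team, days=30):
    """Members with no sign-in for more than `days` days: a possible shadow-IT signal."""
    return sorted(m.email for m in team if (TODAY - m.last_login).days > days)
```

The breach check flags a member on the email alone, so it catches people who keep nothing in the vault, matching the article's point that it works whether or not employees use 1Password.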

Password managers are widely recommended by security professionals to counterbalance the generally poor password practices most people have, not to mention the difficulty of managing unique passwords for every internet service login – you're not reusing passwords, are you?

But password managers have security issues of their own, so using one doesn't absolve you of the need to be vigilant. 1Password at least audits its software. Bitwarden is also well regarded.

In any event, the capabilities of Insights could prove useful to IT admins, though they may turn out to be short-term fixes if the push to get rid of passwords continues to accelerate.

The death of the password was foretold by Microsoft chairman Bill Gates in 2004. Though the password has lingered longer than expected, there's now a viable alternative.

In May, Apple, Google, and Microsoft joined together "to expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium." 1Password joined as well this month.

Then earlier this month, at its Worldwide Developer Conference, Apple followed up on its password-eradication plan with word of Passkeys, a passwordless login mechanism built on the public-key cryptography standard called Web Authentication or, for vowel-minimalists, WebAuthn.

You may have 1Password now, but some day, in theory, you won't have any. ®

Biting the hand that feeds IT © 1998–2022