1Password's Insights tool to help admins monitor users' security practices

Find the clown who chose 'password' as a password and make things right


1Password, the Toronto-based maker of the identically named password manager, is adding a security analysis and advice tool called Insights from 1Password to its business-oriented product.

Available to 1Password Business customers, Insights takes the form of a menu addition to the right-hand column of the application window. Clicking on the "Insights" option presents a dashboard for checking on data breaches, password health, and team usage of 1Password throughout an organization.

"We designed Insights from 1Password to give IT and security admins broader visibility into potential security risks so businesses improve their understanding of the threats posed by employee behavior, and have clear steps to mitigate those issues," said Jeff Shiner, CEO of 1Password, in a statement.

1Password has positioned its tool as a defense against "Shadow IT" – IT systems used without administrative approval or in contravention of policies – and weak passwords.

Shadow IT has been a subject of concern for years and has taken on a new dimension with the rise in remote working. 1Password, citing its own State of Access report "The Burnout Breach," claims that 20 percent of burned-out workers feel their companies' security policies "aren't worth the hassle" and almost half (48 percent) of burned-out workers use unapproved software.

The October 2021 survey of 2,500 North American adults who work full time, primarily at a computer, doesn't define criteria for being "burned out." Rather it's a self-designated category in which 84 percent of security professionals and 80 percent of office workers place themselves.

Insights was created to give IT admins a way to address the "can't be bothered about security" attitude that shows up in the 1Password survey. This is not to be confused with the "can't be bothered to invest in security" attitude evident at many companies.

The breach check capability identifies team members whose email addresses or passwords have surfaced in known breaches. This works for employees whether or not they're using 1Password and includes a way to alert employees to breaches with a single click.

The password health review finds those who insist on using weak passwords or somehow just don't know any better. This is similar to the Watchtower report available to users of the standard version of 1Password.

And the team usage section tells admins which employees have not logged into 1Password or a Private Vault lately – which conceivably could be a sign of people using unapproved IT services instead.

Password managers are widely recommended by security professionals to counterbalance the generally poor password practices most people have, not to mention the difficulty of managing unique passwords for every internet service login – you're not reusing passwords, are you?

But password managers have security issues, so using one doesn't absolve you of the need to be vigilant. 1Password at least audits its software. BitWarden is also well regarded.

In any event, the capabilities of Insights could prove useful to IT admins, though these may prove to be short term fixes if the push to get rid of passwords continues to accelerate.

The death of the password was foretold by Microsoft chairman Bill Gates in 2004. Though the password has lingered longer than expected, there's now a viable alternative.

In May, Apple, Google, and Microsoft joined together "to expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium." 1Password joined as well this month.

Then earlier this month, at its Worldwide Developer Conference, Apple followed up on its password-eradication plan with word of Passkeys, a passwordless login mechanism based on a public key cryptography-based standard called Web Authentication or, for vowel-minimalists, WebAuthn.

You may have 1Password now, but some day, in theory, you won't have any. ®


Other stories you might like

  • More than $100m in cryptocurrency stolen from blockchain biz
    'A humbling and unfortunate reminder' that monsters lurk under bridges

    Blockchain venture Harmony offers bridge services for transferring crypto coins across different blockchains, but something has gone badly wrong.

    The Horizon Ethereum Bridge, one of the firm's ostensibly secure bridges, was compromised on Thursday, resulting in the loss of 85,867 ETH tokens optimistically worth more than $100 million, the organization said via Twitter.

    "Our secure bridges offer cross-chain transfers with Ethereum, Binance and three other chains," the cryptocurrency entity explained on its website. Not so, it seems.

    Continue reading
  • Mega's unbreakable encryption proves to be anything but
    Boffins devise five attacks to expose private files

    Mega, the New Zealand-based file-sharing biz co-founded a decade ago by Kim Dotcom, promotes its "privacy by design" and user-controlled encryption keys to claim that data stored on Mega's servers can only be accessed by customers, even if its main system is taken over by law enforcement or others.

    The design of the service, however, falls short of that promise thanks to poorly implemented encryption. Cryptography experts at ETH Zurich in Switzerland on Tuesday published a paper describing five possible attacks that can compromise the confidentiality of users' files.

    The paper [PDF], titled "Mega: Malleable Encryption Goes Awry," by ETH cryptography researchers Matilda Backendal and Miro Haller, and computer science professor Kenneth Paterson, identifies "significant shortcomings in Mega’s cryptographic architecture" that allow Mega, or those able to mount a TLS MITM attack on Mega's client software, to access user files.

    Continue reading
  • Password recovery from beyond the grave
    Does your disaster recovery plan include a mysterious missive at a funeral?

    On Call Every disaster recovery plan needs to contain the "hit by a bus" scenario. But have you ever retrieved a password from beyond the grave? One Register reader has. Welcome to On Call.

    Today's tale, told by a reader Regomized as "Mark" takes us back some 15 years when he was handling the IT needs for a doctor's office. The job was relatively simple and involved keeping the systems up and running as well as taking the odd call when things went wrong and he wasn't on-site.

    His contact at the practice worked at the reception desk, and Mark would exchange pleasantries with this individual on his way to deal with whatever that day's needs were. This went on for some time until there was a mysterious lull in contact. There was not a peep from the office until, after a few months, the on-call phone rang. It wasn't his usual contact, and Mark was asked if there any chance he could pop by?

    Continue reading

Biting the hand that feeds IT © 1998–2022