Reprinted from TidBITS by permission; reuse governed by Creative Commons
license BY-NC-ND 3.0. TidBITS has offered years of thoughtful commentary
on Apple and Internet topics. For free email subscriptions and access to the
entire TidBITS archive, visit http://www.tidbits.com/


                   1Password 7.9Adds Secure Password Sharing

   Adam Engst

   Five years ago, in '[1]Share Passwords Securely with One-Time Secret'
   (13 June 2016), I wrote about [2]One-Time Secret and [3]d-note, which
   allow you to share a password'or any text'without worrying about it
   being intercepted or revealed in an email breach. This capability is
   essential when you're in a group whose account access credentials need
   to be shared with people whose technical platform you might not even
   know.

   Here's how these password-sharing services work. You enter the password
   in a Web form, click a Generate button, copy the provided URL, and send
   the link to the recipient. When they click the link, the site shows
   them the password and immediately deletes the database entry to ensure
   no one else can ever use that link again. Although this is highly
   unlikely, if the recipient tells you that they couldn't retrieve the
   link, you know someone intercepted your message, and you can change the
   password in question.

   I've taken to using yet another similar service'[4]1ty.me'which until
   recently allowed you to enter your email address and receive a
   notification of when the recipient accessed the password. I have no
   idea why the feature disappeared, but I liked getting the notification
   that the recipient had indeed retrieved the password.

   In that article about One-Time Secret, I wrote:

     The problem I solve with One-Time Secret is infrequent, one-off
     password sharing with people whose technical setup I seldom know. If
     you want to share passwords more regularly, better password managers
     like [5]1Password and [6]LastPass simplify sharing as long as
     everyone uses the same app. In an ideal world, 1Password and
     LastPass would integrate the code from One-Time Secret or d-note
     into future versions to provide ad-hoc password sharing too.

   It has taken a long time, but 1Password 7.9, which AgileBits recently
   released, finally adds [7]secure password sharing, even with people who
   don't use 1Password. The interfaces differ slightly between
   1Password.com, the Mac version of 1Password, and the iOS and iPadOS
   versions, but here are the basics of how to use it.

Share a Password Securely

   AgileBits did a good job of making secure password sharing easy:
    1. Select an item in your 1Password vault (in iOS, tap Categories if
       necessary).
    2. Tap the Share button (iOS) or click the Share button and choose
       Share (macOS and 1Password.com).
    3. Choose when the link should expire, either after a single view
       (like One-Time Secret and the others) or after some span of time. I
       recommend sticking with a single view in nearly all cases to ensure
       that the link stops working after one use'anything else opens it up
       to being seen by multiple people.
    4. Choose whether the link should be available to anyone or only to
       specific people. This tweak is an advancement over the previous
       services since you can specify that the recipient must enter their
       email address and receive a verification code before revealing the
       password. That raises the bar on interception since the attacker
       must also know the intended recipient's address. However, it also
       makes retrieving the password a two-step process for the recipient,
       so you have to weigh the annoyance value against the added
       security.
    5. Tap or click Get Link to Share.
    6. In the next screen, tap or click the Copy button at the bottom,
       which helpfully changes to Copied.
    7. Send the link to the recipient however you like. For higher
       security, don't send it in the same channel as the rest of the
       login information'for instance, send most of the login details in
       email and the password link via an end-to-end encrypted system like
       iMessage. That way, if an attacker does intercept or hack the
       recipient's email before they see the message, the account remains
       secure.

Access a Shared Password

   How you access a shared password depends on whether or not the sender
   restricted it to a specific set of people. If they didn't, just click
   the provided link, tap or click the password field, and copy the
   password, as in the rightmost screen below. It's best to verify that it
   works immediately and add it to your own password manager.

   More interesting is what happens if the sender limited the set of
   recipients. In that case, follow these steps:
    1. Tap or click the provided link to open it in your Web browser.
    2. Enter your email address and click or tap Send Code.
    3. Switch to your email and copy the six-digit code from the message
       you received.
    4. Switch back to your Web browser and enter the code.
    5. 1Password displays the login information, with the password
       concealed; tap or click it to bring up options for Copy and Reveal.
    6. Copy the password and immediately try logging into the account in
       question to verify that it works and so you can save the password
       to your password manager.

   Suppose someone gets hold of a 1Password shared password link but
   doesn't enter the email address of an approved recipient. In that case,
   they'll receive an email message telling them the item wasn't shared
   with that address instead of the verification code.

   The only thing I'd like to see AgileBits add to this system is an
   optional notification that a shared password was retrieved. I found
   that quite reassuring with 1ty.me because it helped me close the loop
   and know that my recipient was moving forward with the login task.

   Otherwise, AgileBits has done an excellent job with this
   password-sharing feature, and it's surprising that LastPass and other
   password managers haven't done something similar.

References

   Visible links
   1. https://tidbits.com/2016/06/13/share-passwords-securely-with-one-time-secret/
   2. https://onetimesecret.com/
   3. https://ae7.st/d/
   4. https://1ty.me/
   5. https://1password.com/
   6. https://www.lastpass.com/
   7. https://blog.1password.com/psst-item-sharing/

   Hidden links:
   8. https://tidbits.com/wp/../uploads/2021/10/1Password-sharing.png
   9. https://tidbits.com/wp/../uploads/2021/10/1Password-sharing-iPhone.jpg
  10. https://tidbits.com/wp/../uploads/2021/10/1Password-accessing-iPhone.jpg

.