security tips
48 Topics

Random but Memorable 16.7: What to do if you’ve been hacked
Getting hacked isn’t something anyone likes to think about. But it's possible for even the most tech-savvy and security-conscious person to be duped by an attacker. In this episode, we explain what you should do if the worst ever happens. (Just in case.)

Episode summary
So you’ve been hacked… Now what?! 😬🔐 Glenn Wilkinson, cybersecurity expert and co-founder of Agger Labs, explains what to do if you, someone you love, or your organization gets hacked. From ransomware to compromised email accounts, Glenn shares clear advice on how to respond, recover, and stay calm under pressure. 😌📲 In Crash Course, we break down the meaning of open-source security. Later, in #Ask1Password, we share tips for helping your team actually adopt 1Password Enterprise Password Manager after a rollout.

Got questions, or comments about this episode? Let us know in the thread below!

33 Views, 0 likes, 4 Comments

Enhanced Secret Sharing with "View-Only Access & Direct Launch"
Problem Statement:
Organizations often need to share credentials with third-party vendors, contractors, or internal teams for specific tasks. Current sharing methods in 1Password typically grant full access to the secret, including the ability to view and copy the username and password. This poses a security risk, as it exposes sensitive credentials to individuals who only require access to the service, not the underlying login details. There is a clear need for a feature that allows users to use shared credentials without seeing them.

Proposed Feature Name:
"Direct Launch & View-Only Access" or "Secret Tunneling"

Core Concept:
This feature would enable users to share credentials in a way that allows the recipient to directly launch an application (RDP, SSH, Web App) using those credentials, without ever exposing the username or password. The recipient would essentially be "tunneling" through 1Password to access the target service.

Detailed Feature Proposal:

Sharing Configuration for the Sender:
When a user initiates sharing of an item, a new set of options will be presented:
- Standard Sharing: (Existing functionality) Allows recipient to view and copy all details.
- Direct Launch (View-Only) Sharing: (New Feature)
  - Select Launch Type: The sender will specify the intended use case for the shared secret:
    - Remote Desktop (RDP): For Windows servers.
    - Secure Shell (SSH): For Linux/Unix servers.
    - Website/Web Application: For web-based services.
  - Pre-requisite Notification (Optional): The sender can include a custom message to the recipient, e.g., "Ensure you have an RDP client installed."
  - Usage Limit:
    - Single Use: The link/access expires after the first successful launch.
    - Multiple Uses: The sender can specify a fixed number of launches (e.g., 5 uses).
    - Time-Based Expiration: The sender can set a specific date and time for the access to expire (e.g., "Expires in 24 hours," "Expires on 2024-12-31").
  - Permissions: The core permission for this type of sharing would be "Launch Only". This explicitly denies viewing or copying of the username and password fields. Other fields like notes or URLs (if not used for direct launch) could still be viewable if the sender chooses.
  - Bulk Credential Support: For RDP/SSH, the sharing mechanism should intelligently parse credentials saved in 1Password items that contain:
    - Username
    - Password
    - IP Address/Hostname (for RDP/SSH)
    - (Optional) Port Number (for SSH/RDP if non-standard)
    - (Optional) SSH Key (for SSH, if applicable) - the feature should be able to utilize the key directly without exposing it.

Recipient Experience:
- Notification: The recipient receives a notification within 1Password (or via a secure share link, if outside 1Password Teams/Business) indicating a "Direct Launch" secret has been shared.
- Launch Interface:
  - RDP/SSH: Upon clicking the shared item, 1Password will:
    - Check for Prerequisite: (If configured by sender) Display the prerequisite notification.
    - Prompt for Confirmation: "This will launch a connection to [hostname/IP address]. Do you want to proceed?"
    - Auto-Launch: If confirmed, 1Password will initiate the appropriate client (e.g., mstsc.exe for RDP, ssh command for SSH, or configured third-party tools like mRemoteNG, Termius) with the pre-filled credentials and connection details. The username and password will be passed securely to the client without being displayed to the user.
  - Website/Web Application: Upon clicking the shared item, 1Password will:
    - Open Browser: Launch the default web browser.
    - Auto-Fill (Securely): Navigate to the URL and securely inject the username and password into the login fields. The user will see the login page, but the credentials themselves will not be visible in the browser's form fields or developer tools. This might require a browser extension integration for seamless secure auto-filling without displaying credentials.
- No Copy/View Option: For "Direct Launch" items, the "Copy" and "Reveal" (eye icon) options for username and password fields will be entirely absent or greyed out.
- Usage Tracking (for Sender): The sender will be able to see how many times the shared secret has been launched and its current expiration status within their 1Password sharing history.

Technical Considerations & Implementation Details:
- Secure Credential Handling: The core challenge is securely passing credentials to external applications without exposing them. This would likely involve:
  - Temporary Tokenization: 1Password could generate short-lived, single-use tokens that represent the credentials, which the launching client would then use to authenticate with a secure 1Password backend that in turn authenticates with the target service.
  - Local Process Injection: For RDP/SSH, 1Password could directly inject the credentials into the command-line arguments or standard input of the client process, or use secure APIs if available, without displaying them on the screen or in process memory that is easily accessible.
  - Browser Extension Enhancement: For web applications, the existing 1Password browser extension would need to be enhanced to perform an "invisible" autofill where the credentials are not populated into the HTML input fields in a way that can be inspected, but rather submitted directly.
- Client Compatibility: The feature would need to support common RDP/SSH clients across Windows, macOS, and Linux. This might involve a configurable list of client executables or common command-line patterns.
- Auditing: All "Direct Launch" activities (who launched, what was launched, when) should be fully auditable within 1Password Business/Teams.
- Error Handling: Clear error messages should be provided if a launch fails (e.g., incorrect credentials, network issue, client not found).
- Security Disclaimer: A clear disclaimer should be provided to the sender that while 1Password prevents viewing/copying, the target application/service itself might log the login attempt, and the connection itself is subject to the security of the target system.

User Stories:
- As a System Administrator, I want to grant a third-party vendor temporary RDP access to a specific server without them ever seeing the server's administrator password, so I can ensure confidentiality.
- As a Developer, I want to share SSH access to a staging server with a new team member for a limited time, allowing them to connect directly without knowing the SSH password or private key passphrase, to simplify onboarding and maintain security.
- As a Project Manager, I need to provide a contractor with access to a SaaS project management tool for a specific task, ensuring they can log in but cannot view or store the login credentials for future unauthorized access.
- As a Security Auditor, I want to allow an external auditor to access a specific web application for their review, but prevent them from copying the credentials, ensuring compliance with our least privilege policy.

Benefits:
- Enhanced Security: Prevents credential exposure, reducing the risk of unauthorized access, credential stuffing, and phishing.
- Improved Compliance: Helps organizations meet compliance requirements by enforcing "least privilege" access to sensitive systems.
- Streamlined Collaboration: Simplifies sharing with external parties and internal teams, reducing friction while maintaining security.
- Reduced Administrative Overhead: Eliminates the need for temporary password creation, sharing via insecure methods, and subsequent password rotation.
- Better Audit Trails: Provides clear records of who accessed what and when, even without exposing the underlying credentials.

Potential Challenges:
- Client Integration Complexity: Ensuring broad compatibility with various RDP/SSH clients and web application login flows.
- Security of Injection: The method of injecting credentials needs to be robust against various attack vectors (e.g., memory sniffing, process inspection).
- User Education: Clearly communicating the "view-only" nature and usage limitations to both senders and recipients.

Community Decision:
This feature addresses a critical security and usability gap in current secret management. We believe implementing "Direct Launch & View-Only Access" would significantly enhance 1Password's value proposition for businesses and teams dealing with third-party access and internal credential sharing. We urge the 1Password team to consider this proposal for future development.

25 Views, 0 likes, 1 Comment

Random but Memorable 16.6: Are you oversharing with AI?
We've long been fans of Jamie Bartlett, a technology writer best known for books like The Dark Net: Inside the Digital Underworld. He's just written a new book called How to talk to AI (and how not to), which felt like the perfect moment to bring him onto the Random but Memorable podcast.

Episode summary
Author Jamie Bartlett joins the show to unpack an important skill: using AI without giving away more than you intend. Whether you’re experimenting on your own or managing AI usage across an entire organization, this conversation will help you stay in control. Jamie’s advice covers everything from misplaced trust and oversharing to the subtle ways prompts shape responses. Plus, in Watchtower Weekly and Crash Course, we connect the dots between AI and security, unpacking our recent 1Password Unified Access announcement and the concept of credential brokering.

Got questions, or comments about this episode? Let us know in the thread below!

11 Views, 0 likes, 0 Comments

Random but Memorable 16.5: What it takes to protect and break into data centers
Offices, data centers, and factories—physical security still matters, especially when they house critical equipment and data. In the latest episode of Random but Memorable, Deviant Ollam, a physical penetration expert, joins us to share how he’s spent years legally breaking into facilities—and revealing where companies are most at risk.

Episode summary
Our latest episode is a reminder that cybersecurity doesn’t stop at the screen. 🏢🔐 Deviant Ollam, physical security expert and pentester, lifts the lid on the physical “IRL” side of security. From door locks to badge systems, Deviant shares what attackers are looking for, and why the physical layer can be the weakest link. 🚪🔑 But that’s not all! In Watchtower Weekly, we unpack how supply chain attacks are evolving into a self-reinforcing cybercrime economy — where one breach fuels the next, creating an endless loop of access, data, and profit for attackers. ⭕️💻

Got questions, or comments about this episode? Let us know in the thread below!

71 Views, 0 likes, 5 Comments

Random but Memorable 16.4: How to spot AI-generated phishing emails
It’s harder than ever to tell scams from legitimate emails. In the latest episode of Random but Memorable, we explore how AI is reshaping phishing attacks—and what to watch for now that obvious spelling and grammar mistakes are disappearing.

Episode summary
Are cybersecurity professionals more burned out than ever? 😩🧠 From alert fatigue to constant vigilance, we unpack what’s driving increased stress — and what organizations can do to build sustainable security teams. Plus, we take a deep dive into spear phishing. In Crash Course, you’ll learn why it’s so effective and how AI is making targeted attacks more convincing than ever. Bron Gondwana, CEO of Fastmail, joins the show later on to explore what AI-powered phishing looks like from inside your inbox. We even make time to debunk password manager myths in #Ask1Password! 🔤

Got questions, or comments about this episode? Let us know in the thread below!

17 Views, 0 likes, 0 Comments

Random but Memorable 16.3: Everything you need to know about OSINT
What happens when you take all the publicly-available online information about a topic and stitch it together? In this week's episode, we welcome Kolina Koltai from Bellingcat to learn more about open-source intelligence (OSINT) and how public data can be turned into actionable insights.

Episode summary
Ever fancied becoming a digital detective? 🕵️‍♀️ This week, we unpack everything you need to know about open-source intelligence (OSINT). In Crash Course, you'll learn what OSINT is, and the power of publicly-available information. Kolina Koltai, an investigator at Bellingcat, joins us later in the show to explain how she uses OSINT to track down scammers. 🔎 Before all of that, we dive into OpenClaw, the experimental, self-hosted AI agent that can browse the web and take actions on your behalf. It’s powerful, it’s exciting… and it raises big questions about permissions and security.

You can chat about anything discussed in the episode in the thread below!

30 Views, 0 likes, 0 Comments

Random but Memorable 16.2: AI security tips for modern families
Did you know Safer Internet Day was last week? This year’s theme focused on the safe and responsible use of AI — a timely and urgent conversation. To mark the occasion, we welcomed Will Gardner, CEO of Childnet, to Random but Memorable to discuss how we can help young people stay secure while embracing AI tools.

Episode summary
How can you help your loved ones navigate and securely adopt AI tools? Will Gardner, CEO of Childnet, joins the show for a vital conversation about helping families use AI safely. We talk about Childnet’s latest research and the practical ways you can become a digital role model and start better AI conversations at home. 🧑‍🧑‍🧒‍🧒💬 In Watchtower Weekly, we unpack some new trends in crypto crime including real-world attacks on everyday crypto holders. 💰 Then, in Crash Course, we break down Model Context Protocol (MCP) — the standard that lets AI tools securely connect to apps and services.

You can chat about anything discussed in the episode in the thread below!

26 Views, 0 likes, 0 Comments

Random but Memorable 16.1: How security professionals actually protect their own families
Hey everyone! 👋 A brand new season of Random but Memorable is here — and we’re kicking things off with practical security for the people you care about most. 🧑‍🧑‍🧒‍🧒🔐

Episode summary
In Watchtower Weekly we unpack AI assistants moving into healthcare — from ChatGPT Health to Claude for Healthcare — and what that means for privacy, accuracy, and trust. Later, you’ll hear how members of the 1Password security team protect their own families — sharing real-world advice on home devices and networks, kids, parents, and the small habits that matter most. 🏠🛜 Plus, we debut a brand-new cybersecurity game for this season – Identity Theft – complete with a fresh jingle and a reminder that multi-factor authentication always wins. 🕵️‍♂️🎶

No time to watch or listen? Read the transcript on 1Password Community! You can chat about anything discussed in the episode in the thread below!

72 Views, 0 likes, 2 Comments

Share tips, win swag!
Hi 1Password Community,

One of the great things about bringing everyone together here is the collective knowledge of having thousands of 1Password users in one place. We want to tap into that expertise by asking everyone to share their best tips and tricks for any 1Password product. Something that’s old news to you might help a new user save time and energy!

To make it more fun, we’ve made it into a game! Reply to this thread with your favorite tip and you’ll be entered into a drawing to win an assortment of 1Password swag. For every tip you submit, you get one entry into the drawing (maximum of five entries into the drawing).

When submitting your tips, please use the following format:
Tool: Passage/Device Trust/SaaS Manager/Enterprise Password Manager/Personal Password Manager
Platform: Web, iOS, Android, Mac, Windows, Linux
Tip:

Reply to this thread before March 11th, 2025 to be entered into the drawing.

311 Views, 0 likes, 2 Comments