Corporate Silo

The Unnoticed Silo by Chris M. (mrkapowski)

My employer has started blocking 1Password.com recently, breaking my ability to access my passwords and Two-Factor Authentication (2FA) details using the browser extension. I can still get these details on my phone, but typing a completely random 22-character password by hand is far from ideal, and a bit of a pain in the rump, to be honest. This isn’t their most egregious “security theatre” policy, but it is one of the most impactful (to me).

If the blocking of the 1Password browser extension is technical enforcement of a written corporate policy, then the “problem” is the written corporate policy. Even if the 1Password browser extension were allowed, you would violate that policy the minute you used it in a way that was not approved.

I think what Ton Zijlstra stated is correct, “..the actual silo you’re trying to escape is the company”.

Author: Khürt Williams

A human who works in information security and enjoys photography, Formula 1 and craft ale.

2 thoughts on “Corporate Silo”

    1. We don’t know that the policy is absurd as we don’t know the why of the policy. Perhaps the company is concerned that employees will use the password manager to store company passwords and the company policy says “don’t do that”.

      In certain environments there are regulatory requirements that preclude the use of such technology. In the environments I often work in, any avenue by which data could be exfiltrated - email, online storage, social media, etc. - is blocked. That includes password managers.

      https://support.1password.com/files/

      The last thing the corporate lawyers want to admit to anyone is “we could have prevented this but we didn’t”. The job of these policies is to protect the company from whatever risks have been identified. The risk may be you.

      It’s offensive to me when someone with no background, experience or training in cyber-security second-guesses the decision made by their security staff. It would be better to ask them why the policy is in place and ask them to explain it.

      https://www.wired.com/2008/03/securitymatters-0320/
