If your Instagram profile, bank account, and UberEats app passwords are all variations of your favorite band name, 1Password CEO Jeff Shiner wants to talk to you.
We all have far too many passwords – between 50 and 100 each, according to some estimates – floating around in the ether. Most are probably variations of each other – a dangerous but unsurprising workaround for those of us who are unable to remember dozens of unique passwords.
That said, password managers are one way to keep everything tidy – and Toronto-based 1Password is one of the best known. Today, 1Password has more than 100,000 business customers, a $798 million round last January, and a CEO equally comfortable talking about Lego and his company’s robust security measures.
At the recent Collision Technology Conference in Toronto, 1Password launched Insights, a way for business subscribers to monitor security risks and improve security practices. “We are here to protect human beings,” Shiner said. “That, for me, is our number one goal.”
He spoke to the Star at Collision about the choppy waters of technology, whether 1Password would go public, and how he would react if someone managed to breach his company’s security:
Many public tech companies have lost a lot of market valuation right now. 1Password is privately held — how did you overcome the current market situation?
Until 2019, we had never taken out financing. We were 13 at the time – never taken out financing, never had debt. We were completely primed. It was not a case that we needed the money by any means. We have over 100,000 paying businesses. We do not need funding to continue. When we look at the current situation, where there are certainly choppy waters from a macro perspective, we see it the same way. We will never need to fundraise.
If the market isn’t in a place where it makes sense to raise money, we don’t really have to worry about it. It’s just, from my point of view, being very careful about how we spend our money. We continue to grow. We are still hiring.
Have you ever seen yourself making 1Password public?
It is certainly on the table. Not this year (laughs). Like everything we’ve done, it will be because it makes sense for us to do it, not because there’s a compelling need to go public or raise more money. There are some benefits, obviously to going public in terms of raising additional capital if it makes sense for us to place larger bets. From my perspective, I want to get to a place where we can be ready to do that, so we can make the decision. But it’s by no means something we have to do hard and fast.
1Password is one of the largest password managers in the world. I’m sure that makes you a target for hackers. How do you balance the security you need to keep businesses safe while making it easy for users to use?
We are always looking at that limit of security and convenience. We decided early on, when we built the system side as a service, that we didn’t have keys. We have no technical ability to decrypt this data. There are two reasons for this. When you put your information into 1Password, you now know that no matter what, we can’t access it. We cannot see this information. It helps you stay comfortable in your privacy.
It also makes us a lesser target because we make it very public. We have a white paper that details all of our security. It makes us less of a target. Of course, we try to protect all our data and we have very good security in place, but at the same time, if this data has been taken, hackers cannot decrypt it either. And so, the very fact that we have no ability to decipher it means that anyone who would try to obtain this data would also not have the ability to decipher it.
What if law enforcement asks you to unlock it?
Again, we have no technical ability to decrypt the data. If law enforcement came in and said “we think you did something and we need your data” – even if they were to give them that data, there’s nothing they can do about it. And they can’t force us to do anything about it. We have no technical ability to decipher this data. None. We don’t have the keys. The only person it feels good to is you, because you are the only person who has the keys to decipher it.
Does it frustrate you that it’s so hard to fix man-made security issues?
Yeah, I mean, what do they say? Eighty-five percent of all violations have a human element? It’s not that people try to do things the wrong way. It’s that people don’t know that there are easy solutions. That’s our number one goal: can we make it easier for humans to be safe? I like to say sometimes, “Be good by being lazy.” If we can make it easy the right way, we’re in good shape.
The number of people running the old “I’m federal taxman and all you have to do is pay with Apple gift cards” scheme — and people are falling for it. It’s sad and frustrating because the victims are not people who can afford to fall into the trap.
Are there any emerging threats keeping you up at night that aren’t a problem yet, but could be in the next five to ten years?
Shadow IT is here now, but I think it will continue to be more and more important. It’s nothing but software that your company doesn’t know you’re using. If you went to Collision, talked to Company X, and downloaded their app – all of a sudden, as an employee, you’re sitting there putting company data into that app. And your IT has no idea. So if you are moving to another role or leaving the company now that the data is there. No one ever knew he was there in the first place to defend against.
Software-as-a-service applications have been around for years, but due to the hybrid work and work-from-home environment, everyone is moving to SaaS applications everywhere. We think of Zoom as an example. You’re just as likely to zoom in on a group of family members as you are on your work colleagues. Twenty years ago, companies did everything on site. Now, no one has a clue who’s running what.
What’s your biggest password peeve? Are these people who leave their passwords on sticky notes?
OK, my biggest password peeve is people who have what’s called a root password, and then put some sort of variation on it. These are the people who believe that enough is enough. People who use “fluffycat” for all their passwords, or put it on a sticky note – they know what they’re doing is wrong. They just do, right? I don’t need to educate them, at least on the problem.
Password reuse itself is one of the biggest problems. You can sit there and think your bank is secure and, you know what? You are probably right. But if you use a variation of the same password on your cat photo sharing site that gets hacked, hackers will take that same password and try it on banks, eBay, PayPal and Amazon – and try all kinds of variants. This is where it starts to get dangerous.
I read that you had 1,000 books. of Lego.
I am a huge Lego fan. I started in e-commerce many years ago helping IBM build their WebSphere Commerce product. A long time ago, I started selling Legos online. It was bricks – I would take a kit and break it down and sell it. I did this on what is now Bricklink. I also did it on eBay and other platforms. I thought it was great because at the time I was doing e-commerce. It was like learning for me.
I stopped selling when my son was born. It must be too much work. When my son was five or six years old, he wanted Star Wars Lego. So I told him we’d sell a bunch of our stuff that I had in the basement, put that money on PayPal, and he could buy whatever Star Wars Lego he wanted with that. We have done this for years. We had a wonderful stay. And then we started buying more and more Lego, like we do. My wife unfortunately counted. She found Legos in every room in our house except one. I don’t remember which one. I think it was one of the bathrooms.
Lego, to me, is something that combines technology – or engineering, at least – with art. I think there is nothing more powerful than this combination.
How often do you step on a lost brick?
Walking on it doesn’t bother me anymore. My feet are too hard.
History is littered with supposedly unbreakable products that were eventually hacked – the Enigma machine during World War II is a classic example. If, or maybe when, this happens to 1Password, what will your response be as CEO?
The most important thing is to be very transparent and public with this. If we are transparent, we can make sure everyone knows our protections are in place. They will also know that we will be honest with them about what happened and the risks. For any business, no matter who you are, if you experience a breach, honesty and following up on your customers is really the most important thing.
We also want this to be true for any mistakes made by our team. I don’t care if it’s as simple as someone introducing code that broke our build: transparency, what our CMO Raj Sarkar calls “radical candor,” is important. This must come with responsibility, not blame. What have we learned from this – and not just who we will be pointing our fingers at.
This interview has been edited for length and clarity