If the passwords to your Instagram profile, bank account, and UberEats app are all variations on the name of your favorite band, 1Password CEO Jeff Shiner wants a word with you.
We all have way too many passwords — between 50 and 100 each, according to some estimates — floating around the ether. Most are probably variations on one another — a dangerous yet unsurprising workaround for those of us unable to remember dozens of unique passwords.
That said, password managers are one way to keep everything straight — and Toronto-based 1Password is among the best-known. Today, 1Password boasts over 100,000 business customers, a $798-million round last January, and a CEO equally comfortable talking about Lego and his company’s robust security measures.
At the recent Collision tech conference in Toronto, 1Password debuted Insights, a way for business subscribers to monitor security risks — and improve security practices. “We’re here to protect the human being,” Shiner said. “That is, to me, our number one goal.”
He spoke to the Star at Collision about tech’s choppy waters, whether 1Password will ever go public, and how he’d respond if someone successfully breached his company’s security:
A lot of public tech companies have lost a lot of valuation on the markets right now. 1Password is privately held — how have you folks been weathering the current market situation?
Up until 2019, we had never taken any funding. We were 13 years old at the time — never taken any funding, never taken any debt. We were fully bootstrapped. It wasn’t a case that we needed the money by any means. We’ve got over 100,000 paying businesses. We don’t need the funding to continue. When we look at the situation now, where there are certainly some rough waters from a macroeconomics point of view, we look at it the same. We’re never going to need to raise money.
If the market is not in a place where it makes sense to raise money, we don’t really have to worry about it. It’s just a matter of, from my perspective, being very thoughtful about how we spend our money. We’re still growing. We’re still hiring.
Do you ever see yourself taking 1Password public?
It’s certainly on the table. Not this year (laughs). Like everything we’ve ever done, it will be because it makes sense for us to do so, not because there’s any overriding need to go public or need to raise more money. There are some benefits, obviously of going public in terms of raising additional capital if it makes sense for us to place some bigger bets. From my perspective, I want to get in a place where we can be ready to do so, so we can make the decision. But by no means is it something that we have to do hard and fast.
1Password is one of the biggest password managers in the world. I’m sure that makes you a target for hackers. How do you balance the security you need to keep businesses safe, while also making it easy for people to use?
We’re always looking at that boundary of security and convenience. We made a decision right at the beginning, when we built the system-as-a-service side of it, that we have no keys. We have no technical ability to decrypt any of that data. There are two reasons for that. When you put your information into 1Password you now know, no matter what happens, we can’t get at it. We can’t see that information. That helps keep you comfortable in your privacy.
It also makes us less of a target because we make that very public. We have a white paper that details all of our security. It makes us less of a target. Of course, we try and protect all our data and we’ve got very good security in place, but at the same time, if that data was taken, the hackers can’t decrypt it either. And so, the very fact that we don’t have any ability to decrypt it means that anybody who would want to try and get that data would also have no ability to decrypt it.
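The “we have no keys” model Shiner describes can be shown end to end in a few dozen lines. What follows is an added example written for this page, not 1Password’s code (the company’s actual scheme is in its security white paper and is not reproduced here). It assumes a client-held random secret mixed into the key derivation alongside the account password, PBKDF2-HMAC-SHA256 as the key-derivation function, and an HMAC-SHA256 counter-mode stream with encrypt-then-MAC as a standard-library stand-in for a real AEAD cipher such as AES-GCM. The server class deliberately has no key material and no decrypt path, so a dump of its storage is all that a breach or a legal demand could produce.

```python
"""Client-side ("no keys on the server") vault encryption, stdlib only.
Added example: not the product's own code. hashlib/hmac stand in for a
real AEAD (AES-GCM) so the script runs without third-party packages."""
import hashlib
import hmac
import os

KDF_ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (OWASP 2023 guidance)


def derive_key(password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Vault key from the user's password plus a random secret that was
    generated on the user's device and never uploaded.  Mixing it in is an
    assumption of this example: it means a stolen blob cannot be attacked by
    guessing the password alone."""
    return hashlib.pbkdf2_hmac("sha256", secret_key + password.encode("utf-8"),
                               salt, KDF_ITERATIONS, dklen=32)


def _subkeys(key: bytes):
    """Separate encryption and MAC keys derived from the vault key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in stream cipher, not for production."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC.  Output layout: nonce(16) || ciphertext || tag(32)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; a wrong key or a
    tampered blob is rejected rather than producing garbage."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Server:
    """Stores (salt, sealed blob) per account.  It has no key field and no
    decrypt method: a dump of self.store is all a breach or a subpoena yields."""
    def __init__(self):
        self.store = {}

    def put(self, account: str, salt: bytes, blob: bytes) -> None:
        self.store[account] = (salt, blob)

    def get(self, account: str):
        return self.store[account]


class Client:
    def __init__(self, account: str, password: str, secret_key: bytes):
        self.account, self.password, self.secret_key = account, password, secret_key

    def save(self, server: Server, vault: bytes) -> None:
        salt = os.urandom(16)                     # public; travels with the blob
        key = derive_key(self.password, self.secret_key, salt)
        server.put(self.account, salt, seal(key, vault))

    def load(self, server: Server) -> bytes:
        salt, blob = server.get(self.account)
        return unseal(derive_key(self.password, self.secret_key, salt), blob)


def demo():
    """Round trip from a second device, then attacks using only the server's
    copy: right password without the secret key, and secret key with a
    near-miss password.  Returns (round_trip_ok, {attack: outcome})."""
    server = Server()
    secret_key = os.urandom(32)                   # made on device one, given to device two out of band
    vault = b'{"bank.example": "correct horse battery staple"}'   # constructed sample data
    Client("alice", "Tr0ub4dor&3", secret_key).save(server, vault)
    recovered = Client("alice", "Tr0ub4dor&3", secret_key).load(server)

    salt, blob = server.get("alice")              # everything the attacker holds
    outcomes = {}
    for label, pw, sk in (("no_secret_key", "Tr0ub4dor&3", b"\x00" * 32),
                          ("wrong_password", "Tr0ub4dor&4", secret_key)):
        try:
            unseal(derive_key(pw, sk, salt), blob)
            outcomes[label] = "decrypted"
        except ValueError:
            outcomes[label] = "rejected"
    return recovered == vault, outcomes


if __name__ == "__main__":
    print(demo())
```

The check worth noticing is the one Shiner is making implicitly: nothing the server holds (salt, nonce, ciphertext, tag) is secret, so handing `server.store` to anyone changes nothing unless they also hold both the password and the device-side secret. A production build would swap the HMAC counter-mode stand-in for AES-GCM or ChaCha20-Poly1305 and would wrap per-vault keys under the derived key rather than encrypting the vault with it directly, but the trust boundary is the same.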
What happens if law enforcement asks you to unlock it?
Again, we have no technical ability to decrypt the data. If law enforcement came along and said “we believe you’ve done something and we need your data” — even if we were to give them that data, there’s nothing they can do about it. And there’s nothing they can force us to do about it. We have no technical ability to decrypt that data. None. We don’t have the keys. The only person it does good is you — because you’re the only person who has the keys to decrypt it.
Does it frustrate you that addressing human-caused security issues is so difficult?
Yeah, I mean, what do they say? Eighty-five per cent of all breaches have a human element? It’s not that people are trying to do things the wrong way. It’s that people aren’t aware there are easy solutions. That’s our number one goal — can we make it easy for humans to be secure? I like to sometimes say: “Be good by being lazy.” If we can make the easy way the good way, we’re in good shape.
The number of people who are running the old “I’m from the federal tax authorities and all you have to do is pay with Apple gift cards” gambit — and people fall for it. It’s sad, and it’s frustrating, because the victims are not people that can afford to fall for these.
Are there any emerging threats that keep you up at night that aren’t an issue yet, but might be in the next five to 10 years?
Shadow IT is here now, but I think it will continue to be more and more significant. It’s nothing other than software that your business doesn’t know you’re running. If you went to Collision, talked to Company X, and downloaded their app — all of a sudden you, as an employee, are sitting there putting in company data to this app. And your IT has no idea. So if you move on to a different role or you move out of the company now that data is sitting there. Nobody ever knew it was there in the first place to defend against.
Software-as-a-service apps have been around for years, but because of the hybrid work and work-from-home environment, everybody is moving to SaaS apps all over the place. We think of Zoom as an example. You’re just as likely to Zoom a bunch of family members as you are colleagues at work. Companies 20 years ago did everything on premises. Now, nobody has a clue who is running what.
What’s your biggest password pet peeve? Is it people who leave their passwords on sticky notes?
OK, my biggest password pet peeve is the people that have what’s called a root password, and then put some sort of variation on it. Those are the folks who believe that’s sufficient. The people that are using “fluffycat” for all their passwords, or are putting it on a sticky note — they know what they’re doing is bad. They just do, right? I don’t need to educate them, at least on the problem.
The reuse of passwords itself is one of the biggest issues. You may sit there and think your bank is secure and, you know what? You’re probably right. But if you’re using a variation of the same password on your cat-picture-sharing site that gets breached, the hackers will take that same password and try it on banks and eBay and PayPal and Amazon — and try all sorts of variations. That’s where it starts to get dangerous.
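The pattern Shiner is describing (one root password with per-site variations) is exactly as easy for a defender to spot as it is for an attacker to exploit, because the same normalisation that lets a credential-stuffing tool generate “fluffycat1”, “Fluffycat!” and “fluffyc4t” from a leak also collapses them back to one stem. The following is an added example written for this page, not the product’s Insights code: it runs a heuristic reuse detector over a constructed vault. The stemming rules (case-folding, stripping leading and trailing digits and symbols, a small leetspeak map, and treating a stem that extends another as a variant) are this example’s own assumptions, not a published algorithm.

```python
"""Password-reuse and near-variant detector over a user's stored credentials.
Added example, not the product's own code.  The normalisation rules are a
plausible heuristic for the variations people actually use."""
import re
from collections import defaultdict

MIN_STEM = 6  # shorter shared stems are too likely to be coincidence

# Interior substitutions people use to "strengthen" a root password.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def stem(password: str) -> str:
    """Collapse case, leading/trailing digits or symbols (years, "1", "!"),
    leetspeak, and separators so that variants of one root compare equal."""
    s = password.lower()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)   # "Fluffycat2023!" -> "fluffycat"
    s = s.translate(_LEET)                     # "fluffyc4t"      -> "fluffycat"
    return re.sub(r"[^a-z0-9]", "", s)         # drop remaining separators


def find_reuse(vault: dict) -> dict:
    """vault: {site: password}.  Returns {stem: [sites]} for every stem that two
    or more sites share exactly or by extension ("fluffycat" / "fluffycatshop").
    Pairwise check is O(n^2), fine for one person's vault."""
    stems = {site: stem(pw) for site, pw in vault.items()}
    clusters = defaultdict(set)
    sites = list(stems)
    for i, a in enumerate(sites):
        for b in sites[i + 1:]:
            short, long_ = sorted((stems[a], stems[b]), key=len)
            if len(short) >= MIN_STEM and long_.startswith(short):
                clusters[short].update({a, b})
    return {k: sorted(v) for k, v in clusters.items()}


# Constructed sample vault: four variants of one root, one exact-case reuse,
# one genuinely unique random password.
VAULT = {
    "bank.example": "Fluffycat2023!",
    "mail.example": "fluffyc4t",
    "catpics.example": "fluffycat1",
    "shop.example": "fluffycatshop",
    "work.example": "xk9#Qv2!pL7mW",
    "forum.example": "qwerty123",
    "wiki.example": "Qwerty123",
}


def report(vault: dict = VAULT) -> list:
    """Human-readable findings, one line per cluster."""
    return [f"{len(sites)} sites share root '{root}': {', '.join(sites)}"
            for root, sites in sorted(find_reuse(vault).items())]


if __name__ == "__main__":
    for line in report():
        print(line)
```

Run as written, the report flags the cat-picture site, the bank, mail and the shop as one cluster: a breach of any one of them hands an attacker the stem for the other three, which is the scenario in the answer above. The unique random password never appears in a cluster. The heuristic will miss two long variants that only share a prefix with each other and not with a shorter stem (e.g. “fluffycatbank” and “fluffycatmail” with no plain “fluffycat” present); a production scanner would use a common-prefix or edit-distance measure instead.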
I read you have 1,000 lbs. of Lego.
I’m a huge Lego fan. I started off in e-commerce many years ago helping IBM build their WebSphere Commerce product. Way back when, I started selling Lego online. It was bricks — I’d take a kit and I’d break it down and sell it off. I did that on what is now Bricklink. I also did it on eBay and other platforms. I thought it was awesome because at the time I was doing e-commerce. It was like learning for me.
I stopped selling when my son was born. It just got to be too much work. When my son was five or six years old, he’d want Star Wars Lego. So I told him we’d sell a bunch of our stuff I had in the basement, we’d put that money on PayPal, and he’d be able to buy any Star Wars Lego he wanted with that. We did that for years. We had a wonderful time. And then we started buying more and more Lego, as we do. My wife unfortunately counted. She found Lego in every room in our house, except for one. I can’t remember which one. I think it was one of the bathrooms.
Lego, to me, is something that combines technology — or engineering, at least — with art. I think there’s nothing more powerful than that combination.
How often do you step on a stray brick?
Stepping on it doesn’t bother me anymore. My feet are too hard.
History is littered with supposedly unbreakable products that were eventually hacked — the Enigma machine during the Second World War is a classic example. If, or perhaps when, that happens to 1Password, what will your response be as CEO?
The most important thing is to be very transparent and public with it. If we’re transparent, we can make sure everybody is aware that our protections are in place. They’ll also be aware that we’ll be honest with them about both what happened and the risks. For any company, regardless of who you are — if you suffer a breach, honesty and following up with your customers is really the most important thing.
We also want that to be true of any mistake our team makes. I don’t care if it’s as simple as someone chucking in some code that broke our build: the transparency side, what our chief marketing officer Raj Sarkar calls “radical candor,” is important. It has to come with accountability, not blame. What did we learn from this — and not just who we’re going to point our fingers at.
This interview has been edited for length and clarity.