by throwpoaster 532 days ago
I had my password manager compromised by a business partner. I added him to my 1Password account and then, in a play for control of the company, he attempted to remove me. Lesson learned: don't try to save money on password managers.

If all of my 2FA code generators had been in 1Password I would have been truly screwed, but in a stroke of luck I had been paranoid enough to use a separate app for 2FA codes.

4 comments

While it’s regrettable that someone you trusted betrayed you, the lesson is more: never share your password manager with others.
Exactly, it’s like people complaining about locks when they hand over their keys to another person and suffer theft.

The lesson here is to use granular permissions and share things selectively, and, more importantly, never give master access to anyone.

Wild! Would that actually work in the long run? It could cause you a lot of trouble, I’m sure, but it seems like if you have any legal documentation, a lawyer would easily fix it. And it seems like it’s probably illegal to try to remove someone without consent or authorization, so it could potentially backfire pretty hard for him?

I know this happens sometimes, and I’m thankful my partnerships have never gone this bad. Did you know it was headed this direction before he tried it? Was that the end of the company?

The law is amazingly difficult to actually enforce against someone who simply will not comply. If everything goes to a potential finding of contempt it takes ages to win by inches. This is what I ended up doing. Literally took 2+ years.

I “won” in the end (the board fired him and appointed me CEO), but it destroyed the company.

And yes, I saw it coming, but was hoping I could control him until we found revenue and the pressure came off. This was illogical because people like that cannot find revenue.

I'm sorry this happened to you, but it highlights another very important factor. Don't keep all the keys to the kingdom with one person. Always divide and conquer. Keep power distributed between multiple people. I worked at a company of 500+ people, and I'm sure the CEO didn't have access to all the IT people's stuff. They only cared that everything works and meets their quarterly goals. Should an IT person feel like sabotaging stuff, there are distributed backups and, mainly, the fine print in the work contract preventing that.

I know this doesn't necessarily apply to smaller companies and startups, but have lawyers write you strong contracts that aren't one-sided but are full of protections for both sides, as long as they aren't sabotaging stuff.

This, yes, but there’s a really interesting corollary:

If you’re on a small team (~5 people) the person obsessed with access controls cannot be trusted.

That’s harrowing.

If any journalists are lurking in this discussion, this would make a decent article.

Reply here with info and I’ll reach out. Have to be careful with NDAs and such.