Paranoid Questions of the Day (PQsD)
Okay, every so often I review my 1P setup and, although I'm a long time user, my mind starts racing.
So, I have a very long master password (more than 16 characters and very random) and have it secured should I ever forget it. In 1P, you can conceal a password when saved as a login and I can also conceal a password if saved under Categories/Password ... but is this a good idea to store the master password within 1P? I've been very careful about even writing/storing the master password anywhere (I use Knox) ... and I'm the only person who uses my computer ... I guess I'm wondering the likelihood of someone getting remote access to my computer and creeping into 1P and finding stuff.
This leads me to my second question. I've read that 1P now works better with Yubikey, but if one is paranoid/concerned about the potential for remote access does a Yubikey provide better protection for 1P? For me, Yubikey seems more useful for mobile/laptop protection but I confess to having some trouble trying to figure out all that it can do and whether it adds complexity that doesn't serve security (at least for my usage).
Thanks :-)
1Password Version: 7.1.2
Extension Version: Not Provided
OS Version: OSX 10.13.6
Sync Type: 1P
Comments
every so often I review my 1P setup and, although I'm a long time user, my mind starts racing.
Deep breaths. We're here for you. ;)
I have a very long master password (more than 16 characters and very random)
Mine's over 50. I feel your pain. :)
I guess I'm wondering the likelihood of someone getting remote access to my computer and creeping into 1P and finding stuff.
So, overall computer security is a HUGE can-o'-worms, and one I won't be able to properly address in a single forum reply. Much of it is also outside the scope of what we do on this forum, and frankly, outside my own expertise. Having said that, there's an old saying: if someone gains the ability to run arbitrary code on your computer with root privileges, it can no longer be considered your computer. Most people who think even a little about their own security understand this idea -- if an attacker can set a rootkit or a keylogger whereby they can capture everything you type, or install their own code with root-level privileges, it's basically game over.
Still, you have to ask: if someone can install a rootkit or keylogger that can capture you typing your Master Password...then it really doesn't matter if you have that same Master Password stored within 1Password, as they will have already acquired it. By the same token, if YOU can't remember your own Master Password, it hardly does any good to have that Master Password stored safely inside 1Password -- that would be a bit like locking the keys to a safe _inside the safe_: not very helpful. With 1Password accounts, we recommend people print out their Emergency Kit, write their Master Password down on it, and keep it either in a locked safety-deposit box at their bank, or give it to a trusted attorney with whom they've established attorney-client privilege. In a pinch (like if you forget your Master Password), either could be used to regain access to your data.
In terms of the security of 1Password itself, your Master Password is likely to be plenty strong against all but the most well-resourced attackers. If you've followed best practices to choose a good Master Password and you have no reason to believe it's been breached or disclosed to anyone else, then it's unlikely to be crackable except by brute force (i.e. - attempting to guess every possible combination until one succeeds). That's a very lengthy process, and one which 1Password helps deter.
Yubikey is indeed a recent addition to 1Password accounts. But it only works with a 1Password account because Yubikey's strength is to provide a second factor of authentication. In a 1password.com account, your data are secured with encryption, as always, but you do use authentication for administrative access to the 1Password web app. Yubikey can definitely strengthen your security there. But if you're using 1Password in standalone mode, Yubikey isn't relevant because you aren't authenticating to a remote server; your data already exists on your own device.

There's also the potential of loss/theft of your Yubikey to consider. If you have an individual 1Password account, that means you won't have anyone else that can help recover your account, so if you turn on 2FA for your 1password.com account and then lose your Yubikey, your account will not be accessible. I'm not mentioning that to suggest that you should not use a Yubikey, only that you understand the risks. All of us have become accustomed to being able to get in touch with a website's owner and have our password reset. That won't be the case with Yubikeys, just as it is not with 1Password itself. If you forget your Master Password, you can't decrypt your 1Password data. And if you use 2FA for your 1password.com account and lose your second factor (Yubikey), you won't be able to access the account. This adds to your security, but it's not without risks.

Good for you for considering those risks and asking questions up front, so you're aware of how to best protect yourself, not only from outside threats, but from yourself and potential inadvertent mishaps also. Feel free to ask any questions you might have. :)
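As an added illustration of the brute-force point in the reply above (this is example code written for this page, not 1Password's own code; the PBKDF2 iteration count, salt, and 94-symbol alphabet are assumptions chosen for illustration and are not 1Password's actual parameters), the following Python stretches a password with PBKDF2-HMAC-SHA256, measures how many such guesses per second the local machine manages, and turns that rate into an expected crack time for a uniformly random 16-character password. A tiny offline attack loop shows why every guess has to pay the full key-derivation cost.

```python
"""Why a long random Master Password plus a slow KDF resists brute force.

Added example for this page, not 1Password's code. ITERATIONS, ALPHABET
and the salts below are illustrative assumptions, not 1Password's values.
"""
import hashlib
import hmac
import math
import os
import string
import time

# Assumed alphabet: upper, lower, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation
# Assumed KDF work factor; real products pick their own and revise it over time.
ITERATIONS = 100_000


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch a password into a 32-byte key. An attacker must repeat this
    for every single guess, which is what makes brute force expensive."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=32
    )


def search_space_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy (bits) of a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


def guesses_per_second(iterations: int = ITERATIONS, samples: int = 5) -> float:
    """Benchmark how many KDF evaluations this machine completes per second."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"guess{i}", salt, iterations)
    elapsed = time.perf_counter() - start
    return samples / elapsed


def expected_crack_seconds(
    length: int, rate: float, alphabet_size: int = len(ALPHABET)
) -> float:
    """Expected time to find a random password: on average the attacker
    has to search half the space before the right guess comes up."""
    return (alphabet_size ** length / 2) / rate


def crack_demo(target: str, salt: bytes, candidates, iterations: int = ITERATIONS):
    """Minimal offline guessing attack against a derived key.

    Returns (password, number_of_guesses) on success or (None, guesses)
    when the candidate list is exhausted. Uses a constant-time compare so
    the demo does not leak via timing even though it is only a toy."""
    target_key = derive_key(target, salt, iterations)
    tries = 0
    for cand in candidates:
        tries += 1
        if hmac.compare_digest(derive_key(cand, salt, iterations), target_key):
            return cand, tries
    return None, tries


if __name__ == "__main__":
    rate = guesses_per_second()
    print(f"~{rate:,.0f} PBKDF2 guesses/second on this machine at {ITERATIONS:,} iterations")
    for length in (8, 12, 16):
        secs = expected_crack_seconds(length, rate)
        print(f"{length} random chars: {search_space_bits(length):5.1f} bits, "
              f"expected crack time ~{secs / 31_557_600:.3g} years at that rate")
    # A guessable password falls quickly regardless of the KDF.
    salt = os.urandom(16)
    found, n = crack_demo("letmein", salt, ["password", "123456", "letmein"])
    print(f"weak password recovered after {n} guesses: {found!r}")
```

Raising the rate to what a GPU cluster might achieve (say 10^9 guesses per second) still leaves a random 16-character password at well over 10^22 seconds expected crack time; the KDF only widens that margin, it is the length and randomness of the password that do most of the work.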
Thank you very much, Lars, for the detailed reply. Your rootkit/keylogger perspective is what I suspected and you've clarified Yubikey for me (I do use 1P in standalone mode).
Knowing that you use a 50 character password is something to aspire to (haha).
Appreciate the prompt response and helpfulness that is the 1P trademark. I'm always telling people to check out 1P, but sometimes I think I'm surrounded by luddites ... which probably explains why I sometimes feel that I have to have enough paranoia for both myself and my friends :-)
@mobius32x - thanks for the kind words! I'm grateful to hear you mention 1Password to friends and colleagues; it's truly the best possible advertising we could have -- if it can even be called that. Drop by any time if you have questions or run into trouble with 1Password. :)