Keeping Google/Apple Account password stored in 1Password
I'm storing all my logins in 1Password except one: The one for my Google account which I have memorized.
The reason for my reluctance to include the Google account password in 1Password is the boot-strap scenario where I lose my phone and have to set up a new one from scratch. In that scenario I would want to download the 1Password app and set that up using the Emergency Kit, but if I don't know the password to my Google account I'm not sure I can even download anything from Google Play?
Also, since the new phone probably wouldn't have a SIM card installed just yet, I'd need the home WiFi password, too, which is also stored in 1Password (though I could probably get that from a sticker on the back of the router).
What is the general recommendation for handling this scenario? Write down the Google account password next to the Master Password on the Emergency Kit?
Comments
-
@MerryBit - excellent question, and thanks for bringing up this evergreen topic! The short answer to your question is: yes. It may indeed be helpful for you to think clearly in a step-by-step, "what if" kind of way to determine whether you feel as if you need to remember more than just your Master Password for 1Password. And if you're already thinking along these lines, you're way ahead of many people. So, breathe a little easier just for that alone.
This very subject is something our Chief Defender Against the Dark Arts, Jeff Goldberg, wrote an entire blog post on, back in 2012 when then-Wired reporter Mat Honan was the victim of a brutal hack. Although, when you consider the speed at which technology advances, 2012 seems like the dark ages, in truth it wasn't really all that long ago. Yes, some of the technical details of that post are outdated now (the then-current concept of potentially different Master Passwords on your iOS devices and your desktop seems almost quaint in 2019), but most of what Goldberg wrote in that seven-year-old post remains relevant today because it concerns not the technology itself, but how you - the user - prepare yourself for disaster or attack.
Depending on your circumstances, devices and chosen sync methods (and other factors), each user's choice of what passwords to remember beyond just your Master Password will vary from user to user, so we can't offer a one-size-fits-all set of instructions for what else to commit to memory. But it's definitely a good idea for all users to try to imagine themselves in a catastrophic situation and even role-play "what step I do next" all the way through to the end, so in the event that the worst does happen one day, an already-horrible situation won't be made much worse by not having a password that's vital to bootstrapping your way back into your own data/devices.
In terms of actual procedures, the most-secure method is always of course your own brain: assuming you can remember the small group of passwords you need without having to write them down, and you never share them with others, you'll be most secure. But most of us - especially if we're using 1Password to fill longer, more-complicated passwords regularly and thus are at risk of potentially forgetting over time - might want to consider keeping a written record of these passwords. Some ideas would be: in a floor safe or a safety-deposit box. Better still might be with a trusted attorney, along with a letter clearly and explicitly defining under what circumstances (if any) these passwords (including your Emergency Kit) are to be shared with people who are not you.
Feel free to let us know if you have other ideas or questions, and thanks again for reminding users of an important topic.
0 -
Thank you for a very thorough reply.
I took your advice and played through a lost/new phone scenario yesterday. As I suspected, I did need the WiFi password and the password (and U2F key) for my Google account, but other than that everything went swimmingly.
One thing surprised me though, and I didn't think about it until after I had finished setting everything up:
I didn't need to enter my Security Key in order to set up 1Password on my Android phone, only my Master Password.
Once I was logged into my Google account, the phone automatically installed the same apps I had installed previously, though I did need to log into and set up every app that was connected to an account other than my Google account, including 1Password. Since I wasn't asked to enter my Secret Key, only my Master Password, I'm thinking Google must have stored the Secret Key (and possibly other account data related to the 1Password app) along with my device backup in my Google account.
Is that as expected, or would you expect 1Password to ask for the Secret Key as well in case of a factory reset phone?
0 -
@MerryBit: Indeed, that's expected. The mobile apps can back up the 1Password account credentials except for the Master Password in your iCloud or Google account, if you have those features enabled. I believe that's iCloud Keychain in the former case, and Google's backup service in the latter. That way people aren't completely hosed if they lose their Secret Key but still have access to it that way, and it's still not accessible to us. Cheers! :)
0