Security Advice
I'm new to 1Password and looking to the community for their advice on best security practices in using the product. [I've purchased the Family Plan and will set up other members soon.]
- I safely stored my Emergency Kit.
- I'll be looking into the YubiKey.
- I removed my master password from the "1Password Account" entry within the vault.
- I've updated all my accounts with new 20 character random passwords.
- For my most secure accounts (e.g. finances), I append extra chars (not stored in 1password) before logging in.
- I use 2FA on all possible accounts.
- On the email account I use for password recovery, I have a very secure password (committed to memory), plus 2FA.
- I plan to update all my security questions on my accounts with "memorable passwords" (adding them as a "Security Question" field in 1password).
- I use a short timeout for locking my 1password app.
- I am not interested in discussions regarding other family organizers.
What else should I consider?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Comments
-
Especially as you are the only family organiser, consider what happens if you suffer a major injury, stroke, or whatever. Having a password committed ONLY to memory runs a major risk.
I'm not going to suggest what action you should take, but do plan for disaster.
0 -
Plan for recovery if you lose your YubiKey device, if you lose your 2FA authenticator device, if you lose your smartphone, if your PC/laptop is destroyed. Make sure you will not get locked out of 1Password.
For example, consider what happens if you lose a device that runs your 2fa authenticator. Are you still able to log in, for example to install a replacement device? For example, if you store the 2fa secrets in 1Password, you're good as long as you have at least one device left that is logged in to 1Password, so it can provide you with the 6 digit tokens for new logins. However, if you use a 3rd party authenticator, make sure you have a disaster recovery plan for that authenticator app as well.
A bulletproof solution is to store your 2FA codes within 1Password and print your Emergency Kit on paper, along with the master password, along with the QR code required to create the 2FA code for logging into 1Password.
This way, even if everything is lost you can get the paper, install a standalone authenticator app on a pristine smartphone, import the 2FA QR code and have 2FA for 1Password up and running. Then you log in by entering the secret key and master password you also printed and are back in your password database.
Not storing full passwords for "important" accounts but leaving out a few characters is unnecessary and not supported by the automatic login workflow. It's a sign you don't actually trust 1Password as a password manager. If this is the case, don't use 1Password at all but something else. And if you really trust 1Password as a password manager but don't trust yourself to keep the account safe, educate yourself and enable yourself to keep your account safe. Be vigilant and safety-aware, but don't be paranoid.
And plan for yourself forgetting a "memorable password". Things like this will happen. Trust me, this will happen. In a year, in 5 years, in 10 years, who knows. But it will happen. Trust no one, even yourself. Trust the password manager.
0 -
@robert1p That's a really good list.
If you haven't saved your master password with your Emergency Kit and, especially as you haven't saved it in 1Password, I would think about how you can recover access to it if required. I find it useful to keep my master password in 1Password, for example, when logging in to the web vault using the browser extension. And people have found it useful after forgetting their master password due to using fingerprint, Touch ID, etc.
Similarly, if you have enabled 2FA on your 1Password account, then set up an authenticator app and save/print the 2FA manual-entry secret locally. If you're worried about the authenticator app providing a back door, then you can delete the app from your device and just keep the 2FA secret as a kind of 2FA recovery key.
I don't think password salting is worthwhile. Given the security of 1Password's account access with the Secret Key, master password, Secure Remote Password protocol and, optionally, 2FA, a breach of your vault is unlikely to come from a direct attack on their servers. It's much more likely to come from a breach of your devices or a malicious software update. And someone with access to your device will be able to capture the salt.
So focus on your device security: set up individual user accounts, enable device storage encryption, use anti-virus software, avoid clicking on links, etc. Use the 1Password apps whenever you can, as these are better protected from malicious software updates. If you need to use the web vault, then use a blank browser profile without any browser extensions other than 1Password's.
0 -
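The two comments above both rest on the same fact: the printed manual-entry secret (or the QR code, which encodes the same secret) is all an authenticator ever holds, so a pristine phone, or a few lines of code, can regenerate the 6-digit tokens without the lost device. The following is an added example, not code from the thread or from 1Password; it assumes the account uses the standard RFC 6238 TOTP parameters that mainstream authenticators default to (HMAC-SHA1, 30-second step, 6 digits) and uses the published RFC 6238 test secret rather than any real one.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test secret ("12345678901234567890" in base32) -- a constructed
# example value, NOT anything from the thread or from a real account.
RFC6238_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def normalize_secret(manual_entry: str) -> bytes:
    """Decode the base32 'manual entry' secret an authenticator displays.

    Printed secrets are often grouped with spaces or dashes and in lower
    case; strip both and restore the '=' padding b32decode insists on.
    """
    cleaned = "".join(manual_entry.split()).replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then
    dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(manual_entry: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(normalize_secret(manual_entry), unix_time // step, digits)


def verify_totp(manual_entry: str, submitted: str, unix_time: int, skew: int = 1) -> bool:
    """What the verifying side does: accept the current window plus +/- skew
    neighbouring windows (to tolerate clock drift), comparing in constant time."""
    for delta in range(-skew, skew + 1):
        candidate = totp(manual_entry, unix_time + delta * 30)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC6238_SECRET, now)
    print(f"current code for the test secret: {code}")
    print("verifies:", verify_totp(RFC6238_SECRET, code, now))
```

The recovery consequence is the one the comments draw: keep the secret (on paper, in the Emergency Kit, or in another vault) and any device can be replaced; lose only the secret and no number of spare phones helps. The mirror image is worth stating too: whoever reads that slip of paper holds the second factor, so it deserves the same storage as the master password.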
All sound advice; record & lock up emergency kit, master password, 2fa codes & alternatives, and salts. Then verify you can setup a new device with your recorded information.
I've read and understand all the rationale of why a salt shouldn't be necessary; but even so, I simply like the idea of the full password not being viewable. For me it's just the shock of seeing my most secure passwords displayed in plaintext. ;-D
Thanks for input.
0