Is one password really enough?

aplnub

I rely on 1Password for all my account/password needs.

I have a Mac in my home and an iPhone. A tornado comes through and sucks up everything but me. At some point I have to get access to my 1Password data file to get my life back on track after complete devastation.

I go purchase a new Mac and iPhone. I realize I need to get Dropbox to get my 1Password vault. I realize I don’t know my Dropbox password. No problem, I will reset the password to the account. But wait, I don’t know the password to access my email because it is inside 1Password. The cycle continues...

Anyone else thought through the worse case scenario? Thoughts on this?

Offsite storage is a solution but there are several scenarios that come to mind that could leave me finding myself up the proverbial creek.

Ben

Yes, if you are syncing your data, you may want to remember more than just "one" password.

I personally memorize about 4:

• My 1Password Master Password
• My Apple ID password
• My Dropbox password
• And my primary email account password

Remembering 4 strong unique passwords is still a lot better and easier for me than either trying to remember 150+ strong unique passwords, or having only 1 password for everything.

Thanks! :)

Ben

aplnub

I am with you. I memorize three. Then there is the if I get amnesia thing. ;-)

prime

I had the same memorized as @bwoodruff‌, but..... Ummm... Not sure what happened lol
I need a better solution also as a back up. I have an idea, but not to sure about it yet.

Penelope Pitstop

Anyone else thought through the worse case scenario? Thoughts on this?

There are plenty of other less threatening scenarios than a tornado that might take out all your home electronics in one go so it is prudent to think hard about this topic. Many don't until they experience a disaster. I hope your post prompts others to consider disaster recovery if they haven't already. Maybe some of my thoughts on the subject will help you and I'd be really interested to read what others have to say.

I'm like @bwoodruff‌ in that I remember a handful of passwords with recovery in mind. I choose to memorise them simply for convenience and speed. I also have hardcopy of the small group of passwords needed for recovery stored in sealed envelopes with a few people I trust just in case I ever forget them.

Offsite storage is a solution but there are several scenarios that come to mind that could leave me finding myself up the proverbial creek.

Yes offsite storage is a solution but, unless it is automatic, you might find you aren't diligent enough to keep the offsite copies as up to date as you might imagine. Personally I try to maintain an offsite, bootable clone of my primary computer startup volume that has 1Password on it. This is in addition to a local Time Machine backup and CrashPlan. I think using a variety of backup techniques in parallel is good strategy in case one of them doesn't work for some unforeseen reason.

The reason for the clone is that it enables me to almost instantly get working again on a new computer and gives me time to calmly decide how to fully recover my digital world whilst I sort out the other likely more pressing issues caused by any disaster. I used to rely on Time Machine but found that it takes too long to fully restore a computer from a Time Machine backup.

The operative word here is "try". Having the discipline to maintain anything manually is fraught with potential for failure in my experience. That's why I like Time Machine, Crashplan and using cloud sync for my 1Password keychain. However I try my best to update the clone once a fortnight. Sometimes I'm a bit lazy and don't update the clone, sometimes I don't immediately store it offsite after updating it. (Shock horror!) At one point I did maintain a copy of my .agilekeychain on a USB stick that I left with a friend. I thought that I might use 1Password Anywhere in an emergency. However this fell by the wayside due to my lack of discipline. Life just gets in the way and thwarts manual processes.

The thing that many people neglect with any kind of disaster recovery plan is to practice following it. In my experience, clever people develop what seem like wonderful disaster recovery plans on paper only to discover that they don't actually work in practice because of one or two small details.

No matter how simple your plan, test it regularly to make sure it really works. Test it for real too. For example, use different hardware in a different location without any of your existing equipment. Will that two week old clone or USB stick really work on another computer? Can you then fully recover from it? What's Plan B when this doesn't work for any reason? Does Plan B work? Will Time Machine, Crashplan or whatever else you have in mind really work?

Testing is particularly important when anything changes that might affect the plan. For example, you just enabled two-step verification thinking it will make you more secure, now how does that affect your recovery plan?

Anyway, hopefully some of that is more food for thought @aplnub‌. Thanks for the post because it is high time my recovery plan were reviewed and tested once again.

Ben

Some excellent points! I personally have not done a very good job considering the local disaster possibility -- which is perhaps ironic as I'm a firefighter. I deal with local disasters frequently. In the event of a fire, I'd have the potential to lose a lot of data.

Penelope Pitstop

That is ironic! I know plenty of people that don't back up like they know they should though, including supposed computer "experts". It's hard to get some people motivated to back up at all despite having lost irreplaceable digital images etc. For many it is all just too complicated.

Ben

I think part of the problem is that offsite replication is either A) expensive and slow or B ) very complex to setup and manage. With option A you have online backup providers such as Mozy, CrashPlan, etc. With option B as far as I know you pretty much have to roll your own unless you buy into an expensive enterprise NAS solution.

I'd like to do an off site replication of my Drobo but I'd want to control the storage, and not pay a fortune. ;)

aplnub

I use CCC for bootable and network backups along with a TM thrown in for good measure. Both at home and work. For me to get totally screwed over, both work and home would have to get scratched at the same time. I say totally because I would at least have my 1Password Data if one location was dealt a massive blow and that would be about it. But I accept that and realize it could be much worse. Besides, most of my important documents are on a Transporter (three locations) or in Dropbox.

The part I can't take part in at home is an automatic offsite back up of my computer through Backblaze, etc. I would really like to do this but my SLOW AT&T DSL prevents this. Really hoping something comes along in the future to replace my only option besides dial-up as a realistic option here.

RichardPayne

For many it is all just too complicated.

It used to be, but that's really not the case any more. In my experience it is more an irrational fear of breaking something that stops people using software properly, combined with an unwillingness to learn new things. It's little surprise to me that this often correlates with age.

jpgoldberg

Hi @aplnub!

As a matter of fact, we have an article that recommends exactly what you do, both about having more than just one memorable password and also about making decent backups: Agile Blog: More than just one password

baker

I think you need to backup your 1Password vault EVERY time you make a change. Also, probably would be best to get your logins with a good strong password and not change too often. That way if for whatever reason you had to go to an old backup or old vault copy, it would mostly still be relevant.

You could do your normal backups with external hard drives or where ever. In conjunction with that. Something easier, depending on your setup, you could have two SD cards to copy your vault to every time you make a change. And could keep one SD card outside of your computer. That's assuming using SD card would be easier than trying to connect your external hard drives up every time you make a change in your vault.

That would help protect losing your up to date vault from a sudden hard drive crash and burn, and from like the article mentioned from a remote wipe.

RichardPayne

I think you need to backup your 1Password vault EVERY time you make a change. Also, probably would be best to get your logins with a good strong password and not change too often. That way if for whatever reason you had to go to an old backup or old vault copy, it would mostly still be relevant.

While what you're advocating certainly wouldn't hurt, it's not really necessary. So long as the backup includes the current primary email login then you can always password reset accounts that changed after the last backup.

Nurinai

It's definitely not enough.I usually use two.

Megan

Hi @Nurinai ,

Thanks for sharing your thoughts here! It's a pretty fascinating discussion ... that reminds me I need to get much more diligent with my own backups and disaster-recovery plan. :)

aplnub

I should mention that I have a Mac at work and it has 1Password on it. So for me, I have minimized the threat of being locked totally out of my accounts a little bit more by having that Mac offsite. Still, one day I may not have that luxury. I also find this discussion fascinating.

RichardPayne

Still, one day I may not have that luxury. I also find this discussion fascinating.

How many people don't have a smartphone these days?

AGAlumB

@RichardPayne: Billions! ;)

But in all seriousness, even in 'developed' (industrially/technologically) countries such as the U.S. millions of people have personal computers but not smartphones. Interestingly, the reverse is true in China, where the mobile revolution has taken hold where the computer revolution was less widespread. I imagine it's due to China being less closed than it used to be, relatively speaking. It's all about timing! Big phones are, well...big here, but they are even more popular in the East (at least as a percentage of sales).

As cool as the last 30 years were, the next 10 are going to be crazy! :pirate:

One password certainly is enough for a database of information like 1Password, but (as many have pointed out) we all need to have a backup/contingency plan. :)

jpgoldberg

By the way, this is something that we've got an old (2012) blog post about:

More than just one password: Lessons from an epic hack

Edit

Now I see that I've already posted a link to that a few week ago. It's not that good of a blog post that it merits two mentions here, but none the less, it has managed it.

AGAlumB

:+1: ;) :+1: