Is one password really enough?

aplnub
Community Member

I rely on 1Password for all my account/password needs.

I have a Mac in my home and an iPhone. A tornado comes through and sucks up everything but me. At some point I have to get access to my 1Password data file to get my life back on track after complete devastation.

I go purchase a new Mac and iPhone. I realize I need to get Dropbox to get my 1Password vault. I realize I don’t know my Dropbox password. No problem, I will reset the password to the account. But wait, I don’t know the password to access my email because it is inside 1Password. The cycle continues...

Anyone else thought through the worst-case scenario? Thoughts on this?

Offsite storage is a solution but there are several scenarios that come to mind that could leave me finding myself up the proverbial creek.

Comments

  • Yes, if you are syncing your data, you may want to remember more than just "one" password.

    I personally memorize about 4:

    • My 1Password Master Password
    • My Apple ID password
    • My Dropbox password
    • And my primary email account password

    Remembering 4 strong unique passwords is still a lot better and easier for me than either trying to remember 150+ strong unique passwords, or having only 1 password for everything.

    Thanks! :)

    Ben

  • aplnub
    Community Member

    I am with you. I memorize three. Then there is the if I get amnesia thing. ;-)

  • prime
    Community Member

    I had the same memorized as @bwoodruff‌, but..... Ummm... Not sure what happened lol
    I need a better solution also as a backup. I have an idea, but not too sure about it yet.

  • Penelope Pitstop
    Community Member

    Anyone else thought through the worst-case scenario? Thoughts on this?

    There are plenty of other less threatening scenarios than a tornado that might take out all your home electronics in one go so it is prudent to think hard about this topic. Many don't until they experience a disaster. I hope your post prompts others to consider disaster recovery if they haven't already. Maybe some of my thoughts on the subject will help you and I'd be really interested to read what others have to say.

    I'm like @bwoodruff‌ in that I remember a handful of passwords with recovery in mind. I choose to memorise them simply for convenience and speed. I also have hardcopy of the small group of passwords needed for recovery stored in sealed envelopes with a few people I trust just in case I ever forget them.

    Offsite storage is a solution but there are several scenarios that come to mind that could leave me finding myself up the proverbial creek.

    Yes offsite storage is a solution but, unless it is automatic, you might find you aren't diligent enough to keep the offsite copies as up to date as you might imagine. Personally I try to maintain an offsite, bootable clone of my primary computer startup volume that has 1Password on it. This is in addition to a local Time Machine backup and CrashPlan. I think using a variety of backup techniques in parallel is good strategy in case one of them doesn't work for some unforeseen reason.

    The reason for the clone is that it enables me to almost instantly get working again on a new computer and gives me time to calmly decide how to fully recover my digital world whilst I sort out the other likely more pressing issues caused by any disaster. I used to rely on Time Machine but found that it takes too long to fully restore a computer from a Time Machine backup.

    The operative word here is "try". Having the discipline to maintain anything manually is fraught with potential for failure in my experience. That's why I like Time Machine, CrashPlan and using cloud sync for my 1Password keychain. However I try my best to update the clone once a fortnight. Sometimes I'm a bit lazy and don't update the clone, sometimes I don't immediately store it offsite after updating it. (Shock horror!) At one point I did maintain a copy of my .agilekeychain on a USB stick that I left with a friend. I thought that I might use 1Password Anywhere in an emergency. However this fell by the wayside due to my lack of discipline. Life just gets in the way and thwarts manual processes.

    The thing that many people neglect with any kind of disaster recovery plan is to practice following it. In my experience, clever people develop what seem like wonderful disaster recovery plans on paper only to discover that they don't actually work in practice because of one or two small details.

    No matter how simple your plan, test it regularly to make sure it really works. Test it for real too. For example, use different hardware in a different location without any of your existing equipment. Will that two week old clone or USB stick really work on another computer? Can you then fully recover from it? What's Plan B when this doesn't work for any reason? Does Plan B work? Will Time Machine, CrashPlan or whatever else you have in mind really work?

    Testing is particularly important when anything changes that might affect the plan. For example, you just enabled two-step verification thinking it will make you more secure, now how does that affect your recovery plan?

    Anyway, hopefully some of that is more food for thought @aplnub‌. Thanks for the post because it is high time my recovery plan were reviewed and tested once again.

  • Some excellent points! I personally have not done a very good job considering the local disaster possibility -- which is perhaps ironic as I'm a firefighter. I deal with local disasters frequently. In the event of a fire, I'd have the potential to lose a lot of data.

  • Penelope Pitstop
    Community Member

    That is ironic! I know plenty of people that don't back up like they know they should though, including supposed computer "experts". It's hard to get some people motivated to back up at all despite having lost irreplaceable digital images etc. For many it is all just too complicated.

  • Ben
    edited January 2015

    I think part of the problem is that offsite replication is either A) expensive and slow or B) very complex to set up and manage. With option A you have online backup providers such as Mozy, CrashPlan, etc. With option B as far as I know you pretty much have to roll your own unless you buy into an expensive enterprise NAS solution.

    I'd like to do an off site replication of my Drobo but I'd want to control the storage, and not pay a fortune. ;)

  • aplnub
    Community Member

    I use CCC for bootable and network backups along with a TM thrown in for good measure. Both at home and work. For me to get totally screwed over, both work and home would have to get scratched at the same time. I say totally because I would at least have my 1Password Data if one location was dealt a massive blow and that would be about it. But I accept that and realize it could be much worse. Besides, most of my important documents are on a Transporter (three locations) or in Dropbox.

    The part I can't take part in at home is an automatic offsite backup of my computer through Backblaze, etc. I would really like to do this but my SLOW AT&T DSL prevents this. Really hoping something comes along in the future to replace my only option besides dial-up as a realistic option here.

  • RichardPayne
    Community Member

    For many it is all just too complicated.

    It used to be, but that's really not the case any more. In my experience it is more an irrational fear of breaking something that stops people using software properly, combined with an unwillingness to learn new things. It's little surprise to me that this often correlates with age.

  • jpgoldberg
    1Password Alumni

    Hi @aplnub!

    As a matter of fact, we have an article that recommends exactly what you do, both about having more than just one memorable password and also about making decent backups: Agile Blog: More than just one password

  • baker
    Community Member

    I think you need to back up your 1Password vault EVERY time you make a change. Also, probably would be best to get your logins with a good strong password and not change too often. That way if for whatever reason you had to go to an old backup or old vault copy, it would mostly still be relevant.

    You could do your normal backups with external hard drives or wherever. In conjunction with that. Something easier, depending on your setup, you could have two SD cards to copy your vault to every time you make a change. And could keep one SD card outside of your computer. That's assuming using SD card would be easier than trying to connect your external hard drives up every time you make a change in your vault.

    That would help protect losing your up to date vault from a sudden hard drive crash and burn, and from like the article mentioned from a remote wipe.

  • RichardPayne
    Community Member

    I think you need to back up your 1Password vault EVERY time you make a change. Also, probably would be best to get your logins with a good strong password and not change too often. That way if for whatever reason you had to go to an old backup or old vault copy, it would mostly still be relevant.

    While what you're advocating certainly wouldn't hurt, it's not really necessary. So long as the backup includes the current primary email login then you can always password reset accounts that changed after the last backup.

  • Nurinai
    Community Member

    It's definitely not enough. I usually use two.

  • Megan
    1Password Alumni

    Hi @Nurinai ,

    Thanks for sharing your thoughts here! It's a pretty fascinating discussion ... that reminds me I need to get much more diligent with my own backups and disaster-recovery plan. :)

  • aplnub
    Community Member

    I should mention that I have a Mac at work and it has 1Password on it. So for me, I have minimized the threat of being locked totally out of my accounts a little bit more by having that Mac offsite. Still, one day I may not have that luxury. I also find this discussion fascinating.

  • RichardPayne
    Community Member

    Still, one day I may not have that luxury. I also find this discussion fascinating.

    How many people don't have a smartphone these days?

  • AGAlumB
    1Password Alumni
    edited March 2015

    @RichardPayne: Billions! ;)

    But in all seriousness, even in 'developed' (industrially/technologically) countries such as the U.S. millions of people have personal computers but not smartphones. Interestingly, the reverse is true in China, where the mobile revolution has taken hold where the computer revolution was less widespread. I imagine it's due to China being less closed than it used to be, relatively speaking. It's all about timing! Big phones are, well...big here, but they are even more popular in the East (at least as a percentage of sales).

    As cool as the last 30 years were, the next 10 are going to be crazy! :pirate:

    One password certainly is enough for a database of information like 1Password, but (as many have pointed out) we all need to have a backup/contingency plan. :)

  • jpgoldberg
    1Password Alumni
    edited April 2015

    By the way, this is something that we've got an old (2012) blog post about:

    More than just one password: Lessons from an epic hack

    Edit

    Now I see that I've already posted a link to that a few weeks ago. It's not that good of a blog post that it merits two mentions here, but nonetheless, it has managed it.

  • AGAlumB
    1Password Alumni

    :+1: ;) :+1:

This discussion has been closed.
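
The lockout cycle from the opening post (vault needs Dropbox, Dropbox reset needs email, email password is in the vault) can be checked mechanically, along with which memorized passwords break it and how two-step verification changes the answer. This is an added example, not part of the thread or 1Password's own code; the recovery map, including the assumption that the Apple ID resets by email and the `phone` factor, is constructed for illustration.

```python
from itertools import combinations

# Constructed model (assumption, not from the thread's authors): each item maps
# to the alternative sets of things that are each sufficient to regain it.
# An empty list means nothing but memory or a paper copy gets it back.
RECOVERY = {
    "vault": [{"dropbox", "master_password"}],  # synced vault file + its key
    "dropbox": [{"email"}],                     # password reset by email
    "email": [{"vault"}],                       # password stored only in vault
    "apple_id": [{"email"}],                    # assumed: reset by email
    "master_password": [],
}
PASSWORDS = ["master_password", "dropbox", "email", "apple_id"]

def recoverable(memorized, recovery=RECOVERY):
    """Fixed point: everything reachable starting from what is memorized."""
    have = set(memorized)
    changed = True
    while changed:
        changed = False
        for item, routes in recovery.items():
            if item not in have and any(route <= have for route in routes):
                have.add(item)
                changed = True
    return have

def locked_out(memorized, recovery=RECOVERY):
    """Items that stay unreachable after total device loss."""
    return set(recovery) - recoverable(memorized, recovery)

def minimal_sets(recovery=RECOVERY, candidates=PASSWORDS):
    """Smallest sets of memorized passwords that leave nothing locked out."""
    for size in range(1, len(candidates) + 1):
        hits = [set(c) for c in combinations(candidates, size)
                if not locked_out(c, recovery)]
        if hits:
            return hits
    return []

if __name__ == "__main__":
    print("only master password ->", sorted(locked_out({"master_password"})))
    print("minimal sets ->", [sorted(s) for s in minimal_sets()])
    # Re-test after a change: Dropbox reset now also needs a second factor.
    with_2sv = dict(RECOVERY, dropbox=[{"email", "phone"}])
    print("with 2-step ->", [sorted(s) for s in minimal_sets(with_2sv)])
```

Edit `RECOVERY` to match your own accounts and rerun it whenever a reset path or second factor changes.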