2-Part Password
I've been thinking about the possibility of implementing a **2-part password strategy** using 1Password to store only part of all of my passwords, and appending these with a common, private, memorised password as the other part.
I wondered whether this could be implemented already somehow, e.g. for automated login?
Say I store a particular login in 1Password as:
[common]32uysbe3497xwqwer
The [common] part is a memorable passphrase variable that I set as a secondary login when I unlock 1Password, and is only ever held in RAM, not written to disk. It's a short, memorable phrase.
In this way, if my vault is ever compromised, the passwords contained within it are not immediately usable, as they would not know my memorable passphrase.
Can something like this be done already?
If not, could I suggest it as a feature?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
Hi @SLRist,
Thanks for sharing your idea with us. It is an interesting idea, but it may not protect you much because you're sharing a key piece of your method in public. You're assuming the sites are storing your passwords in an encrypted fashion, but many do not, and it only takes one or two site breaches to figure out the first half of all of your passwords. Not to mention, many sites have restrictions on the length of your passwords, which means you can weaken your passwords by sharing a common key. Heck, some sites even send you the password in clear view for password reminders, and since emails are not encrypted, that is actually weakening your security already without even worrying about your 1Password database.
If someone breaches a simple site that has your password with the common key in it, and then also has the power to breach your 1Password vault, they can figure out the common key by comparing the site's password to the one in your 1Password database.
Any time you add a memorable static code to a password scheme, it will eventually be figured out by studying the patterns; humans and machines are great at picking out patterns. That's why it is important to keep the passwords as randomised as possible. If someone breaches two sites and sees that you have the same 5 characters, they'll just tune their password generators to add those first 5 characters and use them to breach other sites, and that can be done even without breaching your 1Password data.
> The [common] part is a memorable passphrase variable that I set as a secondary login when I unlock 1Password, and is only ever held in RAM, not written to disk.
Neither is your master password; it is not stored anywhere, nor written to disk anywhere. We don't actually use your master password; we derive a key from your master password that is then used to encrypt the encryption key.
In 1Password for Families and Teams, we actually did something like this, but for your master password instead; we call it Account Keys. You can see more info here: https://support.1password.com/understanding-account-key/
-
Interesting, thanks for the response. How about this, then: get 1Password auto-login to create a hash of the account-specific password held in 1Password combined with the memorable common passphrase, and use the result as the actual login.
Any better?
-
Yes, I see what you mean. It's kind of just doubling up on the 1Password encryption. Encrypting the passwords within the encrypted vault.
Not really much point in doing that, I guess.
-
Indeed, we want to be careful. If it doesn't increase security, it's just adding additional complexity. Cheers! :)
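The two schemes discussed in this thread, as an added worked example that is not part of the original posts or of 1Password's own code. Scheme 1 is the opening proposal: the site password is the memorised [common] part followed by the random half stored in the vault. Scheme 2 is the follow-up proposal: the site password is a keyed hash of the stored half and the memorised passphrase. The passphrase, vault values and wordlist are constructed sample data, and HMAC-SHA256 with base64 output is an assumed choice of hash, since the thread names none. The code shows the longest-common-prefix recovery from two leaked plaintext passwords that the reply describes, the forging of a third site's password once the vault half is also known, and an offline wordlist attack against the derived variant given one leaked derived password plus the matching vault half.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample data: the memorised half that never enters the vault,
# and the random per-site halves as they would sit in the vault.
COMMON = "correct-horse"
VAULT = {
    "shop.example": "32uysbe3497xwqwer",
    "forum.example": "q8Hs2nd0LpaZ7vWe",
    "bank.example": "Ym4kTr9x1QoPdf2s",
}


def concat_scheme(common: str, stored: str) -> str:
    """Scheme 1 from the opening post: site password = [common] + stored half."""
    return common + stored


def derived_scheme(common: str, stored: str, length: int = 20) -> str:
    """Scheme 2 from the follow-up: site password = keyed hash of the stored half.

    HMAC-SHA256 keyed with the memorised passphrase is an assumed construction;
    the thread does not name a hash. The digest is base64-encoded and trimmed
    to `length` characters so it fits typical site password limits.
    """
    mac = hmac.new(common.encode(), stored.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")[:length]


def recover_common_prefix(leaked: list[str]) -> str:
    """Attacker view of scheme 1: two or more leaked plaintext site passwords
    share the memorised part, so the longest common prefix recovers it."""
    return os.path.commonprefix(leaked)


def forge_with_vault_half(leaked: list[str], vault_half: str) -> str:
    """Scheme 1 with a breached vault as well: the recovered prefix plus the
    stored half of a third site gives that site's full password directly."""
    return recover_common_prefix(leaked) + vault_half


def guess_common(candidates: list[str], stored: str, leaked_derived: str):
    """Attacker view of scheme 2 with one leaked derived password and the
    matching vault half: try each candidate passphrase. A fast hash and a
    short memorable phrase turn this into a wordlist attack rather than a
    search of the whole password space."""
    for candidate in candidates:
        if derived_scheme(candidate, stored) == leaked_derived:
            return candidate
    return None


if __name__ == "__main__":
    sites = list(VAULT)
    plain = [concat_scheme(COMMON, VAULT[s]) for s in sites]
    print("scheme 1 leaked:", plain[:2])
    print("recovered prefix:", recover_common_prefix(plain[:2]))
    print("forged third site:", forge_with_vault_half(plain[:2], VAULT[sites[2]]))

    derived = [derived_scheme(COMMON, VAULT[s]) for s in sites]
    print("scheme 2 leaked:", derived[:2])
    print("common prefix now:", repr(recover_common_prefix(derived[:2])))
    wordlist = ["password", "letmein", "horse-correct", COMMON]
    print("passphrase guessed:", guess_common(wordlist, VAULT[sites[0]], derived[0]))
```

Under scheme 1 the two leaked passwords give the passphrase back immediately, and with the vault half of a third site the attacker needs no guessing at all. Under scheme 2 the leaked values share no useful prefix, but a leaked derived password together with the matching vault half lets the attacker test passphrase guesses offline at hash speed, so the scheme's strength is bounded by the memorised phrase.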