password for windows chicken and the egg
Help me out here. I have a long complex pw ....in order to log into the windows app I have to keep this pw in a text file. Anyone see a problem here? There needs to be a finger print integration or pin functionality.
Am I missing something here? Things were great on mac and IOS but this windows app...oh my.
and can i not create folders to keep this organized like on mac version?
1Password Version: latest
Extension Version: latest
OS Version: winders 10
Sync Type: cloud
Referrer: forum-search:password
Comments
-
Just my 2 cents: I have a long master password also - 64 characters. I have no trouble remembering it because it's a sentence. There's no need, in my opinion, to have a crazy inscrutable master password, just a very long string that you can easily remember. Even so, I don't like to have to re-enter it, so I keep it stored in Clipmate (a long-running clipboard manager), which lets me encrypt the entry with a smaller easier to type password. Alternatively, you could store the text file in an encrypted zip file, again with a smaller easier to type pwd. Both are not ideal, and inferior to having a finger print or retinal scan, but better than just keeping it plain text. Just name the file or clipboard entry to suggest it's something else entirely.
As for folders, sounds like your are using 1Password 6 which when I saw it on a friend's machine, didn't seem to have the folder capability, but I could be wrong. 1Password 4 has the folders though.
0 -
@BWA: While I wouldn't go so far to suggest storing your Master Password anywhere on your computer (a safe deposit box is a safe place — har har), using a long, strong, unique Master Password doesn't have to hurt. In fact, while I wouldn't want to discourage you from pushing your limits, you should know that 1Password uses PBKDF2 to strengthen your Master Password against cracking attempts by slowing things down considerably. And since 1Password doesn't store your Master Password, if you don't either, there's literally no way for anyone to use it to decrypt your data.
That said, certainly it's nice to have quicker ways to access our 1Password vaults, but it's even more important, even in that case, to have a great Master Password you can remember, since it will always be necessary to decrypt your data — even if you use something like Touch ID. We're interested in adding support for Windows Hello, so hopefully that will help too in the future.
Regarding folders, if you're using the 1Password.com subscription service, those are not used; rather, you can use tags to organize data. I hope this helps. Be sure to let me know if you have any other questions! :)
0 -
Robust passwords are very important, but I bet few if any hackers are employing botnets to brute-force crack them, because of things like PBKDF2 (which is a great feature of 1Password), and sites/devices blocking access after x number of failed attempts. Rather, it's phishing via email and fake web sites, social engineering, etc. that have been the most effective strategies; why bother with a single login, when you can potentially gain inside access to many, even to an entire database? That's why it's equally important to change your passwords, even robust ones, on some periodic basis.
0 -
Hi @Jassword,
Rather, it's phishing via email and fake web sites, social engineering, etc. that have been the most effective strategies; why bother with a single login, when you can potentially gain inside access to many, even to an entire database? That's why it's equally important to change your passwords, even robust ones, on some periodic basis.
Well, that depends on how they can get to the database itself. If you're using a local vault on your local drive, just figuring out your 1Password master password isn't enough, they also have to figure out how to breach your local system, find your vault file and upload it without looking suspicious to any other security system you might have in place. In this case, Clipmate could be your weakest link.
If you're using a cloud sync like Dropbox, we'd suggest 2FA in addition to Dropbox credentials, so they'd have to breach Dropbox and figure out 2FA code as well. If you're using 1Password.com service, they must not only phish for the master password, but the account key as well because you can't authenticate without having both and if they enter a few times too many time, we'd block you automatically.
The same strategy applies to changing the passwords. If I want to socially-engineer you into giving up your 1Password.com database, I can send you a phishing email saying it's been a while since you've last changed the password and take you to the 1Password website that looks exactly the same as ours and ask you to enter both the current password and new passwords along with your unique account key. Now I have enough to also update it on the real site, so that you never knew you were compromised.
You are correct that social engineering and the related phishing methods are effective but changing the passwords has its own issues. In fact, there was research done that said changing your passwords too often can weaken it because people tends to reuse the same password, just changing a few characters.
You probably know well enough that we wouldn't do this and you'd be on high alert if you see this, but it doesn't mean it is true for everyone.
Just to be absolutely clear, once your system is compromised, 1Password can be compromised as well, there's not much we can do to protect you because they could just install a key logger to capture everything you type in Clipmate, text file or 1Password.
That said, we still cannot recommend that you store any form of your 1Password master password anywhere on disks.
0 -
Hi Mike,
I'm certainly not condoning my mildly encrypted Clipmate or zip file shortcut to manually entering the master password. It's definitely a vulnerability, and I only do it on my notebook (my only computer), never on any other device. But I'm less worried about my notebook itself being compromised (with all the layers of protection I employ), than a commercial or financial site with my account data being compromised. The latter are clearly more of a target for hackers because of the potential payoff and the many more points of vulnerability, especially human vulnerability.It would be nice if I could just put my eye up to my webcam and login to the 1Password vault with my retina. I don't otherwise have a fingerprint sensor.
0 -
Right, it's just that this is a public support forum and we have to make these things clear for other folks.
Windows Hello is something we'd like to add to 1Password 6 in a future update. The UWP version of 1Password 6 already supports this in a limited fashion but we want to do more in the near future, not to mention of our recent announcement about supporting Intel's SGX feature soon.
0