Mitigate worst case - house fire destroys all devices - when using 1Password? Ideas?

mac_chrome_user
Community Member

This is a question that literally kept me up at night yesterday.

I've been using 1Password for Mac as well as 1Password for iOS (iPhone & iPad). I keep my 1Password file on each device and sync to Dropbox. I have 2FA with Google Authenticator ONLY on Dropbox as well as my email accounts (NO backup phone number) for security purposes. ALL passwords, including my Dropbox password, are generated & stored using 1Password (I believe Dropbox is thus a 64-character password, computer-generated).

Also, before anyone suggests it, I would NOT use the 1Password cloud service for 2 reasons: 1 - repeating (but small) monthly cost and 2 - I don't want to put "all my eggs in one basket" (feel safer that both (a) my Dropbox account must be hacked and (b) the 1Password encryption must be hacked to recover my data).

I just thought last night - what if there is a house fire and my MacBook, iPhone, and iPad all burn down?

Would I be able to recover my 1Password file somehow or would I be locked out of ALL my accounts (banks, email, insurance, etc. etc.)?

Any thoughts on how people mitigate this besides just using a less secure Dropbox password?



Comments

  • AGAlumB
    1Password Alumni

    @mac_chrome_user: First and foremost, if you lose access to your data and/or the keys to it (for example, your Master Password), you're out of luck, just as an attacker would be. So I think it's helpful to approach this the same way as any other backup: keep important "data" offsite.

    Now, with 1Password, most of us already have our data offsite. But it's important to keep in mind that Dropbox sync is not meant to serve as a backup, and even with 1Password.com automatic backup you'll need your credentials to be able to get to your data.

    So, for example, just as backing up important files from your computer and storing a copy in a secure location separate from your residence (like a safe deposit box) is important, you can similarly keep a 1Password Emergency Kit with whatever you'd need to get your data in case of disaster. Depending on your needs, this could be your Master Password, Secret Key, Dropbox credentials, and perhaps even a copy of your vault on a removable drive. Ultimately the exact details are up to you.

    Also keep in mind that your Dropbox account wouldn't need to be hacked for someone to get your data. There are any number of ways that someone might get it off of one of your devices or in transit. But the good thing about 1Password is that your 1Password data is end-to-end encrypted, so 1Password simply doesn't depend on the sync service to protect your data. And with a 1Password.com account, you have the additional protection of the Secret Key. But either way, 1Password is built with the assumption that someone can get your data, so that it's still secure even then due to encryption.

    I hope this helps. Be sure to let me know if you have any other questions! :)

  • mac_chrome_user
    Community Member
    edited May 2017

    Thanks so much for your helpful information. A 1Password Emergency Kit does, in fact, sound like a good idea! :)

    EDIT: Thinking about it more, the minimum I need in my 1Password Emergency Kit is my Dropbox password and a backup code to get in without my Google Authenticator device(s)

  • AGAlumB
    1Password Alumni

    You're welcome! Yeah, it really depends on your setup, but it sounds like that will work for you. The most important thing is to ask yourself, "If I lose everything else, what do I need in order to get back into my 1Password data?" and then put that in your Emergency Kit in a secure location. Cheers! :)
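
The question above ("If I lose everything else, what do I need in order to get back into my 1Password data?") can be checked mechanically. This is an added example, not part of the original thread and not 1Password code: it models the setup described here as a dependency table and computes what stays locked for a given Emergency Kit. The asset names, the table, and the assumptions that the Master Password is memorized or in the kit and that email backup codes are not stored in the vault are all illustrative.

```python
# Added example: models the sync/2FA setup described in this thread.
# Asset names and the dependency table are assumptions made for illustration.

# asset -> alternative ways to get it; each way is a set of prerequisites.
RECOVERY_PATHS = {
    "dropbox_2fa":      [{"authenticator_device"}, {"dropbox_backup_code"}],
    "dropbox_login":    [{"dropbox_password", "dropbox_2fa"}],
    "vault_file":       [{"dropbox_login"}, {"offsite_vault_copy"}],
    "vault_contents":   [{"vault_file", "master_password"}],
    # Generated passwords exist only inside the vault.
    "dropbox_password": [{"vault_contents"}],
    "email_password":   [{"vault_contents"}],
    # Assumption: email backup codes are NOT stored in the vault.
    "email_2fa":        [{"authenticator_device"}, {"email_backup_code"}],
    "email_login":      [{"email_password", "email_2fa"}],
}

def recoverable(in_hand):
    """Return everything reachable from the items that survived the disaster."""
    have = set(in_hand)
    changed = True
    while changed:  # iterate to a fixed point
        changed = False
        for asset, paths in RECOVERY_PATHS.items():
            if asset not in have and any(path <= have for path in paths):
                have.add(asset)
                changed = True
    return have

def locked_out(in_hand, goals=("vault_contents", "dropbox_login", "email_login")):
    """Goals that stay unreachable with the given surviving items."""
    got = recoverable(in_hand)
    return sorted(g for g in goals if g not in got)

# Constructed scenarios: what is left after all devices are destroyed.
SCENARIOS = {
    "memory only": {"master_password"},
    "minimum kit from the thread": {"master_password", "dropbox_password", "dropbox_backup_code"},
    "offsite vault copy + email code": {"master_password", "offsite_vault_copy", "email_backup_code"},
}

if __name__ == "__main__":
    for name, items in SCENARIOS.items():
        print(f"{name}: locked out of {locked_out(items) or 'nothing'}")
```

Editing `RECOVERY_PATHS` to match your own accounts shows which single kit item breaks each lockout loop.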

  • pervel
    Community Member

    "feel safer that both (a) my Dropbox account must be hacked and (b) the 1Password encryption must be hacked to recover my data"

    I would argue that the same two steps are necessary for an attacker if you're using 1Password.com: both (a) your 1Password account must be hacked and (b) the 1Password encryption must be hacked.

    So in this sense the Dropbox solution is only safer if you believe that Dropbox servers have better security than 1Password servers. I don't think they do.

  • AGAlumB
    1Password Alumni

    @pervel: That's a really good point, but I still think it's sort of moot in either case since the data is encrypted. The Secret Key strengthens that for 1Password.com accounts, but even local vaults are already infeasible to brute force with a strong Master Password. But the Secret Key prevents an attacker from performing a brute force attack against the Master Password in the first place. An interesting distinction though!

  • danco
    Volunteer Moderator

    I would add that if you use the Words option of 1PW's Password Generator, you can get a reasonably secure password that is also easy to remember. That's what I do for Dropbox and my AppleID.

  • mac_chrome_user
    Community Member

    Thanks, @danco, for your helpful suggestion!

  • :+1:

    Ben

This discussion has been closed.