Disaster Recovery

nasht00

So I’ve been using 1Password for many years now. I have it on my iPhone and on my Mac, using Dropbox sync.
Almost all of my passwords are random generated. I don’t remember them. I’m dependent on 1P.

It’s been fine so far. But lately I’ve been thinking. What if tomorrow someone steals both my phone and computer? Or a fire burns them? I’m stranded somewhere with no access to them.

Let’s say all I have is a public computer, and my master password safely in my head.

Would you like to share tips to prepare for such disaster scenarios?

So far I was thinking of generating a secret short url that I will remember, to download the OPVault. Then I’d need to somehow install 1P on this public computer etc..

danco

It's really best not to use a public computer in this case, they are fundamentally unsafe. You would probably do better to buy a cheap cell phone and use that if you were stranded.

One of the benefits of the subscription model that AgileBits are pushing hard (there are a good many other benefits) is that it allows you to reach your passwords using a web browser if you wish, and the data is stored on AgileBits own server (with a local copy).

To use 1PW with the subscription you need both a Secret Key (generated for you the first time you use 1PW) and a Master Password (chosen by you).

The Secret Key is needed once on each device you use 1PW on, and can be recovered on any such device.. For disaster recovery you will need to be able to access it somehow, perhaps written down in a safe deposit box or kept with a friend or even a note in your wallet (which is fairly safe, as a thief would probably not recognise what it was for, and even if they knew it was a 1PW Secret Key they could get nothing without your email address and Master Password).

The Master Password is needed from time to time even if you normally use TouchID.

Forget your Master Password and sooner or later you will lose all access to your passwords. AgileBits CANNOT reset anything for you (that would be a security risk - other password managers choose to allow that risk because people forget their master password).

nasht00

Fair enough about public computers. Let’s assume a friends computer or a new one.
I know about 1Password push for subscription model but I don’t like it. (Also you need to remember the secret key).

I’m sticking with the Dropbox scenario. I’m not worried about forgetting my master password.
But I may forget my email password, Dropbox password etc.

So I reiterate my question, assuming:

• 1Password OPVault
• Dropbox Sync (not subscription)
• I remember my master password
• I forget all other passwords

What are the best tips to recover from such a scenario?

Ben

The best I could suggest would be building an Emergency Kit, similar to what comes with a 1Password membership:

Get to know your Emergency Kit | 1Password

One of our customers did just that, and shared his work:

https://productivityist.com/1password-emergency-kit-3/

This particular example contains more information than I’d suggest including, but it may help in getting started.

Ben

nasht00

Hm so the suggestion is to carry around a piece of paper with my Dropbox password?
I’m not convinced about this type of solution. It seems both dangerous and inconvenient at the same time.

Also, my Dropbox account has 2-factor, which is configured within my 1password...

rlh

I had put some thought into that scenario before I converted (recently) to a Family plan.

Let’s say all I have is a public computer, and my master password safely in my head.
:
So far I was thinking of generating a secret short url that I will remember, to download the OPVault

Your secret URL method implies that URL is publicly accessible. You are hoping for security through obscurity. BAD.

You would be better off to have one other thing in your head--your Dropbox account ID and password. Let 1Password generate a 5 or 6 random word passphrase and memorize it. Or generate a shorter, seemingly random password based on the first letter of every word of some long memorable sentence.

I have also included "I get hit by a bus" in my disaster recovery plan.

Which means there are three critical things that need to be preserved:

1. Existence and location of 1Password data
2. Master password
3. Dropbox login info or Secret Key

In the "house burns down" scenario, you certainly know #1 and #2. And probably/maybe #3. But for me I need to figure out where I can keep potentially multiple copies of the Secret Key (I'll never memorize that) in locations that are not in the burned down house.

In the "hit by bus" scenario then you need to make sure enough appropriate people even know #1 and that you have given them access to some record of both #2 and #3 (although #3 might not be needed if they can access your computer with Dropbox already logged in or the Secret Key installed). This also implies that the "bus" scenario could add:

4. Alternate to #3, login information for my personal computer

Anyway, that's my recovery plan. I have that all written down in an Emergency Kit. I'm still struggling with the correct number and identity of trustworthy and geographically diverse people to make this robust.

AGAlumB

@nasht00: You can use whatever solution best suits you then. No one is going to force you to do things their way. You asked for tips. :tongue:

Personally, I like to keep it simple: I've got a lot of authorized devices which I can use to sign into others typically, and a copy of my Emergency Kit in a secure location (which my loved ones will also be able to access if something happens to me) in case I ever need it.

For me, anything else would be overkill, but I think it's important that we each do what works best for our needs. Cheers! :)

rlh

@nasht00

I think I was composing when your follow-up was posted. I had forgotten about this variable:

Also, my Dropbox account has 2-factor, which is configured within my 1password...

(Good thing I moved to a Family plan, my former Dropbox recovery plan would have failed on TOTP! :blush: )

Your obscure URL approach is about all you have left (which I still think has its own security risks).

SpaethCo

For DR with all Apple devices, I think you're better off using iCloud sync than Dropbox. You need to know your Apple ID to be able to use "Find my iPhone" in the event your phone is lost/stolen anyway, so that's a password that's best to commit to memory.

If you lose all your devices, you buy a new Apple device and get it signed into iCloud, and now you have all your passwords back again once you install the app.

Of course, this also works with the membership because they add the secret key into the iCloud sync'd keychain. The membership opens up even more DR options with something like a family plan, because you can share your secret key with other family members securely (you can still keep the master password secret). In that scenario of losing all your devices, you call or visit your family member, get the secret key, and now you can get at your passwords from any web browser, or using something like the 1Password X extension on a $100 Chromebook. This gets you around the cost of new Apple devices and/or delays in reauthorizing iCloud access when all your trusted devices are gone.

Ben

Some great points, @SpaethCo. :)

Ben

nasht00

@SpaethCo good points.
It is true that I remember my iCloud password since I am often asked to provide it (app store for example).

I've been reluctant to move to iCloud mostly because it means that I locked into Apple devices in case of troubles.

Is there a way to sync with both?
Or, is there a way to access the backup from a non-Apple device if needed?

SpaethCo

@nasht00 I believe you could take the backups stored in ~/Library/Group Containers/2BUA8C4S2C.com.agilebits/Library/Application Support/1Password/Backups and place them somewhere you could get at them, and then re-import them into another 1Password client.

Of course, that's either going to be a manual copy or you're going to have to build the sync process yourself.

I know you're against the subscription, but honestly the hosted service solves this problem quite nicely. All you have to do is create a vault with a single item (your account's secret key) and share that with someone you trust. If you lose access to all your devices, you get your secret key from them and using the master password in your head you can access your credentials from any web browser (preferably on a trusted device).

It's really the easiest way to do this, unless you want to go all-in on Apple devices and trust recovery through iCloud.

AGAlumB

I love this discussion. :)

@nasht00: While I think iCloud is a great service, I'm also not all in on it since I need to use non-Apple devices regularly. The biggest "problem" with iCloud (depending on the person, this might not even matter) is that it's pretty opaque. There isn't an easy way to get data out of it, or to manage what's there.

1Password doesn't have a notion of syncing the same data with multiple services, as they all work very differently and that could get pretty messy. Folks can end up with sync conflicts when using a single service, so I can only imagine with more than one...

SpaethCo had a good suggestion about backups, but while that would help you recover on a similar device, they are for the local database and aren't really interoperable for many reasons. So if you're looking for something more portable, I'd go with a vault using Folder Sync. That will create an OPVault that any of the apps can read, and is also what is used for syncing with Dropbox anyway (iCloud has its own database structures, rather than doing file-based syncing). Of course, backups are good too, but they'll be most useful if you'll be able to restore them in the same environment.

While there's a lot of flexibility there, it can also get pretty complicated, and you'll have to manage all of this. So if there's a desire to simplify, I'd have to concur that 1Password.com is a better option, since backup and recovery are built right into the design. Just something to consider.