password for windows chicken and the egg

Help me out here. I have a long complex pw... in order to log into the Windows app I have to keep this pw in a text file. Anyone see a problem here? There needs to be a fingerprint integration or PIN functionality.

Am I missing something here? Things were great on Mac and iOS but this Windows app... oh my.

And can I not create folders to keep this organized like on the Mac version?


1Password Version: latest
Extension Version: latest
OS Version: winders 10
Sync Type: cloud
Referrer: forum-search:password

Comments

  • Jassword
    Community Member
    edited January 2017

    Just my 2 cents: I have a long master password also - 64 characters. I have no trouble remembering it because it's a sentence. There's no need, in my opinion, to have a crazy inscrutable master password, just a very long string that you can easily remember. Even so, I don't like to have to re-enter it, so I keep it stored in Clipmate (a long-running clipboard manager), which lets me encrypt the entry with a smaller, easier-to-type password. Alternatively, you could store the text file in an encrypted zip file, again with a smaller, easier-to-type pwd. Both are not ideal, and inferior to having a fingerprint or retinal scan, but better than just keeping it in plain text. Just name the file or clipboard entry to suggest it's something else entirely.

    As for folders, sounds like you are using 1Password 6, which, when I saw it on a friend's machine, didn't seem to have the folder capability, but I could be wrong. 1Password 4 has the folders though.

  • AGAlumB
    1Password Alumni

    @BWA: While I wouldn't go so far as to suggest storing your Master Password anywhere on your computer (a safe deposit box is a safe place — har har), using a long, strong, unique Master Password doesn't have to hurt. In fact, while I wouldn't want to discourage you from pushing your limits, you should know that 1Password uses PBKDF2 to strengthen your Master Password against cracking attempts by slowing things down considerably. And since 1Password doesn't store your Master Password, if you don't either, there's literally no way for anyone to use it to decrypt your data.

    That said, certainly it's nice to have quicker ways to access our 1Password vaults, but it's even more important, even in that case, to have a great Master Password you can remember, since it will always be necessary to decrypt your data — even if you use something like Touch ID. We're interested in adding support for Windows Hello, so hopefully that will help too in the future.

    Regarding folders, if you're using the 1Password.com subscription service, those are not used; rather, you can use tags to organize data. I hope this helps. Be sure to let me know if you have any other questions! :)

  • Jassword
    Community Member

    Robust passwords are very important, but I bet few if any hackers are employing botnets to brute-force crack them, because of things like PBKDF2 (which is a great feature of 1Password), and sites/devices blocking access after x number of failed attempts. Rather, it's phishing via email and fake web sites, social engineering, etc. that have been the most effective strategies; why bother with a single login, when you can potentially gain inside access to many, even to an entire database? That's why it's equally important to change your passwords, even robust ones, on some periodic basis.

  • Hi @Jassword,

    "Rather, it's phishing via email and fake web sites, social engineering, etc. that have been the most effective strategies; why bother with a single login, when you can potentially gain inside access to many, even to an entire database? That's why it's equally important to change your passwords, even robust ones, on some periodic basis."

    Well, that depends on how they can get to the database itself. If you're using a local vault on your local drive, just figuring out your 1Password master password isn't enough, they also have to figure out how to breach your local system, find your vault file and upload it without looking suspicious to any other security system you might have in place. In this case, Clipmate could be your weakest link.

    If you're using a cloud sync like Dropbox, we'd suggest 2FA in addition to Dropbox credentials, so they'd have to breach Dropbox and figure out the 2FA code as well. If you're using the 1Password.com service, they must not only phish for the master password, but the account key as well, because you can't authenticate without having both, and if they enter it a few times too many, we'd block you automatically.

    The same strategy applies to changing the passwords. If I want to socially-engineer you into giving up your 1Password.com database, I can send you a phishing email saying it's been a while since you've last changed the password and take you to the 1Password website that looks exactly the same as ours and ask you to enter both the current password and new passwords along with your unique account key. Now I have enough to also update it on the real site, so that you never knew you were compromised.

    You are correct that social engineering and the related phishing methods are effective, but changing the passwords has its own issues. In fact, there was research done that said changing your passwords too often can weaken them because people tend to reuse the same password, just changing a few characters.

    You probably know well enough that we wouldn't do this and you'd be on high alert if you see this, but it doesn't mean it is true for everyone.

    Just to be absolutely clear, once your system is compromised, 1Password can be compromised as well, there's not much we can do to protect you because they could just install a key logger to capture everything you type in Clipmate, text file or 1Password.

    That said, we still cannot recommend that you store any form of your 1Password master password anywhere on disk.
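
An added example, not part of the thread and not 1Password's code: a sketch of how PBKDF2 stretching raises the cost of every guess, and why a master password kept under a shorter "easier to type" password is only as strong as the shorter one. The iteration count, the verifier construction and the password models are assumptions chosen for illustration.

```python
import hashlib, hmac, math, time

ITERATIONS = 100_000  # assumed work factor; the thread gives no figure

def derive_key(password, salt, iterations=ITERATIONS):
    """Stretch a password into a 32-byte key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def make_verifier(password, salt, iterations=ITERATIONS):
    """Keep only a tag computed with the derived key, never the password."""
    key = derive_key(password, salt, iterations)
    return hmac.new(key, b"vault-check", "sha256").digest()

def unlock(candidate, salt, verifier, iterations=ITERATIONS):
    """Every guess must pay the full PBKDF2 cost before it can be checked."""
    tag = make_verifier(candidate, salt, iterations)
    return hmac.compare_digest(tag, verifier)

def seconds_per_guess(iterations=ITERATIONS):
    start = time.perf_counter()
    derive_key("timing probe", b"\x00" * 16, iterations)
    return time.perf_counter() - start

def guess_space_bits(choices, picks):
    """Bits of search space when each of `picks` symbols is one of `choices`."""
    return picks * math.log2(choices)

def effective_bits(master_bits, wrapper_bits):
    """A master password stored under a second password inherits the weaker one."""
    return min(master_bits, wrapper_bits)

def years_to_exhaust(bits, per_guess_seconds):
    return (2 ** bits) * per_guess_seconds / (365.25 * 24 * 3600)

if __name__ == "__main__":
    salt = bytes(range(16))  # constructed; real salts are random per vault
    phrase = "seven random words as a constructed sample"  # constructed sample
    verifier = make_verifier(phrase, salt)
    print("right password:", unlock(phrase, salt, verifier))
    print("wrong password:", unlock("seven random words", salt, verifier))
    cost = seconds_per_guess()
    master = guess_space_bits(7776, 7)  # constructed: 7 words from a 7776-word list
    wrapper = guess_space_bits(26, 8)   # constructed: 8 lowercase letters
    stored = effective_bits(master, wrapper)
    for label, bits in (("master only", master), ("stored under short password", stored)):
        print(f"{label}: {bits:.1f} bits, {years_to_exhaust(bits, cost):.3g} years at {cost:.3f}s/guess")
```

The comparison gives the wrapper the same per-guess cost as the vault, which is generous: a clipboard manager or zip tool may apply far less stretching than that.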

  • Jassword
    Community Member

    Hi Mike,
    I'm certainly not condoning my mildly encrypted Clipmate or zip file shortcut to manually entering the master password. It's definitely a vulnerability, and I only do it on my notebook (my only computer), never on any other device. But I'm less worried about my notebook itself being compromised (with all the layers of protection I employ), than a commercial or financial site with my account data being compromised. The latter are clearly more of a target for hackers because of the potential payoff and the many more points of vulnerability, especially human vulnerability.

    It would be nice if I could just put my eye up to my webcam and log in to the 1Password vault with my retina. I don't otherwise have a fingerprint sensor.

  • Right, it's just that this is a public support forum and we have to make these things clear for other folks.

    Windows Hello is something we'd like to add to 1Password 6 in a future update. The UWP version of 1Password 6 already supports this in a limited fashion, but we want to do more in the near future, not to mention our recent announcement about supporting Intel's SGX feature soon.

This discussion has been closed.