Best practice re: master password?

Hello, I'm looking for recommendations/best practices to be more secure.
1. Is it a security risk to store my long, auto-generated 1Password master password in 1Password itself (as a login)? What's the best practice regarding that?
2. Similar for my Authy password (also long, auto-generated) - is it bad practice to store it in 1Password?

Thanks!
Frank


1Password Version: 7.6.783
Extension Version: 1Password X (Chrome)
OS Version: Win 10
Sync Type: Account/Membership

Comments

  • Greg
    1Password Alumni

    Hi @fmarotto,

    Everything you store in your 1Password vault is encrypted, so you can store your Master Password in your vault (I mean, you have to know your Master Password to access your vault and get to your Master Password stored there).

    Moreover, I would recommend that you have a Login item for your 1Password account in your vault. It might be helpful in several situations. One common scenario is that the person has forgotten their Master Password, but still has access to their vault via Touch ID or Face ID. By having the Master Password in a Login item this person is able to recover, whereas without that Login item, they likely would’ve been faced with starting a new account.

    As for Authy, am I right to understand that you use Authy to store the authentication codes for your 1Password account? Authy is a recommended app for it, so it is fine. Moreover, I do not see why it might be a bad practice to store your Authy item (username and password) in 1Password – in order to get access to your Authy account (and your second factor for 1Password account), a person will need to know your Master Password and it is known only to you.

    Let me know if my understanding of your concerns is not correct. Thanks! :+1:

    ++
    Greg

  • Andrew42
    Community Member

    Greg. I have a follow-up question: I have had the standalone Windows version for several years now and have never changed my Master Password. It has always seemed to me that that is not the right thing to do. What do you guys recommend/do yourselves?

  • Hey @Andrew42 👋

    Our very own @DanielP covers this specific question quite well over on this thread and I really think he does a much better job explaining than I could.

    Give it a look!

  • fmarotto
    Community Member

    Thanks for the quick answer, Greg - I think that all makes sense, but just to confirm... My concern that initiated the question is that sometimes when I access 1Password on Windows, rather than forcing me to enter my master password manually, it allows me to auto-fill it (via 1Password) and get in. Will it only do this if I've already logged in manually previously and 1Password hasn't timed out (auto locked) or exited? In other words, the first time in (for a session), is it always required to manually enter the master password rather than auto-filling it?

    I use Authy to generate 2F codes for 1Password and other sites/apps, but I don't actually store them there. Regardless, I think it's the same scenario I'm asking about. I have Authy on my Windows laptop as well as my phone, and on Windows, if 1Password allowed me (or someone) to autofill 1Password and then Authy, the login and 2F security would be bypassed.

    As I think through this question, and in light of your previous answer, this would be a very obvious hole for 1Password to not have addressed, but I do want to make sure I'm not making a naive user move that will get me in trouble!

    Thanks again for helping ensure my setup is secure. I'm pretty jazzed about getting on 1Password!
    Frank

  • Andrew42
    Community Member

    @Blake: perfect. Thank you.

  • Greg
    1Password Alumni

    Hi @fmarotto,

    > My concern that initiated the question is that sometimes when I access 1Password on Windows, rather than forcing me to enter my master password manually, it allows me to auto-fill it (via 1Password) and get in. Will it only do this if I've already logged in manually previously and 1Password hasn't timed out (auto locked) or exited? In other words, the first time in (for a session), is it always required to manually enter the master password rather than auto-filling it?

    Do you sign in to your account on 1Password.com in the browser? If you have already unlocked 1Password 7 for Windows and the 1Password extension in your browser, there is no need for you to do that. If you tell me how you use 1Password on your computer now, it will be helpful.

    And yes, 1Password extension (or 1Password X) is able to fill your credentials in the browser only if you unlock it with your Master Password first. It won't be able to fill your credentials without unlocking. Let me know if I am misunderstanding the question here.

    > I use Authy to generate 2F codes for 1Password and other sites/apps, but I don't actually store them there.

    I am not sure I follow. Authy is a 2FA app, so it stores your 2FA codes. Could you please clarify?

    > Regardless, I think it's the same scenario I'm asking about. I have Authy on my Windows laptop as well as my phone, and on Windows, if 1Password allowed me (or someone) to autofill 1Password and then Authy, the login and 2F security would be bypassed.

    Again, 1Password will decrypt your data and allow you to fill your credentials only if you unlock it first. In order to unlock 1Password on a device, you will need your Master Password and your Master Password is known only to you.

    If you have any concerns about it, you can change Auto-lock settings for 1Password 7 for Windows in Settings > Security > Auto-lock.

    Please note that 1Password X (if you use it in your browser) works entirely in your browser and it has its own Auto-lock settings.

    In addition to that, 1Password X will lock every time you close your browser.

    Let me know if it helps. Thanks!

    ++
    Greg

  • Greg
    1Password Alumni

    @Andrew42: On behalf of Blake you are very welcome! :+1:

  • fmarotto
    Community Member

    Greg, that helps a lot - again, thank you! I think I'm getting the hang of it now - knowing that when it's locked I always have to enter credentials is the key. Comments on Authy also make sense. Next question: on Windows, when is it best to use v7 app vs. 1Password 10 vs. 1Password.com? Even vs. 1Password Mini? So many options! Thanks
    Frank

  • Greg
    1Password Alumni

    Hi @fmarotto, you are very welcome! I am happy to help. :)

    > on Windows, when is it best to use v7 app vs. 1Password 10 vs. 1Password.com? Even vs. 1Password Mini?

    Sorry for the confusion with multiple options! We are in the process of simplifying it and making it more consistent on all platforms. There is no best way, to be honest. For example, it is really convenient to work with your data (and organise it) in 1Password 7 for Windows. You can then use 1Password companion extension and 1Password mini to fill your credentials in the browser and other apps on your PC. Here is how:

    Use the 1Password extension to save and fill passwords on your Windows PC

    Fill details in apps using 1Password mini on Windows

    1Password X (pronounced like eks), on the other hand, is our new type of extension that works entirely in your browser. It doesn't need to connect to a standalone 1Password app, so it works independently (it allows 1Password X to work on Linux, Chromebooks, or work computers, where you can't install any software). Learn more about 1Password X:

    Get to know 1Password X

    You can give all options a try and decide which one works best for you. Feel free to raise any other questions, we are always ready to help.

    Cheers,
    Greg

  • fmarotto
    Community Member

    Perfect, thank you!

  • Greg
    1Password Alumni

    Hi @fmarotto,

    You are very welcome! :+1: :)

    ++
    Greg

This discussion has been closed.