Best practices for memorized versus generated passwords

sdg
Community Member
edited December 2013 in Mac

Hey agile bits team, I'm wondering what your best practice recommendation is for something. It seems like some passwords we just should memorize rather than using generated passwords. I'm thinking about bad to worst case scenarios, like having a phone and laptop stolen at the same time. I'd still want to be able to get into certain sites until I got a new device onto which I could reinstall and sync 1Password. And I'd need to have the password for that sync service memorized. What logins do you recommend keeping memorizable, and should those passwords be master password strong? Here are the ones I'm thinking of:

  • computer login - (especially if using file vault)
  • email
  • bank
  • sync service for 1Password file (e.g. dropbox, iCloud)
  • bank account login
  • anything else that needs to be entered a lot by hand, like an Apple password
  • cloud back up service to be able to recover files if hardware lost or stolen and no access to 1Pass

Does this sound right to you, should they all be different, and should they all be master password strong? This quickly becomes a large number of long passwords to remember. Would love your thoughts.

Thanks.

Comments

  • DavidB
    Community Member
    edited November 2013

    sdg wrote:

    It seems like some passwords we just should memorize rather than using generated passwords. I'm thinking about bad to worst case scenarios, like having a phone and laptop stolen at the same time . . . . Does this sound right to you, should they all be different, and should they all be master password strong? This quickly becomes a large number of long passwords to remember.

    I am not on the AgileBits team, so please feel free to ignore any observations I may make. I think you are very right to consider in advance how you would recover from a disastrous loss of data, but in my opinion, memorizing passwords beyond unrecoverable ones defeats the purpose of 1Password.

    I have only three memorized passwords, each of which is strong and different (à la Diceware): (1) my OS X account login, (2) my Login keychain and (3) my 1P master password. All the rest are managed by 1P (or my Login keychain).

    In case of the physical loss of my computer, I have onsite and offsite clones, plus incremental cloud backups of my Users folder, one of which I would use to access my 1P data from a replacement computer.

    David

    Update:
    Edited to add "(or my Login keychain)" to the end of the third paragraph.

  • sdg
    Community Member

    Looks like the carriage returns didn't come through in my post so apologies for the sloppy list.

    David, thanks for the advice. Getting the most out of 1Password, maintaining convenience and recovering quickly are definitely the things I'm trying to balance. For example, there are some passwords I find I have to use often on iOS, and use outside of the browser, and so it seems a bit of a pain to go to 1Password for them on iOS. I'm thinking especially right now of my Apple password. But I want it to be strong, so I put it on that list.

    As for recovery, I've got on site and offsite backups too. For our disaster scenario let's assume for the sake of my question it's all our devices where we're running 1Pass being stolen or destroyed at once. For people with a laptop, iPhone and even iPad, I don't think that's out of the question. For your offsite backups are these ones you have physical access to or are they cloud based? If they're physical, then to have access to your passworded services again after a disaster you'd need to physically get the backups and then restore them to some computer you don't have yet. If it's cloud based you can restore your 1Pass file to a friend or family member's machine, install a new copy of 1Pass, and be up again quick. But then you have to have the cloud based service password memorized. Which adds another password to the list of strong passwords to memorize...

  • [Deleted User]
    Community Member
    edited December 2013

    I only need to remember my 1Password master password, but I do know my Dropbox password for convenience.

    Here is my system:

    1Password on my two Macs, synced via Dropbox.

    I use Time Machine and Superduper for local backups, however they are encrypted and I do not know the encryption passwords. I backup my data (including my 1Password data) to Amazon S3, using Arq. I do not know my Amazon login password, my Amazon access credentials or my Arq encryption password.

    That is why I need a specific backup of my 1Password data. I burn a CD maybe once a year of my 1Password data. It's not a big deal if not all of the 1Password items are up to date. The only items that need to be are those that unlock my backup options (local and online). As soon as I get access to those, I can get access to an up-to-date copy of my 1Password data.

    In most cases I could get my data from Dropbox, if all of my devices are destroyed. However I wouldn't rely on Dropbox, because it is a sync service and not a backup service. My data on Dropbox could get wiped at any time.

    EDIT: I also recommend using Diceware to generate passwords you want to remember. I don't think the Dropbox password needs to be as strong as the master password. You could lower the password strength and compensate with two-step verification (of course, this means that you need a separate backup for the two-step system, like a separate phone or a printed recovery key).
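
Two posts in this thread point at Diceware as the way to make the handful of memorized passwords (master password, sync service, computer login) both strong and memorable, and the post above suggests a weaker Diceware phrase for the sync account when two-step verification is also on. The following Python is an added example, not code from the thread, from AgileBits or from the Diceware project: it generates a Diceware passphrase with a CSPRNG standing in for physical dice, and computes the entropy of a passphrase from nothing but list size and word count, so you can see how many words a memorized password needs to reach a given strength. The 36-word list is constructed for the demo (a real Diceware list has 7776 words, one per outcome of five dice); the 77-bit and 50-bit targets in the demo are illustrative numbers, not figures from the thread.

```python
import math
import secrets

# Constructed 36-word list for the demo (6**2, so two dice select a word).
# The real Diceware list has 7776 words (6**5, five dice per word); a 36-word
# list is far too small for real use and is here only so the block runs offline.
DEMO_WORDLIST = (
    "acid alloy amber anvil apple bacon badge basil beach birch blend bloom "
    "board bread brick cabin cable candy cargo cedar chalk chess cider cliff "
    "cloud coral crane cream crisp daisy dance delta denim diner dough dune"
).split()


def dice_per_word(list_size):
    """Number of six-sided dice needed to index a list of exactly 6**n words."""
    n, size = 0, 1
    while size < list_size:
        size *= 6
        n += 1
    if size != list_size:
        raise ValueError("Diceware lists must have exactly 6**n words, got %d" % list_size)
    return n


def roll_dice(n_dice):
    """Roll n_dice fair dice with a CSPRNG; returns e.g. '31542'.
    Physical dice are equivalent; what matters is that every face is equally likely
    and that the choice is not made by a human picking 'random' words."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n_dice))


def dice_to_index(roll):
    """Map a roll like '31542' to a 0-based list index (base 6 with digits 1..6)."""
    index = 0
    for digit in roll:
        face = int(digit)
        if not 1 <= face <= 6:
            raise ValueError("bad die face %r" % digit)
        index = index * 6 + (face - 1)
    return index


def generate_passphrase(wordlist, n_words):
    """Return (passphrase, rolls) chosen uniformly from len(wordlist)**n_words outcomes."""
    n_dice = dice_per_word(len(wordlist))
    rolls = [roll_dice(n_dice) for _ in range(n_words)]
    words = [wordlist[dice_to_index(r)] for r in rolls]
    return " ".join(words), rolls


def passphrase_entropy_bits(list_size, n_words):
    """Entropy of a uniformly chosen passphrase: n_words * log2(list_size).
    Word length is irrelevant; the attacker is assumed to know the list."""
    return n_words * math.log2(list_size)


def words_needed(list_size, target_bits):
    """Smallest number of words from a list of list_size that reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def random_string_entropy_bits(alphabet_size, length):
    """Entropy of a generated password of `length` uniform characters, for comparison."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    phrase, rolls = generate_passphrase(DEMO_WORDLIST, 4)
    print("demo passphrase:", phrase, "rolls:", rolls)
    print("demo entropy   : %.1f bits" % passphrase_entropy_bits(len(DEMO_WORDLIST), 4))
    for n in (4, 5, 6):
        print("7776-word list, %d words: %.1f bits" % (n, passphrase_entropy_bits(7776, n)))
    print("12 random chars from a 62-char alphabet: %.1f bits"
          % random_string_entropy_bits(62, 12))
    print("words for 77 bits from the 7776-word list:", words_needed(7776, 77))
    print("words for 50 bits from the 7776-word list:", words_needed(7776, 50))
```

The point of the entropy functions is that a memorized Diceware phrase gets its strength from how many words were rolled and how large the list was, not from how the words look, so "master password strong" versus "a bit weaker plus two-step verification" is a question of how many words you are willing to memorize for each account. Dropping from six words to four on the 7776-word list removes about 26 bits; whether two-step verification makes up for that is a judgement call, and the code does not try to quantify it.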

  • DavidB
    Community Member
    edited December 2013

    sdg wrote:

    For your offsite backups are these ones you have physical access to or are they cloud based? If they're physical, then to have access to your passworded services again after a disaster you'd need to physically get the backups and then restore them to some computer you don't have yet. If it's cloud based you can restore your 1Pass file to a friend or family member's machine, install a new copy of 1Pass, and be up again quick. But then you have to have the cloud based service password memorized. Which adds another password to the list of strong passwords to memorize…

    My primary offsite backups are physical ones, stored in an office building to which I have 24-hour access.

    You are right that in the event of loss of all my onsite computers I would have to have physical access to the backups, and would also have to obtain a new computer to use them with. But that would be the result of a disaster, not a common occurrence.

    I use my computer for business and am in the fast lane, but not so much that in the event of fire, flood, burglary, etc., I wouldn't have time to visit the Apple Store (or another local computer store) to make an emergency replacement purchase.

    If for some reason I was unable to gain access to my offsite backups, my last resort would be the cloud. My cloud password is the same one as for my computer account login. (It's the only password I use twice.)

    David

  • Megan
    1Password Alumni

    Hi @sdg,

    Thanks for the great question! (and thanks to @DavidB and @Xe997 for the great responses) I apologize for the delay in response, but I was hoping to get a word from our security guru in here (who knows so much more detail about this than me.) He hasn't been in for a few days, but luckily I've finally remembered this blog post by him that addresses exactly the issue.

    Please take a peek at More than just one password: Lessons from an epic hack, and let me know if this helps :)

  • sdg
    Community Member

    Thanks guys for the tips, and thanks Megan for the link to the article - that's exactly what I was looking for.

  • Hey @sdg,

    On behalf of @Megan, you're welcome.

    Please let us know if we can ever help again.

    Have a fantastic day!

This discussion has been closed.