Workflows for Secure Passwords with 1Password

Today marked the launch of AgileBits’ new 1Password 4 for iOS. As I happily forked over $7.99 for the new version, I realized what a crucial app this has become in my workflow. The problem is that even after I started using 1Password, it took me nearly two years to figure out how to use it properly.

For something that everyone should be doing, I realized there’s no way I’d recommend this to any of my non-geek friends. That isn’t a reflection on the quality of the app; it’s that managing passwords isn’t an easy concept to grasp.

Why Your Passwords Matter

Earlier this year, Mat Honan was hacked: an attacker talked Apple support into resetting his iCloud password, used that to reset his Gmail password and take over his Twitter account, and remotely wiped his MacBook, iPhone, and iPad. Passwords are a necessary evil on the web for proving who we are, but unfortunately the majority of people use obvious passwords and reuse them across many sites, so a breach at any one of those sites hands an attacker the rest.

Until last year, I was completely guilty of this. For nearly 15 years I had used a password that Yahoo had auto-generated for me when I first signed up for an email account back in the mid-90s. It wouldn’t make the list of “most popular passwords,” but it would be awfully easy to brute-force.

Ironically enough, I had already bought 1Password, but didn’t bother to use it properly. I had the same password stored for every site, and just used it as an easy way to log in.

It wasn’t until I realized the power of the password generator that I fully bought in.

The 1Password Set Up

If you’re going to set up 1Password for secure passwords, you’ll need to go all in. That means shelling out for both the desktop and mobile versions of the app. The mobile apps are the linchpin: they give you access to your passwords wherever you are.

Once everything is installed, you’ll want to sync your database to Dropbox. This is what lets your mobile devices grab the passwords. 1Password 4 for iOS also allows you to sync through iCloud, but the desktop app doesn’t support that yet. The good news is, you can sync to both.

If you’re concerned about the security of putting all your passwords in a single file in the cloud, AgileBits has written extensively about storing your database on Dropbox. Short version: the vault is encrypted on your own devices, with a key derived from your master password, before it ever reaches Dropbox, so Dropbox (and anyone who steals the file from it) holds only ciphertext. The caveat is that the file is then exactly as safe as your master password: whoever has a copy can try guesses against it offline, with no lockout and no rate limit, so that one password needs to be long and used nowhere else. These guys spend a long time working out the security.
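To make that argument concrete, here is an added example of my own; it is not AgileBits’ code and not the real 1Password keychain format, just a stripped-down model of a vault file that keeps the parts the security argument rests on. It assumes PBKDF2-HMAC-SHA256 for key stretching and, because the Python standard library has no AES, uses HMAC-SHA256 in counter mode as a stand-in stream cipher (the real product uses AES). The dictionary of candidate master passwords and the vault contents are constructed for the example.

```python
import hashlib
import hmac
import os

# Everything in the dict returned by seal_vault() is what Dropbox, or a thief
# who grabs the file from it, gets to see. Nothing else leaves the device.


def derive_key(master_password, salt, iterations):
    """Stretch the master password with PBKDF2-HMAC-SHA256. The slowness is
    the point: each guess an attacker tries costs `iterations` HMAC calls."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: a stand-in for AES, which hashlib lacks."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal_vault(master_password, plaintext, iterations=100_000):
    """Encrypt-then-MAC the vault contents on the client before upload."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    enc_key, mac_key = key[:16], key[16:]          # independent halves
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "nonce": nonce,
            "ciphertext": ciphertext, "tag": tag}


def open_vault(master_password, vault):
    """Return the plaintext, or None when the master password is wrong or
    the file was tampered with (the MAC check fails either way)."""
    key = derive_key(master_password, vault["salt"], vault["iterations"])
    enc_key, mac_key = key[:16], key[16:]
    expected = hmac.new(mac_key, vault["nonce"] + vault["ciphertext"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, vault["tag"]):
        return None
    stream = _keystream(enc_key, vault["nonce"], len(vault["ciphertext"]))
    return bytes(c ^ k for c, k in zip(vault["ciphertext"], stream))


def offline_guess(vault, candidates):
    """What an attacker holding the file does: try candidates with no
    lockout and no rate limit until one opens the vault."""
    for guess in candidates:
        if open_vault(guess, vault) is not None:
            return guess
    return None


def attack_seconds(num_candidates, iterations, hmac_per_second):
    """Time to try every candidate. The iteration count multiplies the
    attacker's cost, but a short candidate list stays cheap regardless."""
    return num_candidates * iterations / hmac_per_second


if __name__ == "__main__":
    # Constructed sample data: a weak and a strong master password guarding
    # the same (made-up) vault contents, and a tiny attacker dictionary.
    contents = b"example.com: Tq4!vL9wRz2#pbXe"
    dictionary = ["123456", "password", "letmein", "qwerty", "dropbox"]
    weak = seal_vault("letmein", contents)
    strong = seal_vault("kG7!pb3Qz#Lr9wV2", contents)
    print("weak vault cracked with:", offline_guess(weak, dictionary))
    print("strong vault cracked with:", offline_guess(strong, dictionary))
    print("1M guesses at 100k iterations, 1e9 HMAC/s:",
          attack_seconds(10**6, 100_000, 10**9), "s")
```

The iteration count and the salt are stored in the clear because they have to be; neither is a secret. What the model makes visible is that raising the iteration count only scales the attacker’s work linearly, whereas a master password that is not in any dictionary takes the attack from seconds to never.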

Generating secure passwords

Once you’re set up, you’ll be where I was a year ago: the same password saved in 500 different site credentials, which doesn’t help much. That’s where the password generator comes in handy. Any time you’ve got a password form, open up your browser extension, click the Generate tab, and make sure the result meets the site’s requirements for passwords1. If there’s no length limit, I try to make them long; pick a number that sounds good to you. 1Password goes up to 50 characters. Length is what actually buys you security: a random password drawn from letters, digits, and symbols gains roughly 6.5 bits of guessing work per character, so 50 characters is far beyond any brute-force attack, and a site’s own rules are the only reason to go shorter.

1Password Generator
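For anyone who wants to see what the generator has to get right, here is an added example of my own, not 1Password’s code: a generator that draws characters from a cryptographic random source, honours a site’s policy (length bounds and required character classes), and reports the guessing entropy so you can see what the length setting buys. The class names, the policy shape, and the symbol set are assumptions made for the example.

```python
import math
import secrets
import string

# Character classes a site's policy may demand. The names and the symbol
# set are this example's assumptions, not anything 1Password defines.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?",
}


def alphabet_for(allowed):
    """Concatenate the character classes a site permits."""
    return "".join(CLASSES[name] for name in allowed)


def meets_policy(password, min_len, max_len, required):
    """True if the password is within the length bounds and contains at
    least one character from every required class."""
    if not min_len <= len(password) <= max_len:
        return False
    return all(any(ch in CLASSES[name] for ch in password) for name in required)


def generate_password(length, required=("lower", "upper", "digit", "symbol"),
                      allowed=None, rng=secrets):
    """Draw `length` characters uniformly from the allowed alphabet and
    redraw until every required class is present.

    Rejection sampling keeps the result uniform over all compliant
    passwords; the tempting shortcut of forcing one character per class
    and shuffling skews the distribution. `rng` needs only a `choice`
    method; the default is the CSPRNG in `secrets`, never `random`.
    """
    allowed = tuple(allowed) if allowed else tuple(required)
    if not set(required) <= set(allowed):
        raise ValueError("a required class is not in the allowed alphabet")
    if length < len(required):
        raise ValueError("length too short to include every required class")
    alphabet = alphabet_for(allowed)
    while True:
        candidate = "".join(rng.choice(alphabet) for _ in range(length))
        if meets_policy(candidate, length, length, required):
            return candidate


def entropy_bits(length, alphabet_size):
    """Guessing entropy of a uniformly random password: log2(N ** L).
    Length multiplies the bits; widening the alphabet barely moves them."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed policy for a hypothetical site: 8 to 50 characters,
    # all four classes required.
    policy = dict(min_len=8, max_len=50,
                  required=("lower", "upper", "digit", "symbol"))
    pw = generate_password(50)
    print(pw, "compliant:", meets_policy(pw, **policy))
    full = len(alphabet_for(CLASSES.keys()))
    for n in (8, 12, 20, 50):
        print(f"{n:2d} chars from {full} symbols: {entropy_bits(n, full):.0f} bits")
```

The entropy figures are the reason the article’s advice to “make them large” matters more than any complexity rule: eight characters from this 85-symbol alphabet is about 51 bits, which a modern cracking rig can exhaust, while 50 characters is over 320 bits, which nothing can.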

When you click “Fill”, 1Password enters the password in your registration form, and it also keeps previously generated passwords under the “View Password History” button. This is crucial to know, because on some sites 1Password won’t display the “Save Credentials” bar, and you need access to the password to save the account manually later.

When you’re getting started with secure passwords, you’ll want to set aside an hour to go through all your credentials and flag the most important (your email accounts, Dropbox, etc.). Take the time to generate a new password for each site.

If you’re a real security nut, you can add a tag to the most important credentials, create a smart folder, and have a reminder to periodically go through and change them.

Unfortunately, this workflow makes logging in to any site on my mobile devices a pain. When I’m logging in, I have to switch to the iOS app and copy and paste my password. It’s a few more steps, but the relief of knowing that if one site’s password database gets hacked, no other site can be compromised is worth the annoyance. As long as passwords continue to be the primary form of identification on the web, this annoyance is crucial to protecting yourself.

The Catastrophic Event

The linchpin to this setup is access to Dropbox. If you can’t get to your database, you’re in trouble. Knowing that, I took 5 minutes one weekend and printed a document with passwords for Dropbox and my email accounts. That way if all my devices get wiped and I have no access to Dropbox, I still have a way to get my password and/or recover passwords in my email.

Beyond passwords

There are two uses for 1Password, beyond storing my site credentials, that make it indispensable for me.

First, I keep all my credit cards in here. I’m spoiled to never have to pull out my wallet to check out on a site. I do not recommend this for people who spend too much money online!

Second, I have to do a lot of testing of sites. I keep a bogus profile to easily register for sites when necessary.

Bogus Profile

If you haven’t taken the time to integrate 1Password into your workflow and are still using the same password or three for every site, this should be at the top of your list of weekend projects. Once you get in a groove using 1Password, you’ll never look back. And every time you hear about a new database getting leaked, you’ll rest assured knowing if you’re affected, you can change one password and stay secure.

Update: With the 4.1 update to 1Password and the app’s new support for URL Schemes, Federico Viticci over at MacStories made a bookmarklet that will open your current Safari page in 1Password. After testing it, it now functions very closely to how the desktop browser extension runs, and takes a lot of the pain out of logging in to websites.

  1. It’s still beyond me why sites limit your passwords to a certain number and type of characters. A low hard maximum (16 characters, say) is also a warning sign: a site that hashes passwords stores a fixed-size digest however long the input, so a cap that low usually means the password is going into a fixed-width column, possibly in the clear.
December 13, 2012