Workflows for Secure Passwords with 1Password

December 13, 2012

Today marked the launch of AgileBits’ new 1Password 4 for iOS. As I happily forked over $7.99 for the new version, I realized what a crucial app this has become in my workflow. The problem is, even when I started using 1Password, it took me nearly 2 years to figure out how to use it properly.

For something that everyone should be doing, I realized there’s no way I’d recommend this to any of my non-geek friends. This isn’t a reflection on the quality of the app; it’s that managing passwords isn’t an easy concept to understand.

Why Your Passwords Matter

Earlier this year, Mat Honan suffered a black-swan hack: someone got access to his Google account, which led to his MacBook, iPhone, and iPad all being erased and to him losing access to everything. Passwords are a necessary evil on the web for identifying ourselves, but unfortunately the majority of people use obvious passwords and reuse them across many sites.

Until last year, I was completely guilty of this. For nearly 15 years I had used a password that Yahoo had auto-generated for me when I first signed up for an email account back in the mid-90s. It wouldn’t make the list of “most popular passwords,” but it would be awfully easy to brute-force.

Ironically enough, I had already bought 1Password, but didn’t bother to use it properly. I had the same password stored for every site, and just used it as an easy way to log in.

It wasn’t until I realized the power of the password generator that I fully bought in.

The 1Password Set Up

If you’re going to set up 1Password for secure passwords, you’ll need to go all in. That means shelling out for both the desktop and mobile versions of the app. The mobile apps are the linchpin – they give you access to your passwords wherever you are.

Once everything is installed, you’ll want to sync your database to Dropbox. This will allow your mobile devices to grab the passwords. 1Password 4 allows you to sync through iCloud, but the desktop app doesn’t support that yet. The good news is, you can sync to both.

If you’re concerned about the security of putting all your passwords in a single file in the cloud, AgileBits has written extensively about storing your database on Dropbox. Short version: the database is encrypted, so you should be OK. These guys have spent a long time working out the security.

Generating secure passwords

Once you’re set up, you’ll be like me a year ago: you have the same password saved in 500 different site credentials. That doesn’t help much. That’s where the password generator comes in handy. Any time you’ve got a password form, open up your browser extension, click to the generate tab, and make sure you meet the site’s requirements for passwords[1]. If there’s no length limit, I try to make them large – pick a number that sounds good to you. 1Password goes up to 50 characters.

[Image: 1Password generator]

When you click “fill”, 1Password will enter the password in your registration box, but it will also save your previously generated passwords under the “View Password History” button. This is crucial to know, because there are some sites on which 1Password won’t display the “Save Credentials” bar, and you need access to the password to manually save the account later.
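The generator step above, as an added example that is not 1Password’s code: a small Python script (using the standard library’s CSPRNG) that produces a password meeting a site’s character-class and length policy, checks a candidate against such a policy before you fill it, and puts numbers on the post’s claim that a short auto-generated password is easy to brute-force while a 50-character one is not. The character classes, the policies and the guess rate are constructed assumptions.

```python
import math
import secrets
import string

# Character classes a site's password policy can require. Constructed for this
# example; they are not 1Password's own generator settings.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?",
}

_rng = secrets.SystemRandom()  # OS-backed CSPRNG, never random.random()


def generate_password(length, required=("lower", "upper", "digit", "symbol"),
                      allowed=None):
    """Return a random password of exactly `length` characters drawn from the
    `allowed` classes, containing at least one character from each `required`
    class (as a policy like "must contain a digit and a symbol" demands)."""
    allowed = tuple(allowed) if allowed else tuple(CLASSES)
    missing = [c for c in required if c not in allowed]
    if missing:
        raise ValueError(f"required classes not allowed by policy: {missing}")
    if length < len(required):
        raise ValueError("length too short to satisfy every required class")
    alphabet = "".join(CLASSES[c] for c in allowed)
    # One guaranteed character per required class, the rest from the whole
    # alphabet; shuffle so the required characters land at random positions.
    chars = [secrets.choice(CLASSES[c]) for c in required]
    chars += [secrets.choice(alphabet) for _ in range(length - len(required))]
    _rng.shuffle(chars)
    return "".join(chars)


def meets_policy(password, required=(), allowed=None, min_len=1, max_len=None):
    """Check a password against a site policy: length bounds, only characters
    from allowed classes, and every required class present."""
    allowed = tuple(allowed) if allowed else tuple(CLASSES)
    alphabet = set("".join(CLASSES[c] for c in allowed))
    if len(password) < min_len or (max_len is not None and len(password) > max_len):
        return False
    if any(ch not in alphabet for ch in password):
        return False
    return all(any(ch in CLASSES[c] for ch in password) for c in required)


def entropy_bits(length, allowed=None):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    allowed = tuple(allowed) if allowed else tuple(CLASSES)
    return length * math.log2(sum(len(CLASSES[c]) for c in allowed))


def expected_crack_years(bits, guesses_per_second):
    """Expected time to search half the keyspace at a given offline guess rate."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # An 8-character alphanumeric password (like the mid-90s auto-generated one)
    # next to the 50-character mixed password the post's generator tops out at.
    for n, allowed in ((8, ("lower", "upper", "digit")), (50, None)):
        pw = generate_password(n, required=("lower", "digit"), allowed=allowed)
        bits = entropy_bits(n, allowed)
        yrs = expected_crack_years(bits, 1e10)  # assumed 1e10 guesses/s offline
        print(f"{n:2d} chars: {bits:6.1f} bits, ~{yrs:.3g} years at 1e10/s  {pw}")
```

The 8-character case works out to under 48 bits, which at the assumed rate falls in hours; the point of the longer random passwords is that even a leaked hash database does not yield the password.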

When you’re getting started with secure passwords, you’ll want to set aside an hour to go through all your credentials and flag the most important (your email accounts, Dropbox, etc.). Take the time to generate a new password for each site.

If you’re a real security nut, you can add a tag to the most important credentials, create a smart folder, and have a reminder to periodically go through and change them.

Unfortunately, this workflow makes it a pain to log in to any site on my mobile devices. When I’m logging in, I have to switch to the iOS app and copy and paste my password. It’s a few more steps, but the relief of knowing that if one site’s password database gets hacked no other site can be compromised is worth the annoyance. If passwords will continue to be the primary form of identification on the web, this annoyance is crucial to protecting yourself.

The Catastrophic Event

The linchpin to this setup is access to Dropbox. If you can’t get to your database, you’re in trouble. Knowing that, I took 5 minutes one weekend and printed a document with passwords for Dropbox and my email accounts. That way if all my devices get wiped and I have no access to Dropbox, I still have a way to get my password and/or recover passwords in my email.

Beyond passwords

There are two uses for 1Password, beyond storing my site credentials, that make it indispensable for me.

First, I keep all my credit cards in here. I’m spoiled to never have to pull out my wallet to check out on a site. I do not recommend this for people who spend too much money online!

Second, I have to do a lot of testing of sites. I keep a bogus profile to easily register for sites when necessary.

[Image: bogus profile]

If you haven’t taken the time to integrate 1Password into your workflow and are still using the same password or three for every site, this should be at the top of your list of weekend projects. Once you get in a groove using 1Password, you’ll never look back. And every time you hear about a new database getting leaked, you’ll rest assured knowing if you’re affected, you can change one password and stay secure.

Update: With the 4.1 update to 1Password and the app’s new support for URL Schemes, Federico Viticci over at MacStories made a bookmarklet that will open your current Safari page in 1Password. In my testing, it functions very closely to how the desktop browser extension works, and it takes a lot of the pain out of logging in to websites.

  [1] It’s still beyond me why sites limit your passwords to a certain number and type of characters.
  • http://hassankhan.me/ Hassan Khan

    Does it automatically log you in to webpages? What about autofilling passwords in other apps?

    • http://behindcompanies.com/ Marcelo Somers

      You can use the keyboard shortcut Command- to auto fill the login.

  • http://twitter.com/Tbolt Tyler Bolchoz

    So, if I buy this app. Have it random generate a pw for my google account. Then go to a public PC and try to login to my google account, I would have to pull up the app and type in the long random password?

    I am just not really seeing how this is effective for anything but storing user_names/passwords (because I have a lot)

    • http://behindcompanies.com/ Marcelo Somers

      Tyler – I tend to stay away from logging in to important websites on any public computer, especially since I almost always have my phone with me.

      But yes, if I did come down to it, I’d pull out the app and manually type in the password. Should the app be effective for anything else?

      • http://twitter.com/Tbolt Tyler Bolchoz

        So the workflow is supposed to be like this: You have 1Password on all of your personal devices. You let 1Password manage ALL of your logins and passwords. Any time you want to login to something you use 1Password no matter what.

        Just seems extremely inconvenient for not that much of a gain.

        • http://behindcompanies.com/ Marcelo Somers

          The gain is huge when you consider two things:

          1) If one account is compromised, not a single other one will be 2) Longer passwords that are random strings are much harder to brute force break. More on that here: http://arstechnica.com/security/2012/08/passwords-under-assault/

          • http://twitter.com/Tbolt Tyler Bolchoz

            1) That is assuming I am using the same password across the board. Which I’m not. Granted I do have some room for improvement here so I think that’s a pretty good point.

            As well, if your 1Password account is compromised…EVERY SINGLE other one WILL BE. Am I the only one that sees a glaring issue with having a single point of failure? It’s not that I don’t trust 1Password, I am just skeptical. It’s like you are trying to solve a problem by introducing a far more severe one.

            2.) While that’s true, it’s a bit extreme. I think it’s more of a balancing game. I simply don’t want to load up my bank app and have to type R@#*&YR2368D12DIA4UHD(#H_$! or ever load up an app, type a long passphrase, find the bank app info, copy the password to clipboard (seems a bit insecure there) and switch back to the app to paste it. That’s just absurd to me and I’ll take my chances with remembering/creating a unique strong password that I can remember.

            The whole internet authentication issue isn’t an easy one to solve and it’s not going to happen over night. 1Password looks good but I don’t think I would use it how you are recommending.

          • Kevin

            There is no “1Password account” to be compromised. Passwords are encrypted using the password of your choice and saved to the application. That encrypted password database can optionally be synchronized via Drop Box or iCloud. If your iCloud or Dropbox account is compromised the password database will still be encrypted, so as long as you have a strong password it will not be compromised.

          • http://twitter.com/Tbolt Tyler Bolchoz

            Right, your 1Password master password is what I’m referring to.

          • http://twitter.com/jemaleddin Jemaleddin Cole

            But having your 1Password master password doesn’t give anyone access to your keychain file – they have to have one of your devices AND your password. And the workflow is MAGICAL with the browser plugin installed.

          • http://twitter.com/Tbolt Tyler Bolchoz

            Good point. Purchased the app

    • http://twitter.com/camerons Cameron Saemann

      Yes. I still use 1Password for situations like this. I let it create a strong password, but easier to type in without a ton of random characters. The best way to do this is to check the “pronounceable” box.

    • kibbles

      actually, no — you can access all of your passwords from a public PC by visiting your 1P keychain (on say, Dropbox), which opens a special HTML page… this page has a movie demo of how it’s done:

      https://agilebits.com/onepassword/mac/features

  • Juz

    Spent many years loving 1Password, and version 4 is a nice upgrade, which looks fantastic on a retina iPad. I have birth certificates in there (when travelling with a <2 year old), SSNs as well as credit cards and logins.

    Where I have not fully committed is using all random passwords. One trend that is killing me there is iOS custom apps for accounts. For example, my bank has a great iOS app, it requires you to enter username and password, but being a standalone app, 1Pass requires a copy and paste here (if they let you paste).

    Most iOS apps have a shortcut way around this (save username/pass in app, enter just a 4 digit code), but that seems like a security compromise larger than I would like for a financial account. So instead, I am stuck with a few key accounts having less secure passwords ’cause I like to remember them (although it seems more and more that password hacking is a minority way to gain access — more social engineering or keylogger)

    • http://behindcompanies.com/ Marcelo Somers

      I agree that it’s inconvenient for apps, especially something like banking. 1Password 4 does have a nice new feature that you can enable, which is the “quick unlock” – if you’re switching between apps, you can have a shorter 4 digit passcode to get in if you had the app open within the last few minutes.

      However, I put up with the inconvenience of having to copy and paste my password into banking apps, since my banks are the most sensitive online accounts I have.

    • http://twitter.com/Tbolt Tyler Bolchoz

      Yeah, I think you nailed it here. It’s a great app for being a password locker.

  • Jonesay

    The iOS version of 1password has a built in browser, so you don’t have to use the copy/paste to Safari for every site. Instead, go to 1password, find the entry for the site you want to login to, then tap the arrow next to the web address. The browser will slide open to the right and your username and password will be filled in.

  • http://Twitter.com/AbbiV AbbiV

    I see the value of using 1Password on a Mac, but on iOS, it’s not practical. Most of us aren’t public personalities w/ large bank accounts worth hacking. Better to use a different (long) password on a select few accounts & not worry so much if your Flickr gets hacked because, let’s face it, no one wants to :-/

    • Canucker

      You don’t need a big bank account for a hacker to erase a lot of value. Mat Honan’s biggest loss was years of pictures of his family. Moreover, identity theft doesn’t target the rich so much as the inconspicuous. You won’t get too far trying to pass yourself off as Matt Damon. As for mobile devices, these are much more frequently stolen than even laptops.

  • Stephen

    Excellent point re: the catastrophic event! I hadn’t even considered what I would do if I didn’t have access to 1Password. I use 1Password to login to Dropbox — I’d be screwed! Thanks for the article.

  • Deandre_012

    In terms of workflow and company-level performance, I like SplashData’s SplashID Enterprise Safe Edition because it specializes in team coordination. It allows sharing and multiple user access permission settings which is highly useful or critical for password management in the busy working environment.

  • http://twitter.com/ehed Emil H

    I have been using 1Password for many years now, and would like to add a few comments to a great endorsement for a product I, too, love and couldn’t live without.

    1) Don’t go crazy setting all your passwords to 50 character gobbledygook, because there will come a time (many times, actually) when copy-paste will not be an option and you will have to type your password, possibly even on a horrible input like an Apple TV remote or a Kindle without a keyboard. In my opinion, the majority of the security gains come from not having the same password for every site, not having an un-brute-forceable password. So going with 8-10 characters of numbers/digits/punctuation is going to be the best balance of convenience and security for most sites.

    2) Pick a strong master password, as your password keys are more likely than anything else to be brute-force attacked if they fall into the wrong hands, and the consequences are unthinkable. This is obvious but it is not mentioned here.

    3) An easy way to bolster up security is to sort your list of passwords by “Password strength”, ascending. Then go from the weakest to strongest and make sure they are all at least yellow (preferably green).

    4) Along the lines of #3, periodically sort your passwords by “Last updated” and update the oldest ones once a year (spring cleaning?)
