Request dual Master Passwords

Options
pearsonjc
pearsonjc
Community Member
in Lounge

I would like to use a long passphrase when using a device with a keyboard, and a shorter password when on a smartphone or similar device. I think this would greatly increase my overall security.

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Stephen_C
    Stephen_C
    Community Member
    Options

    I have to say that I don't consider user a "shorter password" on a smartphone "greatly increase(s) overall security". It may increase convenience of use—but that isn't really the same thing at all. How do think it increases security? (I'm not doubting that you have a genuine view—it's just that at present I'm not understanding it. :) )

    Stephen

  • hawkmoth
    hawkmoth
    Community Member
    edited June 2015
    Options

    @pearsonjc - Nevertheless, in the iOS application you can choose to use TouchID in lieu of the master password, or, if there is no TouchID available, a PIN. Either of these options reverts immediately to requiring the master password if an incorrect entry is made. If that weren't the case, I'd also argue, as does @Stephen_C, that using a short password decreases your security, not increases it.

    In any case, it seems to me that what you want is already available on devices like smartphones and tablets. Or do I misunderstand your request?

  • pearsonjc
    pearsonjc
    Community Member
    Options

    The pin code is exactly what I was looking for -- didn't know about it -- thanks! Now I can set a much longer master password without having to type it on the tiny iPhone keyboard. This should increase my overall security.

  • hawkmoth
    hawkmoth
    Community Member
    Options

    Great, @pearsonjc. Glad to help. If you have trouble finding where to set the PIN (or if someone else with the same question is seeking this information), it's under 1Password's (not iOS) Settings > Security.

  • AGAlumB
    AGAlumB
    1Password Alumni
    Options

    @pearsonjc: While it is certainly more convenient, it is much less secure to use a PIN (which is really just a very short, numeric password).

    If you're going to use a PIN for 1Password, be sure to turn off Simple Passcode and turn on Erase Data for iOS (in Settings > Touch ID & Passcode), as 1000 'guesses' don't take nearly as long as you'd think.

  • pearsonjc
    pearsonjc
    Community Member
    Options

    My prior post was in error and I would like to again engage the community for advice or make a recommendation. The PIN code feature in the iOS app does not fully meet my need, because I still have to enter the Master password once on the iPhone. As a result, I must maintain a shorter, less secure master password on both Mac and iPhone, because my iPhone typing is slow and error prone. If I could have two passwords, I would use a long one on the Mac, increasing its security, and a shorter one on the iPhone. In this way I think my overall security goes up because the Mac is more secure.

  • hawkmoth
    hawkmoth
    Community Member
    edited June 2015
    Options

    The requirement to enter you master password after you restart your phone is to protect you from a bad actor who might try resetting your phone and then try to guess your short PIN. A four digit PIN isn't that much of a challenge to guess. The same is true for entering an erroneous PIN. One wrong guess and you are required to enter your master password. Otherwise, the guesser can keep trying with the less secure PIN code.

    Have you looked at the post How do I choose a good master password? It has some suggestions for how to create a strong master password that you can remember. My Diceware generated passphrase only has lower case letters, which are easier to type on an iOS keyboard that something with a mix of symbols, letters, and numbers. And it's secure and I can remember it.

    But the shorter answer to your query is that 1Password doesn't provide for more than one master password.

  • RichardPayne
    RichardPayne
    Community Member
    Options

    If anything you'd want the higher security on the mobile device since that is by far more likely to fall into the wrong hands.

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited June 2015
    Options

    Nobody needs help being less secure, since we all have the same weakness: a tendency toward making things easier for ourselves, often at the expense of our own best interests.

    I think hawkmoth and RichardPayne both made excellent points, which was more understandable than I might have put it myself.

    hawkmoth, with the real life scenario:

    The requirement to enter you master password after you restart your phone is to protect you from a bad actor who might try resetting your phone and then trying to guess your short PIN.

    RichardPayne, with the purpose behind it:

    If anything you'd want the higher security on the mobile device since that is by far more likely to fall into the wrong hands.

    If someone steals your phone, especially now with iOS activation lock, it is of much more use to them as a source of information which might prove valuable. The purpose of 1Password is to keep information in your vault to keep it secure even if it falls into the wrong hands.

    We're all entitled to choose for ourselves just how securely we want to protect our data though, but it isn't the place of 1Password or AgileBits to make it easier to be less secure — quite the opposite. We can even use a 4 digit PIN as a Master Password if we like! (Don't)

    But it's important to keep in mind that the Master Password can be either a strong link in the chain of security or the weakest. At the end of the day, we do our best to make 1Password both secure and convenient, and give our awesome customers the information they need to make good decisions, and then leave it up to the individual to make that determination. :)

  • hawkmoth
    hawkmoth
    Community Member
    Options

    If anything you'd want the higher security on the mobile device since that is by far more likely to fall into the wrong hands.

    Exactly! @RichardPayne said what I meant, only much more clearly. If you want convenience over security, it's a choice. But not a secure one.

  • AGAlumB
    AGAlumB
    1Password Alumni
    Options

    @hawkmoth: Agreed. And I think we can have each without having to give up the other too. :)

  • wkleem
    wkleem
    Community Member
    Options

    It might be worth considering that iOS 9 will have 6 digit pins and 2FA. I am unsure how it will benefit 3rd party developers like Agilebits.

  • AGAlumB
    AGAlumB
    1Password Alumni
    Options

    Though it isn't clear how we might leverage that 2FA, we'll definitely be keeping an eye on that space. :)

    As for 6 digit PINs...I'll always advocate for much longer passcodes than that. If we, as users, use an even stronger device passcode than we do iCloud passwords, iCloud becomes the weak link. And this is good, because device lock means that you have to authenticate with iCloud to reactivate the device, and if we all use 2FA with our iCloud accounts (Yes!) that effectively cuts off both avenues from someone trying to either steal data or sell it on the street. :pirate:

This discussion has been closed.