Using Master Password as Mac login?

pervel
Community Member

Although 1Password drastically reduces the number of passwords you have to remember, it doesn't quite get that number down to just one. For example, you still have to remember and manually type your Mac user password. I suspect this means that many people use a fairly weak password to log in to their Mac.

So I am wondering about reusing the Master Password from the 1Password account. Can you think of any reason why this would be a bad idea? In general reusing passwords is bad. But it seems to me that this is one of those situations where it would be okay. But I'd like to hear opinions.



Comments

  • Megan
    1Password Alumni

    Hi @pervel,

    You’re right. It is our goal to help people keep the list of passwords that they have to remember to an absolute minimum, but it’s not always possible to whittle that number right down to 1.

    > Can you think of any reason why this would be a bad idea? In general reusing passwords is bad. But it seems to me that this is one of those situations where it would be okay.

    I’m not a security expert, but one of the important pieces of advice we give to people when choosing a Master Password is that it should be unique: that is, not used anywhere else. Obviously using it to unlock your computer is a slightly different situation than using it on one or more websites, but I think the advice applies here as well. Do you ever lend your computer to others? If so, do they use a guest account or sign in to your user account?

    I’ll share your question with our security team and ask one of them to chime in here to give you a bit more of a detailed response.

    Thanks for the great question!

  • AGKyle
    1Password Alumni

    Hi @pervel

    Megan requested that one of us security folks take a look and try to give some input here.

    I have several of my passwords memorized, notably: my Mac user account passwords (I have 3 Macs, each with separate user account master passwords), 1Password, and my iOS device passwords, of which there are 2 categories... those with just PIN codes because they are only used for web browsing and reading, and those which are used for more secure things and those get alphanumeric passwords.

    She's definitely correct in that your master password should be unique and not used elsewhere.

    An incredibly important bit is that if you've linked your Apple ID to your OS X account, your account password can be reset with access to your iCloud account. Likewise, you can sync some information required to recover from FileVault to Apple in case you've lost that access code and your account password.

    Neither of these weakens your master password for 1Password so that you couldn't make both your user account password and your master password the same. If someone were to acquire your computer, or a copy of its data, they'd have another angle of attack on both your user account data and your 1Password account data.

    I'd still probably caution you against doing so strictly for the unique aspect. It's great that you're asking this, it means you're cognizant that you're potentially weakening things, but if you do it once you risk falling into that trap when it may actually weaken your security.

    This all depends entirely on your level of security though. Are you really serious about security? I wouldn't re-use it. Are you somewhere between "I don't need a master password!" and really serious about it? You might find reason to re-use it. You have to choose your risk tolerance.

    I like to think of it like an onion. Security is several layers (where's my SysAdmin Shrek emoji?) and while it would be wonderful to have literally 1 Password, it's just not feasible if you really want to be secure. 1Password's name is ever so slightly misleading in this aspect but we've gotten better thanks to 1Password Accounts making some important leaps to using a single Master Password for multiple vaults.

  • pervel
    Community Member

    Thanks for your replies. Having thought more about it, I think you're right that one should not reuse the Master Password even in seemingly(!) safe places like the OS X system password. It was this revelation about Dropbox that made me think twice about it. It appears that Dropbox more or less steals your system password in quite a deceitful way. In general, I suppose you can say that the more places you use a password, the higher the risk of it being mishandled either purposely or by mistake.

  • Pilar
    1Password Alumni

    Hi @pervel

    You're right, and if you have a mobile device you can always store your computer's password in 1Password so you can read it from somewhere safe while you memorise it! Keep your passwords unique and random and we'll do our best to help you with the rest ;)

  • XIII
    Community Member
    edited September 2016

    You might consider buying an Apple Watch to use macOS Sierra's Auto Unlock feature: logging in on your Mac without typing a password.

    https://www.apple.com/macos/sierra/

    I have no experience with this feature, but I'm looking forward to trying it when Sierra is released (Sept. 20).

    I did try MacID from a 3rd party developer (which -like Dropbox- needs to store your root password to work, but is open about this) though. Pretty convenient when it works, but it can only work when you have already unlocked your FileVault, so you still had to type a password when turning on your Mac. I hope Apple's solution is better than that.

    http://MacID.co

  • Pilar
    1Password Alumni

    Hi @XIII

    You're completely right, I never thought about getting an Apple Watch until I saw that new feature! Thank you for sharing your idea :chuffed:

This discussion has been closed.