How do you remember your Master Password?

Jacob
edited September 2016 in Lounge

Hi everyone!

The AgileBits support team helps out a lot of people every day, and one of the top issues we've seen lately is people forgetting their Master Password. That always makes us sad, because there isn't anything we can do about it after it happens. :( So I wanted to reach out to all of you wonderful folks and see what you are doing to remember your Master Password right now.

With subscription accounts, we give you an Emergency Kit to download right after you create the account and it includes a space to write your Master Password. It doesn't seem that many people do it, so I'd love to discuss things and hear some suggestions you have for keeping your Master Password somewhere safe aside from memory.

All right, let's start this discussion. :pirate: See you in the comments!


Comments

  • AGAlumB
    1Password Alumni

    @Bernfrin: I love it! And if your Master Password is obscure enough (I'm betting it is!) then it won't scream out "I am a password to something!" and probably just looks like some sort of note. I'm thinking bonus points for using a crumpled diner receipt with food stains on it. :lol: :+1:

    I suspect that the "best" Master Password "backup" solution will vary from person to person, but I bet that we could all get some cool ideas from other users.

    Personally, I don't have a "backup" of my Master Password. My Emergency Kit is also pretty hard to get to, so my contingency plan revolves around having other Organizers in my 1Password Family who can perform recovery if needed. Can't wait to hear other methods! :chuffed:

  • pervel
    Community Member

    I have mine tattooed on my left arm.... jk 8-)

    Personally, I don't like the idea of writing my Master Password on the Emergency Kit. It makes that single piece of paper much too valuable for a malicious person who gets hold of it. It then contains everything that person needs to cause serious trouble for me: URL, Account Key, Master Password. It seems safer to write the Master Password on an inconspicuous looking piece of paper and "hide" it in plain view somewhere.

  • AGAlumB
    1Password Alumni

    @pervel: Agreed. Keeping the Emergency Kit around with both the Master Password and Account Key written/printed on it in the open is sort of a big "kick me" sign for anyone malicious or merely mischievous. That's why we recommend doing this and keeping it somewhere secure. After all, you'll probably never need it since you've (hopefully) memorized your Master Password and can get the Account Key from an authorized device...but it's good to have just in case. Cheers! :)

  • I mean, we could start a tattoo service... no. No, we can't do that. What am I thinking? :tongue:

  • sjk
    1Password Alumni

    You guys. :lol:

  • Lamplighter
    Community Member

    Maybe this is not the best place for this comment... but,

    In reading and especially in watching the various videos about starting out with 1P, the focus is on a specific sequence of steps the (new) User is to follow ... it's usually only a brief remark along the lines of "decide on a password." Each time I came across such a situation, I remembered my experience setting up 1P... I had picked a relatively simple and easy-to-remember password as my "master". Weeks of work later, I realized that this had been a mistake that could not be fixed.

    I'm taking a long time getting to my point, which is this: All (introductory) advice on setting up 1P should include big bold messages that the master password cannot be changed, plus advice on how / why to select a "good" one before going on with the set up.
    I was too naive to understand this at the time.

  • pervel
    Community Member

    @Lamplighter, that's not true. The Master Password can indeed be changed as often as you like to. So hurry up and make yours stronger. :)

  • AGAlumB
    1Password Alumni

    @Lamplighter: Indeed, pervel is correct: you should be able to change your Master Password:

    Change your Master Password

    The only caveat is that this can be more difficult if you're using 1Password across many devices, since you probably don't want to keep track of which is which. So if you need any assistance in that regard, just let us know. We're here for you! :)

  • fourwheelcycle
    Community Member

    My Master Password is written on a piece of paper that is locked in our home safe. Until recently I thought I would never have to use my written back-up, but now I am not so sure.

    My Master Password is composed of six letters and four numbers. Recently, my father got a new phone number with four last digits that are the same as my Master Password numbers, but in a different arrangement, like a word anagram. Now when I go to call my father, or type in my Master Password, I have to clear my brain for a moment to remember which number sequence is for my father and which is for my Master Password.

    I know I could change my Master Password, but I have been remembering it for a long time now and a new group of numbers could just add to my confusion!

    This has happened to me once before. You know how you are often asked to verify the "last four" of your Social Security number? Let's say mine are 1043. A few years ago there was a stretch where I was not asked this question for several months. The next time I was asked my brain came up with 1034. When the person on the phone said that's not right I had to think for a moment to come up with the right number. For several months after that I had to remember "It's not 1034, it's 1043". Finally, I got back to just remembering 1043, but it took a while.

    Did I mention my brain is a lot older now than it used to be?

  • AGAlumB
    1Password Alumni

    @fourwheelcycle: Very interesting! And you're right: we aren't getting any younger. :ohnoes:

    Your comments reminded me of something. I used to memorize the phone numbers of all my friends and family. No longer! That's my phone's job! Similarly, I don't actually remember my social security number either these days. That's 1Password's job. So the one thing I really am tasked with remembering is my Master Password. And, like you, I have a backup plan for that. ;)

    Given that you're already on the fence about changing your Master Password, I'd like to encourage you to do so. Go for it! And consider that you may have an easier time memorizing a 5-7 word Wordlist or Diceware password rather than a bunch of numbers. And then you've always got the option of falling back on your safe plan if needed. But I've found that using a randomly generated word-based password is more agreeable. Cheers! :)

  • danco
    Volunteer Moderator

    @fourwheelcycle

    You say

    My Master Password is composed of six letters and four numbers.

    That's really short and could be cracked by brute force if anyone cared enough.

    By contrast, I decided my nineteen character master password was not safe enough and changed it to around thirty characters. Of course, usage of the computer is a factor; I am the only person with access to my machine so I can afford to keep 1PW unlocked all the time. And on my iPad, I use Touch ID rather than the actual password, so again I rarely have to type it.

    I'm not sure what the best way to deal with the numbers would be for you. But I would suggest changing the master password. You can do as I did, take the old password and lengthen it by adding something easy to remember, for instance changing myself1234 to myself1234mydog.

  • fourwheelcycle
    Community Member

    @danco

    I have never thought about anyone actually trying to crack my master password. I store my OP Vault on a network drive attached to my Time Capsule. The Time Capsule is not set up to be accessible from the web and my network is password protected. My Macs are all encrypted with FileVault and they also have firmware passwords. I don't use iCloud, Dropbox, or any other cloud sites, at all. No one except me has access to my Macs.

    I have always assumed my biggest risks are someone hacking into my bank's or investment firm's servers and accessing my accounts along with thousands of others, or someone social hacking into my personal accounts at these companies by targeting me individually. I do use two factor authentication for both accounts.

    I have not thought of 1P as my weakest link, but perhaps it would be a good move to use a longer password.

  • pervel
    Community Member

    @fourwheelcycle

    Although you're probably fairly safe with that setup, I would personally still use a strong Master Password for the simple reason that the data stored in 1Password are the most valuable data I have. I would be in a lot of trouble if it got into the wrong hands.

    In your situation the primary risk is probably a virus or malware that gets on to your computer somehow and steals your data. Not terribly likely - but definitely not impossible.

  • AGAlumB
    1Password Alumni
    edited September 2016

    Indeed. Each of us is always going to be the weakest link in our security. We're only human, and so we're limited in our imaginations (inability to generate random passwords, or assess risks) and of course we make mistakes. Using a stronger Master Password than we think we need helps guard against future attacks we may not anticipate now, both technological and social. You're right that we're each generally probably low risk, but that doesn't mean no risk, so I'll say "better safe than sorry". Cheers! :)

  • danco
    Volunteer Moderator

    I have had my computers stolen in a break-in. If that happens it is most likely that the criminals (or purchasers of the stolen machine) would simply erase the hard drive, but there is always the risk of their deciding to look at the data before erasing.

  • AGAlumB
    1Password Alumni

    Indeed. Unfortunately that's all too common in many places. While it is unlikely that any of us in particular will be the target of a cyber attack or the victim of real-life intrusion, these are still very real possibilities that we can take reasonable measures to protect ourselves against.

  • nhDOBsfc
    Community Member

    A substitution cypher performed on X might be a good way to generate a password that you can recreate. Where X is a passage from a classic text, or a chess end game, or a poker hand, or the periodic table, or a chord of music, or .... If your X is an ancient text, be sure to remember which translation you worked from. https://en.wikipedia.org/wiki/Substitution_cipher

  • AGAlumB
    1Password Alumni

    I think that any crazy ideas we can come up with (the crazier, the better, since we don't want to be predictable) are great, so long as we can still remember the Master Password — and have a backup plan just in case! :lol: :+1:

  • nhDOBsfc
    Community Member

    An example based on Lewis Carroll's Jabberwocky http://www.jabberwocky.com/carroll/jabber/jabberwocky.html

    JABBERWOCKY by Lewis Carroll (from Through the Looking-Glass and What Alice Found There, 1872)

    `Twas brillig, and the slithy toves
    Did gyre and gimble in the wabe:

    Choose the second line and replace spaces with special characters and numbers in the order they occur on your keyboard in your opinion (depending on your opinion on how to use the shift key), for example: 1, !, 2, @, 3, #, 4, $, 5, % .

    Did1gyre!and2gimble@in3the#wabe:

    I've seen worse passwords. :)
    That's a 32 character password that you could probably remember, and could recreate if you forgot it.

    You could improve by choosing a less famous poem or less famous line of text, but one especially meaningful to you, or using a different substitution algorithm for the spaces.

    You could flip the capitalization of letters that count-off matching the prime number sequence: 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, ... https://en.wikipedia.org/wiki/Prime_number .

    You could do lots of things and still have a long password that had special meaning to you, but little meaning to anyone else.
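The recipe nhDOBsfc describes above (substitute the spaces of a memorised line with a keyboard-ordered sequence, then flip the case of letters at prime positions) written out as a small Python script. This is an added example, not code from the post or from 1Password; the keyboard sequence `1!2@3#4$5%6^7&8*9(0)` assumes a US layout, and the prime-position rule is assumed to count every character (digits and symbols at a prime position are left as they are). The point of spelling it out is that the derivation is fully deterministic: the same line and the same rule always reproduce the same password, which is exactly what makes it recoverable if forgotten, and also why the line and rule must stay private.

```python
import math

# Constructed keyboard-order substitution sequence (assumption: US layout,
# each digit followed by its shifted symbol, as the post's "1, !, 2, @, ..." suggests).
KEYBOARD_SEQUENCE = "1!2@3#4$5%6^7&8*9(0)"

# Second line of Jabberwocky, the text used in the post.
JABBERWOCKY_LINE_2 = "Did gyre and gimble in the wabe:"


def substitute_spaces(line, sequence=KEYBOARD_SEQUENCE):
    """Replace the n-th space in `line` with the n-th character of `sequence`."""
    if line.count(" ") > len(sequence):
        raise ValueError("not enough substitution characters for this line")
    next_sub = iter(sequence)
    return "".join(next(next_sub) if ch == " " else ch for ch in line)


def is_prime(n):
    """Trial-division primality test; fine for password-length inputs."""
    if n < 2:
        return False
    return all(n % d for d in range(2, math.isqrt(n) + 1))


def flip_case_at_primes(text):
    """Swap the case of letters at 1-indexed prime positions (2, 3, 5, 7, 11, ...).

    Assumption: positions count every character, not only letters; a digit or
    symbol sitting at a prime position is left unchanged.
    """
    return "".join(
        ch.swapcase() if is_prime(i) and ch.isalpha() else ch
        for i, ch in enumerate(text, start=1)
    )


def build_password(line):
    """Full recipe from the post: space substitution, then prime-position case flips."""
    return flip_case_at_primes(substitute_spaces(line))


if __name__ == "__main__":
    step1 = substitute_spaces(JABBERWOCKY_LINE_2)
    print(len(step1), step1)            # the 32-character result from the post
    print(build_password(JABBERWOCKY_LINE_2))
```

Running it reproduces the post's `Did1gyre!and2gimble@in3the#wabe:` for the first step; the second step yields `DID1GyRe!aNd2gimBlE@in3the#wAbE:` under the stated position-counting assumption.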

  • AGAlumB
    1Password Alumni
    edited September 2016

    You could improve by choosing a less famous poem or less famous line of text, but one especially meaningful to you, or using a different substitution algorithm for the spaces.

    You could do lots of things and still have a long password that had special meaning to you, but little meaning to anyone else.

    Exactly! Very creative! Thank you for the fantastic examples! :chuffed: :+1:

  • fdavis99
    Community Member

    The Generate button should be available for Change Master Password!

    I'm convinced that the best master password is a phrase that is chosen with real random selections from a word list like the Diceware list. 1Password's built-in feature is even better, with an improved list.

    But there's no convenient way to generate one for the Master Password. My workaround is to edit some login, generate a password, and write it down (until I'm sure I won't forget it -- then I will lock that paper somewhere physically secure. I plan to replace all my actual passwords with random strings.)

    Please add Generate to Master Password. In fact, that's the only place it's really important.

    I also encourage you to add "(recommended)" to the button, particularly for the Master Password, and also next to the Generate Diceware Passphrase checkbox, perhaps with a link to a good explanation of why it's much better than any other memorable password. It would be wise to document the importance of using the first suggestion (if you keep generating until you find a passphrase you like, you've just destroyed some of the randomness, since there's probably some reason you like those words).

    Finally, I suggest the Diceware box be checked by default, especially for generating the Master Password.

  • fdavis99
    Community Member
    edited October 2016

    @brenty, @nhDOBsfc The best passphrase is truly random. Humans are terrible at randomness -- we're influenced by zillions of associations, preferences, patterns, habits. There's no way you can create a memorable passphrase without it having some patterns, and patterns are the opposite of security!

    Professional analyses (see below) about picking strong passphrases show that you have to use a real random method. The strength of a passphrase is much, much less if a human does anything to influence it (such as using a random generator, but you keep regenerating until you get a passphrase you "like"). Any human attempt at randomness isn't random. Even worse, anything that has special meaning to you is especially non-random.

    To understand that, you might assume it's because if an attacker knows a lot about you that might help them guess more easily. But the real reason is that computerized cracking programs are designed around all the discovered patterns in massive numbers of actual passwords they've collected. They are algorithmically able to search the space of possible passwords in an order that prioritizes anything humans have done, and that means they will crack a human-influenced passphrase a lot quicker than if it was truly random.

    The bottom line is that if you are involved in any way in selecting a phrase, it will definitely be a more common grouping than a truly random selection. Give up the idea of using anything familiar, or of making up something random, or of picking something randomly. Use a physically random method (rolling dice), or it's reasonable to trust that a computer-generated "pseudo-random" sequence is good enough, since an attacker won't know anything about the pseudo-random environment.

    http://security.stackexchange.com/a/62911
    https://www.explainxkcd.com/wiki/index.php/936:_Password_Strength
    https://www.eff.org/deeplinks/2016/07/new-wordlists-random-passphrases

    Cheers,

    --Franklin

  • AGAlumB
    1Password Alumni

    @fdavis99: You're right in principle, of course, but the context is important and not to be overlooked. The implicit assumption of what you're saying is that an attack against the Master Password is as simple as guessing over and over again with solid knowledge of what the owner was likely to choose. In practice, it is much more complex than that.

    For example, if you're using 1Password "offline", no one is performing a remote attack on it. Here, the research regarding passwords for websites, which anyone can access 24/7 to try to guess login credentials, does not apply in the way which you imply. For the purposes of most 1Password users' Master Passwords, this is irrelevant, because access to the data is needed, and even then there are constraints on guessing due to computing power and electricity. And in the case of 1Password.com, the Account Key is used in conjunction with the Master Password, making it impossible to perform a brute force attack on the Master Password alone.

    Something to keep in mind is that humans are not only notoriously bad at generating randomness, but also memorizing it...which, as you can imagine, poses a problem for generating random Master Passwords that the humans need to both memorize and type. So people need to use Master Passwords that they can actually remember. For this reason, 1Password doesn't merely use your Master Password as the encryption key to your data. Your Master Password runs through thousands of PBKDF2 iterations to slow down attempts at guessing it, and this is used to encrypt the encryption keys, which in turn encrypt your data.

    However, you're correct that word-based passwords are much more memorizable. But they will always have less entropy than a character-based password of the same length. So you're making a trade-off there anyway. I guess what I'm saying is that it's important to take all of these things into consideration. If the only goal is to have a truly uncrackable password, you just need to randomly generate one that's 18746123559901531563548761949871239661-characters long. But for practical reasons, we really need to weigh the actual risks and feasible attacks when having this discussion. It's deceiving, because 1Password does a lot of the work for you, so you don't need a password as complex as you think. We just need to use the strongest password that we can remember and 1Password takes care of the rest. Perhaps we'll add the password generator to the 1Password vault setup...but so far this has caused a lot of problems with 1Password.com users forgetting their Master Passwords quickly. :(

    if you keep generating until you find a passphrase you like, you've just destroyed some of the randomness, since there's probably some reason you like those words

    That's actually not true, because even the one you "like" is equally as random and likely as any of the others, and has just as much entropy: the number of possible combinations is the same, given the criteria haven't been changed (number of words, delimiters, etc.) You may prove to be right about this down the road though if and when we're able to model the human brain in software and export/import our consciousness into a system which can use the data to predict what passwords we might choose...but that's probably 5 years out (joke: in technology, it's always "in the next 5 years"). ;)
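The numbers behind this exchange, as an added example rather than anything from the posts or from 1Password: danco's remark that six letters plus four digits is short enough to brute-force, fdavis99's case for a truly random Diceware-style passphrase, and AGAlumB's points that a word-based password has less entropy than a random character string of the same length and that PBKDF2 stretching slows every guess. The script estimates entropy for each design, derives a key with PBKDF2-HMAC-SHA256, and shows how the iteration count divides an attacker's guess rate. The word list here is a constructed eight-word stand-in (only its size matters for the entropy figure, and 7776 is the size of a standard Diceware/EFF large list); the iteration count and the guess rate of one billion hashes per second are assumed values for illustration, not 1Password's real parameters.

```python
import hashlib
import math
import secrets

# Constructed mini word list standing in for a real Diceware/EFF list (assumption).
SAMPLE_WORDLIST = ["anchor", "bramble", "cobalt", "dune", "ember", "fjord", "granite", "hollow"]
DICEWARE_LIST_SIZE = 7776          # 6^5 entries in a standard Diceware / EFF large list
PRINTABLE_ASCII = 95               # characters available to a random character password
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(alphabet_size, length):
    """Entropy of `length` symbols drawn uniformly at random from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)


def compare_designs():
    """Entropy (bits) of the password shapes discussed in the thread, assuming uniform randomness."""
    return {
        "6 lowercase letters + 4 digits": entropy_bits(26, 6) + entropy_bits(10, 4),
        "5 Diceware words": entropy_bits(DICEWARE_LIST_SIZE, 5),
        "7 Diceware words": entropy_bits(DICEWARE_LIST_SIZE, 7),
        "19 random printable characters": entropy_bits(PRINTABLE_ASCII, 19),
        "30 random printable characters": entropy_bits(PRINTABLE_ASCII, 30),
    }


def stretched_guess_rate(raw_hashes_per_second, iterations):
    """PBKDF2 with N iterations costs an attacker N hashes per guess."""
    return raw_hashes_per_second / iterations


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every possibility at the given effective guess rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def generate_passphrase(words, wordlist=SAMPLE_WORDLIST, sep=" "):
    """Pick `words` entries with a CSPRNG (secrets), never random.random or a human choice."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def derive_key(master_password, salt, iterations=100_000):
    """Stretch a Master Password into a 256-bit key with PBKDF2-HMAC-SHA256.

    Assumption: 100,000 iterations is an illustrative count, not a product setting.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


if __name__ == "__main__":
    raw_rate = 1e9                                   # assumed attacker speed, hashes/second
    effective = stretched_guess_rate(raw_rate, 100_000)
    for name, bits in compare_designs().items():
        print(f"{name:32s} {bits:6.1f} bits  "
              f"exhaustive search: {years_to_exhaust(bits, effective):.3g} years")
    print("example passphrase:", generate_passphrase(5))
    print("derived key:", derive_key("correct horse battery staple", b"constructed-salt").hex())
```

The first row is the design danco flagged: about 41 bits if the letters and digits are truly random, and far less if they are a name and a birthday. Five Diceware words land near 65 bits and seven near 90, while the 19- and 30-character random strings reach roughly 125 and 197 bits, which is AGAlumB's point about character-based passwords of equal length. The `years_to_exhaust` figure is only for a full search at the assumed rate; a password with human-chosen structure is found far sooner than its nominal length suggests, because crackers try likely patterns first.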

  • Denzil
    Community Member
    edited November 2016

    What I do is have a system in place. A system that makes sense to me and only me, of course if I haven't explained it to anybody :)
    So once you have a system in place, and use it everywhere.. then it's easier to create passwords, easier to remember them + they are secure. Depending on your system ofc.
    I won't explain MY system, but I will give an example of what I mean. Combination of letters and numbers is mandatory, right? So say you love number 369 for some reason, you can make the baseline of your password: three6nine. Then you can add stuff to make it actually secure. Like Three#6ninE. Easy to remember you capitalized first and last letter. Added hashtag in front of the actual number also makes sense. If you think Three#6ninE is too short to be secure, well just add name of the website you are using it for. That would give us for example Three#6ninEyoutube. Still not secure enough? Let's go again: Three#6ninE#YoutubE.
    So now you have the Three#6ninE part fixed for all your passwords, and just add website names or abbreviations for various websites. Or if you are using 1password, generate random strings for websites, and just have one of these Three#6ninE variations for the master password.
    And given this system, you can expand this huge password (Three#6ninE#YoutubE) even more, but IMO it's really not necessary. You already have 19 characters, small letter, capital letters, numbers, symbols. And it makes sense, TO YOU, because it's based on your favorite number and words, but is character based so it's secure enough for most of us.

    BTW what I learned from my experience.... security level is ALWAYS disproportional with practical level. The more secure you wanna be, more complicated things you will do for yourself. So since I gotta use this master password on 2 computers and my iPhone and my iPad, I really DO NOT EVER want to have it 30 characters long and complicated like that example Did1gyre!and2gimble@in3the#wabe. For me this is complete overkill, and not just for practical reasons, but for pure logic. It's not like we are withholding national security information that could, if compromised, cause tens of millions of deaths worldwide.. we are 99% of time just storing website login information :)
    So I suggest you find some balance and think about what is really adequate, and what isn't for your needs.

  • AGAlumB
    1Password Alumni

    @Denzil: Thanks for chiming in! This is why the Wordlist password generator is so great. While it sounds like you've come up with an interesting system that works for you, it still has a couple significant weaknesses: as you pointed out, you can end up with a password that's a bit of a pain to type on a mobile device, but more importantly it isn't random. That's not an insult. We're only human, and terrible at creating (or remembering) randomness. But we're pretty good at memorizing words, even those chosen at random, with a little bit of practice. So a Wordlist password solves both of these problems. Now, it's up to you whether you want to take advantage of that, but I thought it was relevant given your comments. Cheers! :)

  • XIII
    Community Member

    @Denzil Maybe I misunderstood, but what if your YouTube (or any other) password was leaked?

    If I was that hacker and saw Three#6ninE#YoutubE I would immediately try Three#6ninE#GmaiL or Three#6ninE#GooglE etc.

    (the story is probably different though if the leaked password was hashed instead of stored in plain text on the hacked site)

  • Denzil
    Community Member
    edited November 2016

    @XIII yes, you would try that. But then again you wouldn't be trying that, some software would. And that software is not intelligent like you to recognize the system in place. That software would instead have a million user/password combinations to try out and not bother trying to figure one of them out :)
    Not to mention the fact that if you had a master password like this - you wouldn't have to write it down anywhere. You could memorize it easily. So why would it leak :) ?

    And it's like I said.. the more security you got, the more complicated your life is. So it's up to you to find a balance that suits you. And don't forget, I just used this as an example of a "system in place" - I never said this was a great system or that anyone should do exactly this :)

  • AGAlumB
    1Password Alumni

    Indeed, it's important to talk in general terms rather than truly divulge our secrets on a public forum. So long as you're not using that type of password system anywhere but locally — not for websites, which may be breached — and storing it only in your brain, that at least eliminates those kinds of attacks. But password crackers, both man and machine, have gotten more sophisticated and will continue to do so, so we shouldn't assume that they won't recognize patterns — if not now, then at least eventually — should our passwords fall into their clutches. Unfortunately many sites are still not hashing. Great discussion! :)

This discussion has been closed.