Recommended Procedure for Changing Many Passwords with 1P on Multiple Devices (Heartbleed)

Tom Harrison
Community Member
edited April 2014 in Mac

I have changed many of my passwords so far, but have a couple of questions, and thought others might too.

How to easily change passwords using 1P?

  • I have 1P installed on my Mac, my wife's Windows PC, and iPhone/iPad, using Dropbox to sync. What's a recommended order of things to change my DropBox password so that other devices using 1P can still get all my new passwords synced and changed on other devices?
  • The process for changing passwords in 1P is confusing. When I go to a site, it prompts me for old and new password on the Change Password page. If I find the current password in the 1P application, I can copy it to the clipboard and paste it in. Then I go to 1P and click Edit, then generate a new password, but it doesn't appear to be on the clipboard, and it doesn't appear to be copy-able. When I save, I can get the new password, but if I make a mistake, then the old one is no longer on the clipboard. There has to be a simpler way :-).

Other things to consider?

  • 2-Factor Authentication seems like a really good idea. I have it set up for many key accounts, especially email. But it's linked to my phone. If I lose the phone, I would be in trouble -- usually you can get a file with recovery codes. Is it a good idea to store these files in a secure note in 1P?
  • I have unique passwords on all but a few sites which is practical only because of 1P. But most sites have password resets linked to email accounts, so if email gets breached wouldn't I be in trouble? What do you recommend?
  • There are several passwords that my family shares and that they need to type in from time to time and to remember -- the Apple ID password is notable, but Netflix on various devices is another. Can you recommend a good strategy for having remember-able passwords for these kinds of cases?
  • Are there other best practices or approaches you can recommend for other 1P users to change their passwords?

And finally, I wanted to suggest that one of the most important things that those of us who use tools like 1P can do to reduce the impact of security threats like Heartbleed is to get others to use password managers! It's really a tough sell (and mostly not because of the money). What can we do to help spread the good word?

Tom H.

Comments

  • Jasper
    edited October 2014

    Hi Tom,

    What's a recommended order of things to change my DropBox password so that other devices using 1P can still get all my new passwords synced and changed on other devices?

    It shouldn't matter. 1Password should still sync like normal after a Dropbox password change. 1Password's authorization token will remain valid.

    The process for changing passwords in 1P is confusing.

    We have a new set of instructions for updating passwords:

    Changing a saved password

    Does that help at all?

    2-Factor Authentication seems like a really good idea. I have it set up for many key accounts especially email But it's linked to my phone. If I lose the phone, I would be in trouble -- usually you can get a file with recovery codes. Is it a good idea to store these files in a secure note in 1P?

    It's up to you really. Obviously 1Password is a good place to store any private information such as a recovery code — but if you are using strong, unique passwords generated with 1Password, chances are someone won't be able to figure them out without access to your 1Password data. So, in the rare event that someone was able to get into your 1Password data, they would have both your password and the recovery code to get around two-factor authentication.

    I have unique passwords on all but a few sites which is practical only because of 1P. But most sites have password resets linked to email accounts, so if email gets breached wouldn't I be in trouble? What do you recommend?

    Other than using a secure, unique password for your email account, I unfortunately can't think of anything else to recommend in this case.

    Can you recommend a good strategy for having remember-able passwords for these kinds of cases?

    The same instructions for creating a secure but memorable master password would apply:

    Toward Better Master Passwords

    Please let us know if you have any other questions. We're always here to help! :)

  • OlMike
    Community Member

    To JasperP,

    My compliments to you for the excellent summary in the "Updating your passwords" link, above. As I am new to 1P4, this sort of step-by-step instruction is a great way to learn. I typically save these in Pocket and Note Suite for future reference.

  • Jasper

    You're welcome, @OlMike! Please let us know if you have any other questions. We're always here to help! :)

  • GeoffMather
    Community Member

    I think this is a good place to leave my comments that might help others. I have used 1Password in a rather basic fashion until the Heartbleed alert. With this scare I began generating long passwords and I discovered that many of my sites accept only a limited number of special characters, so you have to cut it back to just a few (like 1 or 2) and then re-generate until you get one that has only the accepted characters. I don't see any practical way to expect the Agilebits folks to help with that.
    And I also ran into the Apple ID problem described elsewhere. My solution was to have a "rememberable" password for Apple ID that is reasonably complicated, but not gibberish. It seems I get asked to supply that password at least once a day despite Apple's attempts to link it to my machine and save the passwords for some things. And those very things where it is saved cause a lot of headache when the password is first changed. You can't get back to business as usual without running into a password challenge from Mail, Find Friends, FaceTime, Messages, and the like. For some reason, they don't all key off you as the user.
    Lastly, I haven't seen much discussion of what I call "categories" of web sites. So let me phrase this as a question for Agilebits. It seems to me that many places have asked for a password just to be sure it is "me" but very little is at risk. Let me use the New York Times as an example. I have not given them my credit card number. The logon is only used to put in a vacation stop or otherwise complain that "I didn't receive today's paper", for example. All the other information they have seems to be public knowledge to me, like address and phone number.
    Question: can't I be comfortable with a "weak" password in this case? First, I don't have a financial risk. Second, it would seem unlikely that hackers would find it worthwhile to attack their site. The only risk I see is if the weak password used here was also used for some financially vulnerable site. Couldn't I use the same weak password for all such simple sites like monitoring my electric bill and any others where I have been careful not to leave either credit card information or checking account information?

  • Megan
    1Password Alumni

    Hi @GeoffMather

    Thanks for taking the time to write in with your feedback! I'm all too familiar with the joys of updating an AppleID password - using something like Diceware so that it is memorable and easily type-able seems like a standard survival tip for all users! :)

    Question: can't I be comfortable with a "weak" password in this case?

    There are certainly some sites where you may not feel the need to generate a 23+ character password, and it will really come down to what you consider private information, but I would not recommend using the same password on multiple sites.

    As I'm certainly not an expert in this sort of thing, I'll ping our security guru (@jpgoldberg) to see if he has any thoughts to add here. :)

  • jpgoldberg
    1Password Alumni

    Hi @GeoffMather

    A weak(ish) password is fine(ish) on a low value site if and only if it is not used anywhere else. (This, of course, is true of strong passwords as well.)

    There are two reasons why I would still discourage using weak passwords on low value sites.

    1. Using a weak password increases the temptation for password re-use.

      So sure it looks like over-kill to have a 20 character password for the New York Times site.

      I just checked my nytimes password and it isn't very strong; it was randomly generated, but ages ago and before I started using 1Password. So when I've run security audits of my passwords in 1Password over the years, I've clearly not bothered changing that one as I've had others to change.

      Actually, I think that the last time I looked at that particular password was before setting up vault sharing with my wife; so changing that one would have meant co-ordinating the password change with her.

      Back to my concern, which is that deliberately choosing a weak password suggests to me a desire to leave the door open for password reuse. But as you see from my own example, leaving some of these so far down the list of things to change that they may never get reached is fine as long as the password is unique.

    2. You never know what an attacker might value

      Your New York Times password is not just used for putting vacation holds on your home delivery, but it is also used for leaving comments on the on-line edition. There is also a long running battle between the NY Times commenting system and gangs of trolls/ideologues. I don't know if the banned users have tried using stolen passwords for commenting, but it is possible.

      Scammers could also use it as part of a process to convince people that something is from you. I'm sure you are familiar with the "I've been traveling in X and was mugged ... can you wire me some money" sorts of things. Well, what if those scams included a link to a comment by "you" on the NYT site telling the story of your mugging?

    3. You never know if the site may become more valuable

      Sure, today, there may be little value to an attacker for your New York Times login credentials. But suppose tomorrow the Times offers a service that gets you a steep discount on books they review when ordered through the site. And the day after that gets expanded into a more general shopping portal.

      Even if you don't make use of such a service when it comes along, it can still make what today looks like something that isn't a valuable target become a more valuable one tomorrow.

    Still, as you see, I haven't changed my password there from a 10 character one to a 20 character one. It's not a terrible password, but what was strong 10 years ago isn't so strong today. This is because we all have better things to do than updating reasonable, unique passwords on low value sites.

    So as long as the password isn't reused and as long as it isn't terrible, then if it is a low value target and changing the password might be inconvenient for other reasons (like making sure your spouse gets the new one), then move it to the bottom of the list of things that you "should" change.

    But if the password is used for more than one site or service, then those changes should be very high priority.
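    The prioritisation jpgoldberg lays out above (reused passwords first, then weak passwords on valuable sites, weak-but-unique passwords on low-value sites last) can be turned into a simple triage over a vault export. This is an added illustration, not AgileBits code or a 1Password feature; the entries are constructed sample data and the "weak = shorter than 12 characters" rule is an assumption standing in for a real strength check.

```python
from collections import Counter

# Constructed sample vault entries (not a real 1Password export).
VAULT = [
    {"site": "bank.example", "password": "c0rrect-Horse-battery-9", "high_value": True},
    {"site": "nytimes.example", "password": "Xk3p!mQ2zL", "high_value": False},
    {"site": "electric.example", "password": "summer2013", "high_value": False},
    {"site": "forum.example", "password": "summer2013", "high_value": False},
    {"site": "mail.example", "password": "summer2013", "high_value": True},
]

WEAK_LEN = 12  # assumed threshold; a real audit would use a proper strength estimate


def triage(entries, weak_len=WEAK_LEN):
    """Return (priority, site, reason) tuples, most urgent first.

    Priority follows the reasoning in the thread:
      0 - password reused on more than one site: change everywhere, right away
      1 - unique but weak on a high-value site (email, banking)
      2 - unique but weak on a low-value site: bottom of the list
      3 - unique and adequate: no action needed
    """
    counts = Counter(e["password"] for e in entries)
    ranked = []
    for e in entries:
        reused = counts[e["password"]] > 1
        weak = len(e["password"]) < weak_len
        if reused:
            ranked.append((0, e["site"], "reused on %d sites" % counts[e["password"]]))
        elif weak and e["high_value"]:
            ranked.append((1, e["site"], "weak password on a high-value site"))
        elif weak:
            ranked.append((2, e["site"], "weak but unique on a low-value site"))
        else:
            ranked.append((3, e["site"], "unique and adequate"))
    # Sort by priority, then by site name for a stable, readable list.
    return sorted(ranked, key=lambda t: (t[0], t[1]))


if __name__ == "__main__":
    for priority, site, reason in triage(VAULT):
        print(priority, site, reason)
```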

  • Tom Harrison
    Community Member

    Thanks for the responses to this set of questions. @JasperP -- the tutorial for updating passwords is really good -- thanks!! FYI, many of the screenshot image links are broken at the moment.

  • You're welcome, Tom! :)

    I've updated the link so it points to the updated page on our new user guide: https://guides.agilebits.com/1password-mac/5/en/topic/changing-a-saved-password

    Please let us know if you have any other questions. We're always happy to help!
