Paranoid Questions of the Day (PQsD)

@mobius32x

every so often I review my 1P setup and, although I'm a long time user, my mind starts racing.

Deep breaths. We're here for you. ;)

I have a very long master password (more than 16 characters and very random)

Mine's over 50. I feel your pain. :)

I guess I'm wondering the likelihood of someone getting remote access to my computer and creeping into 1P and finding stuff.

So, overall computer security is a HUGE can-o'-worms, and one I won't be able to properly address in a single forum reply. Much of it is also outside the scope of what we do on this forum, and frankly, outside my own expertise. Having said that, there's an old saying: if someone gains the ability to run arbitrary code on your computer with root privileges, it can no longer be considered your computer. Most people who think even a little about their own security understand this idea -- if an attacker can set a rootkit or a keylogger whereby they can capture everything you type, or install their own code with root-level privileges, it's basically game over.

Still, you have to ask: if someone can install a rootkit or keylogger that can capture you typing your Master Password...then it really doesn't matter if you have that same Master Password stored within 1Password, as they will have already acquired it. By the same token, if YOU can't remember your own Master Password, it hardly does any good to have that Master Password stored safely inside 1Password -- that would be a bit like locking the keys to a safe _inside the safe_: not very helpful. With 1Password accounts, we recommend people print out their Emergency Kit, write their Master Password down on it, and keep it either in a locked safety-deposit box at their bank, or give it to a trusted attorney with whom they've established attorney-client privilege. In a pinch (like if you forget your Master Password), either could be used to regain access to your data.

In terms of the security of 1Password itself, your Master Password is likely to be plenty strong against all but the most well-resourced attackers. If you've followed best practices to choose a good Master Password and you have no reason to believe it's been breached or disclosed to anyone else, then it's unlikely to be crackable except by brute force (i.e. - attempting to guess every possible combination until one succeeds). That's a very lengthy process, and one which 1Password helps deter.

Yubikey is indeed a recent addition to 1Password accounts. But it only works with a 1Password account because Yubikey's strength is to provide a second factor of authentication. In a 1password.com account, your data are secured with encryption, as always, but you do use authentication for administrative access to the 1Password web app. Yubikey can definitely strengthen your security there. But if you're using 1Password in standalone mode, Yubikey isn't relevant because you aren't authenticating to a remote server; your data already exists on your own device. There's also the potential of loss/theft of your Yubikey to consider. If you have an individual 1Password account, that means you won't have anyone else that can help recover your account, so if you turn on 2FA for your 1password.com account and then lose your Yubikey, your account will not be accessible. I'm not mentioning that to suggest that you should not use a Yubikey, only that you understand the risks. All of us have become accustomed to being able to get in touch with a website's owner have our password reset. That won't be the case with Yubikeys, just as it is not with 1Password itself. If you forget your Master Password, you can't decrypt your 1Password data. And if you use 2FA for your 1password.com account and lose your second factor (Yubikey), you won't be able to access the account. This adds to your security, but it's not without risks. Good for you for considering those risks and asking questions up front, so you're aware of how to best protect yourself, not only from outside threats, but from yourself and potential inadvertent mishaps also. Feel free to ask any questions you might have. :)

@mobius32x - thanks for the kind words! I'm grateful to hear you mention 1Password to friends and colleagues; it's truly the best possible advertising we could have -- if it can even be called that. Drop by any time if you have questions or run into trouble with 1Password. :)