Master Password simplification out of password-hell

LaForce
Community Member

Hey folks,

here's a question:

I understand it's cool to have a pretty complicated Master Password to unlock 1PW, but:

1PW asks me for it every two weeks, e.g. on my MacBook Pro (and I can't switch that off), so if the MP is pretty complicated, I have to store it somewhere (e.g. Keychain, yeah!), or choose another one which is easier to remember (but not too long, because I have to type it every 2 weeks).

Compared to how 1PW6 worked, where the 1Password.app was local to my machine(s) and my data just synced encrypted to iCloud (or Dropbox), so my Master Password was never at risk of getting exposed to the world. So I chose one which I could remember fine and which was fast to type.

Now, in 1PW7, the MP is also used to unlock my account at my.1Password.com, so I'd be better off creating an even more secure password, but then I need to write it down to remember it - or even put it into TextExpander, because I need to type it once every two weeks.

To me this is a clear drawback. Or do I understand things wrongly?

Although I understand the intention of a complex master password: wouldn't it be beneficial to remove the my.1password.com portal altogether, just to be safe again and keep things simple (again)?

Or: if the Vaults section in 1PW were protected by the master password and I could launch/unlock 1PW using Touch ID or any other password I like (an app-specific password). Wouldn't that be much simpler and (even more) secure?

Don't get me wrong: I really appreciate security, but lately we are running into an 'enter your password' hell, even when working locally on my computers (which are already protected by strong passwords)... I dunno how many times a day I need to enter a password here and there, and this is getting on my nerves already...

Any comment appreciated - also (or especially) if I'm completely wrong! ;)

andy


1Password Version: 7.4.2
Extension Version: Not Provided
OS Version: 10.15.3 (19D76)
Sync Type: Not Provided
Referrer: forum-search:master

Comments

  • Hi @LaForce

    Compared to how 1PW6 worked, where the 1Password.app was local to my machine(s) and my data just synced encrypted to iCloud (or Dropbox), so my Master Password was never at risk of getting exposed to the world. So I chose one which I could remember fine and which was fast to type.

    Largely the same risks existed then as do now. :) A strong Master Password was just as important then as ever.

    I understand, it's cool to have a pretty complicated Master Password to unlock 1PW, but:

    It doesn't have to necessarily be 'complicated.' It should be memorized, not stored. Here is what we recommend:

    How to choose a good Master Password

    Although I understand the intention of a complex master password: wouldn't it be beneficial to remove the my.1password.com portal altogether, just to be safe again and keep things simple (again)?

    There are attack vectors that exist because of the web interface, but not the ones you seem to be implying. The issue with the web interface would be if an attacker were able to break into our servers and change the code that is being delivered. There are some ways we can (and do) mitigate this. As a customer you can also avoid all of those potential issues by not using the web interface.

    To me this is a clear draw-back. Or do I understand things wrongly?

    You may be interested to read more about our security model:

    About the 1Password security model

    The security of your data does not depend on the sync service that you're using whether that be Dropbox, iCloud, or 1Password.com.

    Or: if the Vaults section in 1PW were protected by the master password and I could launch/unlock 1PW using Touch ID or any other password I like (an app-specific password). Wouldn't that be much simpler and (even more) secure?

    I'm not sure I follow. 1Password does support unlocking via Touch ID, but that doesn't replace your Master Password. Your Master Password is still what is used to encrypt your data.

    Use Touch ID to unlock 1Password on your Mac

    Don't get me wrong: I really appreciate security, but lately we are running into an 'enter your password' hell,

    Once every two weeks doesn't sound that excessive to me. I type my Master Password probably 15x per day. I can see how 15x per day could be annoying with a particularly complex Master Password, but mine is fairly easy to type (generated by the words recipe in our password generator). But we all have our own definition of hell, I suppose. Ultimately the choice of Master Password strength is largely up to you. If you want to pick something that is super easy to remember and type then you can certainly do that. We'd recommend finding a good balance.

    :)

    Ben

  • LaForce
    Community Member
    edited February 2020

    hi @Ben

    thanks for taking the time to comment on my musings ;) Your comments are much appreciated.

    And I absolutely understand your point that entering a password once in a while is not too excessive - if it were only 1Password; but there is other software as well, and this adds up... Especially considering that my working machines are already protected by a strong password and an encrypted drive.

    What I'm saying (or what I'm trying to say) is that once my machine is unlocked, things should be flowing without too much disturbance - which nowadays is simply not the case, e.g. because my banking app locks itself after a while, so does 1PW, some VPNs disconnect after a while and so on...

    But maybe I just use a far too complicated password and setting for 1PW, because I was under the impression the password is also used to log me into the portal; but after reading your answer and looking at the portal again, it seems it is used only in combination with the Secret Key - so the strength of the 'Master Password' is not that important...

    If that's right, then thanks for the clarification - this simplifies things (for me) quite a bit.

    Cheers

    andy
    PS: btw: I'd rather keep a complicated pw, than giving up 1PW ;)

  • @LaForce

    It is true that the Secret Key, in addition to the Master Password, encrypts your data. They protect against different attack vectors. The intention of the Secret Key is to protect you in the event someone is able to access our servers, but not your devices. The Master Password is essentially all that protects you against someone who has access to your devices. Also - unless you're using full disk encryption, consider that access to your devices doesn't necessarily mean they need to know your device account password.

    which nowadays is simply not the case, e.g. because my banking-app locks itself after a while, so does 1PW, some VPNs disconnect after a while and so on...

    Sure... but those passwords are stored in 1Password, right? ;) In theory the only passwords you should really have to type are the passwords to unlock your device and your 1Password Master Password.

    Does that make sense?

    Ben
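The two-secret split Ben describes above can be made concrete with a small simulation. This is an added illustration, not 1Password's own code or its actual derivation (which is documented in the 1Password security design white paper); the XOR combination, the use of HMAC in place of a full HKDF, the low PBKDF2 iteration count and the "key check value" are all simplifications chosen for the demo. It shows why a weak Master Password falls quickly to an attacker who holds the device (and therefore the Secret Key), while the same weak password does not help an attacker who only obtained the server-side data and must also guess the 128-bit Secret Key.

```python
"""Two-secret key derivation, simplified for illustration (not 1Password's scheme)."""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

KEY_LEN = 32
ITERATIONS = 20_000  # deliberately low so the demo runs in a second; real use is far higher


def stretch_password(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Slow, salted hash: every guess of the Master Password costs real CPU time."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, KEY_LEN)


def expand_secret_key(secret_key: bytes, salt: bytes) -> bytes:
    """Keyed hash of the Secret Key. It is already high-entropy, so no stretching is needed.
    (Stand-in for an HKDF expansion; assumption of this example.)"""
    return hmac.new(secret_key, salt, hashlib.sha256).digest()


def derive_key(master_password: str, secret_key: bytes, salt: bytes,
               iterations: int = ITERATIONS) -> bytes:
    """Combine both inputs so that neither alone says anything about the vault key."""
    a = stretch_password(master_password, salt, iterations)
    b = expand_secret_key(secret_key, salt)
    return bytes(x ^ y for x, y in zip(a, b))


def key_check_value(key: bytes) -> bytes:
    """Value an attacker can test guesses against (stands in for a ciphertext)."""
    return hashlib.sha256(b"kcv" + key).digest()


def guess_master_password(candidates: Iterable[str], secret_key: bytes, salt: bytes,
                          kcv: bytes, iterations: int = ITERATIONS) -> Optional[str]:
    """Dictionary attack on the Master Password using whatever Secret Key the attacker holds."""
    for cand in candidates:
        if hmac.compare_digest(key_check_value(derive_key(cand, secret_key, salt, iterations)), kcv):
            return cand
    return None


def demo() -> dict:
    """Run the two attack scenarios from the thread and return what each recovers."""
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed, fixed for repeatability
    real_secret_key = bytes.fromhex("a3f1c2d4e5b6978877665544332211ff")  # constructed 128-bit key
    weak_master_password = "Password1"
    kcv = key_check_value(derive_key(weak_master_password, real_secret_key, salt))

    # Constructed wordlist: the weak password is in it, as it would be in any real one.
    wordlist = ["123456", "qwerty", "letmein", "Password1", "correcthorse"]

    # Scenario 1: attacker has the device, so the Secret Key stored there is theirs too.
    device_compromise = guess_master_password(wordlist, real_secret_key, salt, kcv)

    # Scenario 2: attacker breached the server: salt and kcv, but no Secret Key.
    # Even with the right password in hand, each guess also needs the right 128-bit key.
    attacker_key_guess = secrets.token_bytes(16)
    server_breach = guess_master_password(wordlist, attacker_key_guess, salt, kcv)

    return {"device_compromise": device_compromise, "server_breach": server_breach}


if __name__ == "__main__":
    print(demo())
```

Reading the result: with the Secret Key in hand the weak password is recovered after a handful of PBKDF2 calls, which is exactly why the Master Password is "all that protects you" against someone holding the device; without it, the attacker's work factor is the password guessing multiplied by 2^128 key guesses, which is what the Secret Key buys against a server-side breach.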

  • LaForce
    Community Member

    Hi @Ben

    thanks again for your comments - these are very informative.

    Sure... but those passwords are stored in 1Password, right? ;) In theory the only passwords you should really have to type are the passwords to unlock your device and your 1Password Master Password.

    If I were using only my browser, then yes... But the mentioned apps are 'native' (regular) apps, where 1Password can't auto-fill. And a couple of times I had it that 1PW mini wanted to fill in something, but 1PW needed to be unlocked first - so I had 2 1PW windows on top of each other (thankfully entering the password once was sufficient in that situation). But - at least for now - I lifted the auto-locking of 1PW quite a bit, so it doesn't get in my way when working.

    Anyway - I'm super-happy with 1PW and all the above is - more or less - complaining on a high comfort level (if you understand what I mean ;) )

    thanks @Ben

    andy

  • ag_ana
    1Password Alumni

    @LaForce:

    If I were using only my browser, then yes... But the mentioned apps are 'native' (regular) apps, where 1Password can't auto-fill.

    Perhaps I am missing something, but can you not copy and paste from 1Password to your other native apps when this happens? You would still only have to type your Master Password, and not any other password.

    And thank you for the kind words by the way :)

  • LaForce
    Community Member

    hi @ag_ana

    Yes, I can -> at least if 1PW itself is unlocked ;)

  • ag_ana
    1Password Alumni

    @LaForce:

    Understood :+1: :)

  • @SamKay

    You posted this exact same message at least 15 times in various threads. I've answered your questions here. Please do not post the same question in multiple places, or make off-topic comments in other threads. Thanks for understanding.

    Ben

This discussion has been closed.