Thank you for purchasing through links and ads on this site.
OWC / MacSales.com...
diglloyd Deal Finder...
Buy other stuff at Amazon.com...
Blazing-fast PCIe storage for Mac Pro Tower

Using 1Password for Password and Logins

Last updated 2014-10-14 - Send Feedback
Related: security, how-to, How To, System Setup

See the overview of password managers.

Agile Bits 1Password, works on both OS X and iOS.

A vault containing all passwords (and other items) is used by 1Password which is unlocked with a master password. This vault can be synced between devices* (desktop/laptop computer, iPhone, iPad). Shown below is the dialog that unlocks the 1Password “vault” using the master password.

1Password: enter master password to unlock the vault

1Password: web site logins

Master password

A long and high quality password (“long and strong”) should be used for the master password, because it unlocks the vault containing all the passwords, secure items, identities, secure notes, etc.

Use at least 18 characters using mixed case, letters, punctuation, more = better.

The vault is encrypted with the master password, but if the vault can be obtained (laptop theft, backups in the cloud, etc), then brute-force methods can be used to try to unlock it, thus gaining access to everythinghence it is critical to use a very strong master password. See Your Master Password is your defense from Dropbox breaches, real and imagined.

Also critical is to remember the master password—forget it and all the items in the vault are inaccesible. Rare events like a head injury (minor concussion, etc) could make one forget, something to bear in mind.

While writing down passwords is rarely a good idea, it is defensible to print out the master password and hide it some secret place known only to a chosen one or few. If nothing else, death could mean that one’s heirs can access the necessary accounts. In this regard, it is an excellent strategy for making online acounts accessible to one who might have a legitimate need, e.g. an executor or a will or similar (make a copy of the vault on a camera card or similar in addition to regular backups).

* MPG does not use cloud syncing or cloud storage, the cloud in general being a huge target target for hackers. Witness the security breach with Dropbox in October 2014.

Logins and more

Unlocked, 1Password shows logins and various other secured items. As shown, the password strength for Amazon.com is only medium, and should probably be replaced with a more secure password.

1Password also can store secure notes, general passwords, credit card and identities.

Tired of filling out name, address, email phone, etc? Not to mention typing errors. 1Password can fill out a web form simply by choosing the identity, e.g. DIGLOYD as show here. This doesn’t always work unfortunately, due to funky pop-up windows on some web sites. But it works for many sites.

1Password: identity information can be auto-filled by choosing the identity

 

Using 1Password

Usage is straightforward and mostly automated.

MPG suggests trying 1Password with just one or two web sites to start, just to see how easy it is.

The web browser plugin

The most useful feature is the web browser plugin, two things:

  • Offers to add a login entry for any web site not yet seen (upon logging into that site). This is really convenient, since setup thus mainly consists of just going about one’s normal usage, and clicking OK to add the web site to 1Password. Very nice.
  • Provides a handy plugin in the bookmarks bar area of the browser, where logins are listed with the current web site right at the top; choose it and 1Password fills in username and password.

The logins can actually be used as their own bookmarking facility: pick the login and 1Password takes you to that site and fills in the username/password for you (it can even click the login button too, but your author prefers to do that manually). Or use the command-key shortcut (cmd-\ by default).

However, some web sites uses oddball login pages that require the user to first make the login fields visible. In this case, go to the web site, click the login button to make those fields visible, then use the 1Password plugin menu. Choosing the login fills in the fields. If necessary (rare), copy/paste can be used.

1Password: web browser plugin to fill in username/password

Locking the vault

For travelers with laptops and/or users with desktops easily accessible by walk-by others, concealing passwords and locking on sleep or idle are strongly advised; this locks the vault and requires re-entering the master password.

The Conceal passwords option is best left checked (enabled); this draws bullets in the password field so that the password is not inadvertantly revealed (consider that it could be recorded 50 feet way with a snapshot using any innocuous superzoom compact camera).

Another risk is the clipboard: it is all too easy to paste a password into someplace and perhaps fail to notice. Probably a value around 10 seconds makes more sense.

1Password Preferences: Security

Automatic login

See Don’t Assume that a Password Manager is Safe, Auto-Fill for Password a Bad Idea; while AgileBits says that any vulnerabilities have been addressed in 1Password, hackers are infinitely creative, no software is never bug free, and thus a manual click in order to first see the fields filled in is a conservative approach with trivial inconvenience.

Automatically logging in is not something MPG prefers: as one manual sanity check MPG’s preference is to first see the correct fields filled in, and then to manually click OK. For this reason, Automatically submit logins after filling is disabled (unchecked). The Animate form filling option is helpful to see this occur. Moreover, what if (somehow) the password were entered in the wrong entry field? One can never rule out oddball circumstances or software bugs.

Lenient URL matching carries a low-level risk of entering fields on a similar but inappropriate page, and for this reason MPG also leaves it unchecked.

1Password Preferences: Browser

1PasswordMini in menu bar

1PasswordMini optionally runs out of the menu bar; MPG likes to keep it handy for miscellaneous (non web-site) passwords. The command key shortcuts are useful and worth memorizing and using, particularly Fill login on current web page.

1Password Preferences: General

Making strong passwords on next page.

1Password: creating a strong password
Rigorously lab tested and OWC certified.
B&H Deal ZoneDeals by Brand/Category/Savings
Deals expire in 157 min unless noted. Certain deals may last longer.
$2099 SAVE $700 = 25.0% Canon EOS 5D Mark III DSLR in Cameras: DSLR
$798 SAVE $200 = 20.0% Sony a7 Mirrorless in Cameras: Mirrorless
$2398 SAVE $500 = 17.0% Sony a7R II Mirrorless in Cameras: Mirrorless
$1799 SAVE $1151 = 39.0% Zeiss 15mm f/2.8 Distagon T* ZE in Lenses: DSLR

diglloyd.com | Terms of Use | PRIVACY POLICY
Contact | About Lloyd Chambers | Consulting | Photo Tours
Mailing Lists | RSS Feeds | Twitter
Copyright © 2008-2017 diglloyd Inc, all rights reserved.
Display info: __RETINA_INFO_STATUS__