↝ OWC / MacSales.com... ↜
↝ diglloyd Deal Finder... ↜
Buy other stuff at Amazon.com...
Using 1Password for Password and Logins
See the overview of password managers.
Agile Bits 1Password, works on both OS X and iOS.
A vault containing all passwords (and other items) is used by 1Password which is unlocked with a master password. This vault can be synced between devices* (desktop/laptop computer, iPhone, iPad). Shown below is the dialog that unlocks the 1Password “vault” using the master password.
A long and high quality password (“long and strong”) should be used for the master password, because it unlocks the vault containing all the passwords, secure items, identities, secure notes, etc.
Use at least 18 characters using mixed case, letters, punctuation, more = better.
The vault is encrypted with the master password, but if the vault can be obtained (laptop theft, backups in the cloud, etc), then brute-force methods can be used to try to unlock it, thus gaining access to everything—hence it is critical to use a very strong master password. See Your Master Password is your defense from Dropbox breaches, real and imagined.
Also critical is to remember the master password—forget it and all the items in the vault are inaccesible. Rare events like a head injury (minor concussion, etc) could make one forget, something to bear in mind.
While writing down passwords is rarely a good idea, it is defensible to print out the master password and hide it some secret place known only to a chosen one or few. If nothing else, death could mean that one’s heirs can access the necessary accounts. In this regard, it is an excellent strategy for making online acounts accessible to one who might have a legitimate need, e.g. an executor or a will or similar (make a copy of the vault on a camera card or similar in addition to regular backups).
* MPG does not use cloud syncing or cloud storage, the cloud in general being a huge target target for hackers. Witness the security breach with Dropbox in October 2014.
Logins and more
Unlocked, 1Password shows logins and various other secured items. As shown, the password strength for Amazon.com is only medium, and should probably be replaced with a more secure password.
1Password also can store secure notes, general passwords, credit card and identities.
Tired of filling out name, address, email phone, etc? Not to mention typing errors. 1Password can fill out a web form simply by choosing the identity, e.g. DIGLOYD as show here. This doesn’t always work unfortunately, due to funky pop-up windows on some web sites. But it works for many sites.
Usage is straightforward and mostly automated.
MPG suggests trying 1Password with just one or two web sites to start, just to see how easy it is.
The web browser plugin
The most useful feature is the web browser plugin, two things:
- Offers to add a login entry for any web site not yet seen (upon logging into that site). This is really convenient, since setup thus mainly consists of just going about one’s normal usage, and clicking OK to add the web site to 1Password. Very nice.
- Provides a handy plugin in the bookmarks bar area of the browser, where logins are listed with the current web site right at the top; choose it and 1Password fills in username and password.
The logins can actually be used as their own bookmarking facility: pick the login and 1Password takes you to that site and fills in the username/password for you (it can even click the login button too, but your author prefers to do that manually). Or use the command-key shortcut (cmd-\ by default).
However, some web sites uses oddball login pages that require the user to first make the login fields visible. In this case, go to the web site, click the login button to make those fields visible, then use the 1Password plugin menu. Choosing the login fills in the fields. If necessary (rare), copy/paste can be used.
Locking the vault
For travelers with laptops and/or users with desktops easily accessible by walk-by others, concealing passwords and locking on sleep or idle are strongly advised; this locks the vault and requires re-entering the master password.
Theoption is best left checked (enabled); this draws bullets in the password field so that the password is not inadvertantly revealed (consider that it could be recorded 50 feet way with a snapshot using any innocuous superzoom compact camera).
Another risk is the clipboard: it is all too easy to paste a password into someplace and perhaps fail to notice. Probably a value around 10 seconds makes more sense.
See Don’t Assume that a Password Manager is Safe, Auto-Fill for Password a Bad Idea; while AgileBits says that any vulnerabilities have been addressed in 1Password, hackers are infinitely creative, no software is never bug free, and thus a manual click in order to first see the fields filled in is a conservative approach with trivial inconvenience.
Automatically logging in is not something MPG prefers: as one manual sanity check MPG’s preference is to first see the correct fields filled in, and then to manually click OK. For this reason, is disabled (unchecked). The option is helpful to see this occur. Moreover, what if (somehow) the password were entered in the wrong entry field? One can never rule out oddball circumstances or software bugs.
carries a low-level risk of entering fields on a similar but inappropriate page, and for this reason MPG also leaves it unchecked.
1PasswordMini in menu bar
1PasswordMini optionally runs out of the menu bar; MPG likes to keep it handy for miscellaneous (non web-site) passwords. The command key shortcuts are useful and worth memorizing and using, particularly.