Using your password manager the right way

20. August 2016 Security 3

I have mentioned 1Password before. It is, in my book, the best password manager for Mac and iOS available. If you are not familiar with it, I highly recommend you check it out and start using it sooner rather than later.

If you have been using 1Password or are about to use it now, this post is for you.

Using a password management tool like 1Password is a great first step. “There are more steps?” Absolutely. Replacing your sticky notes or a contact in your address book called “Passwords” (I’ve seen it…) with a password manager is a good start but there is a right and wrong way to use it. In this article I’ll cover some ways to perform maintenance and improve your overall password strategy.

Actually use it.

I have seen many users install 1Password, put in the passwords they remember at the time and then they never touch it again. After a while they forget their master password or need a password that was never entered into 1Password. If you commit to using a password manager, actually use it. Just accept the fact there will be a small learning curve and change in the way you use your computer. After a few days, you wonder how you’ve gone without a password manager for so long.

Use all available features.

A good password manager is so much more than that. 1Password can hold passwords, credit cards, software licenses and more. If it can do it, use it. It will make your life easier and more secure. After all why would you store your passwords in a secure vault but leave your credit cards on your desk? I store everything that has value in 1Password so I always know where to find it and I know I’m the only one that has access to it. Using the built in sync on any one of my computers or from my iPad or iPhone, my passwords, secure notes, router login details and credit cards are available.

Speaking of knowing where to find it…

Transfer every saved password over to your password manager. Your browser saves passwords for you. Which password is saved where? Do those passwords get synced securely to your other devices? An alarming amount of people still use sticky notes or other insecure ways to save passwords. Where did you write down the password for this service? Having them all in one place will ensure you have every password whenever you need it. In your browsers (through the 1Password extension), on your other devices (through sync) and it’s as secure as can be.

Now, let’s have a look inside your password manager to see if it’s being used in the best way and if it can benefit from some maintenance.

Known vulnerabilities.

Fire up 1Password and look down the left column. Look for “Security Audit” which is closed by default. Click on the little “Show” button next to it to expand all the options.
1Password password manager Security Audit
This is where the good stuff is hidden. First up is Watchtower. Watchtower checks the URL you have saved in your password note and notifies you if there may be a past or present vulnerability.
1Password password manager Watchtower learn more
If there are any items listed in Watchtower, select them and click the red banner in the right column. A small explanation will pop up with a “Learn more” link. It is typically a good idea to follow the recommendation and change your password for that site. I have, however, seen a few sites listed that give no indication as to why 1Password feels there may be a problem. Use your best judgement if you come accross a site like that.

Note: Change passwords on the website/service it applies to first, then update 1Password or let your browser do it for you when prompted.

Weak passwords.

With the ability to generate insanely long and complex passwords in 1Password, this category should always be empty. 1Password remembers the passwords for you so there is no reason to use passwords you can remember! Have a look at the items listed, if any, and the password strength meter will show you right away if it could do with a new password.
1Password password manager weak password indicator
For these items, click the “Edit” button and fill in a new password. I recommend you use the built-in password generator and make the new password something you could not ever dream up yourself. You can do this by using the icon next to the password field.
1Password password manager new password generator1Password password manager new password recipe

These days my passwords are at least 20 characters and include plenty of symbols and digits. Allowing characters to repeat is technically less secure but in passwords that are this complex one repeated letter or number hardly makes a difference.

Use the same built-in password generator when cleaning up the Duplicate Passwords (hint; there should not be any).

The last few categories sort your saved passwords by age. Depending on how often, if at all, you change your passwords this is very convenient. I try to change my passwords once a year so the “1-3 years old” category is what I keep my eyes on.

With the Security Audit done, what else can you do?

Delete old passwords.

Go through your list of passwords and find those services you signed up for long ago but haven’t used since. Visit their website and see if you can delete your account completely. A service like justdelete.me might come in handy here.

Review all saved items you have left.

Services and websites you created an account for a long time ago may now have additional security in place. Check every service in your list and see if they now offer 2 Factor Authentication for example. Something that should be enabled for every service and website that offers it. Also, are the URL’s that are saved with your password http or https? Most sites that offer https will automatically redirect but it’s better to end up on an https enabled site directly. A lot of websites use your email address as your account ID when you sign up. Check all items in your list to ensure a current email address is used. If you signed up for a site years ago with an email address that no longer exists or is now inaccessible, you may run into problems if you ever need a password reset. Companies also email their clients if there was a security breach, without a current email address on file you miss out on those important updates.

Check the one password you do need to remember.

Securing your password vault with a password such as “Password 123” is of course useless. Make sure the master password is long, sufficiently complex yet easy to remember.

Backup your 1Password database.

By default 1Password stores local backups of your database. These backups can be found in /YourHomeFolder/Library/Application Support/1Password/Backups. It is a good idea to have an off-site backup as well though. Open up the Preferences and go to the Sync tab, here you have an option to sync your database to iCloud or Dropbox. You can select “Folder” and point it to a local file server, however this is not recommended by 1Password.
1Password folder sync warning
This is their nice way of saying “1Password will completely freak out of it can not find the file server”.

Remind yourself to do all of the above.

Set a reminder or calendar alert to perform all of the above maintenance every month or every few months. You can even include a link to this article so you don’t have to remember all the things you have to check on. After a while it will become part of your routine and you find yourself doing this maintenance without the need for reminders.
Calendar reminder

Do you use a password manager? Which one and how often do you perform maintenance like this? Let me know in the comments!


3 thoughts on “Using your password manager the right way”

  • 1
    Aliki on August 20, 2016 Reply

    I have been using 1Password for over a year. Reluctantly at first but now I’m grateful I did. Reading this I realize I still have stuff to learn about the app. Great stuff.

  • 2
    Kurt J. Meyer on September 12, 2016 Reply

    The article suggests you can change your password in the password manager application alone. I think this will cause loss of your login password, because the password manager stores your new information, but AFAIK is not able to change your account data on the website.
    You have to log in with your old password and use the site’s mechanism to choose and set a new password. You can make use of 1Password’s password generator, of course. The 1Password browser extension is a great help. Then 1Password will ask you, if you want to update the old password information with the new one.

    • 3
      Jay on September 15, 2016 Reply

      Good point Kurt, I have added a note in the article for those not familiar with a password manager.

Leave a Reply

Your email address will not be published. Required fields are marked *

*