
June 28, 2012 Stefan Zier

Nine 1Password Power Tips

As I mentioned in my previous blog post, many of us here are power users of 1Password. Here are a few tricks we’ve assembled:

1. Sharing passwords with team members

There are those rare occasions where you cannot avoid sharing a password with somebody else on the team. For example, some older applications don’t support multiple users within a single account. For these cases, it is crucial to keep track of whom a password has been shared with. I use 1Password tags to do this. Whenever I share a password with somebody, I tag that entry “shared_with_name” — for example, “shared_with_joan”. This has two benefits:

  • When a person leaves the company, I can generate a Smart Folder to show me all the passwords I’ve shared with them, and change the passwords. Smart Folders are folders in 1Password that dynamically select entries that match a given set of criteria, for example, tags.
  • When I need to change the password, I have a list of people to send the new password to.

In order to send the passwords, a good method is to export them from 1Password and send them over a secure link (we use Skype for this). These files are plain text and contain the password in the clear, so care needs to be taken to only store them on encrypted drives and securely wipe them.

2. Eradicating Bad/Old Passwords

All of us have used passwords on the internet before the widespread availability of password managers. Let’s be honest, we probably reused a small set of passwords broadly. Now that it is the year 2012 and we know better, 1Password can help us systematically eradicate our old passwords.

Here’s one good way to do it:

  • Create a Smart Folder in 1Password that matches against all your “bad” passwords.
  • Make it a habit to let the 1Password browser plugin remember your password, even if it’s one of your widely reused ones.
  • Regularly go through the Smart Folder and empty it out by changing your passwords on those sites.

Passwords that were exposed as part of any security breaches, for example your LinkedIn password, should also be part of the Smart Folder.

3. Eradicating Weak Passwords

Similar to the previous tip, use a Smart Folder to match on password strength and length. In addition to that, use a special tag (for example, “must_be_weak”) to label passwords that cannot be strong (annoyingly, some sites limit password length and character set). Exclude these from the Smart Folder.

4. Keyboard Shortcuts

There are a few handy keyboard shortcuts in the browser plugins for 1Password and 1Password itself. Here are some I use on the Mac:

  • In Chrome: Command-L, “1p”, <tab> – this brings up a dropdown menu with all the Logins in your 1Password, start typing and select. Chrome will then take you to the site and log you in.
  • Most browsers on the Mac: Command- – this opens the 1Password browser plugin and fills in the credentials for the current site (after you select with Enter)
  • In 1Password App: Option – while Option is held, 1Password will reveal the password for the current entry.
  • In 1Password App: Command-F – takes you to the search box.

5. Frequently Used Items

I have two passwords I have to enter into a terminal (i.e. not a browser) many times a day. Rather than looking them up using the search functionality, I’ve created a “Frequently Used” folder, which I leave selected throughout the day, saving precious keystrokes.

6. Password Length and Complexity

Recent research has shown that longer passwords with a standard (A-Z, a-z, 0-9) character set are preferable to short passwords that use additional special characters. In addition, many web sites are pretty fiddly about the passwords they require/allow. When I create a new password, here’s the rough sequence of steps I take:

  1. Does the form talk about any maximum length and/or restrictions? If not, default to the 50 character maximum (slider all the way right) and letters/numbers only.
  2. If there is a maximum length or the site mandates it and it is below 12, add all the special characters.
  3. Set the password, then try it out.

This works great 99% of the time. Whenever I encounter a case where there’s a bug, I add a note into 1Password to remember the quirks on the next password change. Here are two examples:

  • A mortgage servicing company accepted my 50 character password in the password reset form, but silently trimmed the password to 12 characters. I had to discover what my password had been set to through trial and error.
  • A big national discount brokerage (talk to Chuck…) restricts your password length to 8 characters. They don’t allow special characters, either. The only mitigating factor is that they lock out your account after 3 failed logins.
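The sequence of steps above, and the cost of the silent-trimming case, as an added Python example (not code from the original post or from 1Password). It reads step 2 as "add specials when the limit is below 12 or the site requires them"; the `SPECIALS` set, the function names and the parameters are assumptions made for illustration.

```python
import math
import secrets
import string

ALNUM = string.ascii_letters + string.digits  # A-Z, a-z, 0-9: 62 symbols
SPECIALS = "!@#$%^&*()-_=+[]{};:,.?"          # assumed set; sites differ
DEFAULT_LENGTH = 50                           # slider all the way right
SHORT_LIMIT = 12                              # below this, add specials


def choose_policy(max_length=None, specials_allowed=True, specials_required=False):
    """Steps 1 and 2 of the post: return (length, alphabet)."""
    length = DEFAULT_LENGTH if max_length is None else min(max_length, DEFAULT_LENGTH)
    short = max_length is not None and length < SHORT_LIMIT
    if specials_required or (short and specials_allowed):
        return length, ALNUM + SPECIALS
    return length, ALNUM


def generate(max_length=None, specials_allowed=True, specials_required=False):
    """Draw characters uniformly with the OS CSPRNG; redraw the whole
    password if a required special is missing, which keeps it uniform."""
    length, alphabet = choose_policy(max_length, specials_allowed, specials_required)
    while True:
        password = "".join(secrets.choice(alphabet) for _ in range(length))
        if not specials_required or any(c in SPECIALS for c in password):
            return password


def entropy_bits(length, alphabet):
    """Upper bound for a uniform draw: length * log2(alphabet size)."""
    return length * math.log2(len(set(alphabet)))


def effective_bits(length, alphabet, stored_length):
    """Entropy left when a site silently keeps only the first stored_length chars."""
    return entropy_bits(min(length, stored_length), alphabet)


if __name__ == "__main__":
    for label, limit, allowed in [("no stated limit", None, True),
                                  ("limit 8, specials allowed", 8, True),
                                  ("limit 8, letters/digits only", 8, False)]:
        length, alphabet = choose_policy(limit, allowed)
        print(f"{label}: {generate(limit, allowed)} "
              f"(~{entropy_bits(length, alphabet):.0f} bits)")
    print(f"50 chars trimmed to 12: ~{effective_bits(50, ALNUM, 12):.0f} bits")
```

The last line shows why the silent trim matters: a 50-character letters/numbers password carries roughly 298 bits, but only about 71 bits survive if the site stores just the first 12 characters.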

7. Security Questions

Many sites commonly force you to configure a set of “security questions” that are required as additional authentication in certain circumstances, including:

  • You’re trying to reset the password, and they authenticate you using the questions.
  • You’re logging in from a computer they haven’t seen before.

Aside from being tedious, there are a few other annoyances with security questions. Many sites limit you to a predefined set of questions to select from. Those generally fall into two categories:

  • Questions about your family/history (schools, cars, etc), which are easy for third parties to know or find out.
  • Questions about preferences (favorite color, actor, etc), which are generally non-constant or don’t apply (favorite color? why discriminate…)

Long story short: 1Password can help. Simply answer the questions with “secure” (non-guessable) values, then store the questions and answers in the additional fields in 1Password. Bonus: You can simply copy/paste the answer when the site asks next time.

8. Passwords you need to type

There are a few places where a fully random-generated password isn’t practical:

  • Passwords to unlock your laptop/desktop.
  • Passwords you need to enter on a TV screen (Tivo, Roku, AppleTV, etc)
  • Passwords to web sites or applications that won’t let you paste from the clipboard (how annoying is that!)

For those cases, there are two things you can do:

  1. Make up a nice long password from random words (ideally some not from a dictionary, use camel-case spelling, add numbers that aren’t your DOB, etc).
  2. Use 1Password’s “Pronounceable” feature, which renders passwords that are easier to copy by hand.

I tend to find 1 easier. For good measure I add some expletives to the passwords for poorly designed sites… 🙂

9. 1Password and the real world

Here are some ideas for non-obvious uses for 1Password. Many of them only make sense if you have a smart phone with the 1Password app synched.

  • A secure note with the procedure to open your safe (left -> 38, right -> 4, etc.)
  • Random-generated PIN codes for your garage door opener, home alarm, car stereo, any exterior doors that use codes, etc.
  • Credit cards, passport numbers, social security numbers, bank account and routing numbers. 1Password has a Wallet section for this type of information.

People habitually re-use the number combinations (often based on dates) for these types of access controls. Do you really want your friend whom you’ve given the alarm code to also know the PIN for your ATM account?


Stefan Zier

Stefan was Sumo’s first engineer and Chief Architect. He enjoys working on cloud plumbing and is plotting to automate his job fully, so he can spend all his time skiing in Tahoe.
