1password master PW - how strong?

Discussion in 'iOS Apps' started by koerk, Sep 24, 2014.

  1. koerk macrumors regular

    Joined:
    Dec 14, 2013
    #1
    Hello!

    I'm desperately advising my girlfriend to clear up her password mess with 10x the same pw over her accounts and easily guessable combos.

    Since 1password is free I might be successful. She is still on the 4S and thinks about buying a 5S in the next weeks (->touchid)

    Does the master password have to be super secure? I mean, sure, it holds all your passwords together, but is it something a hacker for example could take advantage of? Or is the master password only for local use, on the devices themselves?
    I mean, if it's device and app only, I think it doesn't have to be mega secure because the phone itself is locked and the chance of getting access to her 1password app is very low even when her master pw isn't that strong.

    You see my point?

    Thanks!
     
  2. AGKyle macrumors 6502

    Joined:
    Jun 10, 2012
    #2
    Hi there!

    Our blog has a really good post on this:

    http://blog.agilebits.com/2011/06/21/toward-better-master-passwords/

    If your girlfriend ever wants to sync her data I would strongly encourage her to use a nice strong master password. Mine is ~30 characters long. But, it's not too difficult to type because I use the suggestion in the post about Diceware passwords. These are very secure and can be long but still easy to type. Combine this with TouchID in the latest update and I still have easy access when I need it but a great master password that has to be typed in to gain access to the data.

    Let me know if you have any questions :)
     
  3. koerk thread starter macrumors regular

    Joined:
    Dec 14, 2013
    #3
    Ok that's reasonable.

    But can somebody do anything with the master pw when he has no physical access to one of my or her devices? Is there a web access?

    Does the Touch ID authentication in Safari on iOS work now? I read that you still had to enter the master pw...

    Thanks for your help
     
  4. AGKyle macrumors 6502

    Joined:
    Jun 10, 2012
    #4
    If you're not syncing, then the malicious person would need physical access to your device. I should point out that syncing provides at least some form of backup. I would _not_ depend upon iCloud Backup or iTunes Backups. You certainly want to be making backups aside from those if you depend upon the data in 1Password (or any app for that matter). I cannot tell you the number of times I've seen users depend on these two backup methods and they've lost data.

    If you are syncing, they just need to gain access to your Dropbox or iCloud and then if you're using a weak password for your 1Password data then it could be trivial to get into. Particularly if it's only numbers, or uses any of the common passwords. If it's a unique password it'll take longer but depends greatly upon how strong the password is.

    This is why I more or less say if you ever plan to sync, use a strong password because it's just protecting yourself better. Also, people lose their iOS devices frequently.

    TouchID certainly works in the Safari extension, but there are a couple of small bugs that may cause it to not pop up all the time. These will be resolved in the next update and we'll be simplifying the settings/defaults for TouchID in that same update.
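
An added example, not part of the original thread or of 1Password's code: it puts numbers on the point made in posts #2 and #4 that a copy of the synced data can be guessed at offline, so the master password's strength decides how long that takes. The guess rate and the assumption that every password is chosen uniformly at random are illustrative assumptions; 7776 is the size of the standard Diceware word list.

```python
import math

DICEWARE_WORDS = 7776            # 6**5: five dice rolls pick one word
SECONDS_PER_YEAR = 365 * 24 * 3600
ASSUMED_RATE = 1_000_000         # guesses/second against the copied vault (assumption)


def entropy_bits(symbols: int, length: int) -> float:
    """Entropy when each of `length` positions is drawn uniformly from `symbols` options."""
    return length * math.log2(symbols)


def average_crack_years(bits: float, guesses_per_second: float) -> float:
    """Expected offline guessing time: on average half the search space is tried."""
    return (2 ** bits / 2) / guesses_per_second / SECONDS_PER_YEAR


def min_diceware_words(target_years: float, guesses_per_second: float) -> int:
    """Smallest Diceware passphrase length whose average crack time meets the target."""
    words = 1
    while average_crack_years(entropy_bits(DICEWARE_WORDS, words),
                              guesses_per_second) < target_years:
        words += 1
    return words


def compare(rate: float = ASSUMED_RATE) -> dict:
    """Return {description: (entropy in bits, average years to guess)} for sample choices."""
    candidates = {
        "6 random digits": entropy_bits(10, 6),
        "8 random lowercase letters": entropy_bits(26, 8),
        "4 Diceware words": entropy_bits(DICEWARE_WORDS, 4),
        "6 Diceware words": entropy_bits(DICEWARE_WORDS, 6),
    }
    return {name: (round(bits, 1), average_crack_years(bits, rate))
            for name, bits in candidates.items()}


if __name__ == "__main__":
    for name, (bits, years) in compare().items():
        print(f"{name:28s} {bits:5.1f} bits  ~{years:.3g} years on average")
    print("Words needed for 100 years at the assumed rate:",
          min_diceware_words(100, ASSUMED_RATE))
```

A password a person picks (a date, a common word, a reused password) falls far below these figures, because the model only holds for uniformly random choices.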
     
  5. koerk thread starter macrumors regular

    Joined:
    Dec 14, 2013
