I know none of my passwords

80 points by colbyaley, over 11 years ago

30 comments

sneak, over 11 years ago
If your Yubikey dies, your 1Password vault is toast. This is a bad idea and doesn't really add much to your level of security.

Just use a long and random 1Password, and store it in the OSX Keychain (1Password supports this). Then back up your user keychain with the rest of your files and don't forget your login password. Alternately, Mavericks (which comes out in a week) will sync your Keychain items to iCloud for you.

This is all moot though because 1Password is a pain in the dick to use on iOS, and Apple's using their lack of plugin support for MobileSafari to hinder competition. In Mavericks' Safari, you can now save passwords for forms that specifically attempt to disable password storage, and sync those encrypted passwords to iCloud. This wouldn't matter much... but that sync now works with iOS7's MobileSafari, where 1Password can't load a browser extension to compete.

TL;DR: Cool story, but 1Password unfortunately becomes OS-bundled obsolete in a week.
MichaelJW, over 11 years ago
I haven't used 1Password before, but I know LastPass offers multifactor authentication via your mobile app of choice[0], which comes to essentially the same thing.

Once you've set it up, you require two passwords to log in: one you memorise; the other you read off your mobile app, and is regenerated every 30 seconds.

[0]: https://helpdesk.lastpass.com/security-options/#Multifactor+Authentication+Options
WestCoastJustin, over 11 years ago
You can also use other password safes (sometimes called vaults) that are multi-platform. A password safe is an encrypted database that allows you, and your team, to securely store and share passwords. Basically, it is a free piece of software that is cross-platform (win, mac, linux). A common workflow would be to store it on a shared drive and give your team access; they use a common password to access the safe, which holds the other passwords. Create multiple safes if you need segregation, i.e. dev safe, sysadmin safe, network safe, etc. I have created a screencast about this @ http://sysadmincasts.com/episodes/7-why-you-should-use-a-password-safe

Personally, I would not recommend any of the cloud based solutions, for the simple fact that any slip-up in their security and you are hosed. These are your crown jewels, do not outsource this!

UPDATED: sentence structure.
Random_Person, over 11 years ago
Hm, I've been using KeePass/Dropbox for quite a while now. Not sure what advantages this method has over mine? Yes, I have to remember my KeePass master password... but then you'd have to be logged into one of my machines to get access to it anyway... or on my mobile, which everyone seems to be using for 2-factor anyways, so it's moot if my mobile is compromised.

Not sure what the advantage is.
jerf, over 11 years ago
This essentially turns "something you know" into "something you have", with no requirements that any of the remote websites change what they are doing.

It seems like this is an interesting counter to the recent budding trend of arguing that "something you know" (passwords) is broken and we should all throw it out and switch to "something you have". This shows that a user can unilaterally convert "something you know" into "something you have", *and* unlike the inevitable clusterfuck of trying to standardize on "something you know" with the inevitable gold rush of competing, fragmented standards, resulting in users having to have an unbounded number of "things" in their possession [1], authentication consumers can continue to work with standardized password approaches.

It seems to me that rather than rewriting the Internet to not use passwords, we'd be better off making this approach even easier (although it's not all that hard right now, really).

[1]: Yes, I'm aware of things like RFC 4226. History's pretty clear though; if there was more value to capture in this space it would break into proprietary fragments in a heartbeat. All the proprietary fragments would probably be beaten down by RFC 4226 in the end, but there would be an unhappy few years in the middle.
ekns, over 11 years ago
I've been using PasswordMaker (http://www.passwordmaker.org/) for years to generate most of my site-specific passwords when needed. PasswordMaker uses a master password together with a site's domain name to hash a site-specific password. It has Chrome and Firefox extensions for filling in the password fields with one button.

Unfortunately, by default it uses MD5 and 8-character passwords. I always set this to SHA256 and at least 12 characters when first installing the extension on some device/browser.

Most sites play well with this, but there are exceptions: having to change a password is a bit ugly when the passwords are generated from a given master password and the site's domain name. A more common problem is when a site refuses to accept certain characters in the hashed password or when a site requires some number of digits and uppercase letters, for instance. I currently just store these exceptions with Keepass.

I see 1Password being mentioned a lot but I started using PasswordMaker and Keepass well before I'd first heard of 1Password so I don't know how it might compare.
JimWestergren, over 11 years ago
Sounds like a bad idea to depend on your Yubikey.

I only know my master password for Lastpass, which is kind of random, 14-16 characters long and complex. I type it once each morning and it goes fast to type. With that I access my other 334 randomly generated passwords. But I do know my password for email just in case.
peterwwillis, over 11 years ago
At the very least you should have a way to recall your e-mail password. Almost every account that you have is linked to an e-mail for resetting. You need to have reliable e-mail access in order to reset your digital life.

My e-mail password was created randomly based on 12 uppercase/lowercase letters, numbers, and symbols. I memorized it via muscle memory. My master-password-database password is the same, but 18 characters. I know more passwords, but these are the only two I need to retain.

You can also be pragmatic about your accounts. Do I care if my PontiacSunfireCarClub.com account is hacked? Or my NewYorkDailyNewsTime.com account? No, I don't. So the password is irrelevant.
jmartens, over 11 years ago
"Stronger passwords are typically hard to remember. Since you will need to enter your 1Password master multiple times a day, this can be a problem."

This doesn't make too much sense. While stronger passwords are harder to remember, if you use them multiple times per day, you'll have stronger memory of that password. It's hard to forget a password you have to use a few times per day... no matter how long or short it is.

Additionally, stronger passwords are not always harder to remember. There are some great password and memory techniques that make long complicated passwords easy to remember.
tommis, over 11 years ago
Here's how I work with free Keepass:

1) Set up your password store with a strong password and a key file

2) Keep your key file on your local machine and a backup on USB etc., not cloud

3) Now you can back up your db into cloud, e.g. SpiderOak, Dropbox

4) On your other machine (work laptop, mobile, ...) copy in the key file, sync the db from the cloud

Now you have a password manager that works on all of your devices, syncing automatically, safely.

This works for me. I know where the db is at (which cloud provider) and can be sure it's inaccessible without the key file + password. Any thoughts?
rubyalex, over 11 years ago
How do you recover from it if your Yubikey got lost or stolen?
nsxwolf, over 11 years ago
Remember:

1. Use a different password for every account

2. Always use a gigantic, mixed case alphanumeric password with special characters for maximum entropy

3. Never, ever write any of these passwords down! ;)
Timothee, over 11 years ago
I think this is an interesting setup just because it makes it possible to have a very complicated 1Password master password without being too inconvenient. For my use of 1Password, it wouldn't work though since I use it on my phone frequently.

However as others have said, you need to have a way to get to the full password somehow, likely in the form of it written down and stored in a safe, at home or in a bank. Or in somebody else's password vault.

Actually, that's something I haven't seen much and that I have done myself manually only: the ability to secure this information by spreading the database with multiple trusted parties. Similar to what Snowden has done I understand: no-one can access the information by themselves, but *you* can piece together whatever information you need from multiple people. I know some stuff exists like this, I just haven't seen it for password vaults specifically.
VLM, over 11 years ago
Is the yubikey static secondary password sniffable via a keylogger type exploit? That could be a problem.
DanBC, over 11 years ago
This thread shows that there's still some confusion around best practice with Yubikey.

{EDIT: Was the submission edited after being posted here? Because a bunch of people are saying that the password dies if the Yubikey dies, even though the submission says that the password is backed up independently of the Yubikey}

Yubikey is nearly brilliant. Not having a battery and a clock makes it a bit sub-optimal. But it's still a cool bit of tech. They don't help by having a terrible website. They need to split it into "info for developers", "why you want Yubikey" and "how to use Yubikey now you have one".

And it's kind of scary to see how many different password safes there are and how few of them have had any kind of auditing.
colbyaley, over 11 years ago
I have appended the post to include the fact that I have a copy of my password physically printed and hidden in a secure location.<p>As for mobile, I have not tried the workflow on iOS but I hear you can use the USB camera connection kit to connect your Yubikey.
BIair, over 11 years ago
I use Lastpass with Google Authenticator two-factor authentication. Like most Lastpass users the only password I know is my master password, and of course it's the weakest.

Lastpass has worked well, but going forward there are two major concerns. Lack of a mobile browser plugin makes it difficult to use on mobile (Android). Second is that all major browsers appear to be dropping plugin support out of security and performance concerns.

What's best for password management without using browser plugins? Chrome clear text password storage is troublesome. Bitlocker and mobile encryption may help. Are more OS implementations on the way?
techscruggs, over 11 years ago
A lot of people are concerned about the Yubikey dying, but that is only one of 3 passwords you should have memorized.

You also need to know your app store password. If your computer crashes, you will want to be able to reinstall 1Password.

Additionally, you probably want to use Dropbox to sync your passwords and act as a pseudo remote backup. If that is the case, then you also want to know your Dropbox password.

All in all, I think you should have 3 passwords memorized: 1) 1Password master password 2) app store 3) Dropbox

If you have this knowledge, you can gain access to all your credentials from a freshly installed OS.
kbar13, over 11 years ago
But then you're out of luck if you're on mobile and need something from 1Password.
crusso, over 11 years ago
Steve Gibson (of "Security Now!" fame) recently proposed a novel way to manage account access called SQRL. Basically, you use a SQRL app on your smart phone to read login QR codes. Some behind-the-scenes magic happens and then you're logged in.

It has a large number of benefits over the traditional account/password paradigm.

https://www.grc.com/sqrl/sqrl.htm
callesgg, over 11 years ago
I have a thing called paper which I hide. On it I write stuff about events in my life that have to do with the password in question. That way I can easily memorise a shitload of passwords, and if I forget one I just look at my paper and easily figure out what the password was.

If the password is for a really dumb service that I don't care about I just write it in a text file located on my server /home/user/shitty_passwords.txt
triplesec, over 11 years ago
If you lose your Yubikey, is it all backed up online somewhere, or will you lose access to all your online services its password is used for?
cpeterso, over 11 years ago
I use SuperGenPass, a JavaScript bookmarklet that hashes a master password with the website's domain name to generate a unique password for every site. The only problem is websites that have unusual password requirements that don't like SuperGenPass' passwords.

http://supergenpass.com/
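PasswordMaker (ekns, above) and SuperGenPass (cpeterso) both derive each site password from a hash of the master password and the domain. This added example (not either tool's code) shows that derivation together with the two failure modes both posters mention: a site policy rejecting the output, and no way to rotate one site's password. The `revision` parameter, the helper names and the demo inputs are assumptions added here, not features of either tool.

```python
import base64
import hashlib
import math
from typing import List


def derive_site_password(master: str, domain: str, length: int = 12,
                         algo: str = "sha256", revision: int = 0) -> str:
    """Deterministic per-site password: hash(master, domain, revision), base64, truncated.
    `revision` is an assumed addition: bumping it rotates one site's password without
    touching the master, which plain master+domain hashing cannot do."""
    material = f"{master}\x00{domain}\x00{revision}".encode("utf-8")
    digest = hashlib.new(algo, material).digest()
    # Risk to keep in mind: a single fast hash means one leaked site password lets the
    # master be guessed offline at hash speed; a slow KDF would raise that cost.
    return base64.b64encode(digest).decode("ascii")[:length]


def policy_violations(password: str, require_digit: bool = True,
                      require_upper: bool = True, forbidden: str = "+/=") -> List[str]:
    """Explain why a site with a typical composition policy would reject a derived password."""
    problems = []
    if require_digit and not any(c.isdigit() for c in password):
        problems.append("no digit")
    if require_upper and not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    bad = sorted({c for c in password if c in forbidden})
    if bad:
        problems.append("forbidden characters: " + "".join(bad))
    return problems


def entropy_bits(length: int, alphabet_size: int = 64) -> float:
    """Guessing strength of `length` uniformly chosen base64 characters (the site-password
    side only; the master password is the real upper bound)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed demo inputs, not real credentials.
    pw8 = derive_site_password("demo master phrase", "example.com", length=8, algo="md5")
    pw12 = derive_site_password("demo master phrase", "example.com", length=12)
    print(pw8, entropy_bits(8), "bits")    # the PasswordMaker default: 48 bits
    print(pw12, entropy_bits(12), "bits")  # SHA256 and 12 chars as ekns configures it: 72 bits
    print(policy_violations(pw12))         # [] if the output happens to satisfy the policy
```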
dbot, over 11 years ago
I've used Dashlane for over a year and like it quite a bit. I think it started off as an automated checkout app but the password part has overtaken that feature (though payment and form filling still works great).

Dashlane does encrypted cloud storage with local decryption - but I'm just wondering if there are good reasons to switch to 1Password or LastPass.
sivanmz, over 11 years ago
He misstates the 1Password premise. It is actually that even if you have a complicated single password, repeating it throughout the day makes it easy to remember.

The rest of his argument is based on convenience alone and rather weak. A YubiKey, nice as it is, doesn't help with mobile devices, where transactions are increasingly taking place.
grahamburger, over 11 years ago
Instead of memorizing all of my passwords, I memorized an algorithm that I use to generate passwords. So all of my passwords are unique with fairly good entropy, and I can recover any of them, but I don't necessarily have them memorized. The ones that I use often are saved in muscle memory.
dfischer, over 11 years ago
I love www.passpack.com

http://blog.danielfischer.com/2011/05/12/its-time-to-start-using-a-password-manager/
igorgue, over 11 years ago
I use book quotes for passwords (include spaces and sometimes change letters for numbers (if the stupid website requires it)), I don't forget those since they're meaningful.
qwerta, over 11 years ago
Is it made in US? Does it have automatic NSA export feature?
davidcollantes, over 11 years ago
So, if you lose or break your Yubikey, you are left locked out.