For help, advice and discussion about stuff not related to aviation. Play nice: no religion, no politics and no axe grinding please.
By JonathanB
FLYER Club Member
#1556589
TKF, do you subscribe to 1Password or have you just got the standalone apps? I have the latter with sync to my Dropbox, but pondering a family sub. Getting Mrs B to use it though could be difficult!
By PaulB
#1556593
I'm exactly the opposite.... My wife would be highly likely to use it. Could she sort out my passwords too with a family sub? :lol:
#1556644
TheKentishFledgling wrote: That's just what I wanted - thanks. Shows what one can find if you actually read the manual! :D

Hmmm, that was on my top list of wants too. The embarrassing thing is that I had installed the extension but had forgotten about it and have never used it :oops:
By riverrock
FLYER Club Member
#1556712
LastPass, a major competitor to 1Password, was hacked earlier this year (and more than once previous to that):
https://www.theguardian.com/technology/ ... nerability
https://www.hackread.com/lastpass-hacke ... -for-good/
http://lifehacker.com/lastpass-hacked-t ... 1711463571

My understanding with 1Password is that when you have an app, it keeps an encrypted version of all of your passwords on the 1Password server (or Dropbox), transfers the encrypted version to your device, then your device decrypts it.
So if your device has already been compromised, all your passwords can be grabbed by an attacker at one time. Also an issue if you change a password, there can be issues synchronising all your devices. Also if the encrypted file is compromised, it is subject to brute force attack.

When you use the cloud version, it does that decryption on their servers - which means that if their system is compromised, an attacker could get your passwords from their server, which is essentially the same risk that LastPass has. The attack is slightly more complex than what is required for LastPass (as they use a protocol called SRP) but the effect is the same.

If you don't use the cloud version, you have to have the app installed to get your passwords - annoying if at someone else's house or in an internet cafe when on holiday.

No system is perfect and password managers, although they have their benefits, also have their flaws. They are also obvious targets for hackers.
By JonathanB
FLYER Club Member
#1556724
No, 1Password always decrypts on your computer - even the web-based version downloads your vault and uses JavaScript locally to do the decryption. If you are logging in on a new device then you also need a Secret Key as well as your main vault's password.
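The exchange above turns on where the vault key is derived and on what a second, device-held secret changes. The sketch below is an added illustration, not part of any post and not 1Password's code or its actual key-derivation scheme: the function names, the iteration count, the sample passwords and the use of a check tag in place of real ciphertext are all assumptions made for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed value for this sketch


def derive_key(master_password, salt, secret_key=None):
    """Derive the vault key on the client; the sync service only stores the sealed record."""
    key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)
    if secret_key is not None:
        # Mix in a random secret that lives on the device and is never synced with the vault.
        mask = hmac.new(secret_key, b"vault-key" + salt, hashlib.sha256).digest()
        key = bytes(a ^ b for a, b in zip(key, mask))
    return key


def seal(master_password, secret_key=None):
    """Return the record that gets synced: a salt plus a check tag standing in for ciphertext."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt, secret_key)
    return {"salt": salt, "tag": hmac.new(key, b"vault-check", hashlib.sha256).digest()}


def unlocks(record, master_password, secret_key=None):
    """True if the supplied secrets reproduce the key that sealed the record."""
    key = derive_key(master_password, record["salt"], secret_key)
    expected = hmac.new(key, b"vault-check", hashlib.sha256).digest()
    return hmac.compare_digest(expected, record["tag"])


def password_only_guesses_that_unlock(record, candidates):
    """What someone holding only the synced file can test: passwords, with no Secret Key."""
    return [c for c in candidates if unlocks(record, c)]


# Constructed sample values
MASTER = "correct horse battery staple"
SECRET_KEY = os.urandom(16)
CANDIDATES = ["password1", "letmein", MASTER]

password_only_vault = seal(MASTER)           # protected by the master password alone
two_secret_vault = seal(MASTER, SECRET_KEY)  # master password plus device-held secret

if __name__ == "__main__":
    print(password_only_guesses_that_unlock(password_only_vault, CANDIDATES))
    print(password_only_guesses_that_unlock(two_secret_vault, CANDIDATES))
    print(unlocks(two_secret_vault, MASTER, SECRET_KEY))
```

With the second secret mixed in, even the correct master password fails against the synced record alone, so the strength of a copied vault file no longer rests only on how guessable the password is.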
By JonathanB
FLYER Club Member
#1556729
Correct, I'm talking about the online subscription version - which includes all the apps etc. You can sign up to that for a 30-day trial if you want to trial it. I did that, but I think I'll probably just stick with the standalone apps on my Mac and iPhone as it's highly unlikely I'll get Mrs B to use it.

With the standalone version, the 1Password servers never see your vault. You can sync between apps using your own Dropbox or iCloud. If you lose your Master Password then it is impossible to decrypt your vault.
By OCB
#1556865
This would explain why I all of a sudden have spam with my main business domain mail address.

"Something" happened a few weeks ago, I even got a warning from Apple - promptly changed that account. I didn't change my domain mail account.

Now done.

I also got round to finally adding a spam filter to my account - one of the "pleasures" of running your own domain and having mail hosted on it!
#1556876
Surges in spam levels have seemed to me to be a periodic & cyclical thing rather than as a result of any specific harvesting of my email addresses. Irritating for a couple of weeks, then it calms down again.

My main two domains are currently running at 93.5% and 81.2% spam, though all but a couple a day get caught in the host's filters so it isn't a real problem. Total waste of resources & bandwidth generally though. :evil:

For me, the worst "leaks" have come from Adobe (generally), Lightroom (separately), and Confused.com. Messages to those three accounts must represent ~70% of all inbound spam...
By JonathanB
FLYER Club Member
#1556896
Presumably you type those passwords in periodically, so someone could hack your computer, put a key logger on and grab them when you type them in...
By OCB
#1556900
I never got spam on my domain email until a few weeks ago, and I've been running it for 14 years I think. Alas, where it's hosted doesn't have great spam filtering options (Apache SpamAssassin via cPanel).

As a true IT pro - my password "sanitation" is awful. I re-use a subset of passwords across a number of sites, and rarely change them. I do now use iCloud "suggested passwords" for sites I don't give a monkeys about. For most sites I visit regularly (e.g., on here) I have easy to remember and "weak" passwords. For more important sites, they're strong passwords, and I use 2 factor authentication whenever possible.

My wife is better than me, she does a cleaning of all passwords once every 6 months. Annoying for the shared stuff such as Spotify, but she is more "exposed" than I am - she has Gmail, on all kinds of social media etc, and has had her Gmail hacked at least once.

+1 for a bit of paper with passwords. Always always always have a "hard backup" for important stuff somewhere.

I had a very small "eGold" account many years back. They got taken down as some "bad people" were using the service, and I more or less assumed the dosh was a goner.

I got a letter some years later saying I had to prove I was the owner of the account from the FBI. It meant "proving" I was the owner of the account by logging in, otherwise the (not very much) eGold would be confiscated.

In the interim I'd ditched Windows as my main OS at home, and went to Mac. I'd also moved apartments and countries a few times. The soft copies of my old Windows profiles all got corrupted in one way or another (CDRW - what a joke! 2 hard disks also failed to spin up etc).

I did have a bit of paper with all my logins. My login for eGold was there :thumright:
Even better - the price of gold had more than doubled in that time :lol: