
Password Manager

What is a password manager?

A place to manage all your passwords.

Why use a password manager?

See this post

How to use a password manager

First of all, to set up your password manager, if you have a laptop or desktop use this. It is easier in my opinion.

The very first thing is to have something you can use for 2FA with your new 1Password account.

You might already have something you use for 2FA with other accounts, often time-based one-time passwords: usually a 6-digit code that changes every 30 seconds. In that case, just use that for now. Many people already have Microsoft Authenticator https://www.microsoft.com/en-gb/account/authenticator for use with an old Hotmail or Microsoft account, or Google Authenticator https://support.google.com/accounts/answer/1066447?hl=en&co=GENIE.Platform%3DAndroid&oco=0.

If you don’t have anything, I would recommend using Authy https://authy.com/. It works on your desktop as well as your phone, and you can back it up if you like, so if you switch phones you can transfer it easily. I need to do a separate bit on 2FA and using Authy.

The second thing you will need is a master password. This is important as it will be used to secure everything. It must not be something you have used before or even similar to anything you have used before. Picking a passphrase of 4 or 5 random words with spaces in between is my suggestion. 4 long words, or 5 shorter ones, seem to be the right balance between enough security without making it hard to remember or type. I would not worry about capitalising the letters or adding numbers or symbols. Write it down on a piece of paper and put it in your purse/wallet to start with. If you forget this you will be locked out. Once you are happy you have remembered it you can destroy the paper. Yes, you have been told not to write it down, but forgetting it will mean you have no access. The chance of someone finding it written down will be slim and it will only be whilst you learn it.

For some ideas this website helps: https://www.useapassphrase.com/ as does the 1Password generator https://1password.com/password-generator/. Rather than pick one generated for you I would come up with one yourself.

Check out the pricing for your region by selecting it here https://support.1password.com/regions/#choose-your-region. There is an option for just you. But the families option works well (up to 5 people). There are a few advantages: better value, easy sharing between individuals, and you can set it up so that you can recover another account if they forget their master password.

There is a 14 day free trial and you can move from an individual account to family account.

You will need to enter your card details when you sign up, as after the free trial you will be charged if you do not cancel and close your account before then.

Once you have registered you will download a PDF Emergency Kit. This contains your secret key. This is something 1Password generated and without it you can’t log in to 1Password on a new device. You can print it out and put it in a safe place (like a safe, with your passport and birth certificate etc). Keep the PDF safe as well. If you lost all the devices you were signed into 1Password on, signing in would be impossible without your secret key.

Go to your name on the top right, select your profile, then on the left under more actions pick Manage Two Factor Authentication. Add your 2FA.

Don’t stop now though: add all your devices and browser extensions. Head to your name on the top right again and pick get apps. You can check out the options here too https://1password.com/downloads/.

I would start with your desktop client, called 1Password 7. Once installed, sign into it. The easiest way is to go to your profile, then get apps, and click the add your account directly option to fill the details in, then enter your master password. I would set it to lock and ask you to enter your master password quite often at first, like every 5 minutes. Once you have typed it plenty of times you can start to move this out to every hour, then every day, so it is less annoying but you still remember it. You will find on most modern devices it can link to biometrics, so you could almost never enter it, then forget it, and you would be locked out forever as you cannot reset your master password.

The benefit of a password manager comes with it integrating with your browser. If you are on a Mac and using Safari you can switch it on, otherwise there are extensions for Chrome, Firefox, Edge and Brave. Install the extension and sign in. https://support.1password.com/getting-started-browser/

This is a good start, but keep going and set up the app on your phone, tablet and any other devices. You need your secret key for those. You can set up biometrics on your phone, for instance. If your phone restarts you may have to enter your master password again. Otherwise, if you only ever used your phone, you could go a long time without entering your master password and then forget it.

On your desktop/laptop sign into websites and as you do save them into 1Password. Once a site is saved, you can always sign back out from it and try logging in with 1Password to check it has saved correctly and works. This will get you comfortable with using 1Password as well as saving all your sites. Don’t worry about changing any of them just yet.

If you are on the family plan, you can store some of your passwords in a shared vault with one or more of your family. Passwords for streaming sites and food delivery are common ones to share, as are Wi-Fi passwords.

Try and go through and save as many sites as you can remember having a sign on for. Check your favourites, history and emails to help jog your memory. I’m sure I read somewhere the average is around 200 sites. I have around 350 which I have accumulated over many years. Although I probably only sign into 100 a year.

Once you have saved as many as you can remember, try and change a few passwords. Start with ones you are less concerned about and wouldn’t worry about if you got into a muddle. Maybe that online shop you just bought that one thing from.

After changing a few passwords on sites you are less worried about, take a break if you like and leave it a day or so. Just enjoy the ease of 1Password filling in your details (including apps and sites on your phone/tablet). And keep practising your master password.

You can also save other useful information into 1Password, like your National Insurance number, passport and driving licence details. Saving your credit card details into 1Password helps you autofill them, and I think it is better than saving them on lots of random online shop sites where they could either be leaked or misused.

You can also store important documents (up to 1GB), so a scan of your birth certificate, passport etc is a good idea.

You can mark items as favourites and add tags to help find the records you want quicker and easier.

Hopefully you are enjoying not typing passwords (apart from your master password, which you can now easily remember) and having easy access to lots of your important information, such as completing your passport details when booking flights and credit card details when ordering.

But whilst this is all good, the reason for using a password manager is so you can have unique strong passwords for each site. So far you might have changed a few passwords to try it out.

Now is the time to start to change a few more. For now, until you are more comfortable with using 1Password and have at least remembered your master password, I would avoid changing your email provider(s) or other accounts you could not do without. Your email accounts are the most important ones, as usually these allow you to reset the passwords for any other sites.

One way to help you pick which ones is to look at Watchtower. On your desktop/laptop log into the 1Password website. You need to pick one vault at a time and then go to Watchtower on the left. This will help you pick the sites that need their passwords changed the most. https://support.1password.com/watchtower/

Compromised sites - unlikely to have any yet, as these will only appear where a site has had a data breach and you have not changed your password since. As you have only just created these entries there won’t be any yet. If you do ever see these then change them right away.

Breach report - clicking on create report will list the sites that have been compromised by checking haveibeenpwned.com. For any sites listed, make sure you have a new unique password for them. And any password you might have used on those sites needs changing.

Vulnerable passwords - check now and again whether any passwords need changing, as they are already on a list of ones people will try and use against your accounts.

Weak passwords - change any weak passwords to make them more secure.

Reused passwords - this is the main reason for starting this journey. Even a strong complex password could be stored in plain text and leaked by a site, so changing these is key, as is making sure you do not reuse them. However, this will only spot ones that are exactly the same. So if you used password123!Facebook and password123!Twitter it won’t spot this. But an attacker will.

Unsecured Websites - this lists any sites saved in 1Password with http instead of https. Review them and if they support https, update the details in 1Password. If they don’t, then your passwords will be sent to those sites in the clear and are not safe. Whilst you are there, update the passwords for these sites if you have not already done so since saving them in 1Password. You can see created and last modified dates.

Two-Factor authentication - lists sites that allow two-factor authentication but do not have a one-time passcode saved. As well as changing the passwords on these sites you should also add the one-time passcode to 1Password. Yes, this is putting all your eggs in the same basket. Some would argue the 2FA should be added to Authy or another 2FA app. However, for most people a secure 1Password is enough. Feel free to add the 2FA to Authy or another app, though. I would get YubiKeys and use those physical keys where you can.
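The Reused passwords check above only matches passwords that are exactly the same. As an added example (not part of the original post and not 1Password's own code), this sketch also flags the password123!Facebook / password123!Twitter pattern in a local list of entries; the sample vault, the function names and the "skeleton" heuristic are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample entries (site, password); none are real credentials.
SAMPLE_VAULT = [
    ("facebook.com", "password123!Facebook"),
    ("twitter.com", "password123!Twitter"),
    ("shop.example", "Tr0ub4dor&3"),
    ("forum.example", "Tr0ub4dor&3"),
    ("bank.example", "correct horse battery staple"),
    ("news.example", "Summer2021"),
    ("video.example", "summer2022!"),
]


def site_label(site: str) -> str:
    """'www.facebook.com' -> 'facebook' (simplified: ignores .co.uk style domains)."""
    parts = site.lower().split(".")
    return parts[-2] if len(parts) > 1 else parts[0]


def skeleton(site: str, password: str) -> str:
    """What is left once the site name, digits, symbols and case are ignored."""
    stripped = password.lower().replace(site_label(site), "")
    return re.sub(r"[^a-z]", "", stripped)


def audit(vault, min_len: int = 4) -> dict:
    """Return groups of sites with identical passwords and with near-identical ones."""
    exact, by_skeleton = defaultdict(list), defaultdict(list)
    for site, password in vault:
        exact[password].append(site)
        skel = skeleton(site, password)
        if len(skel) >= min_len:  # too little left to compare reliably
            by_skeleton[skel].append((site, password))
    return {
        "exact": sorted(sorted(s) for s in exact.values() if len(s) > 1),
        # same skeleton but different passwords: missed by an exact-match check
        "near": sorted(
            sorted(site for site, _ in entries)
            for entries in by_skeleton.values()
            if len({pw for _, pw in entries}) > 1
        ),
    }


if __name__ == "__main__":
    for kind, groups in audit(SAMPLE_VAULT).items():
        for group in groups:
            print(f"{kind} reuse: {', '.join(group)}")  # sites only, never passwords
```

Anything listed under near reuse needs a freshly generated password just as much as the exact matches do.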

After that, you could update passwords as you visit sites, if they have not already been updated since they were created in 1Password. Then, to cover all of them, go through them alphabetically until they all have new secure passwords.

After updating all of them you should by now be very comfortable with 1Password and remember your master password. Now is the time to update the remaining sites like your email.

There are some short videos to help show you how to sign up and get started: https://www.youtube.com/playlist?liAuthyeXQRfNcE6-AYi81Q60EBDZJIx1SiPKhM