
Maximizing 1Password Security (with a local vault)

Like most, I advocate a password manager and have frequently recommended 1Password (for years). However, I have led something of a double life, utilizing 1Password without a subscription to store “important” passwords within a “local” iPhone vault, whereas I’d place my less critical credentials (think: Netflix) in LastPass for efficient cross-platform access, including a computer browser extension.

While 1Password has never been breached and their technical architecture is actually fortified to keep our data secure in that scenario, experience tells us never say never – nothing is foolproof. But even if their cloud and our vaults remain secure, computer operating systems and browsers provide additional vectors of attack. Any random rogue browser extension can read everything (and I suspect that is how my Yahoo Mail address book was harvested, years ago) – including that 1Password web view of your vault. Which is why I railed against 1Password’s 2017 cloud requirement (which they wisely, thankfully backed off of).


What I didn’t realize at that time, after they decided to support both cloud and local accounts, is that the two implementations can coexist. So, this week I finally subscribed to 1Password ($36/yr) and was able to kick LastPass to the curb (with a clean, comprehensive import). Once 1Password merged my existing passwords into a new cloud vault, I blew away the local vault, recreated it, and moved over financial institution and other sensitive credentials from cloud to iPhone. I just don’t want them anywhere on the web. (Then I emptied my 1Password trash which, under normal circumstances, they conveniently retain for 12 months. “Local” iPhone vaults can optionally be backed up to iCloud or across the LAN, should one so choose.)

Beyond the above, as two-factor auth has taken off, 1Password has been a godsend in colocating those rotating 2FA codes alongside passwords and automagically pasting them to the clipboard as needed. No dedicated authenticator app required. (And many thanks to Adam for turning me onto this feature a year or so ago!)

Published by
Dave Zatz