GNU social JP
Conversation

Notices

  1. Jake Hildreth (acorn) :blacker_heart_outline: (horse@infosec.exchange)'s status on Friday, 20-Jan-2023 19:38:11 JST
    in reply to
    • Dirk Hohndel
    • Zak :1password:
    • Troy Hunt

    @dirkhh @zak @troyhunt

    > a bunch of accounts I have 2FA via a different app instead of 1Password

    Ooh, this burns my biscuits. Having your second factors in a different app is better than storing them in the same app as your passwords unless there’s a separate set of credentials required to use the additional factors.

    In conversation Friday, 20-Jan-2023 19:38:11 JST from infosec.exchange permalink
    • Dirk Hohndel (dirkhh@hachyderm.io)'s status on Friday, 20-Jan-2023 19:38:12 JST
      in reply to
      • Zak :1password:
      • Troy Hunt

      @zak @troyhunt
      1118 - but that’s only because on a bunch of accounts I have 2FA via a different app instead of 1Password… oh, and one weak password… I posted about this a few weeks ago, a website that doesn’t allow you to change your password, and your password is sent to you in clear text when you sign up. And it’s weak…

      NO FAIR!!!

      In conversation Friday, 20-Jan-2023 19:38:12 JST permalink
    • Zak :1password: (zak@infosec.exchange)'s status on Friday, 20-Jan-2023 19:38:25 JST
      • Troy Hunt

      Here's some more #security stuff about #1Password. This time, it's all about Watchtower.

      #Watchtower has been around for some time, but new to 1Password 8 is a metered Watchtower score. This score will improve as you adjust to the good habits of using a password manager (or more generally a secrets manager). There might be more to that than you first realize.

      Your passwords need to be unique, random, and strong. You'll need to have enabled MFA with logins that permit you to do so. 1Password will also track expiring items (like credit cards and driver's licenses) and ask you to renew them when the time comes. And it'll track any websites that you've saved as less-than-secure HTTP links instead of HTTPS links, but those are becoming less common over time.

      As a bonus, it will alert you when your credentials have been involved in a security incident of some sort. Watchtower integrates with @troyhunt's Pwned Passwords, and additionally has its own system for detecting compromised credentials. I am one of the people that helps to maintain that system.

      Watchtower will increase your score until you max out at 1200. So, I'd ask who thinks they can beat my score... but you can't. But do your best to match it.

      In conversation Friday, 20-Jan-2023 19:38:25 JST permalink

      Attachments

      1. https://media.infosec.exchange/infosecmedia/media_attachments/files/109/718/598/059/477/331/original/f9f8234b0e19a50d.jpg
    • Jake Hildreth (acorn) :blacker_heart_outline: (horse@infosec.exchange)'s status on Saturday, 21-Jan-2023 00:07:43 JST
      • Dirk Hohndel
      • Zak :1password:
      • Troy Hunt

      @zak @dirkhh @troyhunt As soon as I sleepily posted this, I immediately thought "my recommendation depends on your threat model and is fine for 99% of 1Password customers... ahh fuck it, I don't feel like adding context at this godforsaken hour."

      In conversation Saturday, 21-Jan-2023 00:07:43 JST permalink

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.