Tidying up my 1Password

• Posted 22 February 2015
• Tagged with infosec

I’ve been creating online accounts for years, and saving them in 1Password, but everything was a bit scattered. I’d never stopped to organise or tidy up my database. I also had a lot of weak or duplicate passwords that I’d never changed.

Last week, I set about cleaning up my 1Password database. This was more than just changing some old passwords: it was a thorough and deep-level reorganisation.

Here are a few suggestions for how you can clean up your database:

Delete or archive old accounts

I had a lot of one-shot accounts: I’d signed up, then never looked back. I was account hoarding. There was no reason to keep them, so I tried to delete my old and unused accounts.

• Some sites make this easy: there’s a “Delete My Account” button on their Settings page.
• Some sites make it impossible: their help pages or FAQs tell you that you can never delete your account. (Usually forums.)

• Plenty don’t say: it’s not clear if (or how) you can delete your account.

  I wasn’t optimistic, but I tried emailing sites to request account deletion. I didn’t expect much of a response, but I was pleasantly surprised. It was worth the effort: lots of sites got back to me very quickly, and replies continue to trickle in.

This left accounts that I wanted to keep, and some others that I’d tried but failed to delete. I moved the latter into an archive Vault (TJ Luoma at Mac Stories has a good explanation of Vaults), away from my main 1Password database.

When I started, I had nearly 400 accounts. After this cull, I was down to about 150.

Change old passwords

1Password makes it easy to find passwords that need changing. The Security Audit section has a list of passwords which are old, weak or shared between accounts¹. The Watchtower section also highlights passwords which haven’t been changed since Heartbleed.

I cleared out this entire section. Every weak login got a new, strong password created with 1Password’s password generator.²

Turn on two-factor authentication

A recent update for 1Password on iOS added support for software-based two-factor authentication. (That update was what prompted me to do this clean.)

For any site which supported two-factor authentication (https://twofactorauth.org is a good list), I set it up in 1Password. It’s a nice extra layer of security. A handful of sites only support SMS-based two-factor, so I set that up as well, and I added a Note to the 1Password item about how I’d set it up.

Clean up personal details

Today I’m fairly cagey about giving out personal information, and asking for a phone number or address on a signup form is an instant turnoff. But in the past I wasn’t as careful, and plenty of sites have information I’d rather they didn’t.

I’ve created a series of tags in 1Password to mark which accounts have what information:

Since taking that screenshot, I’ve also added my debit and credit cards, so I know what cards need cancelling³ if a site gets hacked.

As I was creating these tags, I tried to delete information (or accounts) where it wasn’t necessary. Obviously I’d prefer they never had it at all, but removing it is better than nothing.

This doesn’t increase security, but it gives me an idea of how much of my information is “out there”. And as a bonus, it’ll make me even more hesitant the next time I’m asked for some personal info.

Conclusion

This cleanup was probably a bit overdue, but I’m glad it’s done. I’ll probably do this on an annual basis from now on. It’s also made me a bit more aware of how much personal information I was sharing, and I’ll be a bit more careful in future. A little more vigilance is no bad thing.