Tidying up my 1Password

I’ve been creating online accounts for years, and saving them in 1Password, but everything was a bit scattered. I’d never stopped to organise or tidy up my database. I also had a lot of weak or duplicate passwords that I’d never changed.

Last week, I set about cleaning up my 1Password database. This was more than just changing some old passwords: it was a thorough and deep-level reorganisation.

Here are a few suggestions for how you can clean up your database:

Delete or archive old accounts

I had a lot of one-shot accounts: I’d signed up, then never looked back. I was account hoarding. There was no reason to keep them, so I tried to delete my old and unused accounts.

This left accounts that I wanted to keep, and some others that I’d tried but failed to delete. I moved the latter into an archive Vault (TJ Luoma at Mac Stories has a good explanation of Vaults), away from my main 1Password database.

When I started, I had nearly 400 accounts. After this cull, I was down to about 150.

Change old passwords

1Password makes it easy to find passwords that need changing. The Security Audit section has a list of passwords which are old, weak or shared between accounts1. The Watchtower section also highlights passwords which haven’t been changed since Heartbleed.

I cleared out this entire section. Every weak login got a new, strong password created with 1Password’s password generator.2

Turn on two-factor authentication

A recent update for 1Password on iOS added support for software-based two-factor authentication. (That update was what prompted me to do this clean.)

For any site which supported two-factor authentication (https://twofactorauth.org is a good list), I set it up in 1Password. It’s a nice extra layer of security. A handful of sites only support SMS-based two-factor, so I set that up as well, and I added a Note to the 1Password item about how I’d set it up.

Clean up personal details

Today I’m fairly cagey about giving out personal information, and asking for a phone number or address on a signup form is an instant turnoff. But in the past I wasn’t as careful, and plenty of sites have information I’d rather they didn’t.

I’ve created a series of tags in 1Password to mark which accounts have what information:

Since taking that screenshot, I’ve also added my debit and credit cards, so I know what cards need cancelling3 if a site gets hacked.

As I was creating these tags, I tried to delete information (or accounts) where it wasn’t necessary. Obviously I’d prefer they never had it at all, but removing it is better than nothing.

This doesn’t increase security, but it gives me an idea of how much of my information is “out there”. And as a bonus, it’ll make me even more hesitant the next time I’m asked for some personal info.

Conclusion

This cleanup was probably a bit overdue, but I’m glad it’s done. I’ll probably do this on an annual basis from now on. It’s also made me a bit more aware of how much personal information I was sharing, and I’ll be a bit more careful in future. A little more vigilance is no bad thing.


  1. The Duplicate Passwords section flushed out multiple entries for the same underlying account. Among others, I had two entries for Yahoo!, three for Windows Live and four for my Google Account. ↩︎

  2. Lots of sites have unstated requirements for their passwords. For example, you can’t use symbols, or there’s an invisible maximum length. If and when you hit these restrictions, record them in the Notes field. It makes life a bit easier when you have to change the password. ↩︎

  3. Speaking of cancelling cards, here’s another tip. Printed on the back of your credit card is a phone number to call if the card gets lost or stolen. But if you lose the card, you lose that phone number (and your credit card number). 1Password can store credit cards, so record the card and some details for how to cancel it if necessary. ↩︎