I’ve made this guide as I think it will help some people really lock down their 1Password account and become more confident with their online security. I know there are things that could be changed here to make it even more secure, however I’ve tried to focus on having an acceptable level of security while maintaining convenience. This is my current setup, so I would love to hear any comments/additions anyone has!
The setup is divided into 2 sections. The first section, 1.0 Staying Secure, focuses on general good practices and tips for keeping your 1Password account secure. The second, 2.0 Recovery, focuses on getting back into your accounts if you’re ever locked out.
# 1.0 Staying Secure
1.1 Use a different password for everything
Having a different password for everything is important, and with 1Password there’s no real reason not to. It can be argued that as long as your most important passwords (bank, email, etc.) are unique, then it’s fine. However, if you’ve got 1Password, you might as well make them all different.
1.2 Tag your most important passwords with the tag “Sensitive”
This means in the case your 1Password account is compromised and you rush to change your passwords, the most important ones will be easily accessible. Additionally…
1.2.1 Change the passwords you’ve tagged as sensitive once a year
Now this is debatable, but I would make the argument that you should at least change your most sensitive passwords once a year. 1Password actually advises not to change your passwords. But I disagree with this when it comes to sensitive passwords, as you have no control over the company’s security, and your password may be part of an undisclosed breach. The first Thursday of May is national password day – this is when I change all my passwords with the sensitive tag, and I recommend you do too.
1.2.2 Use double-blind passwords for your passwords tagged as sensitive
Basically, a double-blind password is where you store your entire password in 1Password except for the last 4 digits (which you need to remember, but they can be the same for all your sensitive-tagged passwords). Some people like to do this for all their passwords, but I think doing it for just your sensitive ones is enough. By doing this, when you visit a sensitive account and 1Password autofills, you just need to add your 4-digit code to the end of the password. The idea of using double-blind passwords is that even if someone gets access to your 1Password vault, your most sensitive accounts are still safe, and it gives you a chance to change them. Just make sure not to store the secret 4-digit code in 1Password. I like to add “[****]” to the title of my sensitive 1Password entries as a reminder that it’s a double-blind password.
1.3 Tag the accounts with the name of the credit card stored on them
Once a card expires, it means you can easily see all the accounts that may need updating. It also lets you see all the accounts that have payment details stored and therefore should be a priority when resetting in the case of a breach.
1.4 Passwords should at least be 15 characters long
Now obviously the longer the password, the more secure it is. However, I think having a 50-character password is a bit overkill, as by the time you’ve reached 15 characters it is near uncrackable/un-brute-forceable anyway (up for debate) and an attacker is unlikely to waste their time. Having a 15-character password is also more convenient for those times you do find yourself manually typing it. This one is kind of up to you, as it can be argued that if you’re not planning on remembering the password, why not make it 50 characters? But as long as it’s 15, I think you’re okay.
1.5 Enable Watchtower
You should enable Watchtower as it tells you about password breaches and other security problems with the items you have saved in 1Password.
1.6 Use both random character passwords and word-based passwords
Most of your passwords should use random characters with symbols, as this can be considered more secure. You should then use word-based passwords for those accounts that you wish to remember, or if you know you’re going to have to type it into an awkward device that doesn’t support 1Password (e.g. Netflix on a TV, PSN on a console, a work computer, etc.).
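As an added example that is not part of the original post, here is the arithmetic behind the 15-character claim in 1.4, the comparison of random-character and word-based passwords in 1.6, and the leftover search space of the 4-digit double-blind suffix from 1.2.2. The 94-character alphabet, the 7776-word list and the two guess rates are assumptions chosen for illustration.

```python
import math

# Symbol-set sizes (assumptions for illustration, not figures from the post):
# a random-character password drawn from the 94 printable ASCII characters
# excluding space, a word-based password drawn from a 7776-word list, and
# the decimal digits used for the double-blind suffix.
RANDOM_CHARS = 94
WORDLIST = 7776
DIGITS = 10

# Assumed guess rates (constructed, order-of-magnitude only):
OFFLINE_RATE = 1e12   # attacker holds the hash, fast hash, large GPU rig
ONLINE_RATE = 10.0    # attacker must go through a rate-limited login form


def guesses(length: int, alphabet_size: int) -> int:
    """Size of the search space for `length` uniformly random symbols."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int) -> float:
    """The same search space expressed in bits."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(search_space: int, rate: float) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return search_space / rate


def years_to_exhaust(search_space: int, rate: float) -> float:
    return seconds_to_exhaust(search_space, rate) / (365.25 * 24 * 3600)


def double_blind_residual(suffix_len: int = 4) -> dict:
    """What is left to guess once the vault copy of a double-blind password
    has leaked: only the remembered numeric suffix."""
    space = guesses(suffix_len, DIGITS)
    return {
        "bits": entropy_bits(suffix_len, DIGITS),
        "guesses": space,
        "seconds_online": seconds_to_exhaust(space, ONLINE_RATE),
        "seconds_offline": seconds_to_exhaust(space, OFFLINE_RATE),
    }


if __name__ == "__main__":
    for n in (8, 15, 50):
        yrs = years_to_exhaust(guesses(n, RANDOM_CHARS), OFFLINE_RATE)
        print(f"{n:2d} random chars: {entropy_bits(n, RANDOM_CHARS):6.1f} bits, {yrs:.2e} years offline")
    for w in (4, 6):
        print(f"{w} words: {entropy_bits(w, WORDLIST):.1f} bits")
    r = double_blind_residual()
    print(f"4-digit suffix: {r['bits']:.1f} bits, {r['seconds_online'] / 60:.0f} min online worst case")
```

The offline figure assumes a fast hash; a slow KDF would cut that rate by orders of magnitude. The online figure shows that the double-blind suffix only buys time if the site rate-limits or locks out repeated attempts.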
1.7 Remember your 1Password master password AND your email password!
Obviously, you need to make sure you remember your master password, as this is what will get you into your 1Password account. However, you must also remember your email password. This is because if you ever do get locked out of your 1Password account and have no way back in (2.0 Recovery covers how to prevent this), you will need access to your email in order to reset the passwords for all your accounts. Knowing your email password will also be important if you want help from the 1Password support team.
1.8 When sharing a password, do it over 2 different platforms
Now you shouldn’t really be sharing your passwords with people, but there will be times you need to (e.g. your Netflix password). If you can’t share your password in person and need to send it electronically, you should divide it in 2 and send the halves over 2 different platforms (e.g. send the first half over WhatsApp and the second half over Snapchat). By doing so, an adversary would need to intercept 2 different channels of communication instead of just one. Once shared, you should also make the effort to delete the password from your chat, and change it if the person you shared it with no longer needs it.
1.9 Enable 2 factor authentication for your 1Password account
2FA adds an extra layer of security and should be enabled for your 1Password account. You should enable both an authenticator app and a security key as a backup (which you should store with your recovery kit, discussed in 2.1).
1.10 Enable 2 factor authentication on all your accounts with a backup when available
2FA adds an extra layer of security and should be enabled for all accounts that offer it. Now it’s debatable whether you should use 1Password’s built-in 2FA feature or use a different app. I use the built-in one as I love the convenience, but this does kind of remove the point of a 2nd factor – so it’s up to you. It’s also a good idea to add more than one method if it’s available, in case you lose access to your primary 2FA.
1.11 Don’t store the CVV from your credit cards
I think it’s a good idea not to store your CVV. By not storing it, it again means that if someone gets into your 1Password account, it reduces the chance of them being able to use your card. I actually scratch the CVV off the back of my cards, so even if someone got physical access to the card, they can’t use it – just, if you do this, make sure you commit it to memory and store it in your recovery kit (2.1).
1.12 Enable auto lock on your vault
I think this one is overlooked. You should make sure your vault auto-locks itself after a set period of time. Imagine you unlock 1Password on your phone, sign into Reddit, then accidentally leave your phone unlocked and someone takes it. Your 1P vault is now unlocked, and if they keep it active, they now have access to all your passwords.
# 2.0 Recovery
2.1 Create an account recovery kit
The account recovery kit is your last hope if you get locked out of your 1Password account, so it’s important that you make one, and that you make it properly. Below goes into detail on what should be included in your recovery kit:
2.1.1 1Password recovery kit
1Password’s recovery kit suggests it has your sign-in address, email address, secret key, and master password. However, they don’t mention 2FA, which can prevent you from getting back in. So you should save your 2FA key as well – you should store your physical security key with this kit, as well as a screenshot of the QR code you used to set up your authenticator app. It can also be a good idea to store your 1Password master password as a double-blind password if you want to make sure no one can access your account if they get access to the kit.
2.1.2 General account recovery kit
Now I don’t think you’ll have the time to write all your passwords into the kit. So instead the general account recovery kit focuses on 2FA. In this kit you should store all your 2FA backup codes. However, email is an exception here. You should store your email recovery code here in an obfuscated way – for example, write it backwards. This way you have a guaranteed way back into your email at least.
2.2 Store your recovery kits in a safe place
Your 2 recovery kits can be the same document, but it’s important that you store them in a secure place. Below are a few options, and you should do at least 2 of them:
2.2.1 Digital Personal Vault
Some cloud services offer a secure place to store sensitive documents. OneDrive calls this your Personal Vault. As an extra precaution, you should password-encrypt the file too – now it’s important that you use a password you will remember, and as we’ve already secured it with the personal vault, it’s okay to use a basic one that you know you’ll never forget.
2.2.2 Fireproof safe
Imagine there’s a fire in your house which destroys every device you have and all your belongings. Are you still able to access your recovery kit? This is why a fireproof safe is a good idea. In the safe you should store both a printed version of your recovery kit and your physical U2F security key.
2.2.3 Trusted 3rd Party
You should make sure you store your recovery kit in a place that will be accessible no matter the circumstances. Giving a friend or a family member a copy of your recovery kit is a good idea. Just make sure it’s not someone you live with.
# 3.0 Extras:
Fireproof Safe I use
U2F Security Key I use