World Password Day 2025: Your questions answered!
Did you know that May 1st is World Password Day?
To celebrate, we asked you to send us your most pressing questions about passwords, passkeys, passphrases, and multi-factor authentication — and you didn’t disappoint.
In this episode of Random but Memorable, Matt Davey, Chief Experience Officer at 1Password, and Michael "Roo" Fey, Head of Password Manager Development, tackle the most popular and thought-provoking questions you submitted.
Read the interview highlights below or check out the full episode in your podcast player of choice. When you've finished, join the conversation in our episode discussion thread!
Editor’s note: This interview has been lightly edited for clarity and brevity.
Why are password spreadsheets considered a security risk?
Matt Davey: Is this still a thing?
Michael Fey: People are still using them and they clearly don't understand why that's not a good idea. I feel like it's a little bit of column A and a little bit of column B.
MD: I feel like it's easy, and that's why people do it. And they understand mostly that it's a security risk...
MF: I don't think so.
MD: ... but don't really know the reasons why? Anyway, it's risky to give anybody access to plaintext versions of all of your passwords and not move them into a platform that is meant for it and encrypted.
"If you're storing your passwords in a spreadsheet, in the cloud, you are effectively putting plaintext passwords on someone else's computer."
MF: I'll put this very, very plainly. If you're storing your passwords in a spreadsheet, in the cloud, you are effectively putting plaintext passwords on someone else's computer. And if you're comfortable having your private information stored on someone else's computer, by all means please continue. But also don't do that. That is not a good idea. You are setting yourself up for some sort of breach.
MD: And it's also really difficult to maintain any control over that as well. If you're doing it in a business it's even worse. You have staff turnover and it's very difficult to manage.
I use strong passwords. Any tips for getting my family members to use a password manager and do the same?
MD: Oh, this one's really difficult. One, you need to just go in and change them all, right? And you need to make that the point in which someone moves.
Because if you put all their current passwords in [a password manager], it's not going to work. Also, if you are around and you've put their current passwords in [a password manager] and they're made up of dog names and number plates and all that kind of thing, they will ask: What's the password to this?
The gibberish [passwords] are really, really hard to have confidence to move people over. You have to be technology native, almost, in order to really trust that. But just moving on and having them be pronounceable but random and different for each service [is the best place to start]. Just turn on Touch ID, put them in [a password manager] and have them treat [the password manager] like a notepad.
"Don't worry about the browser extension until later on."
Don't worry about the browser extension until later on. Don't worry about autofilling. Just worry about getting a different password for each service. That's the starting point for me.
When will passkey support become the norm in apps and websites?
MD: I think there are two possibilities. The first is there's going to be something that means there is more revenue coming in from people who use passkeys. And that will speed up adoption by website and app developers. For example, when you go to checkout, you can just generate one on the fly and you don't have to create an account in order to buy something. That might help revenue and therefore encourage companies to adopt them. Because that is what drives a lot of the internet: people buying things.
The second way this could go is an incredibly slow burn. The website where you order your kebab on a Friday night doesn't use a passkey, but eventually it probably will.
I think we're probably in camp two.
I know it's best practice to use an app like 1Password to store 2FA codes, but many services insist on SMS as a fallback option. Doesn't this defeat the point of using app-based 2FA?
MF: It doesn't defeat the purpose of using app-based 2FA, if it's just different 2FA. It is less secure 2FA: SIM jacking and similar attacks are pretty easy for people to pull off.
But it doesn't defeat the point of it. It's one of those things where certain services support app-based 2FA codes and others do not. And whenever you have the option to not use a text-based one, you should go with it.
Back in 2003, the NIST guidelines recommended changing your password every 90 days. This is now proven to be more harmful than helpful. Why should users trust the current NIST guidelines? And why are the current NIST guidelines so inconsistently and poorly implemented?
MD: I'm going to answer this from my own perspective and say it's all about user experience. The problem with changing your password every 90 days is that people forget them and reset them and come up with schemes to move [characters] around. And this is all behavioral science stuff.
Change is probably the reason why they are implemented inconsistently and poorly in areas. And that's because security teams are just trying to keep up. If something works for a time and you don't know that another thing works [better], you just use what works. There's inconsistency because teams haven't quite adapted yet.
And why has enforced password rotation proven to be more harmful than helpful? Because people will find a way around it.
MF: In terms of the inconsistency, we're all learning how to do better every single day and this is advice that was old for a while. The problem is that once advice is seeded into the world from an authority like NIST, it becomes common guidance that people go and implement. And that gets ensconced throughout the industry.
"Once advice is seeded into the world from an authority like NIST, it becomes common guidance."
Teams are slow to change because they aren't sitting around waiting to upgrade to the latest NIST guidelines. They think "I did the thing that NIST said back in 2003. I'm going to set it, forget it, and move on."
Is there any update on when I will be able to move my passkeys between different password managers?
MD: Work is being done on this. But standards work is really difficult because there are multiple platforms and multiple vendors involved. And this stuff moves really slowly.
So I wouldn't be surprised if we see something this year. But it's probably going to be at least next year.
MF: When you are within one ecosystem, like 1Password, your passkeys will sync across all of your devices, which is really good. But the original intent behind passkeys was that they were device specific. So your Mac would have a different passkey for a service than your iPhone. So the way to think about it instead is not "do I move my passkeys between password managers", but rather can I register an additional passkey for this service that's tied to this device. Or, if you're migrating from Apple Passwords into 1Password, can you just register a new passkey for 1Password and use that going forward?
We're still at the very beginning of the passkeys rollout. So a lot of this stuff is set to change as we figure out the right way to do it.
"Yes, there will be a method to move passkeys."
MD: So the real answer is both. Yes, there will be a method to move passkeys between password managers. But also you can generate multiple passkeys when you move between platforms and devices.
When will 1Password introduce or integrate email aliases?
MF: For folks who don't know, an email alias is when you give a service an email address that is not actually your email address. So you can give it a made up email address that forwards to your regular inbox and protects your real email identity out in the world.
We have an integration with Fastmail. And we had a whole episode where we talked about our Fastmail integration. So yeah, you can sign up if you use Fastmail and 1Password will work with that. You'll be able to generate email aliases within 1Password using your Fastmail account.
"We have an integration with Fastmail."
So that's a solution that exists today.
Is it possible to use 1Password for contact management, or is this something that you've thought about?
MD: People are using 1Password for many things that it was not originally intended for. But we've adapted 1Password for those things.
That's the reason why we have an item type called identities rather than contacts. You can use identities for yourself and other people. And we've worked on the profiles piece, which is in the desktop app, to be like, "these identities are you. So we're going to put them to the top of the list." Because if you have a bunch of identities it's really overwhelming. Sorting the noise from the signal in 1Password is really half of the user experience battle.
So yes, you can use 1Password for contact management. It's possible but it's not great yet. There is probably a dedicated app that will do it a lot better but 1Password ensures that information is securely shared between your family or business. We may make enhancements in this area in the future, because I think there's a lot of information that you want to store on other people that you also want to keep secure.
"We may make enhancements in this area in the future."
MF: I will take a moment to promote friend of the show Flexibits. They have an app called Cardhop. If you're looking for something beyond what your built-in contacts management app does, Cardhop could be for you.
MD: If you have any more questions for us, drop them in the 1Password.community forum or send us an email at podcast@1password.com.