Password managers

As our lives become increasingly reliant on the internet, we need to remember more and more usernames and passwords. As online crime becomes more frequent, so does the need for usernames and, especially, passwords that are hard to guess and are not repeated from one place to another. Adding to the complication, sites have different requirements for length and content: must be a minimum of 8 characters long, must contain capital and lower case, must contain numbers and letters, symbols. The problem is how to remember them all or, if you can't, how to record them somewhere so you can look them up when needed.

Remembering them all is easy if you don’t worry about security. For example, I could use as my main password sophia and supplement this depending on the needs of the site to be sophia12, Sophia, Sophia12, $ophiA1234, etc… The trouble is that if anyone guesses or finds out one of them then it would take them all of 2 minutes to work out the rest and what starts as a problem with something unimportant like Facebook becomes an empty bank account.

Until a few months ago my security was fairly lax but, thank God, I was lucky and nothing nasty happened. It was worrying me though because I knew it wasn’t good enough plus the sheer quantity of things I needed to remember was getting hard to manage anyway. I used to keep all the data written in a text / Word document which was housed on Evernote. This allowed me to access it both at home and via my iPhone / iPad and it had a certain level of security as Evernote needed a code to open and then the file was encrypted with a password. My passwords were not all the same but the majority of them were variations on about three or four themes. I read a few comments about password managers and decided now was a good time to improve both security and usability.

I had read more good comments about 1Password than anything else but the cost was putting me off – $49.99 for the Mac plus another $17.99 for the iPhone app seemed like too much. Second most comments were about LastPass and this was free for the Mac and only $12 a year to add the app so I decided to try that first.

LastPass

The initial test went swimmingly so I put everything on LastPass and used it to generate new passwords for all important sites. Then came the day one of my bank accounts asked me to change the password, no problem I thought and pressed away at the “generate password” button, then inserted it into the form and finished my business. When I went back to the account a while later it told me the password was wrong and despite trying everything I could think of, old password, newly recorded password, history of passwords generated…nothing was working and the bank account was frozen!! Eeek. To fix this required a personal visit to the bank, with passport, where they gave me a one-time password for me to open things up. Pain in the arse.

I have no idea what happened. I thought I was following correct process, generate a password, fill the fields, off we go, but something went wrong and suddenly these password managers were looking like more of a liability than an asset. I should add that LastPass had been slightly irritating before this point. It looked like if you were using Chrome on a Windows machine it would be extremely happy but using Safari on a Mac was not as smooth as it should be. It just seemed like good amateur level stuff, which I suppose is reflected in the price.

Having lost faith in LastPass but having seen enough to know the idea of a password manager was a good one, I decided to swallow the cost and try 1Password.

1Password

Unfortunately, LastPass had one parting blow in its inability to export a file that could be imported by 1Password or to be fair perhaps the other way around but whoever is at fault it meant I had to manually reenter all the data into 1Password – that’s 72 items, log in details, card details, secure notes, etc.

1Password seems like it is better built than LastPass and is certainly happier working with Safari and my Mac. So far I have not had a problem when using it to change passwords. There was one occasion where the new password did not get properly recorded in the log-in details but it was easily fixed because it also showed me passwords that had been generated for this site and the correct one was one of those. If there is one thing about using these managers that you should be extremely careful about it is changing passwords on the fly. Take care, go slowly, record the new password somewhere and test the site again shortly after doing it.

So how do these things work?

You can record all kinds of information but the three I’m using regularly are:

  • Log In details – username and password for any site. When you open the web page 1Password will recognise the address, let's say Facebook, and if you click the icon in the browser menu you get a drop-down menu, the top option being Facebook. Click on that and it will insert your username and password and launch the site. LastPass used to do this automatically, some of the time. Might be that 1Password can do this as well but I have not bothered finding out how.
  • Secure notes – just plain old text notes, anything you want.
  • Card details – credit cards, etc.

You can also enter things like Identities, Driver Licences, Passports and so forth.

They also have the ability to generate strong passwords of any length and complexity you want so now all my passwords are not Sophia123 but are things like gRT4*bw77*WJ4np2Y5^%HH3.
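To show what "any length and complexity" involves when every site has its own rules, here is a generator that draws from the operating system's secure random source and redraws until the site's policy is met. This is an added example, not code from 1Password or LastPass; `SitePolicy`, the symbol set and all function names are assumptions made for illustration.

```python
import math
import secrets
import string
from dataclasses import dataclass

@dataclass(frozen=True)
class SitePolicy:
    """Constructed model of one site's password rules (not any real site's)."""
    min_length: int = 8
    need_lower: bool = True
    need_upper: bool = True
    need_digit: bool = True
    need_symbol: bool = False
    allowed_symbols: str = "!$%^&*#@-_+="  # some sites allow none: use ""

def required_classes(policy):
    """Character classes of which at least one member must appear."""
    wanted = [(policy.need_lower, string.ascii_lowercase),
              (policy.need_upper, string.ascii_uppercase),
              (policy.need_digit, string.digits),
              (policy.need_symbol, policy.allowed_symbols)]
    return [chars for needed, chars in wanted if needed]

def alphabet(policy):
    """Every character the site accepts."""
    return string.ascii_letters + string.digits + policy.allowed_symbols

def satisfies(password, policy):
    """True if the password meets the site's length and content rules."""
    if len(password) < policy.min_length or not set(password) <= set(alphabet(policy)):
        return False
    return all(any(c in chars for c in password) for chars in required_classes(policy))

def generate(policy, length=24):
    """Draw uniformly from the alphabet with the OS CSPRNG; redraw until compliant."""
    classes = required_classes(policy)
    if length < max(policy.min_length, len(classes)) or "" in classes:
        raise ValueError("policy cannot be met at this length")
    while True:  # rejection sampling: every compliant password stays equally likely
        candidate = "".join(secrets.choice(alphabet(policy)) for _ in range(length))
        if satisfies(candidate, policy):
            return candidate

def entropy_bits(policy, length):
    """Upper bound on randomness: length * log2(alphabet size)."""
    return length * math.log2(len(alphabet(policy)))

if __name__ == "__main__":
    strict = SitePolicy(min_length=12, need_symbol=True)
    print(generate(strict), round(entropy_bits(strict, 24)), "bits")
    print(satisfies("Sophia12", SitePolicy()))  # compliant, yet trivially guessable
```

Note that `Sophia12` passes the default policy: meeting a site's rules is not the same as being hard to guess, which is why the characters are drawn at random instead of built around a word.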

These strong passwords are impossible to remember but you don’t have to. The password manager has a master password to open up the vault and that’s the only one you need to remember.

I do not have a back up anywhere on a piece of paper tucked under the sofa. I do not use the cloud for synching between phone and Mac – done locally wirelessly – so my security is now down to the simple question of how secure is 1Password. There’s some stuff to read on that here.

When you run 1Password for the first time, you create a Master Password that is used to encrypt your data. No one will be able to view your passwords or other confidential information without knowing the password. All you need to do to stay secure is to pick one strong password and commit it to memory. Since it is only a single password, you can make it long and unpredictable.

….your data is encrypted using AES, the same state-of-the-art encryption algorithm used as the national standard in the United States. 1Password uses 128-bit keys for encryption, which means that it would take millions of years for a criminal to decrypt your data using a brute force attack.

One final point that I have just reminded myself of is the matter of automatic logging off from the password manager. This was one of the annoyances with LastPass because it was never very reliable at doing this. At the beginning it wouldn’t log off at all but finally I was pointed to the right download, which helped but not entirely. I couldn’t see the point of all this security if the damn thing was always open on my home Mac! Suffice to say, 1Password is far better at this and always logs off when you think it should, requiring reentry of the master password.


16 Comments

  1. To be honest I don’t know enough about it. I’ve heard it is a big improvement on what came before but for the moment I like the idea of keeping passwords out of Apple’s grasp. Another thing is that I’m not sure I trust this cloud yet, not with anything serious. Maybe this will all change.

    Does the OS X Keychain generate passwords, allow you to store text documents, launch websites and stuff? I must go read about it.

  2. I’m not fully informed either. Because I went with an Android phone, I am still clinging to rock-solid Snow Leopard, so it’s possible Keychain has been improved and I don’t know about it. As best I know, you’re better off with your app since there is no password generation, and if logins pop up in separate Safari windows it may or may not engage the password save/populate mechanism. Seems reliable for wifi logins and such, but passwords, often enough I edit a text document to catch the left overs. No idea about text doc storage or website launch. But so far it has worked well enough that the irritation factor has not yet driven me elsewhere….but your post got me thinking.

    I’m not a fan of all this cloud crap either. First, it’s a total money grab to release phones without SD card slots (and then charge another 100USD for 10 more worth of memory hardware at phone purchase), and the phone carriers just love this. I can’t be bothered with music on my phone anyway – no way I’m going to stream it from the cloud. And the idea that consumers have _any_ protection under US privacy law….ha ha ha,,,,I can’t even finish the sentence.

    On another note, I’ve decided that 2014 is going to be the year that I wean myself off of the majority of Google services. I’m not sure how far I’m going to get, but I’m looking forward to the experiment.

  3. I’ve tried very hard and been quite successful in avoiding things that will try to lock me in. We use a lot of Apple devices, but that’s about as far as it goes. No cloud, no Google, no Adobe monthly stuff. You should upgrade to Mavericks. Snow Leopard was great, both Lions were pigs but Mavericks is every bit as good as Snow L, if not better. Check compatibility of course.

    papageno – a few people mentioned that but I didn’t bother looking. Thanks for the tip.

    I just looked. Too homemade-geeky looking for me but if you like old school computer projects it is certainly cheaper than 1Password!

    http://keepass.info/

  4. I’m very interested and glad to hear you say that about Mavericks. I wanted to give it a little time, maybe waiting for .1 or .2, but I think it will be an inevitability for me ever since I learned that I can jump to 16GB RAM if I advance past Snow Leopard. I’m going to squeeze my money’s worth out of this Macbook!

  5. A couple of comments:

    Apple’s Keychain is cloud-based and since I don’t want the NSA to have access to everything of mine THAT easily, I don’t trust it with any critical passwords. It is nice for unimportant passwords, though, because it syncs across all your Apple devices. I generally don’t like iCloud because it’s just a little too hard trying to figure out WTH is being stored in it.

    Mavericks is completely solid. I haven’t had a single issue with it and we’re running it on an older mid-year 2010 Mini, a new 2013 iMac, and an early 2011 MBP.

    I’ve been using 1Password for awhile now – I got it when it was on sale at some point last year. It’s taken quite awhile for me to get really into it but I’m getting there. I don’t sync passwords across devices via Dropbox, I just do the occasional wifi sync.

    KeePass is probably fine – it’s been around for quite awhile, over 10 years – but it sure is ugly.

  6. Thanks, Scatts, for that long and detailed post about password managers. While not your intention I’m sure, your experience with the first one, involving trip to bank with passport, has completely put me off all password managers by making crystal clear the fallibility of any such software. I’ll stick to the notebook and mystic codes.

  7. Mac Book Pro, Stephen, a laptop from Apple.

    I wouldn’t let my mishap put you off the whole idea. The benefits outweigh the pitfalls and nothing will go wrong if you just manage that one point carefully.

  8. I am one of those people that does not trust giving up all that sensitive info. How do I know for sure where it really goes or is used? NSA has no access to my brain…yet.
