Password Extravaganza

For some time now, I’ve been thinking that I needed to start changing passwords. Though I’m a sysadmin by trade, and therefore security is a very important aspect of everything I do, I too had fallen into a rut of using too few passwords and too little security for things. Not that I would use one password for everything, but I had about five or six passwords, with a few variations, that I would use everywhere. The passwords were ranked in order of security, so one was used for very high-security things, another for less secure things, all the way down to an almost throw-away password for sites where I didn’t really care. But having the iPhone, I figured I should be able to find something that would help me keep track of more than just a few passwords. A few applications came into view, but one seemed to have the best features for me: 1Password.

1Password is a program for the Mac which includes plugins for major (and some minor) browsers. The program itself is standalone, so you don’t need to use the plugins, but they make the whole experience even better. 1Password stores all your login information – user name, password, and any other information on the page which you check or uncheck (such as a “Remember me” box or the like) – in an encrypted format on the computer, protected by a “master password” which is in theory the only one you need to remember. You can set how often the keychain which stores this information is locked, with the defaults being quite sensible.

When you go to a site that requires your password, type Cmd-\ to ask 1Password to fill it in for you. If the keychain is locked, you’ll be prompted for your master password; otherwise the information is filled in and the submit button “clicked” for you (an option which can also be turned off system-wide or per site). The companion iPhone app syncs with the desktop application, so you can easily take all your passwords with you (instead of being protected by the “master password” you set in the desktop program, you use a PIN to get access to the list followed by a passphrase you can set to actually retrieve the passwords themselves).

All in all, this setup has given me the ability to set passwords the way you’re supposed to do it: one password for each website/system/service. No more do I have to vary passwords based on how secure I want the site to be; instead I might vary whether I use a “pronounceable” password on a site or one that is a jumbled mess of characters.

The built-in password generator helps you choose good passwords and is almost infinitely adjustable: you can change the overall length and the style (pronounceable: separator characters; random: number of numbers or symbols, avoid ambiguous characters, allow characters to repeat), then save the password right to the clipboard or create a new login from it that is saved right into the database.
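The “random” style described above, as an added example (not 1Password’s code and not part of the original post): a generator with the same knobs that draws every character from the operating system’s CSPRNG. The symbol pool, the set of ambiguous characters and all function and parameter names are assumptions made for illustration.

```python
import secrets
import string

AMBIGUOUS = set("0O1lI|")   # assumed set of look-alike characters
SYMBOLS = "!@#$%^&*-_=+?"   # assumed symbol pool

_rng = secrets.SystemRandom()  # OS CSPRNG, unlike the seedable default `random`


def _pick(pool, count, used, allow_repeat):
    """Draw `count` characters from `pool`, optionally without repeats."""
    picked = []
    for _ in range(count):
        choices = pool if allow_repeat else [c for c in pool if c not in used]
        if not choices:
            raise ValueError("pool too small for a password without repeats")
        ch = secrets.choice(choices)
        picked.append(ch)
        used.add(ch)
    return picked


def generate_password(length=20, digits=4, symbols=2,
                      avoid_ambiguous=True, allow_repeat=True):
    """Return a password with exactly `digits` digits and `symbols` symbols."""
    if digits + symbols > length:
        raise ValueError("digits + symbols exceeds length")

    def pool(chars):
        # Drop look-alikes (0/O, 1/l/I) when the password may be read or typed.
        return [c for c in chars if not (avoid_ambiguous and c in AMBIGUOUS)]

    used = set()
    chars = _pick(pool(string.digits), digits, used, allow_repeat)
    chars += _pick(pool(SYMBOLS), symbols, used, allow_repeat)
    chars += _pick(pool(string.ascii_letters),
                   length - digits - symbols, used, allow_repeat)
    _rng.shuffle(chars)  # so character classes do not sit at fixed positions
    return "".join(chars)


if __name__ == "__main__":
    print(generate_password())
    print(generate_password(length=16, digits=3, symbols=3, allow_repeat=False))
```

Forbidding repeats and removing ambiguous characters both shrink the space of possible passwords slightly, so compensate with length when those options are on.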

Speaking of the database, that’s where 1Password shines even more. You can save the database anywhere on disk, but one recommended thing to do is save it to a Dropbox folder (yes that’s a referral link, sign up using it and we both get an extra 250MB of space) so you can synchronize your password database among all your computers. Now, not only can you share them among Macs – where you can natively run the plugin and desktop app – but you can also access it on Windows or Linux machines, since there’s an HTML file in the database containing JavaScript code that can decrypt the files therein and get you access to your passwords. Until they come up with a way to run the plugin on Linux (hopefully they will, but there’s no saying either way), this lets me access all my passwords on the work desktop.

I started writing this in late October, but didn’t want to publish it until I was done with my migration (and then kept putting it off). Now that I’ve migrated all my old passwords away from the 2-3 that I was using, not only do I feel better about the whole deal, but I have no regrets about getting a copy of 1Password to help me do it. I’d recommend anyone else use something like this – there are other options for Windows- or Linux-centric password databases too – before one of your passwords gets compromised, and it happens to be one that you use somewhere very important as well as at the little web retailer that you never suspected would be a problem.
