NOTE: Because of Heartbleed, 1Password is currently 50% off! Take advantage and buy it, RIGHT NOW.
Given the recent brouhaha over Heartbleed, I feel as if a post on passwords is almost a requirement. As a TL;DR, the short answer of this post is: just use 1Password.
Proper password management is a bit more complex than that, and I’ll describe it below, but if there’s one simple thing you could do to GREATLY improve your personal information security, it would be to start using 1Password. Yes, I know it’s relatively expensive for software, coming in at $50 for the desktop and $18 for the iPhone/iPad when not on sale, but the cost is well worth it.
So what is/was Heartbleed? The web comic XKCD has a great strip that explains the issue exceptionally well. In summary, Heartbleed is a vulnerability in OpenSSL, the open source software library that handles the cryptography for SSL/TLS on a majority of servers currently on the internet.
Basically this means that for most websites you visit, OpenSSL is what ensures that when you sign in with a user name and password to a site such as Facebook or your bank, the content you’re viewing can be seen only by you. Because of this vulnerability, the private content you viewed or stored on any affected website, or your account name and password, could have been read and stolen by an attacker. Even worse, the server’s secret key (the piece of data a website uses to sign data and keep connections secure) could have been leaked, which is basically the keys to the castle.
It’s not easy to tell whether this attack was ever used maliciously, or by whom, because of the way it works: it is extremely difficult to track and leaves little to no trace on a server, unlike many other sorts of attacks that are immediately evident. Bloomberg has reported that the NSA knew about and used this bug for years (it was introduced by a code change in late 2011), and it’s impossible to know who else may have known about the exploit, and what they intend to do with any data they obtained as a result.
It’s because of this possibility that many security analysts and researchers are treating this bug as a D-Day situation. Many are advising that all passwords be changed, so if you don’t use a strong and secure password system, preferably controlled via a password manager like 1Password, there’s no better time to start.
(Side note. It’s my personal advice as well that you begin the process of changing all passwords, on every site you use. I know this sounds crazy, but given how potentially dangerous Heartbleed is, it’s really the best course of action.)
1Password seems complicated at first, but it’s actually a fairly simple idea. You use the app to create long, complex passwords that are unique to every web service or application you use. These passwords are then locked in a vault behind a single master password that you know, and in combination with their fantastic Mac, Windows, iOS, and Android applications, you can access your passwords and quickly enter them into any website using their various tools and browser plug-ins.
AgileBits’s great app also keeps your passwords locked down using some of the best security practices available. Your vault is encrypted with 256-bit AES under a key derived from your master password, and can then be synced or backed up via iCloud, Dropbox, or WiFi. Even if your 1Password vault file were stolen in some sort of hacking attack, it would theoretically take an attacker a million years or so to brute-force it, provided you use a fairly secure master password. Simply stated, there’s no more secure solution available today that supports such a large number of devices. 1Password is the gold standard in password management, and you should begin using it immediately.
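To make the “master password unlocks an AES-256 vault” idea concrete, here is an added illustration (not 1Password’s or AgileBits’ code) that stretches a master password into a 256-bit key with PBKDF2, checks a typed password against a stored verifier, and estimates how long an offline brute-force of a stolen vault would take. The iteration count, the verifier label, and the attacker guess rates are assumptions for the demo; the AES encryption step that would consume the derived key is left out since the standard library has no AES.

```python
import hashlib
import hmac
import os

# Constructed parameters for this illustration (not 1Password's own):
# a 256-bit key stretched from the master password with PBKDF2-HMAC-SHA256.
KEY_LEN = 32          # 256 bits, the AES-256 key size the post refers to
ITERATIONS = 100_000  # assumed work factor; real managers tune this per device

def derive_vault_key(master_password, salt, iterations=ITERATIONS):
    """Stretch the master password into the 256-bit key that would unlock the
    AES-encrypted vault. The salt is random per vault, so the same master
    password on two vaults still yields two different keys."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)

def make_verifier(key):
    """HMAC tag over a fixed label: lets the app check a typed master password
    without ever storing the password or the key itself."""
    return hmac.new(key, b"vault-verifier", "sha256").digest()

def unlock(master_password, salt, verifier):
    """Return the vault key if the master password is right, else None."""
    key = derive_vault_key(master_password, salt)
    if hmac.compare_digest(make_verifier(key), verifier):
        return key
    return None

def years_to_brute_force(entropy_bits, guesses_per_second, iterations=ITERATIONS):
    """Expected time for an attacker holding the vault file to guess the master
    password offline. guesses_per_second is the raw HMAC-SHA256 rate; the key
    stretching divides it by the iteration count, and on average half the
    keyspace is searched before the right password is found."""
    effective_rate = guesses_per_second / iterations
    expected_guesses = 2 ** (entropy_bits - 1)
    return expected_guesses / effective_rate / (365.25 * 24 * 3600)

if __name__ == "__main__":
    salt = os.urandom(16)
    verifier = make_verifier(derive_vault_key("correct horse battery staple", salt))
    print(unlock("correct horse battery staple", salt, verifier) is not None)  # True
    print(unlock("password123", salt, verifier) is None)                       # True
    # A 44-bit passphrase against an assumed 1e10 HMAC/s attacker:
    print(f"{years_to_brute_force(44, 1e10):.1f} years")
```

The last line shows why the post’s “given that you use a fairly secure password” matters: the estimate scales with 2^entropy, so each extra word in the master passphrase multiplies the attacker’s cost far more than any tuning of the iteration count.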
So why is something like 1Password better than your current password system? The biggest problem solved by a password manager is credential duplication. We’re all likely to have user accounts for potentially hundreds of different on-line services. Because the number of services used by the average Internet user is so large, it’s likely that you (like millions/billions of others) typically use the same user name or email address for each account, tied to the same password for each account as well.
I’ll admit it. Up until buying 1Password 2.5 years ago, I used and rotated a handful of email addresses and passwords across every single on-line account I had. This means that if any of those sites used poor security, or if just a single site made a big mistake, my entire on-line identity could be compromised. That’s all it would take, a single lapse of judgment by a network administrator or a single data leak, and all is donezo. Now, because I have unique passwords for every service I use, a database leak or compromised account may not be that big of an issue, depending upon the value of the data I have on that service, as only that account’s data could potentially be exposed.
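The “one leak compromises everything” argument above is easy to check against your own accounts. This added example (my illustration, not code from the post or from 1Password) audits a small constructed credential list for passwords shared across sites, reports the blast radius of each, and replaces every reused password with a fresh random one drawn from the OS CSPRNG. The site names, user names and passwords in SAMPLE_ACCOUNTS are made up for the demo.

```python
import secrets
import string
from collections import defaultdict

SYMBOLS = "!@#$%^&*()-_=+[]{}"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS

# Constructed sample export (hypothetical sites and values) showing the
# habit the post describes: one password reused almost everywhere.
SAMPLE_ACCOUNTS = [
    ("bank.example", "alice@example.com", "Summer2011!"),
    ("social.example", "alice@example.com", "Summer2011!"),
    ("forum.example", "alice", "Summer2011!"),
    ("work.example", "alice", "tQ7#vR2m!pL9xW4zB6nK0sY1"),
]

def generate_password(length=24):
    """Draw a password from the OS CSPRNG, retrying until every character
    class is present so it passes the usual site complexity rules."""
    if length < 4:
        raise ValueError("length must be at least 4")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw

def find_reused_passwords(accounts):
    """Map each password used on more than one site to the list of those
    sites: the blast radius if any one of them leaks its user database."""
    sites_by_password = defaultdict(list)
    for site, _user, password in accounts:
        sites_by_password[password].append(site)
    return {pw: sites for pw, sites in sites_by_password.items() if len(sites) > 1}

def rotate_reused(accounts):
    """Return a copy of the account list with every reused password replaced
    by a fresh, unique random one; already-unique passwords are left alone."""
    reused = find_reused_passwords(accounts)
    return [(site, user, generate_password() if pw in reused else pw)
            for site, user, pw in accounts]

if __name__ == "__main__":
    for pw, sites in find_reused_passwords(SAMPLE_ACCOUNTS).items():
        print(f"{pw!r} is shared by {len(sites)} sites: {', '.join(sites)}")
    print(find_reused_passwords(rotate_reused(SAMPLE_ACCOUNTS)))  # {}
```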
1Password stores essentially any information you want to have kept private. I use it to store the license keys for any piece of software that I don’t buy from the Mac App Store. I store my personal bank account numbers, a few private important documents, credit card numbers, server SSH login details, and a variety of other information inside of the app. I do worry sometimes that I’m placing all of my eggs into a single basket, so to speak. I have a basic understanding of the math and cryptography behind the app’s security, so I feel confident in trusting it. But what would happen if my user file was compromised and my master password was leaked? Essentially, my entire digital person would be out in the open.
This is definitely a concerning issue, I do think about it somewhat regularly. I know, that’s probably pretty lame, but I think about it so you don’t have to. If this were to happen, I’m not quite sure what I would do. I do believe it would be a pretty messy situation, but I trust 1Password more than I trust anything else right now. I think we’re moving to a world of biometrics, which hopefully solve many of the issues inherent with passwords, but we’ve got a ways to go before this is dependable and secure enough to work universally. Technology like Apple’s Touch ID is a huge step, but it still requires us to place all of our trust in a single company/technology. I’m not sure how we overcome this obstacle, but I do feel as if it’s one of the next really big obstacles in technology. As we place more and more of our lives on-line, it’s essential that we secure this information.
If 1Password sounds like too big of a jump, there are some alternatives. The only one that I know with enough confidence to recommend is Apple’s iCloud Keychain. This tool works very similarly to AgileBits’s product, but it does have some limitations. First and foremost, it requires you to be on Apple software and hardware exclusively. If you use Windows or Android, you’re out of luck. This can be a significant disadvantage if you depend on a PC for work. Additionally, you can’t back up notes, software licenses, or files in iCloud Keychain like you can in 1Password.
My other biggest complaint about the service is that manually managing your identities (say you need to paste a server root password into an SSH session, or share a client’s Twitter password with a co-worker using PGP) means using OS X’s horrid Keychain Access application, which requires root access, so you need to type in your user account password every time you want a password, even when grabbing a handful of passwords at a single time. On iOS, passwords are hidden in the Settings app, inside Safari’s preferences under Passwords & AutoFill, and also require that the user enter a password to retrieve every entry. This can be especially time consuming if you’re using a complex, difficult-to-enter password along with another type of security like Touch ID or Knock for Mac. But if you’re looking for a free solution and don’t foresee leaving the Apple ecosystem, it’s definitely a great alternative.
(Aside: I also use very long, complex passwords for both my iPhone and OS X user accounts. The passwords are each 32 characters long, and consist of four words separated by spaces. But in using an iPhone 5S with Touch ID and Knock on my laptop, I find myself rarely entering my password when logging in or checking my phone. I highly recommend this strategy if you’re willing to tolerate it.)
This is one post I plan to revise somewhat often, with better advice on how to protect passwords. It’s a huge problem on the Internet today, and these are my initial thoughts on the topic. In general, passwords and user names are a crummy answer to the problem of verifying on-line identity. But so long as this is the best we have, we need to really secure ourselves. And the only way to do that today is through long, complex passwords that are unique to every service we use. And so far as I know, 1Password is the best service through which to do this today.