Password Managers — Worth it?
Given all the news lately about login accounts getting hacked, it's time to discuss password managers and the advantages and disadvantages of using one. Overall, my impression is that it's generally a good idea to use a password manager for website passwords and for secure access to information you might need, like social security numbers, driver's license numbers and credit card numbers. However, be aware that there are some limitations.
In this post, I will discuss 1Password by agilebits.com. However, there are other password managers on the market you might consider, such as LastPass, Dashlane and Mitro. This isn’t a recommendation for one solution over another, just a recommendation to consider using one.
Before we start, a few thoughts about login security.
- In previous posts, I have discussed the importance of good password hygiene: using complex passwords, and not using the same password across many sites, especially between sites that must be very secure (e.g. financial) and sites that need not be (e.g. magazine subscriptions).
- Almost all sites today use your email address as the login "name", so an email/password pair leaked from one site is a ready-made login for every other site where you reused it. That makes it even more important not to use the same password in multiple places. It's believed that the iCloud hack that released nude celebrity pictures was not really an iCloud hack at all, but simply the reuse of email/password combinations found elsewhere.
- There is the ongoing problem of how to keep track of all these passwords and how to retrieve a password if you forget it.
- Though this is improving, sites still have different rules for what a password may contain. For example, some sites require special characters (e.g., !$#%), while others will not permit them.
- The same credentials are often needed in both a website and a native app. For example, the New York Times has both apps and a website for accessing its content.
- Though it's not specifically a password issue, there is also a need to store and access other sensitive information from various computers and devices.
So with this in mind, I’ve been using 1Password as a tool to store and use sensitive information. I chose 1Password because it has a strong Mac focus, though it works fine on PCs. It also works on iOS, Windows and Android devices.
One more comment before describing my experiences with 1Password. Both Windows and MacOS have been beefing up their own built-in password managers, and using them is definitely worth considering, especially if all you need is to generate complex passwords and auto-fill them into websites. My experience with MacOS Keychain was documented in my Tech Tidbit: MacOS Keychain post. Since that post over 2 years ago, iCloud support has been added, which extends its capability. All that said, Keychain remains a basic solution compared to third-party solutions.
What is a Password Manager?
A password manager stores the credentials for your various login accounts and automates using them. It also securely stores and manages other sensitive data such as credit cards, identities and passport information, and gives you access to all of it across your computers and devices. Some managers allow selected information to be shared with others.
Some of the features include:
- Ability to generate complex, hard to crack passwords according to whatever rules are required by a specific website.
- Ability to store and automatically fill in login information to various websites.
- Ability to create, modify and read secure notes: encrypted free-form notes that usually contain sensitive information.
- Ability to store and automatically fill in credit card information.
- Ability to store and automatically fill in personal identity information (e.g., name, address, etc).
- Ability to store and recover software activation keys.
- All data should be encrypted locally, with only ciphertext stored in the Cloud (to permit retrieval from multiple devices and computers). The encryption key must be derived and held on the device and must never be stored in the Cloud unencrypted; an attacker who obtains the cloud copy should get nothing but ciphertext. Some managers don't meet this criterion.
- They should have an easy-to-use interface and good integration into your browser.
- All passwords should be available to you: you should be able to read a password if needed, eliminating the need for a file of favorite passwords. That stored password list must itself be encrypted and revealed only after you unlock the manager.
Experiences with 1Password
Several months ago, I purchased a premium family license for 1Password. I purchased it from the AgileBits.com website (the developer) and not the App Store. More on where to get it later. I decided to go in this direction after using MacOS Keychain and hoping that Apple would catch up to the competition in password managers, which it hasn't (yet).
I was using Keychain for management of web login information, which largely works very well. I was also using it for management of secure notes, which again I was largely happy with. What I wasn't as enamored with was the support for distribution of the information to my devices. For example, though web credentials are distributed, my secure notes are not. Also, I'm still a little skittish about iCloud security. Again, I don't want my sensitive data in the Cloud when I can't control the encryption key. With iCloud, I know that the key is generated from your login credentials, but I don't really understand how and where this information is stored.
Purchasing and installing 1Password
For Windows, you can purchase it on their website. For devices, you can purchase it through the appropriate app store. For the Mac, you can purchase it either from their website or from the App Store. Acquiring it from their website allows you to try the product before purchasing. However, acquiring from the App Store enables storing the encrypted data on iCloud. My recommendation is to download from the App Store.
One other comment about the Mac implementation. I’m currently running version 4 on Mavericks. Version 4 allows you to store its encrypted files either on iCloud or in Dropbox. I’ve chosen the latter as being more secure. Version 5 will only run on Yosemite or later. The reason? It leverages the new CloudKit for synchronizing between computers/devices. Dropbox is still an option. CloudKit sync looks to be a very secure option, but will be useful only if you are running Yosemite and iOS 8 or later on all computers and devices. In a more blended environment, which is any environment running Windows or older MacOS or iOS devices, leverage Dropbox and it doesn’t matter whether you’re running 1Password versions 4 or 5.
Installation was easy, but before you start, think about your master pass phrase. The encryption key for everything in the vault is derived from it, so it needs to be hard to brute-force: anyone who gets hold of the encrypted vault file (from a stolen laptop or a cloud account, say) can guess at it offline with no lockout. Make it long, more than 16 characters, and include numbers and special characters. Since it's the one password you shouldn't write down, be sure you can remember it.
If you are storing the encrypted files on Dropbox, you will be prompted to give 1Password access to your Dropbox account.
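To make concrete what the pass phrase does, and why only ciphertext ever needs to leave the device, here is an added example in Python. It is not 1Password's code or file format, which differ in detail; it assumes PBKDF2-HMAC-SHA256 as the key derivation, a 16-byte random salt, an illustrative iteration count, and a small vault header holding only the salt, the iteration count and a key-check value. The `offline_attack_years` figures assume a hypothetical attacker doing 10^9 HMAC operations per second.

```python
import hashlib
import hmac
import secrets

# Illustrative parameters (assumptions, not 1Password's actual format or settings).
SALT_BYTES = 16
DEFAULT_ITERATIONS = 100_000
KEY_CHECK_LABEL = b"vault-key-check"


def derive_key(passphrase, salt, iterations=DEFAULT_ITERATIONS):
    """Stretch the pass phrase into a 256-bit key with PBKDF2-HMAC-SHA256.
    Every guess an attacker makes against a stolen vault file costs this much."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, iterations, dklen=32)


def key_check_value(key):
    # Lets the client tell a wrong pass phrase from a right one without
    # storing the key, or anything from which the key is cheap to recover.
    return hmac.new(key, KEY_CHECK_LABEL, hashlib.sha256).digest()


def create_vault_header(passphrase, iterations=DEFAULT_ITERATIONS):
    """The only key material that may sit beside the ciphertext in Dropbox or
    iCloud: salt, iteration count and key-check value. Neither the pass phrase
    nor the derived key is written anywhere; they live in memory on the device."""
    salt = secrets.token_bytes(SALT_BYTES)
    key = derive_key(passphrase, salt, iterations)
    return {"salt": salt, "iterations": iterations, "kcv": key_check_value(key)}


def unlock(header, passphrase):
    """Re-derive the key on this device; return it if the pass phrase is
    correct, else None. compare_digest avoids a timing side channel."""
    key = derive_key(passphrase, header["salt"], header["iterations"])
    if hmac.compare_digest(key_check_value(key), header["kcv"]):
        return key
    return None


def offline_attack_years(passphrase_bits, iterations, hmacs_per_second=1e9):
    """Expected time for an attacker holding the vault file to find a pass
    phrase drawn uniformly from a space of 2**passphrase_bits, on hardware
    doing hmacs_per_second HMAC-SHA256 operations, when each PBKDF2 guess
    costs `iterations` of them. Expected work is half the space."""
    guesses_per_second = hmacs_per_second / iterations
    expected_guesses = 2.0 ** (passphrase_bits - 1)
    return expected_guesses / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    header = create_vault_header("correct horse battery staple")
    assert unlock(header, "correct horse battery staple") is not None
    assert unlock(header, "Correct horse battery staple") is None
    # 28 bits is about six random lowercase letters; 80 bits about seventeen.
    for bits in (28, 40, 80):
        years = offline_attack_years(bits, header["iterations"])
        print(f"{bits:>3} bits, {header['iterations']} iterations: {years:.2e} years")
```

Two things fall out of the numbers: doubling the iteration count doubles the attacker's cost, but each extra bit of pass phrase entropy does the same, and a pass phrase of 80 random bits is out of reach even at a modest iteration count, whereas a 28-bit one falls in minutes regardless of the KDF. The iteration count only buys time; the length of the pass phrase is what protects the vault file once it is out of your hands.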
Advantages of a Password Manager
First and foremost, they are really the only practical way to use a different, long, random password at every site while still being able to log in easily.
1Password has a robust and easily configurable password generator, which is preferable to human-chosen passwords, which are typically weak. It will also indicate the strength of your passwords (and I've found that even the ones I thought were strong, were not).
Besides password management, I'm leveraging secure notes, credit cards and identity information. In one of the secure notes, I have a list of passwords for stuff that isn't covered by 1Password. For what I do have covered, I can easily see my credentials if I need to.
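As an added example of what the generator in the feature list above and the one described here have to do, the Python below (not 1Password's own generator or strength meter) builds a password from the operating system's cryptographic random source so that it satisfies a site's rules, including a site that forbids special characters, and estimates the entropy of the result. The two site policies are constructed for illustration and are not any real site's rules. The strength estimate is the simple "pool size to the length" bound, which is exact for a generated password and an overestimate for a human-chosen one, which is precisely why hand-made passwords that look strong often aren't.

```python
import math
import secrets
import string

# Two constructed site policies (illustrative, not any real site's rules).
# "symbols" is the set of special characters the site permits; an empty
# string means the site forbids them entirely.
POLICIES = {
    "allows-symbols": {"length": 20, "lower": True, "upper": True,
                       "digits": True, "symbols": "!$#%&*-_", "min_classes": 3},
    "no-symbols":     {"length": 16, "lower": True, "upper": True,
                       "digits": True, "symbols": "", "min_classes": 3},
}


def character_classes(policy):
    """The character classes the policy permits, each as a string."""
    classes = []
    if policy.get("lower"):
        classes.append(string.ascii_lowercase)
    if policy.get("upper"):
        classes.append(string.ascii_uppercase)
    if policy.get("digits"):
        classes.append(string.digits)
    if policy.get("symbols"):
        classes.append(policy["symbols"])
    return classes


def classes_present(password, classes):
    return sum(1 for cls in classes if any(ch in cls for ch in password))


def satisfies(password, policy):
    """True if the password has the required length, uses only permitted
    characters, and contains at least min_classes of the permitted classes."""
    classes = character_classes(policy)
    allowed = set("".join(classes))
    if len(password) != policy["length"]:
        return False
    if any(ch not in allowed for ch in password):
        return False
    need = min(policy["min_classes"], len(classes))
    return classes_present(password, classes) >= need


def generate(policy):
    """Draw uniformly from the permitted alphabet with the OS CSPRNG (secrets)
    and retry until the class requirement is met. Rejection sampling keeps
    every accepted password equally likely, unlike 'force one of each class'
    tricks that skew the distribution."""
    alphabet = "".join(character_classes(policy))
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(policy["length"]))
        if satisfies(candidate, policy):
            return candidate


def policy_entropy_bits(policy):
    """Entropy of a uniformly random password of the policy's length over its
    alphabet (the retry loop removes only a negligible slice of the space)."""
    alphabet = "".join(character_classes(policy))
    return policy["length"] * math.log2(len(alphabet))


def pool_strength_bits(password):
    """Crude strength estimate: length * log2(size of the pool of standard
    character classes actually used). It is a ceiling, not a measure:
    'Summer2014!' scores high here but is a dictionary word plus a year."""
    pool = 0
    if any(ch in string.ascii_lowercase for ch in password):
        pool += 26
    if any(ch in string.ascii_uppercase for ch in password):
        pool += 26
    if any(ch in string.digits for ch in password):
        pool += 10
    if any(ch in string.punctuation for ch in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


if __name__ == "__main__":
    for name, policy in POLICIES.items():
        pw = generate(policy)
        print(f"{name:15} {pw}  {policy_entropy_bits(policy):.1f} bits")
```

The generator gets its strength from the size of the space it draws from, not from which characters happen to appear, so the 16-character no-symbols password (about 95 bits) is still far stronger than any memorable password a person will choose. A real strength meter has to do more than `pool_strength_bits`: it must penalize dictionary words, dates and keyboard runs, which is why a generated password and a hand-made one of the same length and character mix get very different scores.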
The primary advantage is that I have access to all this stuff across my computers, phone and tablet. This is a huge advantage.
Another advantage is the ability to segment some sensitive data into “vaults” that you can share with others. For example, my wife and I have several magazine and newspaper subscriptions that we share. We can now share a vault that contains the credentials for these sites. Also, if one of us changes the password, the other will receive it.
I like the security model better than iCloud. I like the fact that the application generates and controls the encryption key on my computer/device. Also, using a third party storage vendor means that someone cracking into Dropbox might get my encrypted files but not the key that generated them.
On iOS, if you have a device with a fingerprint reader running iOS 8, you can use your fingerprint (Touch ID) to unlock 1Password quickly, which is definitely an improvement over typing a very long pass phrase. The fingerprint is a convenience for unlocking on that device; the vault itself is still protected by the key derived from your pass phrase, which you will still need to enter from time to time.
Drawbacks of 1Password
The principal drawback is the lack of support inside native apps. Take Facebook: if you access Facebook via a browser, 1Password will gleefully fill in the credentials for you. However, if you access Facebook via its app, you need to open the 1Password app, find the Facebook entry, copy the password, then paste it into the Facebook app. Useful, but hardly quick and easy. The good news is that there is now a programming interface in iOS 8 that permits app developers to include 1Password support within their apps. However, it will be a while before this support is in a wide range of apps.
The other drawback is much less of a concern, but it's the looser integration with the operating system than, say, Keychain. Keychain is well integrated and its use is almost second nature, especially for the casual, non-technical user. Though 1Password is easy to use, it is not quite as integrated. The most glaring example is iOS Safari. Until iOS 8, there was no integration: to fill in credentials at a website, you had to use 1Password's built-in browser. Starting with iOS 8, there is a method to fill in credentials from within Safari, but I find it awkward. I think for now, I'll stick with the built-in browser.
They don't work on all websites. For example, Bank of America and Verizon have multi-step login sequences that a single-form auto-fill can't complete on its own. In the case of BoA, you enter your login ID, it takes you to a picture and phrase that you set up in advance, and only then do you enter your password. For Verizon, you enter your login credentials and, upon success, you then need to enter a passcode.
To summarize, I’d highly recommend that you consider using a password manager as a method to help you strengthen and manage access to sensitive sites and data.