With the recent disclosure of ShellShock, a serious security vulnerability that likely impacts many web sites on the internet, we are once again reminded that the internet is a fragile place. The bug exploited in ShellShock is likely decades old. Face it: software is buggy, and it will always be buggy. The internet will never be 100% safe. And other than choosing not to use it, we have little control over it.
But there is one area we do control. And that’s our passwords. You have to assume that there is a real chance that one of the online services you use will be compromised. A common target of compromised web sites is the password database. And even though any legitimate website will encrypt (or hash) that data, that does not stop crackers if either the encryption or your choice of password is weak. And what if your username on a compromised site is your e-mail address? And what if your e-mail password is the same as the one that was compromised? Then the cracker has the family jewels, because once you hack somebody’s e-mail you are well on your way to resetting passwords on other sites.
So the number one defense is good password practices. And that means:
- Using unique passwords on different web sites (especially critical ones like banking, e-mail, etc.)
- Using strong passwords. And these days that means a combination of length and randomness.
- Changing them periodically
And we know that no human can do this without some help. You need a password manager.
Like many, I had objections to the thought of relying on a password manager…
But I Have A Scheme!
Before adopting a password manager I had a scheme. And most “smart” people I know have a scheme. They have a couple of tiers of passwords (one for e-mail, one for banking sites, one for social media, etc.) that they base on some nonsense words and throw in some punctuation and numbers. That’s much better than what many folks do. But the fight against password crackers is an arms race, and our only weapon is length and randomness. So odds are your scheme isn’t good enough. At least not for your critical sites.
That’s what I finally decided after I read that a Russian hacking ring had 1.2 billion username/password pairs. And even if many of those accounts are old and previously compromised, it was still sobering.
But It Will Complicate My Life!
I had resisted adopting a password manager because I was sure it would make my life more complicated. It is another piece of software to deal with, and what happens if I’m stranded on a desert island and a notebook computer washes up on the beach and I want to log into Gmail and I have internet but not my password manager? I’m much better off in that case if I memorized my password!
But then I realized I had already been using a password manager. A cruddy one. The one built into the browser (that saves passwords for you). I realized this when I borrowed my wife’s iPad to check my email while on vacation. I realized I had forgotten my password. My scheme had broken down. My password was stored (in browser data) on devices not with me. I had all the downside of using a password manager (depending on it), without the upsides of a good one (security and ubiquity).
So my life was already complicated. And maybe a good password manager would make it simpler.
But I Already Use a Password Manager (sort of)
As I said above, I was using a manager of passwords of sorts already. Many folks are already using some form of ad-hoc password manager.
For example, some people write down passwords in a little book and store that at home. This is actually not that bad — assuming this enables you to use strong passwords and you don’t carry that book in your laptop bag! But it is not necessarily convenient, nor ubiquitous.
Others use the browser’s “save my password” capability. Again, not too bad as long as you are encrypting those with a master password (which many folks don’t do).
But many of these solutions have shortcomings or limitations. The most common limitation is lack of ubiquity. I want my passwords available on all my devices, regardless of platform, and on any browser. I would also prefer that my passwords be managed by software whose only job is to securely manage my passwords and by a company whose entire business is based on helping me securely manage my data.
So I Took The Plunge
So I decided to take the plunge. But which one? There are a number of options.
I decided to limit my choices to the two most popular: LastPass and 1Password. My plan was to try one for a couple of weeks, and then the other. I picked 1Password first because, believe it or not, I liked their video. And after a week I was hooked, and never got around to trying LastPass. What I like about 1Password:
- Their engineering effort is focused on making their password repository (they call it a vault) impenetrable. They assume the worst — that bad guys are going to somehow get hold of your vault. And they have engineered the encryption so that if you pick a strong master password, then a 1Password vault is practically uncrackable (everything is theoretically crackable given enough time, horsepower and luck).
- They do not provide a web service. Unlike LastPass, 1Password is not a service. It interacts directly with the vault on your local system. You are guaranteed that your password and keys never go to a 1Password server, because there are no 1Password servers. Because of this they have reduced their attack surface area, which means they have been able to avoid an entire category of attacks. It also makes the system easy to understand. Update: 1Password now offers the 1Password for Families and 1Password for Teams services, which are hosted services.
- You choose how to sync your vault between multiple devices. You can do it by manually copying files around, or by local sync over wifi, or by Dropbox or iCloud. Your choice. You are not forced to use a 1Password service for this, because there is none!
- You can store any useful info you want in your vault. Not just passwords. Bank account info, social security numbers, PINs for ATM cards, etc. You can even attach files — for example I have scans of our passports stored in the vault. It provides a secure, convenient place to store important information.
- Ubiquity. I have access to my vault on all my devices. I never have to worry about forgetting a password. When signing up for a new service I don’t have that extra burden of deciding what password to use and how to remember it. I also have access to other info I keep in the vault.
- Their website and blogs have great information provided in a simple, transparent, easy to understand fashion.
That said, I have also heard many good things about LastPass. While they did have a vulnerability (and to be fair 1Password had a design flaw), it was fixed almost immediately. They also have some interesting features, like the ability to share accounts while keeping the password hidden.
The point of this post is not to sell folks on 1Password, but on using a password manager, and to share my experiences.
But What About All Your Eggs in One Basket?
Yes, this is a concern. If all my secrets are in my vault, then I’m screwed if somebody cracks my vault. Some thoughts on that:
- Pick a strong basket. I am trusting AgileBits (makers of 1Password) to make a strong vault. I have given them that trust based on research I’ve done, their clear and transparent documentation/blogs, and the fact that the survival of their company solely depends on them providing a safe and secure password store.
- Pick a strong master password. This is huge. Adopting any solution is dangerous if you don’t encrypt your data with a strong master password.
- The practical dangers of poor password hygiene outweigh the theoretical dangers of using a good password manager. It is far more likely my accounts will be compromised from weak passwords or some other hack than from somebody compromising my vault. It is so much easier to use social engineering or exploit web vulnerabilities (that seem to show up monthly!) than to crack a well encrypted data store.
- I have no choice. At this time I don’t see a better solution. We are stuck with passwords (and password managers) — for now at least.
The good thing about adopting a password manager is that you can take it a step at a time. You don’t have to change your passwords until you are comfortable using the password manager. Here were the phases of my adoption.
- Pick a master password. This is the most important step, and AgileBits has a good blog posting on it.
- Install on my home Mac and import passwords from Firefox. BTW, this import step is cumbersome for 1Password at the moment — I expect they will improve that. I had to install a plugin into Firefox to export my passwords into a comma separated value (CSV) file. Then edit that file to match 1Password’s CSV schema, then use the 1Password import operation to import it.
- Use the 1Password app to clean up my stored passwords since there was lots of cruft that had built up over the years.
- Install the 1Password browser plugins and experiment with the browser integration.
- Turn off my browser’s remembering of passwords.
- At this point I was fully using 1Password on one machine. I used it for a few days until I was comfortable with it.
- Then I installed it on my laptop and synched the vault.
- Erased all “saved passwords” from the browsers I was using.
- Then purchased the app for our iPads and iPhones and set that up.
- Started changing passwords on web sites to be random strings. 1Password has a password generator to help you with that.
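An added illustration of the “length and randomness” argument above (example code, not 1Password’s generator or anything from AgileBits): it draws a password from the OS CSPRNG, computes its entropy from length and alphabet size, and contrasts that with an assumed model of a “nonsense word plus digits plus punctuation” scheme. The word-list size, guess rate and scheme shape are assumptions for the comparison only.

```python
import math
import secrets
import string

# Printable ASCII minus space: 94 symbols, a typical generator alphabet.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).
    Doubling length doubles the bits; enlarging the alphabet helps far less."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw each character with the OS CSPRNG (secrets), not random.random()."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def scheme_entropy_bits(word_list_size: int, digits: int, punct_choices: int) -> float:
    """Assumed model of a human scheme: one word from a list the attacker can
    guess, followed by some digits and one punctuation mark. The attacker
    searches the product of those choices, not the raw character space."""
    return math.log2(word_list_size * (10 ** digits) * punct_choices)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time for an attacker to try every candidate at a given rate."""
    return (2.0 ** bits) / guesses_per_second / (365.25 * 24 * 3600)


def compare(length: int = 20, guesses_per_second: float = 1e10) -> dict:
    """Return the bits and exhaustive-search years for both approaches.
    Assumed attacker: 100k-word list, 2 digits, 10 punctuation marks, 1e10 guesses/s."""
    scheme = scheme_entropy_bits(100_000, 2, 10)
    random_pw = entropy_bits(length, len(ALPHABET))
    return {
        "scheme_bits": scheme,
        "scheme_years": years_to_exhaust(scheme, guesses_per_second),
        "random_bits": random_pw,
        "random_years": years_to_exhaust(random_pw, guesses_per_second),
    }


if __name__ == "__main__":
    print("sample:", generate_password())
    for key, value in compare().items():
        print(f"{key:>13}: {value:.3g}")
```

Under these assumptions the scheme password falls to an exhaustive search in a fraction of a second, while the 20-character random one is out of reach by many orders of magnitude.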
And now after using it for over a month I can say I love it. And it has actually simplified my life, not made it more complicated.
Update: One Year Later
We (wife and me) have been using 1Password for over a year now. One of my early concerns was that a password manager would complicate things, but exactly the opposite has happened. A good password manager simplifies your life! How? Let me count the ways:
- Never forget a password again. No more racking your brain to remember a password for a little used site. Or going through the hassle of a password reset.
- New site? New password? No problem. Signing up or registering at a new site no longer has that extra burden of deciding what password to use. Just generate one with your password manager and it remembers it for you.
- Peace of mind. We made sure all of our critical sites now have unique, secure, random passwords.
- Securely sharing passwords. My wife and I share a vault. No more coordinating on passwords. If something happens to me she has peace of mind that she knows the location of our accounts and can access them.
- Safe place to store information. In addition to passwords we store other sensitive information in our vault. Really handy. No longer wonder where you should write down this type of stuff — just put it in your vault.
- Helps recovery when something does go wrong. My wife succumbed to a phishing attack and potentially exposed one of her passwords. Because we used a password manager, the number of sites where she re-used that password was limited. And with the password manager we could quickly find all sites where she used that password or similar ones (so we could change them). So we were able to recover from this much more easily and more safely than if we had not been using a password manager.
- Reduces brain clutter. By taking a task that our brains are bad at (creating and remembering random strings of information) and turning it over to software that is much better at it — we have freed ourselves of mental clutter.