Apple iCloud: Photo Library vs My Photo Stream vs Photo Sharing

When photo management consisted of taking pictures on your digital camera and uploading them to your Mac for use with iPhoto, things were pretty simple. But then along came iPhones and iPads and Apple’s cloud services. I recall getting confused as to how in the heck Apple’s cloud solutions worked for photos, and to make matters more confusing they were a moving target as they evolved over iOS releases.

Things seem to have stabilized now. So here is an overview of what you need to know.

In iOS 11 when you go into iCloud settings (Settings->Your Name->iCloud) you’ll see three sharing choices under Photos:

  1. iCloud Photo Library: Automatically upload and store your entire library in iCloud to access photos and videos from all your devices.
  2. My Photo Stream: Automatically upload new photos and send them to all of your iCloud devices when connected to Wi-Fi.
  3. iCloud Photo Sharing: Create albums to share with other people, or subscribe to other people’s shared albums.

OK — those descriptions help, but how do these impact my iCloud storage capacity? What are the limitations? How are they used in practice? Why wouldn’t I just turn them all on?

iCloud Storage

As of this writing you get 5GB of free iCloud storage when you create your iCloud account. That’s enough for backing up your phone, and storing your contacts, calendars and some documents. But it isn’t enough for any significant number of photos and videos. You can bump that storage to 50GB for $0.99 a month. That is large enough for modest photo libraries. Apple, of course, is happy to sell you more capacity.

So how do the above plans use iCloud storage?

  1. iCloud Photo Library: uses iCloud Storage
  2. My Photo Stream: does NOT use iCloud Storage
  3. iCloud Photo Sharing: does NOT use iCloud Storage

So only iCloud Photo Library will consume your iCloud Storage. Great! Of course that means there must be some limitations to Photo Stream and Photo Sharing.

So, what do each of these plans provide?

Summary of Features and Limitations

Plan          | Uses Storage | Limitations                                                  | Best For
Photo Library | Yes          | Your storage quota                                           | Access to all your photos everywhere and a safe backup of all your photos.
Photo Stream  | No           | 1,000 photos or 30 days. There are additional upload limits. | Easy access to recent photos on all devices.
Photo Sharing | No           | 5,000 photos. There are additional sharing limits.           | Sharing photos with friends.



If you want to have access to all of your photos everywhere and want to have a safe backup of your photos then enable iCloud Photo Library. But be aware that this will use your iCloud Storage, and you will likely need to purchase additional storage.

If you just want easy access to your recent photos on all your devices then turn on My Photo Stream. It costs nothing. But keep in mind this does not ensure all your photos are backed up. You might have some duplicate copies (for example your iMac might have some stored locally) but that is not guaranteed.

If you want to share photos with friends then enable iCloud Photo Sharing. It costs nothing and lets you share photos with other Apple device users. There is even a way to share through a web site. Note that these shared photos are essentially backed up onto Apple’s servers. So you can consider creating a shared folder just to store your important photos (if you don’t enable Photo Library).


These are all tech articles from Apple:

Amazon Kindle Fire HD 8 Review

Update: This review is for the original Fire HD 8, not the updated model that was just introduced in Sept 2016. The new HD 8 is faster and cheaper, which makes it even more compelling. Now if they could just improve what is offered in the Amazon App Store!

For the past couple of years I’ve been using a hand-me-down Apple iPad 1 as my tablet, and while it might have been revolutionary in 2010, today it is pretty archaic: slow, low-res screen, and a web browser that crashes more often than not.

So I decided to get myself a new tablet for Christmas. My requirements were modest, and I decided I did not want to pay the “Apple Tax” for an iPad. Android would be fine. And being an Amazon Prime user, there was some appeal in getting a Fire OS device. So when Amazon put their HD 8 tablet on sale I pulled the trigger.

After using the device for a few weeks, here are my impressions.

What I Got

  • Fire HD 8, 8″ HD Display, Wi-Fi, 16 GB – Includes Special Offers, Black: $149.99 on sale (list price $169.99)
  • AmazonBasics 8-Inch Tablet Sleeve:  $6.79
  • SanDisk 64 GB micro SD Memory Card: $22.99

So I got an 80GB, 8″ tablet with sleeve for $179.77 ($198.49 after tax, delivered to my door). I chose not to buy a case for it, since who wants to spend $40-$50 on a case for a $150 device? (I will be keeping an eye out for refurbished cases.)

By comparison a 64GB iPad mini4 is $499. A 32GB iPad mini2 is $319. Yes, those are better tablets — but that much better?


Let’s see how this device compares to my old iPad 1, and the current iPad Minis.

                  | Fire HD 8                      | iPad 1              | iPad Mini 2                     | iPad Mini 4
Screen Size       | 8 inches                       | 9.7 inches          | 7.9 inches                      | 7.9 inches
Screen Resolution | 1280 x 800                     | 1024 x 768          | 2048 x 1536                     | 2048 x 1536
Screen PPI        | 189                            | 132                 | 326                             | 326
RAM               | 1 GB                           | 256 MB              | 1 GB                            | 2 GB
Processor         | 1.5/1.2 GHz quad-core MediaTek | 1 GHz ARM Cortex-A8 | 1.3 GHz dual-core Apple Cyclone | 1.5 GHz dual-core Apple Typhoon
Back Camera       | 5 MP/1080p                     | N/A                 | 5 MP/1080p                      | 8 MP/1080p
Front Camera      | 720p                           | N/A                 | 1.2 MP/720p                     | 1.2 MP/720p

So the Fire holds its own against the current Minis on most specs, except for the screen (and it soundly trounces the old iPad 1). Also, Apple devices are known for good quality cameras, so while the specs here are similar, one has to assume the Apple cameras would out-perform the Fire’s — something I believe is true based on informal comparisons.


One fantastic thing about the Fire is that it accepts micro SD memory cards, so it’s cheap to upgrade from 16GB to 80GB. But there is some confusion as to how this add-on storage is used. So to clarify:

  1. Not everything can be stored on the add-on SD card. According to Amazon: audio books, books, Silk Browser downloads, email, and some apps must be stored on the internal storage.
  2. For other stuff you control use of the external SD card in Settings under Storage. This lets you store movies, TV shows, music, photos, videos and some (“supported”) apps to the SD card.

So the internal storage is always used for some stuff. Because of this I got the 16GB model instead of the 8GB model. Fortunately large things, like music and video, can be stored on the external SD card.


One of my concerns with the HD 8 was the display. The specs are OK, but nowhere near Apple’s retina displays. So would the HD 8 display be sufficient?

In short, the answer is yes. The HD 8 has an IPS display that is bright, with vivid colors and good viewing from off-angle. It is very good for games and video. It is fine for photos, and is sufficient for book reading if you are not doing lengthy reading sessions.

This last point is important. If you intend to use the HD 8 as a primary Kindle e-reader, then you might be disappointed due to its fairly low (by Apple standards) PPI. The HD 8 is fine for casual reading, but if you want a serious e-reader then I’d get a Kindle Paperwhite. Fortunately you can get an HD 8 and a Kindle Paperwhite for less than an iPad mini!

So overall the display, while not fantastic, is sufficient — at least for my use.


So far I’ve only used the rear facing 5MP still camera. Based on initial results I’d say the camera is fine for Facebook posts and other casual snapshots, but there is some degree of softness and lack of detail. This won’t be replacing your iPhone 6 or dedicated digital camera, but it is perfectly fine for quick social media shots.

Fire OS 5.5

If you’ve used a Fire TV or Fire Stick then the Fire operating system will be familiar. While the home screen has the obligatory set of app icons, the rest of the user interface is oriented around content — especially Amazon content. Swiping vertically on the home screen scrolls through your apps. Scrolling horizontally takes you through content types: Books, Video, Games, Shop, Apps, Music, AudioBooks, Newsstand.

This works fine, although it results in multiple ways to get to the same content, and the content is presented in different ways. Want to play music? You can open the Amazon Music app from the Home screen, or you can tap on the Music category. Why would you want to do one over the other? Generally speaking the categories tend to focus on Amazon content with recommendations for you, while the apps focus on your content more specifically. But still, it’s two different ways to get to the same stuff, and any UI based on that is bound to be a bit sub-optimal.

One nice feature is that swiping to the left of the home screen shows a “Recents” page that summarizes apps and content that you’ve recently accessed. Very convenient.

So overall the user experience is fine, but this would not be my first choice for my mom where the simpler and more consistent Apple iOS experience would be easier to use.

Which brings me to my next point. Much of Fire OS focuses on Amazon Prime content. That’s one of the appeals of a Fire tablet for Prime members. But if you are not an Amazon Prime member then that takes away a large portion of the benefit of using Fire OS.

Basic Apps: E-Mail, Silk Web Browser

E-Mail works fine. Simple to set up. Runs and performs well. No complaints.

The Silk web browser works and performs OK, but overall it feels less mature than Safari on iOS. For example the Southwest Airlines web site doesn’t load on my Fire HD 8, but it loads fine on my wife’s iPad. My wife has confidence that she can do any web browsing on her iPad that she would do on an iMac. I do NOT have that confidence with Silk. It’s fine for most uses, but it does not replace your laptop.

Performance and Stability

Performance of the tablet is tolerable. It performs well for games and media. Surfing the web is ok for many sites, although on occasion Silk is sluggish to respond to taps on links, and more complex sites can bog down (Note: the extra memory in the updated version should help this).

The tablet has been pretty stable except for one incident that could have been part user error. After using the tablet for a couple weeks I started getting random messages about the SD card being removed improperly — even though I never touched the SD card after initially installing it. This led to the tablet failing to launch apps, and eventually getting into a reboot / filesystem repair loop.

I then removed the SD card, did a factory reset on the tablet, reinstalled the SD card and erased it, then re-downloaded apps. That seemed to do the trick and I have had no problems since. My theory is when I initially installed the SD card I did not seat it fully in its slot.

Update: The SD card has continued to be an issue with the tablet occasionally having issues reading the card. I suspect it is my SD card, but it has not happened often enough for me to try another card to verify this. I’m now thinking it might be best to always have apps installed onto the built-in storage, and use the SD card only for media (music and video). This is controllable via the Settings.

Other than that the tablet has been pretty stable. I do end up power cycling it once a week or so to keep issues at bay and keep it running smoothly.

The Kindle App Store

One of the advantages of Fire OS is easy access to Amazon Prime content. But one of the disadvantages of Fire OS is the relatively weak Kindle App Store.

You want DropBox? Not there.

1Password? Nope.

Instagram? Snapchat? Sorry.

These are all available in Google Play. But not in the Kindle App Store. And this can be frustrating.

There is a way around this — it’s called sideloading. Basically you

  1. Change a setting on your Fire tablet to allow applications installed from untrusted sources.
  2. Go download the app’s software package from somewhere.
  3. Install it on your Fire tablet.
  4. Hope it works.

#2 can be the hard part. In some cases it’s not bad, for example DropBox provides an Android download on its website. But 1Password does not — I ended up signing up as a Beta user to get an Android download.

There are ways to trick Google Play into letting you download packages onto FireOS, but it gets fairly complicated.

This is the big tradeoff with an Amazon Fire tablet. You get easy access to Amazon Prime content, but you lose easy access to some number of Android apps. Also, the Kindle Store has a fair amount of cruft in it. For example, there actually is a version of Instagram in the App Store, but it is old and doesn’t support the current tablets.

So once again, if you don’t have Amazon Prime then you probably don’t want a Fire tablet. In that case a more vanilla Android tablet would be a better choice.

Update: Amazon seems to be making a renewed push for developers to use their App Testing Service to verify their Android apps for Fire OS — touting that 85% of all Android apps “just work” on Fire OS. Let’s hope that this starts bringing new content to the Amazon App Store.

Security / Encryption

As expected you can set a pin or password that is required to unlock the device after it has been idle — a highly recommended precaution to take.

But as far as I can tell, there is no device encryption. Apparently this was available on some earlier Fire tablets, but I don’t see this option on the HD 8. Maybe it doesn’t have the hardware necessary to support (fast) encryption, or maybe it will come in a later OS update. But depending on your use this could be a deal killer.

Update: It’s confirmed. Amazon did remove device encryption from Fire OS 5 and they now have announced plans to bring it back in the spring.

Special Offers

I opted for the Special Offers edition to save a few bucks. A couple observations:

  1. The offers only appear on the lock screen. You don’t see them otherwise (well, except for the next bug).
  2. On rare occasions I’ve had the “special offers” screen saver linger in the background after I switch to the Home screen. This problem seems to have gone away after I set my own wallpaper — fingers crossed. Update: since setting my own wallpaper this problem has gone away.
  3. While unlocking the tablet, once in a while I inadvertently tap something concerning the special offer and end up getting more information on the offer or playing a video concerning the offer. Annoying.

You can disable special offers after purchase by paying $15. Due to #3 above I am now considering this!


Overall the tablet works pretty well, but there are some drawbacks:

  1. The Kindle App Store is weak compared to Google Play
  2. No full device encryption, but hopefully that will be remedied in a few months.

If you have Amazon Prime and you are looking for a cheap tablet to access Amazon content, then the tablet is a good choice. Otherwise a generic Android tablet might be a better way to go.


Converting Protected iTunes Audio Files So You Can Play Them Anywhere

Music purchased in iTunes in mid-2007 and earlier can’t be played on any non-Apple (iOS/MacOS) device. These music files are protected with Digital Rights Management (DRM), are labeled in iTunes as Protected AAC audio file, and have a file suffix of m4p. Apple introduced iTunes Plus in 2007 — a DRM-free, higher quality format. These files are labeled as Purchased AAC audio file, have a file suffix of m4a, and can be played on (most) any device. By 2009 Apple stopped selling DRM-encumbered music and everything was iTunes Plus.

Since we were early iTunes adopters our iTunes library had a lot of protected files. Over a thousand. In the last year or so I’ve started using the Amazon ecosystem more and more. We use Amazon Prime music, we have an Amazon Fire TV Stick and Echo, and I’m considering getting an Amazon Fire tablet. With Amazon Prime I can upload my purchased iTunes music — yeah! — but NOT if it is Protected AAC. Boo! And if I do get that Fire Tablet, those protected iTunes files won’t play. The more recent stuff will — but not most stuff purchased before 2009.

Bottom line is: you do not want any DRM protected music in your music library. So how do you get rid of the iTunes DRM?

There was a period of time where you could upgrade protected files to iTunes Plus for a fee. But that option is no longer available. Fortunately there is still a way — it’s just a little indirect and will cost you $25.

Before doing this process you should check your iTunes library and see how many protected music files you have. One easy way to do that is to create a smart playlist where Kind contains “Protected AAC audio file”. You can then see how many you have and if it is worth the $25 to convert them.

iTunes Match

Apple introduced iTunes Match in early 2013. The concept is simple. iTunes Match scans your iTunes music library. Most of your music files Apple already has sitting on their servers (“in the cloud”). For those that don’t match, iTunes uploads them to your own private corner of the cloud. Once the scanning/uploading is complete your music is available to you on any iOS device. You no longer have to sync the music files from your Mac to your phone. And you don’t even need to keep local copies of the files on your Mac if you don’t want to.

The catch? It costs $25 a year. But for the $25 you get another bonus. Since all the music in Match is iTunes Plus (DRM free) you can convert your m4p files to m4a by simply forcing a re-download of the files. Once you do that you can upload them to Amazon Prime, copy them to your Android tablet, etc.

Here’s How

1) Subscribe to iTunes Match

You can do this in the iTunes store. It will cost you $25.

2) Turn off Auto-Renewal

If you are primarily using iTunes Match to convert your library, then go to your iTunes Account settings and turn off auto-renewal now so you don’t forget. When iTunes Match lapses in a year you won’t get the cloud benefits, but all the converted files you have downloaded will stay converted.

3) Click on the Match tab in iTunes

After subscribing to Match it will go through three phases:

  1. Gathering info about your iTunes library
  2. Matching your music with songs in the iTunes Store
  3. Uploading artwork and remaining songs

I stopped the process after it finished #2. I will likely go back and start it up again to finish #3, but it’s not critical at this point.

4) Examine Your Library

Now click on My Music. Bring up the Songs menu in the upper right corner and make sure “Kind” is checked in the Show Columns menu.

Next click on the Kind column to sort your music by file type. Scroll down to your “Protected AAC audio files”. These are the files you want to upgrade.

5) Delete a protected file and re-download it

First try just one file to make sure things are working as you expect. Do this:

  1. Select one of your Protected AAC audio files
  2. Press the Delete key
  3. Click Move to Trash
  4. In iTunes the song will now be labeled “Purchased AAC audio file”. There will be a ready-to-download cloud icon next to it.
  5. Control-click on the selected song and choose Download from the menu.
  6. The music file will download as an m4a file! Yippee!

6) Repeat for the rest of your library

I did it this way:

  1. Sort by Kind to identify Protected AAC audio files.
  2. Some of my protected songs had the Waiting cloud icon. From what I could tell these are songs that did not match and iTunes wanted to upload them. This seems like a bug, since one would think that any song I purchased in iTunes would match, but for some reason they did not. Less than 1% of my Protected songs had this icon, so I decided just to ignore them for now.
  3. For the other protected songs I selected large chunks of them and hit Delete then Move to Trash.
  4. Once I was done deleting the protected songs I sorted the song list by the cloud icon column, then selected all the “ready to download” songs and downloaded them.
  5. It took a couple hours to finish the downloads.

7) Your iTunes Library is now DRM free!

I then uploaded some Nirvana to my Amazon Prime account and listened to it on my Echo (Alexa! Play Nirvana). Something I could not do before the conversion.


  1. Subscribe to iTunes Match
  2. iTunes Match: Understanding the iCloud Status icons
  3. About iTunes Plus and Converting DRM music

Amazon Echo Review


Last fall Amazon announced the Echo: a combination personal assistant (think Siri) and Bluetooth speaker. For some reason I found the cheesy video strangely compelling, so I signed up for one (and at $99 for Prime members it seemed pretty reasonable). And here we are in February and it just arrived.

Unbox and Setup

The unit arrived in a nice compact box. The internal box followed Amazon’s Fire branding: low key black outside with a pop of orange on the inside. Contents of the box:

  1. The Echo tower
  2. Power adapter
  3. Remote control
  4. Batteries for remote control
  5. Getting started guide and Echo tip sheet

The Echo tower itself is nicely finished and pleasantly hefty due to the two speaker drivers with large magnets. On top of the tower is a light ring that is both a volume knob and a visual indicator that changes color/pattern depending on what’s going on with the Echo.

So I plug it in and it powers up, first flashing some blue, then changing to a sweeping orange. Echo then speaks, telling me that it’s time to start the setup app. My dog is slightly spooked.

The companion app for the Echo runs on iPhones, Android phones, and browsers on your computer. I decided to do the setup using my iMac and Safari, so I went to and the app loaded. So far so good. I advanced to the connection screen where I’m informed that the Echo has set up a WiFi network, and it was time to turn on my iMac WiFi and connect to Amazon-XXX. I did, and the Echo pleasantly informed me that my client had connected and to continue with the setup app.

And then I hit a problem. The application was stuck on “Connecting….”. My iMac had joined the temporary wifi network just fine (according to my network settings), but it couldn’t connect to the Echo. I tried all the normal things you try in this situation: power cycling the Echo, trying the app on an iPad, etc. Nothing helped. So I called Amazon support.

Initially I talked to a general support engineer in some faraway country, but he quickly transferred me to an Echo specialist, Stephanie, who sounded like she was right next door. After going over some basics, Stephanie had me reset the Echo by inserting a paper clip into a small hole in the base of the Echo. And to make a long story short — that did the trick. I was able to perform the setup process. So to highlight this for others:

If your Echo setup application hangs on “Connecting…”, then turn your Echo over, insert a paper clip into the small hole in the bottom of the Echo, hold for 5 seconds to reset the Echo to factory defaults, and then re-do the setup process.

OK! So now our Echo was up and running.

Speaker Quality

The first thing I was interested in was the speaker quality. One of the primary uses of Echo is to play music so it better sound pretty good. And it does.

The tower contains two downward firing drivers: a 2″ tweeter and a 2.5″ woofer. Clearly you’re not going to get window shaking bass, but the Echo does produce a full rich sound. Since it is a point source of audio, it’s not going to fill your room like a good home system does. But for background music while you are cooking dinner? Perfect!

Overall the Echo played louder and sounded better than the Cambridge Soundworks Oontz we have (a small, decent sounding Bluetooth speaker). But it likely lacks the punch of higher end ($200) speakers. I do wish the Echo had some way to support adding external speakers — maybe a headphone out. But it does not.

In general I have no complaints with the sound quality. It sounds great for what it is.

Voice Recognition

To get the Echo’s attention you use a wakeup word — “Alexa” by default (you have an option to use “Amazon” for those families that already have an Alexa). In general the voice recognition works well. Both my wife and I had no problem using the Echo, and even when it is playing music it easily recognized me without needing to shout. The Echo comes with a remote control with a microphone for those cases when the room is too noisy, or you are too far away. The companion app contains a voice recognition training feature, but so far we’ve felt no need to use it.

In terms of range — it is quite good. The Echo seemed to easily hear us from any point in a large room — and even a room away (with no music playing).

In fact, the voice recognition might be too good! We were watching American Idol one evening, and there was a contestant named “Alexis”. I’m not sure exactly what Ryan Seacrest said, but in the middle of the show our Echo announced “Adding Books to your shopping list”.

Music Streaming

Currently the primary use of the Echo will be to stream music. The Echo has access to your Amazon Prime music, as well as the streaming services iHeartRadio and TuneIn. Some examples of requests you can ask Echo:

  • Play my “Dinner Party” play list
  • Play Journey
  • Play KNBR radio
  • Play Taylor Swift
  • Louder
  • Softer
  • Next
  • Volume 4
  • Mute

Generally Echo first tries to satisfy your request using your Prime Music library, then falls back to free content on Prime Music. At times it has also fallen back to iHeartRadio and TuneIn. For example Amazon Prime has plenty of Journey, but apparently no Taylor Swift. So “Play Journey” played stuff from Prime, and “Play Taylor Swift” went to iHeartRadio.

iHeartRadio also streams live radio, so “Play KNBR” plays our local sports radio station. And of course you can explicitly pick an iHeartRadio custom station by saying “Play iHeartRadio My Jazz”.

TuneIn has a variety of podcasts and NPR shows, so “Play This American Life” will play the latest episode. Unfortunately I have not found a way to select a specific podcast episode via voice command. For example I want to listen to Episode 1 of the Serial podcast, but I can’t get the Echo to do that unless I use the companion app to select it.

Overall the music streaming works pretty well, but it is not without frustration. There have been times that I just can’t get the Echo to understand what I’m requesting. For example, I have some tracks from the soundtrack to Whiplash in my Prime music library, but no matter what I said it kept playing some song named Whiplash. I had to resort to creating a specific playlist — at which point “Play playlist whiplash” did the trick. Also, sometimes requesting specific classical pieces does not go well. It just has no idea what I’m asking for.

But these frustrations have been relatively minor, and we find ourselves using the music streaming capability often.

Other Features

In addition to streaming music Echo has some additional features:

  • Sports: The Echo has some integration with sports results. It’s very handy to be able to ask: “Alexa, when do the Warriors play next” or “What was the score of the Giants game?”.
  • Setting a timer: we love this feature! If you’ve just phoned in your Japanese takeout order and you need to leave in ten minutes to pick it up: “Alexa, 10 minute timer!”. Or your hands are covered in bread dough: “Alexa, 15 minute timer!”.
  • Shopping and ToDo list: You can add and remove things from these lists by asking Alexa. These lists are made available in the companion app so you can access them on your smart phone. “Alexa, add Almond Milk to the shopping list”.
  • Flash Briefing: You can get a brief update on news and weather by asking: “Alexa, flash briefing”. We have ours configured to use NPR for the news.
  • General info: I was concerned that the Echo might be a temptation to cheat on my Sunday NY Times crossword puzzle — after all, I’m used to asking my wife questions. Why not Alexa? Well no worries there — the Echo is not as smart as some of the other digital assistants — at least not yet. For example it did not know the largest lake in South America. And in general, these types of queries are hit and miss. But the Echo does know about local sports teams, which is huge! So this does work: “Alexa, when do the Warriors play next?”. And I get the answer in Pacific Time (which is better than Yahoo Sports, which seems to list everything in ET).
  • Spelling: oh yes, the Echo can spell. So now my family can ask Alexa instead of me!


So why is this better than Siri on your iPhone plus a bluetooth speaker?

It’s better because the Echo is always on, and always there. You don’t have to find it. You don’t have to touch it. You just talk at the room and voila — you have your answer or your music. So for $99 bucks I think it’s a bundle of fun for Amazon Prime members.

Using a Password Manager: I did it. So can you.

With the recent disclosure of ShellShock, a serious security vulnerability that likely impacts many web sites on the internet, we are once again reminded that the internet is a fragile place. The bug exploited in ShellShock is likely decades old. Face it: software is buggy, and it will always be buggy. The internet will never be 100% safe. And other than choosing not to use it, we have little control over it.

But there is one area we do control. And that’s our passwords. You have to assume that there is a real chance that one of the online services you use will be compromised. A common target of compromised web sites is the password database. And even though any legitimate website will encrypt (or hash) that data, that does not stop crackers if either the encryption or your choice of password is weak. And what if your username on a compromised site is your e-mail address? And what if your e-mail password is the same as the one that was compromised? Then the cracker has the family jewels, because once you hack somebody’s e-mail you are well on your way to resetting passwords on other sites.

So the number one defense is good password practices. And that means:

  1. Using unique passwords on different web sites (especially critical ones like banking, e-mail, etc.).
  2. Using strong passwords. And these days that means a combination of length and randomness.
  3. Changing them periodically.

And we know that no human can do this without some help. You need a password manager.

Like many, I had objections to the thought of relying on a password manager…

But I Have A Scheme!

Before adopting a password manager I had a scheme. And most “smart” people I know have a scheme. They have a couple of tiers of passwords (one for e-mail, one for banking sites, one for social media, etc) that they base on some nonsense words and throw in some punctuation and numbers. That’s much better than many folks. But the fight against password crackers is an arms race, and our only weapon is length and randomness. So odds are your scheme isn’t good enough. At least not for your critical sites.
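To make the three practices above and the "length and randomness" point concrete, here is an added Python example (not code from the original post, and not any password manager's actual implementation). It generates passwords with the `secrets` module, compares the entropy of a random password with a tiered "scheme" of a few nonsense words plus punctuation and numbers, detects password reuse across a constructed set of site entries, and derives a vault key from a master password with PBKDF2-HMAC-SHA256 as a generic stand-in for whatever key derivation a real product uses. The site entries, the scheme sizes and the guess rate are all constructed assumptions for illustration.

```python
import hashlib
import math
import secrets
import string

# 94 printable ASCII symbols (letters, digits, punctuation); an assumption
# about the generator's alphabet, not a claim about any specific product.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Uniformly random password from a CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def scheme_entropy_bits(base_words: int, punct_choices: int, number_choices: int) -> float:
    """Entropy of a tiered 'scheme': one of a few base words, plus one of a few
    punctuation marks and one of a few numbers. Only the choices an attacker
    cannot predict count, so it is log2 of the number of combinations."""
    return math.log2(base_words * punct_choices * number_choices)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to find a password of the given entropy by brute force:
    on average half the keyspace must be tried."""
    return (2 ** bits) / guesses_per_second / 2


def reused_passwords(entries: dict) -> dict:
    """Map each password used on more than one site to the sites sharing it.
    This is the reuse risk: one breached site exposes the others."""
    by_password: dict = {}
    for site, password in entries.items():
        by_password.setdefault(password, []).append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


def derive_vault_key(master_password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Stretch a master password into a 256-bit vault key. The iteration count
    makes every guess against a stolen vault cost that many hash operations;
    a strong master password multiplies that by a huge keyspace."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations)


if __name__ == "__main__":
    # Constructed sample entries (not real accounts) showing reuse across sites.
    sample_entries = {
        "email": "hunter2",
        "bank": "hunter2",
        "social": "correct-horse-battery",
        "shopping": generate_password(),
    }
    print("Reused:", reused_passwords(sample_entries))

    random_bits = entropy_bits(20, len(ALPHABET))
    scheme_bits = scheme_entropy_bits(base_words=3, punct_choices=4, number_choices=10)
    rate = 1e9  # assumed offline guess rate against a weak hash, for illustration
    print(f"Random 20-char password: {random_bits:.1f} bits, "
          f"{expected_crack_seconds(random_bits, rate):.3g} s expected")
    print(f"Tiered scheme:           {scheme_bits:.1f} bits, "
          f"{expected_crack_seconds(scheme_bits, rate):.3g} s expected")

    salt = secrets.token_bytes(16)
    print("Vault key:", derive_vault_key(generate_password(), salt).hex())
```

The point the numbers make is the one the post makes in prose: a scheme built from a handful of memorable pieces has only a few bits of entropy no matter how clever it looks, while a generated 20-character password is far beyond any feasible guessing budget, and only a manager can hold one of those per site.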

That’s what I finally decided after I read that a Russian hacking ring had 1.2 billion username/passwords. And even if many of those accounts are old and previously compromised, it was still sobering.

But It Will Complicate My Life!

I had resisted adopting a password manager because I was sure it would make my life more complicated. It is another piece of software to deal with, and what happens if I’m stranded on a desert island and a notebook computer washes up on the beach and I want to log into Gmail and I have internet but not my password manager? I’m much better off in that case if I memorized my password!

But then I realized I had already been using a password manager. A cruddy one. The one built into the browser (that saves passwords for you). I realized this when I borrowed my wife’s iPad to check my email while on vacation. I realized I had forgotten my password. My scheme had broken down. My password was stored (in browser data) on devices not with me. I had all the downside of using a password manager (depending on it), without the upsides of a good one (security and ubiquity).

So my life was already complicated. And maybe a good password manager would make it simpler.

But I Already Use a Password Manager (sort of)

As I said above, I was using a manager of passwords of sorts already. Many folks are already using some form of ad-hoc password manager.

For example some people write down passwords in a little book and store that at home. This is actually not that bad — assuming this enables you to use strong passwords and you don’t carry that book in your laptop bag! But it is not necessarily convenient, nor ubiquitous.

Others use the browser’s “save my password” capability. Again, not too bad as long as you are encrypting those with a master password (which many folks don’t do).

And others might use something like Apple’s iCloud Keychain or Firefox Sync.

But many of these solutions have shortcomings or limitations. The most common limitation is lack of ubiquity. I want my passwords available on all my devices, regardless of platform, and on any browser. I would also prefer that my passwords be managed by software whose only job is to securely manage my passwords and by a company whose entire business is based on helping me securely manage my data.

So I Took The Plunge

So I decided to take the plunge. But which one? There are a number of options.

I decided to limit my choices to the two most popular: LastPass and 1Password. My plan was to try one for a couple of weeks, and then the other. I picked 1Password first because, believe it or not, I liked their video. And after a week I was hooked, and never got around to trying LastPass. What I like about 1Password:

  1. Their engineering effort is focused on making their password repository (they call it a vault) impenetrable. They assume the worst — that bad guys are going to somehow get a hold of your vault. And they have engineered the encryption so that if you pick a strong master password, then a 1Password vault is practically uncrackable (everything is theoretically crackable given enough time, horsepower and luck).
  2. They do not provide a web service. Unlike LastPass, 1Password is not a service. It interacts directly with the vault on your local system. You are guaranteed that your password and keys never go to a 1Password server, because there are no 1Password servers. Because of this they have reduced their attack surface area, which means they have been able to avoid an entire category of attacks. It also makes the system easy to understand. Update: 1Password now offers the 1Password for Families and 1Password for Teams services, which are hosted services.
  3. You choose how to synch your vault between multiple devices. You can do it by manually copying files around, or by local synch over wifi, or by Dropbox or iCloud. Your choice. You are not forced to use a 1Password service for this, because there is none!
  4. You can store any useful info you want in your vault. Not just passwords. Bank account info, social security numbers, PINs for ATM cards, etc. You can even attach files — for example I have scans of our passports stored in the vault. It provides a secure, convenient place to store important information.
  5. Ubiquity. I have access to my vault on all my devices. I never have to worry about forgetting a password. When signing up for a new service I don’t have that extra burden of deciding what password to use and how to remember it. I also have access to other info I keep in the vault.
  6. Their website and blogs have great information provided in a simple, transparent, easy to understand fashion.

That said, I have also heard many good things about LastPass. While they did have a vulnerability (and to be fair 1Password had a design flaw) it was fixed almost immediately. They also have some interesting features, like the ability to share accounts while keeping the password hidden.

The point of this post is not to sell folks on 1Password, but on using a password manager, and to share my experiences.

But What About All Your Eggs in One Basket?

Yes, this is a concern. If all my secrets are in my vault, then I’m screwed if somebody cracks my vault. Some thoughts on that:

  1. Pick a strong basket. I am trusting AgileBits (makers of 1Password) to make a strong vault. I have given them that trust based on research I’ve done, their clear and transparent documentation/blogs, and the fact that the survival of their company solely depends on them providing a safe and secure password store.
  2. Pick a strong master password. This is huge. Adopting any solution is dangerous if you don’t encrypt your data with a strong master password.
  3. The practical dangers of poor password hygiene outweigh the theoretical dangers of using a good password manager. It is far more likely my accounts will be compromised from weak passwords or some other hack than from somebody compromising my vault. It is so much easier to use social engineering or exploit web vulnerabilities (that seem to show up monthly!) than to crack a well encrypted data store.
  4. I have no choice. At this time I don’t see a better solution. We are stuck with passwords (and password managers) — for now at least.

My Adoption

The good thing about adopting a password manager is that you can take it a step at a time. You don’t have to change your passwords until you are comfortable using the password manager. Here were the phases of my adoption.

  1. Pick a master password. This is the most important step, and AgileBits has a good blog posting on it.
  2. Install on my home Mac and import passwords from Firefox. BTW, this import step is cumbersome for 1Password at the moment — I expect they will improve that. I had to install a plugin into Firefox to export my passwords into a comma-separated value (CSV) file. Then edit that file to match 1Password’s CSV schema, then use the 1Password import operation to import it.
  3. Use the 1Password app to clean up my stored passwords since there was lots of cruft that had built up over the years.
  4. Install the 1Password browser plugins and experiment with the browser integration.
  5. Turn off having my browser remember passwords.
  6. So at this point I’m fully using 1Password on one machine. I used it for a few days until I was comfortable with it.
  7. Then I installed it on my laptop and synched the vault.
  8. Erased all “saved passwords” from the browsers I was using.
  9. Then purchased the app for our iPads and iPhones and set that up.
  10. Started changing passwords on web sites to be random strings. 1Password has a password generator to help you with that.

And now after using it for over a month I can say I love it. And it has actually simplified my life, not made it more complicated.

Update: One Year Later

We (my wife and I) have been using 1Password for over a year now. One of my early concerns was that a password manager would complicate things, but exactly the opposite has happened. A good password manager simplifies your life! How? Let me count the ways:

  1. Never forget a password again. No more racking your brain to remember a password for a little used site. Or going through the hassle of a password reset.
  2. New site? New password? No problem. Signing up or registering at a new site no longer has that extra burden of deciding what password to use. Just generate one with your password manager and it remembers it for you.
  3. Peace of mind. We made sure all of our critical sites now have unique, secure, random passwords.
  4. Securely sharing passwords. My wife and I share a vault. No more coordinating on passwords. If something happens to me she has peace of mind that she knows the location of our accounts and can access them.
  5. Safe place to store information. In addition to passwords we store other sensitive information in our vault. Really handy. No longer wonder where you should write down this type of stuff — just put it in your vault.
  6. Helps recovery when something does go wrong. My wife succumbed to a phishing attack and potentially exposed one of her passwords. Because we used a password manager, the number of sites where she re-used that password was limited. And with the password manager we could quickly find all sites where she used that password or similar ones (so we could change them). So we were able to recover from this much more easily and more safely than if we had not been using a password manager.
  7. Reduces brain clutter. By taking a task that our brains are bad at (creating and remembering random strings of information) and turning it over to software that is much better at it — we have freed ourselves of mental clutter.
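The CSV import step in my adoption list and the phishing recovery above both boil down to auditing a pile of saved logins. Here is an added example of that audit (my own illustration, not AgileBits code and not 1Password’s real CSV schema): it parses a constructed saved-passwords export, groups sites by password and by near-variants of it, flags passwords whose length and randomness look too low, and draws random replacements. The column names, the sample rows and the 60-bit cutoff are all assumptions.

```python
import csv
import io
import math
import re
import secrets
import string
from collections import defaultdict

# Constructed sample of a browser "saved passwords" export. The column names
# are hypothetical, not the real Firefox or 1Password CSV layout.
SAMPLE_CSV = """site,username,password
bank.example,alice,Tr0ub4dor&3
mail.example,alice,Tr0ub4dor&3
shop.example,alice,Tr0ub4dor&4
forum.example,alice,correcthorse
news.example,alice,N8v!qZ2pL#k4sWx9
"""

ALPHABET = string.ascii_letters + string.digits + string.punctuation
CLASSES = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 32)]


def estimate_bits(password):
    """Optimistic strength estimate: length * log2(pool of character classes used).
    It scores the password as if it were random, so a human scheme rates too high;
    a low score is therefore certainly weak."""
    if not password:
        return 0.0
    pool = sum(size for pattern, size in CLASSES if re.search(pattern, password))
    return len(password) * math.log2(pool)


def normalize(password):
    """Fold "similar" variants (case changes, a bumped trailing digit or symbol)
    onto one key so near-reuse across sites is grouped together."""
    return re.sub(r"[\d\W]+$", "", password).lower()


def audit(csv_text, min_bits=60):
    """Return (reused, weak): sites grouped by normalized password where more than
    one site shares it, and sites below min_bits (60 is an assumed cutoff)."""
    groups, weak = defaultdict(list), []
    for row in csv.DictReader(io.StringIO(csv_text)):
        groups[normalize(row["password"])].append(row["site"])
        if estimate_bits(row["password"]) < min_bits:
            weak.append(row["site"])
    return {k: s for k, s in groups.items() if len(s) > 1}, weak


def generate_password(length=20):
    """Random replacement from the full printable set, via the secrets module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))
```

Running `audit(SAMPLE_CSV)` groups the three `Tr0ub4dor` variants together and flags the lowercase-only forum password; each flagged site gets a fresh `generate_password()` value.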