club_cafe
Strong Passwords
+1 vote for 1Password. 
(Yes, they have a free trial!)

1Password (from AgileBits) is an awesome tool. Very easy to get started, and once you get used to knowing that you have a safe place to find all your passwords, usernames, safe combos, credit card numbers, software install codes, and other important bits of personal data, you'll feel a peaceful easy feeling. 

As a computer consultant for 20+ years, I have to securely, safely & quickly manage over 3,000 passwords, alarm codes, safe combos, credit cards, and other secret bits, many of which do not belong to me. I plan to NEVER need to apologize to a client for mishandling their secret passwords or alarm codes. 

I have tried several password managers, and I have used 1Password for well over 10 years. It really is great. Easy to use, safe & includes a bunch of advanced features you can get into later if you want to. Including encrypted cloud backup which is fantastic if anything happens to your phone or computer. 

To address your concern: "What if someone gets into my password manager, then they have my everything?"

I do recommend using a sort of long password for the 1Password app, to prevent someone ever cracking into that. It is the "1 Password" that you do need to memorize. But the bad guys would have to first break into either my DropBox or my iCloud, or get hands-on access to my phone or computer before they can even begin to start guessing passwords. It's the very unlikely event that is necessary before the other very unlikely event can even begin. 

So I'm saying that if you have a good password for your password manager, then having a password manager (like 1Password) is far far better & safer than not using a password manager. It's important to focus on the actual risks without ignoring the other risks & costs. If you are not using a password manager you may be doing some risky behavior in the name of "simplicity". Such as reusing passwords, or writing them down somewhere that is not as safe as you think it is. Or only writing down the password, neglecting the username, website URL, or security questions. Yes, modern life can be crazy. 

And losing your simple password list is a danger too! Especially since it is not encrypted as a good password manager would do. Not only do you need to worry about bad guys getting your passwords, you need to be concerned about you not having all your passwords. There are many perils: burglars, internet hackers, fire, flood, pandemic. A quality password manager does greatly mitigate the risk of all of those. 

And of course, some best practices: 
Definitely use a different username and password for every different thing. 
Passwords longer than 13 characters are better. Even longer is even better. 
Store your password in a safe format (encrypted). 
Use quality tools that help you work better, stay organized & calm. 
Remember that email is the master key to all your other stuff. So protect & change your email password occasionally. 

Remember to only download software from the correct website! Usually that is the software manufacturer's website. 

If you fail to plan, you plan to fail. 

Best,
Dave Nathanson


Thank you for all the info. Something I have been lax on and need to improve. 

On May 21, 2020, at 7:45 AM, Rob Nagler <nagler@bivio.biz> wrote:

Hi Pam,

> How secure is Apple's keychain?

When I want to understand "how secure" a product is, I ask some questions:

* Do they have a bug bounty program?
* How do they respond to public breaches?
* How is their record on reporting vulnerabilities?
* Is it open source? And, if so, is there an active community?
* How old is it?

You can search on these things. For example, there's a database of vulnerabilities that can be searched for apple keychain. There are a lot of vulnerabilities. The most recent vulnerability was reported in 2018. The technical details are not important, but you can see that "It allows local users to bypass intended restrictions on Keychain state modifications." That's not good. However, Apple responded quickly and publicly. That's a good thing.

Apple has an active bug bounty program. They have made significant payments. Another good thing.

Keychain is closed source so nobody can inspect the code to see if it has security flaws. All security research has to be done without inside knowledge.

Keychain has been around several decades. That means many of the bugs have been shaken out.

Comparing with KeePass, a search for KeePass has only a handful of vulnerabilities. The most recent "bypass" vulnerability was in 2016. The author responded quickly.

There is no bug bounty program. For open source software, that's not unusual.

It's open source, and they have an active community.

KeePass was initially released in 2003 so it is old enough.

To be fair to Keychain, it's a much more visible tool, because it is installed on every Mac and iPhone. Therefore, it's much more likely to be the subject of security research and attacks by black hats.

It's not much of an answer, I realize. Keychain is probably just fine for the general user who only has Apple devices.

One concern I have with Keychain is that it doesn't make it easy to generate unique passwords. It's not as integrated as independent password managers like KeePass and 1Password.

I hope this helps.

Cheers,
Rob
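One way to make Rob's "search the vulnerability database" check repeatable, as an added example that is not part of this thread: given a list of advisory records for a product, it answers three of his questions (how many, how recent, how fast the vendor fixed them). The records are constructed samples with placeholder IDs and dates, not real advisories.

```python
"""Triage a product's vulnerability history (added example, not from the thread).

SAMPLE_RECORDS are constructed in an NVD-like shape; the IDs, dates and
summaries are placeholders, not real advisories."""
from datetime import date
from statistics import median

# Constructed sample records: id, product, disclosure date, fix date (None if unfixed), summary
SAMPLE_RECORDS = [
    {"id": "EXAMPLE-0001", "product": "keychain", "disclosed": "2018-03-05",
     "fixed": "2018-03-12",
     "summary": "Allows local users to bypass intended restrictions on Keychain state modifications."},
    {"id": "EXAMPLE-0002", "product": "keychain", "disclosed": "2016-07-01",
     "fixed": "2016-09-10",
     "summary": "Memory corruption when parsing stored items."},
    {"id": "EXAMPLE-0003", "product": "keepass", "disclosed": "2016-02-14",
     "fixed": "2016-02-20",
     "summary": "Update check allows bypass of signature verification."},
    {"id": "EXAMPLE-0004", "product": "keepass", "disclosed": "2019-11-30",
     "fixed": None,
     "summary": "Disputed: requires local admin rights."},
]


def _days_between(start, end):
    """Whole days from one ISO date string to another."""
    return (date.fromisoformat(end) - date.fromisoformat(start)).days


def summarize(records, product):
    """Per-product scorecard: vuln count, year of the latest disclosure,
    how many are access-control 'bypass' issues, how many are still unfixed,
    and the median disclosure-to-fix time (the 'how do they respond' question)."""
    mine = [r for r in records if r["product"] == product]
    if not mine:
        return None
    fix_times = [_days_between(r["disclosed"], r["fixed"]) for r in mine if r["fixed"]]
    return {
        "count": len(mine),
        "latest_year": max(date.fromisoformat(r["disclosed"]).year for r in mine),
        "bypass_count": sum("bypass" in r["summary"].lower() for r in mine),
        "unfixed": sum(r["fixed"] is None for r in mine),
        "median_fix_days": median(fix_times) if fix_times else None,
    }


if __name__ == "__main__":
    for name in ("keychain", "keepass"):
        print(name, summarize(SAMPLE_RECORDS, name))
```

Swap SAMPLE_RECORDS for records exported from a real vulnerability database to apply the same scorecard to the products you are comparing.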