Embracing forgetfulness, or taking the pain out of passwords (Mac and iOS)
January 31, 2012
Change your password day falls February 1 (tomorrow, in other words), and it's a day as good as any other to add some beefy heft to your online security regimen. One thing to strongly consider, if you haven't done so already, is to apply unique passwords across all your log-ins. That might sound daunting, but tools now exist that make it unnecessary to remember a password again. Unfortunately, a lot of the password management software out there isn't as painless as it might be, with cluttered interfaces full of empty text fields asking for a wealth of unnecessary information. And often, they don't come cheap. But there is another, simpler way - one that involves encrypted text files and painless data-syncing.
Why unique passwords?
The problem with sharing passwords across different websites and services, is that your password (and also the data it protects) is only as secure as your weakest link in the chain. If your password is compromised for one, you have potentially handed over the keys for the whole lot. Some people use a hierarchy of passwords, according to how important and secure they deem the sites in question, and though this might reduce the risk, it does not eliminate it. And in any case, once one accepts the idea that they need never remember a password again, it's actually quicker and easier, at least in my experience, to manage 200 passwords than it is to manage seven or eight - it at least eliminates the two or three attempts it will sometimes take to recall just which of your memorized passwords it is you're reaching for. The guesswork is gone.
The problem with password management software
Unique passwords are great, but I also indicated that this would be painless. In my experience, password management software is anything but. If you're looking for a comparison of the password managers available, this isn't it: all the ones I have used are either expensive, flawed, or worse, both.
Agile Bits' 1Password seems to be the password management app attracting the plaudits at the moment, and doubtless the praise is deserved. But it costs a non-disposable US$49.99 and appears to add unnecessary complexity, if not over its direct rivals, then at least over the alternative. The ability to sort your log-ins into categories and to add all the possible fields of data that accompany every log-in might sound useful, but compared to the simple searchability and navigability of a text file, in my view the illusion of usefulness evaporates before your eyes.
It takes much longer to get data in and out compared to a text file, and the tasks of categorizing logins and noting down usernames, registration email addresses, postal addresses etc. is often unnecessary because that sort of information lives safely in your head. You're free to leave the fields blank, of course, but then you've forked out good money for a screen-filling app just to retrieve a single line of information at a time.
There's another way
With the assistance of a text editor that supports file encryption - my present choice is Password Pad for OSX and iOS - almost all of the pain of password management disappears. The paid version of the app employs Triple DES encryption, a method it shares with Microsoft's Outlook 2007. It should be noted that though Triple DES is mathematically less robust than AES encryption, it's thought to be sufficiently robust to withstand attacks from the technology available today (unlike DES). It's a caveat worth mentioning. The paid desktop version of Password Pad costs US$2.99 and the iOS app $1.99.
With the password file stored in Dropbox, I have a powerful, robust means of maintaining a nice, accessible list of passwords from both my Mac and my iPhone. A plain text file - obviously - lets you add as little or as much information per log-in as is needed, launches in an instant, and is completely searchable. Getting all my data out of it is as simple as selecting-all and hitting copy, and pasting it into my new encrypted text editor of choice. If you favor a text file over unnecessary task management and to-do list apps, the principle here is exactly the same.
How does it work on my Mac
Using a Mac, the trick to the speedy adding and retrieving of passwords from your encrypted file is to embrace Spotlight. Upon creation of a Password Pad .pwdp file, the app prompts you for a password to access the encrypted file. Once created, and filed away in your Dropbox folder, it's simply a matter of hitting command-space to activate Spotlight, and then typing the first few letters of the filename and pressing return. Go for a nice, unique file name just to avoid a cluttered confusion of Spotlight search returns. Enter the password to access your file and there are your passwords. Trust me, in action rather than word, that's much quicker and simpler than it sounds.
If you're anything like me, however, you'll have dozens of passwords, and scrolling up and down a long text file to find them is going to take time. Well, there are a few things to do to make this as painless as possible. The first thing to do is to alphabetize your log-in list by site name. The second is to extract your frequently-needed passwords and compile a shorter alphabetized list at the very top of the file. That way, they'll appear right on screen the moment you open the file. The final nugget of advice, for when retrieving those passwords buried a little deeper, is to just hit command-F to search the text file and start typing the site name - you'll jump right to the password you need. Once you have your password, it's simply a case of copying and pasting it wherever you need it. Again, this is much quicker in practice than it sounds, and considerably quicker than launching password management apps.
And on my iPhone?
The Password Pad iOS app stores a local cache of files on your iPhone, so you need only access Dropbox for your password file on rare occasions to send the latest copy of the file to the Password Pad app - otherwise the cache sitting right there in the app will do. Other than that, accessing passwords is much the same, except that instead of searching Password Pad for passwords, on an iPhone it's probably easier to free-wheel through the file with the assistance of iPhone's inertial navigation. There again, copy the password for pasting where need.
My only tip would be to be to consider the iPhone keyboard when choosing your master Password Pad password to access your passwords file. A nice secure password is, of course, desirable, but if you choose one that flits too fancifully between letters, numbers and symbols, you're adding a lot of screen tapping to access the file because of the need to switch between different iOS keyboards for letters, numbers and symbols.
Now when faced with a log-in screen, I'm only ever a few taps from copy-paste password nirvana. And there's no reason to limit the approach to log-in info. Since adopting Password Pad, I've maintained a file of the WiFi details of friends, family, local haunts - anywhere that has given me their password to access their network, just to avoid the hassle of asking again when I next visit.
If there's a caveat it is that, though there are other methods of syncing files across devices, this approach relies on Dropbox, so you have to be happy to store sensitive data on Dropbox's remote services, even if it is protected with 112-bit encryption. It's worth remember that some of the fully-fledged password manager apps also support or rely on Dropbox syncing to get your data to all devices. In the end, though, this is a decision for the user.
What about Windows?
The good news is that there a no shortage of text editors for Windows that support file encryption, and WindowsPhone apps are coming. WindowsPhone app Password Padlock ($0.99) appears to offer similar functionality to Password Pad, but without, it seems, the desktop equivalent.
Though strongly Mac-biassed, I do use a Windows PC on a regular basis, and those times I do need to log into sites, reaching for iPhone Password Pad and then manually typing in the password isn't much of a problem. Those that lead a truly platform-agnostic existence that are keen to embrace the maximum security that unique passwords offer may, for now, be forced to adopt a more hefty cross-platform manager such as 1Password, or to study advanced mnemonics in case there's an outside chance of actually memorizing all of them.
As ever, we're keen to hear from our readers for their password management tips and recommendations. There are bonus points for simplicity without compromising security.