Long ago, I hit the threshold where the number of accounts I had and needed passwords for exceeded my ability to remember them. I thought it reasonable, then, to have tiers of passwords:
- Banking and financial – alphanumeric, mixed-case, non-alpha characters. An unpronouncable base plus an unique addition for each institution.
- Shopping (where a credit card wasn’t attached to the account) – alphanumeric, mixed-case, non-alpha characters. There were three of these that I cycled through.
- Crap I don’t care about. Sites that force me to create a login to do something that I’m not likely to revisit ever. (Cough, like certain business-y Marketing Partnerships.) The password was alphanumeric, but kept to the lowest common denominator among the retarded password storage mechanisms. This password was shared.
I knew this wasn’t a good long-term strategy, but I didn’t do anything about it until Gawker was hacked late last year. I’m unaware of any specific incidences of personally being hacked, but certainly the nearly ubiquitous “we’re sorry, our system has been compromised, and you lose” messages caused concern. Like:
- Marketing firm Epsilon, which services brands like Marriott, JP Morgan Chase and others, had “a subset” of its vast email database exposed. This will no doubt lead to what’s known as spear phishing.
- Trip Advisor – March 2011 email addresses.
- A June 2001 software error left Dropbox accounts accessible to any password for four hours.
- WordPress‘ revision control system was broken into, leading to some dubious checkins of malware. This one sucked because people (like me) who were helping beta test the software automatically got the vulnerability.
I briefly considered using this idea recently recommended by XKCD:
|Was my password horseshitpasswordsystem or passwordsystemhorseshit?|
While it’s a cute idea, it won’t work with sites limiting password length or enforcing some site’s mandatory upper, numeric or nonalphanumeric characters. And it still requires one be able to remember a gazillion passwords or share passwords among accounts. Troy Hunt elaborates this very well.
Thus, I came around to realizing I needed a password manager. The requirements:
- Passwords should be sufficiently difficult to brute-force guess.
- Passwords must be unique across accounts.
- Support for multiple logins on each domain.
- Must run on my Macbook.
- Keychain is stored locally. (My motivation is to avoid connectivity problems and stuff like this.)
- Must be lightweight and unobtrusive. (I don’t want utilities sucking the life out of my machine.)
- Nice to have: runs on iPhone and Windows.
- Nice to have: Syncs with browsers.
My esteemed colleague John Chawner has raved about KeePass on his Windows machine. Unfortunately, the Mac version required Mono, which I was never able to get functioning on my Mac. Furthermore, the project seemed (again, at the time) to be inactive. (There was subsequent drama as Attachmate bought Novell’s assets, cut the Mono team, then allowed Mono’s lead a perpetual license. In his blog entry, he introduces his startup focusing on mobile .NET.) Keepass’ iPhone project was also coughing up blood. (Now, I see there is another, working iPhone product plus another soon to be submitted.)
The next tool I looked at was AgileBits’ “1password.” The trial version worked right away – easily saving me the time I spent fiddling with Mono — and they offered integration with all three browsers. There are versions available on Windows and iPhone.
Once I had selected a tool, I had to sort through the morass that was my accumulated browser history of passwords, some embarrassing. I went through each account and changed its password to something unique, savoring the perverse, geeky pleasure of pushing each site towards the longest, ugliest, randomest password it would handle… and not having to remember it.
There are still hiccups when the underlying site requesting the password is different from the one I’m browsing or the iPhone database gets out of sync. (The app auto syncs only I have my phone near the computer and both apps are running.) It seems a bit safer, though.