Long ago, I hit the threshold where the number of accounts I had and needed passwords for exceeded my ability to remember them. I thought it reasonable, then, to have tiers of passwords:
I knew this wasn’t a good long-term strategy, but I didn’t do anything about it until Gawker was hacked late last year. I’m unaware of any specific incidents of personally being hacked, but certainly the nearly ubiquitous “we’re sorry, our system has been compromised, and you lose” messages caused concern. Like:
I briefly considered using this idea recently recommended by XKCD:
Was my password horseshitpasswordsystem or passwordsystemhorseshit?
While it’s a cute idea, it won’t work with sites that limit password length or require uppercase, numeric or nonalphanumeric characters. And it still requires one to be able to remember a gazillion passwords or share passwords among accounts. Troy Hunt elaborates on this very well.
Thus, I came around to realizing I needed a password manager. The requirements:
My esteemed colleague John Chawner has raved about KeePass on his Windows machine. Unfortunately, the Mac version required Mono, which I was never able to get functioning on my Mac. Furthermore, the project seemed (again, at the time) to be inactive. (There was subsequent drama as Attachmate bought Novell’s assets, cut the Mono team, then allowed Mono’s lead a perpetual license. In his blog entry, he introduces his startup focusing on mobile .NET.) KeePass’ iPhone project was also coughing up blood. (Now, I see there is another, working iPhone product plus another soon to be submitted.)
The next tool I looked at was AgileBits’ “1Password.” The trial version worked right away – easily saving me the time I spent fiddling with Mono – and they offered integration with all three browsers. There are versions available on Windows and iPhone.
Once I had selected a tool, I had to sort through the morass that was my accumulated browser history of passwords, some embarrassing. I went through each account and changed its password to something unique, savoring the perverse, geeky pleasure of pushing each site towards the longest, ugliest, randomest password it would handle… and not having to remember it.
There are still hiccups when the underlying site requesting the password is different from the one I’m browsing or the iPhone database gets out of sync. (The app auto-syncs only when I have my phone near the computer and both apps are running.) It seems a bit safer, though.