Security Notes: Manage Your Passwords With 1Passwd
In our ongoing look at password security, this week we take a look at an application for Macs.
Last week, I wrote about Password Composer, a handy tool for creating a kind of do-it-yourself single sign-on for Web sites.
To recap: Password Composer uses a strong root or master password in combination with the domain name of the site you're logging into and produces a password unique to that site using encryption techniques that make it impossible to discern your master password. A simple bookmarklet or Greasemonkey script can recall the unique password using the original master password. Using Password Composer, users get both the security of multiple, strong passwords for all their Web identities, and the convenience of remembering just one password.
This week, we'll take a look at an application for Macs: 1Passwd from Agile Web Solutions takes a different approach to the same problem password proliferation poses, and leverages some key pieces of Mac technology to do its work.
One solution people use to get around the problems caused by having too many passwords involves taking advantage of a common feature in browsers: remembering passwords for later.
That feature is implemented at varying levels of security: Some implementations simply save the password and username combination, others (like Firefox) offer the opportunity to lock the user's list of passwords and usernames behind a master password.
There are a few problems with this approach:
1Passwd addresses these problems by relieving browsers of the duty of remembering passwords and handling that itself in conjunction with Apple's Keychain. It also generates strong passwords, stores user identity information to help fill out forms, and it provides a secure note-taking facility.
The 1Passwd application installs a browser plugin. It currently supports Safari, Firefox, Camino, OmniWeb, Flock and DevonAgent.
At installation, 1Passwd prompts for a master password that should be very secure.
It's able to import stored passwords from the browsers it works with as well as a number of other password manager applications, such as SplashID and Roboforms.
Once you've imported your passwords into 1Passwd, you should turn off password saving and autofill in your browsers and purge their password records.
From that point forward, 1Passwd steps in when it detects a form and offers to save the login information. It stores that information in a Mac Keychain that, by default, locks automatically if the computer is idle for more than 60 minutes, or if it sleeps.
There are a few convenience features built-in to the password saving process: Users can opt to be presented with an option to name the password (which is useful with the many pages that have somewhat obscure names for signon pages and HTTP Authentication realms), and users can opt to override 1Passwd for HTTP Authentication in favor of their browser.
1Passwd can also provide a secure password during registration at a site with its Strong Password Generator. The nice thing about the generator is its customizability: Users can tell it how long the password can or must be; how many letters, numbers or punctuation characters it must contain; and whether or not to avoid potentially ambiguous characters like "0" and "O" in the password it generates.
Recalling passwords is simple: 1Passwd can automatically submit forms when it comes across a site it can fill out automatically (Autosubmit) or it can be invoked with a keystroke ( ⌘ \ ) in cases where it can't.
The latter case pops up with unfortunate frequency in cases where one might have multiple logins under the same domain. For instance, a user who has logins at webmail.foo.com, a blog login at blog.foo.com and an HTTP Authentication signon at dev.foo.com won't get the benefit of Autosubmit because 1Passwd takes a conservative approach to guessing which identity to use. It does, however, offer a useful visual guide to which password it thinks is the most likely to work in the form of red bars next to each choice. The more bars a choice has, the more closely it matches the form 1Passwd remembers saving.
Managing passwords is also pretty easy: 1Passwd provides an easily searchable list organized either by domain name or the name the user assigned when the form was first saved. It's possible to change autosubmit settings, which URLs match the password, and which values go in a field. Passwords can also be organized into folders.
Password entries also include a menu that permits the user to "Go and Fill," which opens the saved form in the user's browser, or "Copy Go & Fill Link," which copies the appropriate link to the user's clipboard for use in a browser besides the current default, or to create a "Go and Fill" bookmark for use right from the browser.
Managing Identities1Passwd also has facilities for remembering form data outside user names and passwords. It calls this stored information "identities," and provides fields for a number of pieces of data: Basic name and address information, a reminder question & answer, e-mail address, numerous instant messaging handles, forum signatures, phone numbers, social security, driver's license and credit card information (number, expiration date, security code).
1Passwd remembers multiple identities. That makes it possible to fill out forms appropriate to a given situation quickly: A work identity might use an office phone, work e-mail address and work IM handle. A formal personal identity might store the name, e-mail address and information you'd want to use if you were filling out an application. An informal identity might use your nickname instead of your given name and provide a less important e-mail address or IM handle for site registrations.
Once an identity is created, it can be recalled to fill out a form with a single keystroke ( ⌘ ⌥ 1-9 )
All this information is stored in the 1Passwd keychain, so it's encrypted and somewhat secure if you mind your keychain security.
ExtrasAt the top of the column, I mentioned that 1Passwd could help get around the problem of using multiple computers. It handles that in two ways: One's good for .Mac users and the other's good for cross-platform or non-.Mac users who own a PalmOS-based organizer.
For .Mac users, the 1Passwd Keychain can be synced among computers. It's an option under the Keychain Settings window in 1Passwd's configuration.
For Palm & Treo users, there's 1Passwd Reader for Palm, a $12.95 extra that stores 1Passwd data in the device for recall away from a Mac. I don't have a Palm, so I can't speak to how effective or secure it is, but, like 1Passwd, it's available for trial download.
Finally, there's the overall issue of Keychain security: By creating a convenient, automatic mechanism for recalling passwords, 1Passwd's convenience involves some increased danger.
If you're frequently away from your computer and it's in an area where others could use it without your knowledge, none of the security Keychain provides does much good. In those cases, make sure the idle interval at which 1Passwd will lock the keychain is short.
You can also consider going to the Security settings in System Preferences and setting the option to require a password to restore the computer from its screensaver. Combined with an Active Screen Corner setting in the Dashboard & Exposé preferences, you can activate the screensaver and secure your computer with a flick of your wrist.Add to del.icio.us | DiggThis
For more help, don't forget to try one of our PracticallyNetworked Forums.
|Home | Networking | Backgrounders | Internet Sharing | Security | HowTo | Troubleshooting | Reviews | News | About | Jobs | Tools | Forums|