Whether it's a password policy that says you need 8 to 14 characters with a capital letter and a number, but no symbols, or a policy that changes it every 20 days, or a policy that requires 10 letters, 2 numerals, a soundtrack and a plot, managing passwords can be ridiculous.
But there's a reason we need to get better at passwords: We are human. We are weak. We use the same username, email address, and password repeatedly. The most commonly used password is, well, "password."
In addition, major companies like Adobe and Sony have been hacked and user passwords have been stolen. From these breaches, take away some good practices:
- Never use the same password in two places.
- Never save your credit card, address or other personal information if possible.
This is where 1Password comes in. 1Password is a Mac, iOS, Windows, and Android application. It's a password locker, generator, and, new in version 4, an auditor.
At its simplest, 1Password offers to store passwords as they are entered into websites. It will then allow you to autofill them on subsequent login attempts using Cmd-\ as a keyboard shortcut. It uses either a browser plug-in or a menu bar application, 1Password Mini, to autofill the username and password. It will recognize the username and password needed for the page, but also allows searching of all saved passwords.
But 1Password is a little better than just a password locker. It generates passwords that comply with the various absurd requirements, fills in the fields as you're creating web page accounts, and saves them for you all in a few short steps.
It also saves credit card information, logins (similar to passwords), identities containing address information for easy autofill, secure notes, and other categories (bank accounts, social security numbers, reward program numbers, licenses, and more).
And new in version 4 is the ability to create 'vaults' so users can store account logins and passwords in contexts, such as a "work" vault, a "parents" vault, and so on.
How can this be secure?
Users are required to essentially trust their digital life to this application and its data file. How can it be trusted? Because AgileBits, makers of 1Password, are using good encryption.
1Password uses AES-256 authenticated encryption and PBKDF2 calibration. AES-256 uses long keys that are difficult to attack and tough to derive. PBKDF2 is used to slow down attempts to crack the master password that secures the 1Password data.
That's glossing over the math, but it is safe to say that AES-256 is quite difficult to attack. Securing the metadata, the information around the login, is also important: item titles and URLs are now always encrypted.
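To make the PBKDF2 point concrete, here is an added sketch (not AgileBits' code and not 1Password's file format) that calibrates an iteration count to the local machine, derives a 256-bit key from the master password, and shows that every wrong guess pays the full derivation cost. The hash choice, salt size, header layout and the HMAC check value standing in for the authentication tag are assumptions of this example; AES itself is left out because it is not in the Python standard library.

```python
import hashlib
import hmac
import os
import time

HASH = "sha512"               # assumption of this sketch; the review names no hash
CHECK_LABEL = b"vault-check"  # hypothetical label for the stand-in integrity tag


def calibrate_iterations(target_seconds=0.1, probe=20_000, floor=10_000):
    """Choose an iteration count so one derivation costs about target_seconds here."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac(HASH, b"probe", b"\x00" * 16, probe, dklen=32)
    elapsed = time.perf_counter() - start
    return max(floor, int(probe * target_seconds / elapsed))


def derive_key(master_password, salt, iterations):
    """Stretch the master password into a 256-bit key (the size AES-256 needs)."""
    return hashlib.pbkdf2_hmac(HASH, master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def _tag(key):
    # Stand-in for the authentication tag of real authenticated encryption.
    return hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()


def new_vault_header(master_password, iterations):
    """Create the public parameters stored next to the encrypted data."""
    salt = os.urandom(16)  # random per vault, so precomputed tables are useless
    return {"salt": salt, "iterations": iterations,
            "tag": _tag(derive_key(master_password, salt, iterations))}


def unlock(header, guess):
    """Return the key if the guess is right, else None. Every guess pays full cost."""
    key = derive_key(guess, header["salt"], header["iterations"])
    return key if hmac.compare_digest(_tag(key), header["tag"]) else None


if __name__ == "__main__":
    n = calibrate_iterations()
    header = new_vault_header("correct horse battery staple", n)  # constructed sample
    t0 = time.perf_counter()
    assert unlock(header, "password") is None
    per_guess = time.perf_counter() - t0
    print(f"{n} iterations, {per_guess:.3f}s per guess, "
          f"{int(86400 / per_guess)} guesses/day per core")
```

Calibration keeps the unlock delay tolerable for the legitimate user while multiplying the cost of every offline guess; it does not rescue a master password that appears near the top of a guessing list.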
How does 1Password assist in correcting a user's bad habits?
1Password does two things:
- Password generation. You can use the application, browser plug-in, or menu bar mini-app to create and auto-fill a strong password that complies with the requirements of the site (mixed case, numerals, hyphens, and password length). It's appreciated that they've also made "pronounceable" an option, which occasionally helps with remembering passwords.
- For password generation, it does NOT create long passwords made of multiple words. These are desirable because they're also human-memorable.
To help manage existing passwords better, the 1Password window has a series of filters that display accounts consisting of weak passwords, duplicate passwords, and date ranges on passwords for those between 6 and 12 months old, 1 and 3 years old, and more than 3 years old.
Admittedly, we had to spend some time and go through resetting passwords to clean up the bulk of old, duplicate weak passwords. But 1Password does a good job of making users aware of their bad habits.
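The audit filters described above (weak, duplicate, and aged passwords) can be expressed in a few lines. This is an added example over a constructed vault, not 1Password's implementation; the weakness rule, the day thresholds used for the age ranges, and the item field names are assumptions.

```python
from collections import defaultdict
from datetime import date

COMMON = {"password", "123456", "qwerty", "letmein"}  # constructed short list


def is_weak(password):
    """Assumed rule for this sketch: common, shorter than 10, or one character class."""
    classes = [any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password)]
    return password.lower() in COMMON or len(password) < 10 or sum(classes) < 2


def age_bucket(changed, today):
    """Map a last-changed date onto the age ranges named in the review."""
    days = (today - changed).days
    if days > 3 * 365:
        return "more than 3 years"
    if days > 365:
        return "1-3 years"
    if days > 182:
        return "6-12 months"
    return None


def audit(items, today):
    """Return titles only; the report never repeats a stored password."""
    by_password = defaultdict(list)
    for item in items:
        by_password[item["password"]].append(item["title"])
    return {
        "weak": sorted(i["title"] for i in items if is_weak(i["password"])),
        "duplicate": sorted(sorted(t) for t in by_password.values() if len(t) > 1),
        "aged": {i["title"]: b for i in items
                 if (b := age_bucket(i["changed"], today))},
    }


# Constructed sample vault, not real credentials.
VAULT = [
    {"title": "Forum", "password": "password", "changed": date(2009, 5, 1)},
    {"title": "Shop", "password": "Tr0ub4dor&3x!", "changed": date(2012, 6, 15)},
    {"title": "Mail", "password": "Tr0ub4dor&3x!", "changed": date(2013, 3, 1)},
    {"title": "Bank", "password": "v9#Lq2!mZx7@Rw", "changed": date(2013, 10, 1)},
]
```

Note that a password can be strong and still flagged: the Shop and Mail entries pass the weakness rule but share one password, which is exactly the reuse the breach advice earlier warns against.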
1Password syncs the encrypted password store, and can sync it to the cloud. All versions of 1Password v4 for Mac sync to Dropbox. The Mac App Store version syncs to iCloud as well. However, the Mac App Store does not allow upgrade pricing from earlier versions, so users should decide whether they need iCloud syncing, and whether they prefer purchasing from the Mac App Store or directly from Agilebits.com.
A Word on Mavericks
OS X 10.9 Mavericks includes a new feature called iCloud Keychain, where Safari will suggest a password and track it, syncing to iOS. However, its password generation and organization are much simpler, taking away options 1Password provides, and it notably works only on Apple iOS 7 and Mavericks.
In short, Apple's solution is good, and it encourages Apple users to use good passwords almost by default, but 1Password is much more flexible: data isn't tied to iCloud, isn't tied to Apple products only, and doesn't have to be synchronized over Wi-Fi. 1Password will also allow synchronization over USB, which means users can still have passwords on iOS without having to store them on Dropbox or iCloud.
Score: 4 out of 5
- Strong password generation
- Synchronization of encrypted password file
- Easy password form filling to login
- Doesn't create any diceware-style passwords.
- Due to the awkward way some websites ask for the password on a separate page from the username, 1Password will occasionally save only the password and not the username to its locker.
$39.99 from Agilebits.com and the Mac App Store for a limited time.