Rethinking Passwords

Until a few days ago, I was the cautionary tale; everyone told my story leading up to a punch line in which some unfortunate schmuck lost everything after a malevolent hacker gained access to one of his online services. Despite his best efforts, an obscure — or not so obscure, ahem Heartbleed — security breach had given an attacker access to one of this poor individual’s passwords, and although he had selected lengthy combinations and varied them slightly from service to service, they ultimately remained only marginally different; he had to keep them all straight in his head, after all, and so after the initial break-in, determining the appropriate combinations to everything else from Gmail to bank accounts proved relatively easy for his malign attacker. Thankfully, it never actually got as far for me as it did for our hypothetical Job. It could have, though, and that realization has weighed heavily on me for quite some time now.

Although I had taken a step in the right direction a few months ago when I began using iCloud Keychain to generate strong, randomized passwords that my Apple devices could, theoretically, keep track of for me, I never quite felt satisfied with this solution. Not only did Safari often fail to properly recognize and populate the appropriate fields both when logging in to existing accounts and creating new ones on my Mac, but Mobile Safari supported this key feature even less: it proved incapable of generating passwords when creating new accounts on my iPhone, and also rarely remembered to fill in the complex combinations of letters, numbers, and symbols it had previously generated for me when I wanted to use a service for which I already had an account. Having handed every aspect of my password management over to Apple in exchange for the promise of greater security and a streamlined user experience, I found this inability to manage and use my passwords consistently completely unacceptable.

And then, as if to add further insult to injury, iCloud Keychain completely owned my passwords. If I had for some reason become unable to use my Mac, whether through my own fault or another’s, I would have had no way to recover or even access this information, let alone the accounts and services it unlocked: iOS had proven next to useless for this task, and short of a full-disk backup — a great thing to have on standby in its own right, but not as the sole solution for recovering my Gmail password — I had no feasible alternatives. I would have lost Twitter, Instapaper, Feed Wrangler, and every other online service I spend hours with every single day. And unable to open my email, I would have been able to do absolutely nothing about it. Needless to say, this made me extremely uncomfortable, and so a few days ago, at around nine o’clock at night, I decided to do something about it.

Ever since I can remember, I have heard and seen ads for 1Password all over the place: during all the best podcasts, and on nearly every one of my favorite websites, everyone whose opinion I respect seems to hold this program in incredibly high esteem. And so, looking to drastically improve the sad state of my password management system, I decided to give the critically acclaimed application a try. $33.98 and two hours later, I had 1Password on both my Mac and iPhone, and was well on my long journey of changing all my passwords; by the following afternoon, I had 1Password set up to work with every online service I used regularly, and had changed every one of those passwords in the process.

Less than twenty-four hours had elapsed between my overdue acknowledgment of my lacking security precautions and my fixing the situation. Less than twenty-four hours, just over thirty dollars, and such a minor expenditure of effort that I feel embarrassed I did not deign to set this up earlier. For peace of mind and security that I no longer have to fret over every time a massive data leak occurs, those were well worth the price.