Password security
Posted 28th November 2013 in Security and Website admin
Road trips are exciting. When I was wee, we made the long trip from Glasgow down to North-East England to visit my cousins three or four times a year.
My uncle had an estate car and we were regularly ferried around to theme parks, the beach and swimming baths in it. There were nine of us in total and the mums and dads and the eldest of my cousins would be safely seat-belted up in the front and back seats. The four youngest of us were piled into the big, open boot.
Fast forward to now and we have a completely different setup. Children are (rightly) strapped into car seats that are in turn attached to the car’s chassis. Compared to the '80s, it’s a total pain to take my two-and-a-half-year-old daughter anywhere in the car: wrestling her into the seat and convincing her to stop struggling so that I can clip the five-point harness together.
But, of course, there is a very good reason that we all have to do this: safety.
So what’s that got to do with passwords?
I should probably explain what 1Password actually is, shouldn’t I!? Basically, it’s a password manager. You add each of your online accounts to a list and generate a unique, ridiculously long (and therefore secure) password. The long and short is, it’s a bit more of a pain to use but the security benefits and peace of mind are more than worth it! See where I was going with the seatbelt analogy now?
Before I go any further, I should probably point out that I have no affiliation with 1Password.
The way I used to work
I used to have three passwords that I used for pretty much everything:
- a longer one for higher security log ins like Internet banking
- a normal password that was quite easy to type for things I used regularly like Twitter
- a short, easy to remember password for services I’d sign up to but not know if I’d use very often
These passwords didn’t change very often. I always knew it was good practice to update my passwords regularly but it was always a real chore to remember all of the services I had to change the passwords for, log in and change the password. On top of that, I had to dream up 3 new memorable passwords…
What 1Password does differently
You have one password that you use to log into 1Password. The app contains details of every login that you’ve entered (usernames, passwords, etc.), which can be copied and pasted to a login form or configured to automatically fill in the forms for you.
This means that every login can (and should) have its own hard-to-crack password. These are generally something ridiculously long and pretty much impossible to remember. The generator will usually kick out something as unintelligible as this: UjgJ7mygH/NQ$ccC4yJGnDm, only usually much longer!
The information in your 1Password account can sync across all of your devices via iCloud (if you’re an all-Apple customer) or Dropbox. So if you add a new password on your Android device and then need it on your Mac, it’ll be there when you open the app!
Convince me
So that sounds great, but there were plenty of factors that were getting in the way of my investing in 1Password…
Changes are hard
So the first obstacle I encountered was the whole ‘familiarity versus change’ thing – I’d been doing the same thing for a very long time and changing the way I approached passwords felt like a lot of work and a bit of a learning curve.
Seems like a lot to do
I’m quite a busy person and it felt like it would be a mammoth task to move from my previous ‘one or two passwords fit all’ routine to using 1Password and having a password for every individual account I used.
It’s true that remembering where I had accounts, logging into each one and generating a new, secure password would have been a huge undertaking. Instead, I decided to make my changes on a gradual basis, resetting passwords one by one as I used each account.
It’s not free
Every great product has to have some way of making money otherwise it won’t be around long. Some companies, like Apple, make their money by selling products, others like Facebook and Google sell their users’ data to advertisers, others like Evernote or Dropbox rely on their users paying monthly or yearly subscriptions. 1Password charge a one-off fee for the purchase of their software.
It was going to set me back £50 for the apps I needed…
So what happened?
In the months leading up to moving to 1Password I had, by chance, encountered a few interesting articles on Twitter and through RSS feeds. This one from XKCD was one of them; it basically says “changing it to a few unconnected words will mean your password takes something like 550 years longer to crack”, by which point you probably won’t care very much anyway!
There were a few other factors that led to me taking the plunge…
Responsibility to my clients
Even though I had personally never had an account hacked, signing up to the Data Protection Act means I have a legal (if not already moral) responsibility to keep my clients’ details as safe as possible.
It’s necessary for me to keep not just contact information but login details of all kinds, so that I can edit and maintain my clients’ websites, domain names, etc. Sensitive stuff that deserves to be as protected as possible!
Unexpected surprises are not good for business
If one of my accounts were to be compromised I would have to down tools and change all accounts that had that password or contained other passwords in order to keep further accounts from being broken into.
This would be a time-consuming (not to mention stressful) activity that would take me away from normal client work, meaning my cash flow might take a hit and deadlines could be missed. My reputation would also be called into question – I am very careful with client details and equally true to working deadlines.
Weighing up the potential loss while I picked up the pieces of a hack against the cost of the apps made the decision a lot easier.
The final straw?
In fairly quick succession I received spam emails from a family member and a client’s personal mailbox. Their email accounts had been hacked, which meant their passwords were known by a third party. They had to list and log into every account they used and reset each and every password before any other accounts were broken into (and, unfortunately, one or two had already been).
I’ve since known people who have had their accounts hacked and their passwords changed so that they can no longer log into the account. Scary stuff.
Enough messing about
All things considered, I gladly purchased their apps for both iOS (iPhone and iPad) and Mac. (The 1Password app is also available for Android and Windows so there’s probably a version for you out there.)
Set some time aside
After buying the apps, the next few evenings were spent brainstorming and adding all of my existing usernames and passwords to my 1Password database.
I then went through them all systematically and changed the passwords in each and every account until they were all unique and hard to guess.
One thing to mention is that it was by no means comprehensive – just the other night I used eBay for the first time in months and realised I still had an old-style password associated with it. It was quickly fixed!
Workflow changes
As I mentioned, things are a bit different now, but it quickly becomes second nature. And the 1Password apps are pretty cleverly put together and offer lots of help along the way!
Signing up
Signing up for a new account now is a little bit lengthier a process than it used to be as I add the new account to 1Password first, generate a unique password and head back to the website to finish the sign-up.
Logging in
Logging into an account on the web is actually easier now on my desktop computer – click the little key icon on my browser (these browser extensions are a cinch to install) and enter my master password (if I’m not already logged into 1Password) and it fills the login form out for me!
Logging into apps on my iOS devices only has to be done once, so I don’t mind heading to 1Password to copy the passwords. Logging into apps in my web browser is a little bit clunkier as I have to close it and open the 1Password app, but they’ve even found a work-around for that – they have their own built-in web browser that automatically fills in login forms for you!
Resources
1Password don’t just take your money and leave it at that – they have an excellent blog which, while on the geeky side, demonstrates pretty clearly how useful the product is and gives lots of tips for keeping even more secure!
Passwords aren’t perfect
Passwords aren’t necessarily the best way to keep our information secure, but they’re all we’ve got until someone comes up with something better. So in the meantime 1Password makes the hackers’ lives a lot trickier and keeps your information as safe as possible.
Sure, it’s a little bit more effort to set up an account, but it’s well worth it for the peace of mind a password management tool brings, and this one’s the best on the market.