These days we all have far more accounts and passwords than we know what to do with. Managing a set of over 100 unique usernames and passwords for online services like banking, productivity, hosting, and social media is becoming untenable even for casual Internet citizens. As a high-octane user of web services, I have over 500 unique accounts for different things, hundreds of which I rarely use, but occasionally need. This, combined with the risk of having an account with sensitive information compromised, creates the need for a hyper-secure password strategy for all online accounts. The trouble is that to be truly secure, you should use strong passwords, vary them from site to site, and reset or update them from time to time.
No human being can realistically (and securely) manage having strong passwords for everything. This is why you should be using a password management system like 1Password to house all of your passwords and help you stay safe online.
Here’s how it works:
1Password is a desktop and mobile application for keeping a database of accounts and passwords for everything you need to keep secure. It helps you to generate strong passwords for sites, tracks which is which, keeps you organized, and also assists you in keeping them up to date over time.
You’re probably wondering how 1Password itself is even secure, since it means all of your secrets are in a single file. Your entire password “Vault”, as it’s called, lives in an encrypted file on your computer. When you set up 1Password, you create a single super-strong master password, one that you do remember, to unlock the vault to access your passwords within.
The real strength of 1Password is that it helps you keep extremely strong, unique passwords for everything, without having to reuse the same one repeatedly. If one of your accounts is compromised, a hacker with your credentials for the site can’t go hammer any other service using your email and identical password to compromise others, too. Things are compartmentalized much better and staying secure is much easier.
Though the thought of compiling all of your passwords into a single locked virtual vault might sound like a huge risk, when balancing all the factors with good practice, it’s far more secure overall than the alternative. The AgileBits product team has a design goal to make it “easier to behave securely than to behave insecurely.” If users take shortcuts in their security procedures in order to make things easier, they’re already compromising their own security.
Let’s review a few of the great features that make 1Password indispensable for me.
The app itself is feature-rich and powerful for all of the things you need to stay secure, without the security tripping you up and becoming a hassle to maintain. This starts with having a simple way to log in to sites automatically within the web browser. Using 1Password’s browser extensions, when you visit a site to log in (like your Twitter account, or Fulcrum), a single keyboard shortcut will magically and securely fill your username and password for the site. For me, when I visit a site to sign in, I hit ⌘-\ and it fills my username and password automatically—which is fantastic since nearly all my passwords are long and complex.
The whole concept of what makes a strong password can be pretty complicated, and techniques for making ones both strong and memorable are few. At a basic level you want to increase length and complexity, while maximizing randomness in the characters used. Throw in needing to do this hundreds of times for unique passwords and it’s quickly unmaintainable.
1Password has an awesome password generator. For each account you add, you can generate a random new password, and also control its length, whether you want something readable, with symbols, or just alphanumeric only. Now once you’ve got your strong password, you don’t even need to remember it. 1Password does that for you.
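To make the trade-off between length and character set concrete, here is an added example (not 1Password's code) of a generator with the same kinds of options, plus the entropy each choice yields. The pool names, the symbol set and the function names are assumptions made for this illustration.

```python
import math
import secrets
import string

# Character pools for the two modes described above (names and symbol set are assumed).
ALPHANUMERIC = string.ascii_letters + string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"

def generate_password(length=20, symbols=True):
    """Return a password drawn uniformly at random from the chosen pool."""
    if length < 1:
        raise ValueError("length must be at least 1")
    pool = ALPHANUMERIC + (SYMBOLS if symbols else "")
    # secrets draws from the operating system's CSPRNG; the random module is
    # predictable and must not be used for passwords.
    return "".join(secrets.choice(pool) for _ in range(length))

def entropy_bits(length, symbols=True):
    """Entropy of a uniformly random password: length * log2(pool size)."""
    pool_size = len(ALPHANUMERIC) + (len(SYMBOLS) if symbols else 0)
    return length * math.log2(pool_size)

def length_for_bits(target_bits, symbols=True):
    """Shortest length that reaches target_bits of entropy for the chosen pool."""
    return math.ceil(target_bits / entropy_bits(1, symbols))

if __name__ == "__main__":
    for length, symbols in [(8, False), (12, True), (20, True), (20, False)]:
        pw = generate_password(length, symbols)
        print(f"{pw:<22} length={length:<3} symbols={symbols!s:<5} "
              f"~{entropy_bits(length, symbols):.0f} bits")
    print("alphanumeric length for 128 bits:", length_for_bits(128, symbols=False))
    print("with-symbols length for 128 bits:", length_for_bits(128, symbols=True))
```

Adding symbols raises the entropy per character only modestly, so length is the cheaper lever when a site restricts the allowed characters.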
The 1Password desktop app is cross-platform, on both Mac and Windows. One of my favorite parts, though, is the mobile app. There are mobile apps for both iOS and Android, which give you secure access to your vault from your mobile device, in case you need to sign into a mobile app or website from your phone on the go. Just enter your master password there, unlock your vault, and grab the password you need. You can even use the mobile app standalone to manage files and passwords if you want to. If you use both, it gets more powerful with this…
If you want to keep your whole 1Password vault available to you everywhere, desktop and mobile, Dropbox syncing is the best bet. Storing your 1Password vault file in a Dropbox folder gives access to it to all of your approved devices. I use 1Password many times every day, on my laptop and my iPhone, and the Dropbox sync keeps everything in order. If I sign up for a new account from my phone, I add a new login entry from 1Password mobile and it makes its way to my desktop, as well.
If you don’t like the idea of syncing your vault via Dropbox (or you don’t use that service), you can use iCloud, or you can also sync locally over Wi-Fi every now and then to keep your mobile vault up to date.
The AgileBits team also provides a service to all 1Password users that checks your login entries, based on their URLs, against its record of known vulnerabilities. If they know that a particular service is still vulnerable to the Heartbleed SSL bug, for example, the Watchtower service will let you know. The “Security Audit” section in the app identifies passwords you haven’t touched in years, finds duplicates, and flags weak passwords that might need to be corrected. Because new data accrues here over time, I put a recurring task in my task list to review my accounts and clean things up once every couple of months. When running through an audit, I always find accounts I created that I don’t need anymore, so I’ll sign in and actually close the account so I can keep tabs on what I have passwords for.
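The three audit checks described above (duplicates, weak passwords, entries untouched for years) can be sketched as follows. This is an added example, not 1Password's implementation: the vault entries are constructed, and the 70-bit and three-year thresholds and all function names are assumptions.

```python
import math
import string
from collections import defaultdict
from datetime import date

# Constructed sample entries (title, password, last changed); not real credentials.
VAULT = [
    ("bank",    "T7#qLm2!vX9pRz4&Ke", date(2024, 3, 1)),
    ("forum",   "sunshine1",          date(2016, 5, 9)),
    ("webmail", "sunshine1",          date(2023, 11, 20)),
    ("hosting", "Xk29fLq8Zp3mBv7cNw", date(2019, 1, 15)),
]

def estimated_bits(password):
    """Upper bound: length * log2(pool implied by the character classes used).

    Dictionary words score far lower in practice, so a real audit would also
    check a common-password list; this bound only catches short, simple ones.
    """
    classes = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation, 32)]
    pool = sum(size for chars, size in classes if any(c in chars for c in password))
    return len(password) * math.log2(pool) if pool else 0.0

def audit(vault, today, min_bits=70, max_age_days=3 * 365):
    """Return {title: [findings]} for duplicate, weak and stale entries."""
    by_password = defaultdict(list)
    for title, password, _ in vault:
        by_password[password].append(title)
    findings = defaultdict(list)
    for title, password, changed in vault:
        others = [t for t in by_password[password] if t != title]
        if others:
            findings[title].append("duplicate of " + ", ".join(others))
        if estimated_bits(password) < min_bits:
            findings[title].append("weak")
        if (today - changed).days > max_age_days:
            findings[title].append("stale")
    return dict(findings)

if __name__ == "__main__":
    for title, issues in audit(VAULT, today=date(2025, 1, 1)).items():
        print(f"{title}: {'; '.join(issues)}")
```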
If you aren’t already using a password management system, 1Password is a fantastic solution for all of your devices. I’ve been using it for years and can’t imagine dealing with the craziness of account management these days without it.