Today I switched my password handling: from now on I'm using 1Password and DropBox.
It was a critical decision. Do you want to know why? Read this post…
Password handling is always a mess. Strong passwords are hard to memorize; weak ones are easy to crack.
For each new website you register with, you need a new password. Reusing the same password multiple times is bad, because you can't be sure that the website stores your password securely on its server. If you register on a dubious site with your email address and your (shared) password, it's easy for a bot to try to log in with your data on thousands of well-known websites, and you won't be aware of it even if it succeeds.
The only way around this is to use a different strong, hard-to-remember password for each site.
“But where's the problem?” you may ask; after all, Firefox and Safari have their built-in password managers.
Here is where the problem arises.
In the past I used Safari and MobileMe (in fact, this was one of the reasons I purchased MobileMe; the others were Address Book and iCal sync).
With MobileMe you can sync your keychain through MobileMe.
It took me a long time to suppress my bad feelings about that (wow, do I really want to share the *complete keychain*? By the way, I haven't found any specification of MobileMe's security). Anyway, MobileMe syncing worked most of the time, but not all the time.
A broken sync leads to a stupid forgot-password sequence on the computers: with a reset password on one Mac, the (unsynced) passwords on the other won't work either. So you reset passwords over and over, unless you write them down on a piece of scrap paper and carry it in your trouser pocket. But hey, that's the Stone Age you came from. That's boring.
I decided that using a credible password manager is safer than juggling multiple passwords by hand, under the presumption of a well-chosen master password. There is a good and short explanation of the risks in this Wikipedia article, with a clear essence: a compromised master password renders all of the protected passwords vulnerable. This demonstrates the inverse relation between usability and security: one might enjoy better security by memorizing all passwords, but the effort is inconvenient and usually annoying.
My solution to this problem is 1Password and DropBox. 1Password stores all the passwords in a “password store”, which is itself encrypted with a single master password; that master password is the only one you have to memorize.
Because there are plugins for Firefox and Safari (and many more), you can use the same database for all browsers. If you move your password database into the cloud (with MobileMe or DropBox), you can access it from different computers.
If you already have MobileMe, you are tempted to sync via MobileMe. However, there is a risk of data loss with MobileMe, so you had better choose DropBox (which is free up to 2 GB).
For a detailed guide to setting them up correctly, take a look at Switcher's Blog.
The installation is straightforward, but there are some loose ends:
However, there are some disadvantages to this solution: moving your password database into the cloud is a security risk. DropBox claims that all content is itself secured, but can you rely on this for all time? If your password database gets into the wrong hands, a password cracker can work on it offline for days 3). This is a big difference from login attacks on websites, which can be detected by intrusion detection systems.
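To make the two points above concrete (a store that is only as strong as its master password, and a stolen store that can be attacked offline with nothing to detect or throttle the attempt), here is an added illustration written for this post; it is not 1Password's format or code. It builds a tiny master-password-protected store from the Python standard library only: the master password is stretched with PBKDF2-HMAC-SHA256 over a random salt (the iteration count of 200,000 is an assumed cost factor), the entries are encrypted with an HMAC-based keystream, which is a demo construction standing in for a real cipher, and an encrypt-then-MAC tag rejects wrong passwords and tampered files. `offline_guess_rate` then measures how many master-password guesses one CPU core can test per second against such a file, which is exactly the rate limit an online login form would impose and a stolen file does not.

```python
import hashlib
import hmac
import json
import os
import time

# Constructed demo store, not 1Password's on-disk format.
KDF_ITERATIONS = 200_000  # assumed cost factor; real products tune this value


def derive_keys(master_password: str, salt: bytes, iterations: int = KDF_ITERATIONS):
    """Stretch the master password into a 32-byte encryption key and a 32-byte MAC key.
    The iteration count is what makes each offline guess expensive."""
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=64
    )
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR-style keystream from HMAC-SHA256(key, nonce || counter); demo stand-in for AES."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_store(entries: dict, master_password: str, iterations: int = KDF_ITERATIONS) -> bytes:
    """Encrypt a dict of site -> password under the master password."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt, iterations)
    plaintext = json.dumps(entries).encode("utf-8")
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    header = salt + nonce + iterations.to_bytes(4, "big")
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
    return header + ciphertext + tag


def open_store(blob: bytes, master_password: str):
    """Return the entries, or None if the master password is wrong or the file was altered."""
    salt, nonce = blob[:16], blob[16:32]
    iterations = int.from_bytes(blob[32:36], "big")
    header, body, tag = blob[:36], blob[36:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master_password, salt, iterations)
    expected = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    plaintext = bytes(a ^ b for a, b in zip(body, _keystream(enc_key, nonce, len(body))))
    return json.loads(plaintext.decode("utf-8"))


def offline_guess_rate(iterations: int, samples: int = 3) -> float:
    """Master-password guesses per second one core can test against a stolen store."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for i in range(samples):
        derive_keys(f"guess{i}", salt, iterations)
    return samples / (time.perf_counter() - start)


def seconds_to_exhaust(keyspace: float, guesses_per_second: float) -> float:
    """Worst-case time to try every master password in a keyspace of the given size."""
    return keyspace / guesses_per_second


if __name__ == "__main__":
    # Constructed sample entries; the master password here is deliberately weak.
    store = seal_store({"example.org": "x7!Qp-2mNe", "example.net": "Lk9#vR4tWz"}, "summer2010")
    print(open_store(store, "summer2010"))        # the entries
    print(open_store(store, "wrong master pw"))   # None
    # Compare a cheap and an expensive KDF against an 8-character lowercase master password.
    for iters in (1_000, KDF_ITERATIONS):
        rate = offline_guess_rate(iters)
        days = seconds_to_exhaust(26 ** 8, rate) / 86_400
        print(f"{iters:>7} iterations: {rate:8.1f} guesses/s, {days:10.1f} days for 26^8")
```

Run it and compare the two lines: the same stolen file costs the attacker hundreds of times more per guess with the high iteration count, but nothing in the file ever locks out or reports the attempt. That is why the rest of this post treats the master password, not the store's encryption, as the thing to protect.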
And don't forget: access to DropBox can be reset via “forgot password”. Anyone who has access to your mailbox can take over control. By the way: do you use webmail? That raises the risk to an even higher level…
To reduce the security risks, I'm following some obvious rules:
I don't put the 1Password master password in the login keychain of my Macs.
I don't even put it into any electronic files.
I don't store accounts for banking sites in 1Password.
I don't use webmail addresses for authenticating with web services.
With 1Password and DropBox I'm still not fully satisfied, because my iPhone doesn't fit into the setup. DropBox (free) and 1Password (3.99 € or 5.99 € for the Pro version) are indeed available in the App Store, but sadly they don't cooperate on the iPhone (prohibited by Apple's rules). It's only possible to sync manually via WLAN; hell, my Mac Pro doesn't have it. But anyway: manual syncing guarantees going out of sync. The iPhone app still has some more disadvantages (you have to copy and paste your credentials), but that's another story (or blog post).
But on my Macs (Pro, MacBook and Air), I have synced passwords in Firefox and Safari all the time.