Password Managers – LastPass, 1Password and iCloud Keychain
I’m forever advising clients about online security and the importance of secure, unique passwords, but it is amazing how lax some people can be with their passwords and how blasé they are with regards to online security.
The Problem with Passwords
Passwords of course aren’t the ideal way of protecting our accounts online for a number of reasons:
- Many of the passwords we use are weak – they often have to be so that we can remember them.
- Computers can easily brute force many of our passwords no matter how strong we ‘think’ they are. The algorithms and techniques used by password cracking software are getting ever more sophisticated, and they are available to anyone who wants them.
- Many of us will use the same password for many different websites. This is a huge problem as you never quite know how secure all of these sites are. If a password you use across many sites is exposed on just one of them, you could see hackers take control of all your accounts. Online profiles, financial accounts, and social networking profiles all come under their control and if they can access your email account then all of your passwords can be exposed to them.
On top of which, we as humans have very little time for passwords:
- Secure passwords are difficult to remember – which is why we use the same insecure passwords across a number of websites. A password such as ‘password123’ is so much easier for us to manage than ‘sf%6HYfare£$(NHg&&&tsF£’. It’s easier to type as well.
- We are lazy. Convenience is key for us and keeping track of multiple highly secure passwords is a nightmare. Just entering them on a keyboard is bad enough so we take the route of least resistance and end up using the same, easily cracked password all over the web.
Unfortunately, until every keyboard and device has some form of reliable and secure biometric scanner and we are all using two-factor authentication to access our online accounts, passwords are here to stay. They certainly seem to be here for the time being, and therefore we should learn ways to manage them and use them as securely and efficiently as possible.
A Matter of Balance – Convenience vs Security
As with many things, it is all a matter of balance. In the case of online security and password management it’s a matter of balancing convenience and security. In a paranoid but completely secure world we would all use long secure passwords, some form of biometric authentication and a two-factor authentication technique to access any of our online accounts. This means that in order to access every account we would need to prove who we are using:
- Something we know – a strong password
- Something we are – the biometric scanner element
- Something we have – the two-factor authentication (this is where a unique pin is sent to another device that you own)
Doing all of this is inconvenient, even if it is to access our bank account, let alone our social media accounts so for the time being we are stuck with passwords.
A strong password should:
- Have a minimum of 12 characters
- Be randomly generated
- Contain a mix of upper and lower case characters
- Contain letters, numbers and special characters
- Not be part of a pattern or sequence
Generating and remembering such passwords across dozens of websites just isn’t feasible, so many of us revert to using insecure passwords.
Levels of Security
Some people have different passwords for different applications based on their perceived levels of security or risk. People may have one fairly insecure password that they use when they sign up to forums and such like, a slightly stronger password for email accounts and social networking sites and then a more secure password for their banking. This is slightly better than using one password for everything – if an insecure forum is hacked and your password revealed it can’t be used to access your bank accounts, but it still isn’t ideal. The passwords will be weak and there is still a very real risk of them being exposed across multiple sites.
You could have a big black book in which you religiously store and manage all of your passwords. This wouldn’t be particularly secure unless kept in a vault, nor would it be very convenient. Having to look up passwords all the time would be too much of a chore for most of us.
As a website designer I need to generate and keep track of literally hundreds of username and password combinations. Even the simplest of websites usually needs a whole host of accounts, all of which need login credentials. Most need:
- A domain name account login
- A hosting account login
- A MySQL database account login
- An administrator Content Management System login
- A Client Content Management System login
- Various email account logins
Keeping track of all of these could be a nightmare, so that is where password managers such as LastPass and 1Password come in. It is also the reason why I was quite excited about the inclusion of iCloud Keychain within the new release of OSX Mavericks.
Built-in Browser Password Managers
Before I go into the details of dedicated password managers such as 1Password and LastPass, a quick word about the in-built password managers within browsers. Most browsers such as Internet Explorer, Safari, Firefox and Chrome will store passwords for you. Opinions are mixed however on their security. Many people believe that browser-based password managers make it too easy for malicious applications to retrieve your passwords.
Google Chrome’s password manager does not allow users to create a master password, allowing others access to your passwords if they’re borrowing your computer. Anyone with access to your computer can see all of your passwords in plain text simply by going into the Chrome settings and clicking “Manage saved passwords”. Internet Explorer also lacks master password capability. Firefox does allow users to create a master password to protect their login data. Safari now has its iCloud Keychain feature for storing and syncing passwords across devices, but its security has yet to be fully tested.
These built-in browser password managers can help, but they offer less flexibility than dedicated password managers and may lack the security.
Password managers such as LastPass and 1Password allow you to generate unique, long, random passwords for each website account that you need to login to and store them securely for easy access when you need them. They require one master password that you need to remember, but as long as you remember the master password using unique passwords for every site should be a breeze.
Most of them also have many other features:
- Password Managers can generate secure passwords
- Password Managers can store your passwords
- Password Managers can store profiles for online forms allowing you to autofill forms easily
- Password Managers can be a vault for other sensitive information
- Password Managers can store credit card details
- Password Managers can auto-login to sites for you
- Password Managers can often perform a security audit of your passwords and online accounts
- Password Managers can warn you of security breaches on sites that you use
- Password Managers can allow you to share passwords with other members of your family / team meaning that managing passwords for joint accounts is simple.
I’ve been using one for years and it does simplify the process of registering and logging into website accounts whilst keeping me more secure online. Even so, I was still guilty of having some insecure and duplicate passwords, so I’ve been using the security audit feature of LastPass recently to eradicate these and improve my online security still further. With over 700 passwords stored in my password manager this was quite a task. My passwords still aren’t perfect, but all of the weak and duplicate passwords are now those created by my clients – I just need to educate them to change their passwords and improve their security too!
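To show what a security audit like the one described above actually checks, here is an added example (not LastPass’s or 1Password’s code) that runs the strong-password rules listed earlier on this page, plus a duplicate check, over a constructed sample vault.

```python
"""Offline audit of a password vault, modelled on the weak/duplicate checks a
password manager's security audit runs. The vault below is constructed sample
data; the rules follow the strong-password list given earlier on this page."""
import string
from collections import defaultdict

# Constructed sample vault: (site, username, password). Not real credentials.
VAULT = [
    ("forum.example", "alice", "password123"),
    ("shop.example", "alice", "password123"),
    ("bank.example", "alice", "Tr0ub4dor&3"),
    ("mail.example", "alice", "abcdefghijkl1!"),
    ("cms.example", "admin", "sf%6HYfare£$(NHg&&&tsF£"),
]
COMMON_SEQUENCES = (string.ascii_lowercase, string.digits,
                    "qwertyuiopasdfghjklzxcvbnm")

def contains_sequence(password: str, run: int = 5) -> bool:
    """True if `run` consecutive chars walk along an alphabet, digit or keyboard run."""
    low = password.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        if any(chunk in seq or chunk in seq[::-1] for seq in COMMON_SEQUENCES):
            return True
    return False

def weaknesses(password: str) -> list[str]:
    """Return the list of rules from the page that the password violates."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("missing upper or lower case")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(not c.isalnum() and not c.isspace() for c in password):
        problems.append("no special characters")
    if contains_sequence(password):
        problems.append("contains a sequence or keyboard pattern")
    return problems

def audit(vault) -> dict[str, dict]:
    """Map each site to its weaknesses plus the other sites sharing its password."""
    by_password = defaultdict(list)
    for site, _user, pw in vault:
        by_password[pw].append(site)
    report = {}
    for site, _user, pw in vault:
        shared = [s for s in by_password[pw] if s != site]
        report[site] = {"weak": weaknesses(pw), "reused_on": shared}
    return report

if __name__ == "__main__":
    for site, findings in audit(VAULT).items():
        if findings["weak"] or findings["reused_on"]:
            print(site, findings)
```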
The Issues with Password Managers
Before getting too excited about password managers, though, a word of caution. Yes, they generate secure passwords for you, and yes, they allow you to manage a huge number of passwords so that you can have a unique password for every website, but can you trust them?
With all of your passwords stored in just one place you need to have confidence that they are stored securely. The vault in which they are stored needs to be safe, because should it be compromised the hacker could have access to all of your passwords. And don’t forget that the key to that safe is in itself usually just a password. It may be slightly ironic, but in order for a password manager to be secure, it needs to be protected by a strong, unique password itself. Most password managers also offer optional two-factor authentication to increase security should you wish to use it, but for many this adds a level of complexity they aren’t willing to accept. Once again it comes down to a balance between security and convenience. A password manager can help us take control of our passwords, but we will only use it if it is convenient.
The other issue is one of cross-platform and app support. Password Managers such as 1Password and LastPass are browser plugins and therefore only work within the browser. They may have plugins for most browsers and will sync between various browsers, meaning they will work in the majority of situations, but not all. This is especially true for mobile browsers as many of them won’t support browser plugins.
Password Managers particularly fall down when you need to use them outside of a browser. For example, if you use a Facebook app on your phone. The Facebook app isn’t a browser so there is no way for a password manager to enter your login credentials. This may mean that you need to look up the password via the web interface of your password manager and then copy and paste it into the app. Most apps will then remember this but it can be a chore to look up passwords all the time rather than have them auto-entered. The alternative is not to use the app for such services but to access the service via a browser which isn’t always a pleasant experience on a mobile device.
LastPass is a cloud-based password manager with many of the features listed above. It has plugins for all of the major web browsers on both PCs and Macs. Once you set up an account and install the browser extensions it will prompt you whenever you visit a website with a login or registration form.
LastPass stores your data on its servers, but it is encrypted on your computer before being sent to LastPass, so it should be secure both on their servers and whilst being transmitted to and from their servers. Your master password is never sent to LastPass’ servers (although a one-way hash is sent to LastPass allowing you to authenticate). All encryption and decryption happens on your own devices. The LastPass browser extensions also store data on your computer, allowing them to keep working in the rare event that the LastPass servers go down.
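The design just described, where the server only ever sees a one-way authentication hash and an already-encrypted vault, is easier to reason about with a working model. The following is an added example written for this page, not LastPass’s implementation: the PBKDF2 split and iteration count are assumptions, and an HMAC-SHA256 keystream with an encrypt-then-MAC tag stands in for a real block cipher so that it runs with only the Python standard library.

```python
"""Stdlib-only model of the client-side design described above: only an
authentication hash and already-encrypted vault data leave the client. The
PBKDF2 split and iteration count are illustrative, and the cipher (HMAC-SHA256
keystream, encrypt-then-MAC) stands in for AES; this is not LastPass's code."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this illustration

def derive_keys(master_password: str, email: str) -> tuple[bytes, bytes]:
    """Return (vault_key, auth_hash); only auth_hash is ever sent to the server."""
    vault_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                                    email.lower().encode(), ITERATIONS)
    # One extra one-way step: auth_hash proves knowledge of the master password
    # but cannot be reversed to recover vault_key, even by a breached server.
    auth_hash = hashlib.pbkdf2_hmac("sha256", vault_key,
                                    master_password.encode(), 1)
    return vault_key, auth_hash

def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    # Separate encryption and MAC keys derived from the vault key.
    return (hmac.new(key, b"encrypt", hashlib.sha256).digest(),
            hmac.new(key, b"authenticate", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = []
    for counter in range(length // 32 + 1):
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                               hashlib.sha256).digest())
    return b"".join(blocks)[:length]

def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Produce nonce || ciphertext || tag; this opaque blob is what gets synced."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = os.urandom(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt_vault(key: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting; a wrong key (such as auth_hash) fails here."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("vault integrity check failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

if __name__ == "__main__":
    vk, ah = derive_keys("correct horse battery staple", "user@example.com")
    blob = encrypt_vault(vk, b"bank.example: hunter2-but-longer")
    print(decrypt_vault(vk, blob))
```

The point the model makes is that everything the server holds (the auth hash and the blob) is useless for decryption without the master password, which is also why a weak master password undermines the whole scheme.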
Once you have signed up and installed the relevant browser plugin LastPass gets to work as soon as you visit a web page with a registration or login form.
On registration forms it will pop up with a password generation tool. This allows you to choose the number of characters a password should have and the types of characters it should contain along with a few other parameters. Ideally, seeing as you are using a password manager you should make the password as long and complex as possible, but some sites will only allow passwords of a certain length and may not allow special characters, so being able to tweak it here is good.
Once you’ve allowed LastPass to generate a password for you, simply click the ‘Use Password’ button and it will be stored in your vault.
Entering a Password
Next time you visit that site to log in, LastPass can enter your username and secure password for you. If you have multiple logins for a single website then you can select the correct one from a drop-down menu of those available.
The LastPass browser plugin provides you with easy access to the other features offered, such as the ability to alter your preferences and settings (of which there are many), generate passwords, organise your stored passwords, import and export your passwords, perform a security audit and access your vault.
You can access your vault online and here you can view your stored passwords, organise them into groups, add form fill profiles and much much more.
LastPass has a free version for the desktop and a paid service costing $12 per year that provides mobile applications and priority support. It also enables other features such as the sharing of passwords via groups.
1Password takes a slightly different approach by storing your passwords on your computer rather than in the cloud. It is comprised of a desktop application and a browser plugin that automatically fills your passwords into web forms. As with LastPass you have a single master password that you will use to sign into 1Password. 1Password stores all of your passwords in an encrypted file, which can only be accessed with this master password.
1Password on the Desktop
The desktop application allows you to take control and manage your passwords. Being a desktop application rather than the web-based application of LastPass does mean that it has a much nicer interface (if you are into that sort of thing – I am!).
As with LastPass, there is also a browser plugin available for most browsers that allows you to generate and enter passwords within web forms.
1Password allows you to sync your passwords between devices using iCloud or Dropbox or locally over Wi-Fi, and has apps for mobile devices that allow you to access your password vault.
As with LastPass it has many other features such as group sharing, a digital wallet and security audits.
1Password charges a £34.99 one-time fee for the desktop application. The 1Password mobile application costs £12.99 on iOS while the Android app is free.
Both LastPass and 1Password work well within the most popular browsers on the desktop, and both have password manager apps for mobile devices. Their browser plugins don’t work within browsers on mobile devices though, so they both have their own browsers for such devices. 1Password has a built-in browser within its iOS password manager app and LastPass has its own standalone LastPass Tab browser. These both allow you to surf the web and use your password manager on your iOS-based mobile device, assuming, that is, that you remember to use them rather than the default browser on these devices.
With the announcement of iCloud Keychain on OSX Mavericks and iOS7 it seems as though some of the issues of using a password manager may have been solved – at least for users within the Apple ecosystem. iCloud Keychain promises to generate and store passwords within your Safari web browser and sync them between your desktop and mobile devices.
First you have to set up the devices to use the iCloud Keychain. When setting up the first device, you’ll choose either a four-digit numeric code or a complex password to secure the keychain. To add any subsequent device to iCloud Keychain, you can type in the passcode or approve the new device from a device that already runs the password manager.
You then need to set up a few things within Safari on the desktop and within the Keychain Preferences within iOS7 so as to allow them to store and enter passwords for you.
This seemed like a perfect solution at first: an inbuilt password manager at the operating system level. Unfortunately it doesn’t quite live up to the promise yet. It does provide a useful addition to OSX and iOS for people who use Safari across both operating systems, by addressing the issue other password managers have with a lack of browser integration on mobile devices. It doesn’t, however, quite cut it in comparison to the competition in other respects.
iCloud Keychain doesn’t provide any control over the complexity or length of the passwords it generates, it struggles with multiple logins for a single site and of course, it is Apple only and therefore not cross-platform. It also only works if you have OSX Mavericks and iOS7 or later on all of your devices (I don’t!). It also only works within browsers, not other apps, although Apple may well open this up at some point via an iCloud Keychain API.
iCloud Keychain can help people who don’t already use a password manager improve their security, and hopefully Apple will improve on it and add more of the features offered by the likes of LastPass and 1Password. But for now, iCloud Keychain is unlikely to satisfy people who take security seriously.
Time to Take Control
Whatever option you decide to use, it’s time to take control of your passwords. Free yourself from scraps of paper and jumbled notepads with lists of insecure passwords, get rid of duplicate passwords and embrace the magical world of password managers today. You’ll thank me for it and before long will be convincing your friends to do the same. You’ll probably end up using many of the other features offered by the likes of LastPass and 1Password too, and will no doubt learn something about online security in the process.
Finally, if you are going to sign up to LastPass, then please do so using this link: https://lastpass.com/f?2688036 That way I get an extra month’s premium subscription for free and it doesn’t cost you a thing – it may even improve your online security. Thanks.