Security Tips: Manage Your Passwords With 1Passwd
1Passwd Basics for Mac Users
Michael Hall
Last week, I wrote about Password Composer, a handy tool for creating a kind of do-it-yourself single sign-on for Web sites.
To recap: Password Composer combines a strong root or master password with the domain name of the site you're logging into to produce a password unique to that site, using encryption techniques that make it impossible to discern your master password. A simple bookmarklet or Greasemonkey script can recall the unique password using the original master password.
Using Password Composer, users get both the security of multiple, strong passwords for all their Web identities, and the convenience of remembering just one password.
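The idea recapped above, as an added sketch that is not Password Composer's own code: it substitutes PBKDF2-HMAC-SHA256 for whatever the tool itself uses, and the function names, alphabet, and iteration count are assumptions made for illustration. The host names are the examples used later in this article.

```python
import hashlib
from urllib.parse import urlsplit

# Output alphabet (62 symbols); an assumption of this sketch.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"


def site_key(url_or_host):
    """Reduce a URL or bare host name to the lower-case host used as the salt."""
    text = url_or_host.strip()
    if "://" not in text:
        text = "//" + text          # lets urlsplit() treat a bare host as a netloc
    host = urlsplit(text).hostname  # drops scheme, port, path; lower-cases
    if not host:
        raise ValueError(f"no host name in {url_or_host!r}")
    return host.rstrip(".")


def site_password(master, url_or_host, length=16, iterations=100_000):
    """Derive the same password every time from (master, host); nothing is stored."""
    salt = site_key(url_or_host).encode("utf-8")
    stream = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                                 iterations, dklen=4 * length)
    # Rejection sampling: discard bytes >= 248 so that byte % 62 is unbiased.
    limit = 256 - 256 % len(ALPHABET)
    chars = [ALPHABET[b % len(ALPHABET)] for b in stream if b < limit]
    if len(chars) < length:
        raise ValueError("too many rejected bytes; derive a longer stream")
    return "".join(chars[:length])


if __name__ == "__main__":
    master = "constructed-master-passphrase"   # constructed sample value
    for site in ("https://webmail.foo.com/login", "blog.foo.com", "dev.foo.com"):
        print(site_key(site), site_password(master, site))
```

Because the host name is the salt, every subdomain gets its own password, and a site that learns one derived password still faces the full iteration cost for each guess at the master password.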
This week, we'll take a look at a somewhat similar application for Macs. 1Passwd from Agile Web Solutions takes a different approach to the problem that password proliferation poses, and leverages some key pieces of Mac technology to do its work.
One solution people use to get around the problems caused by having too many passwords involves taking advantage of a common feature in browsers: remembering passwords for later.
That feature is implemented at varying levels of security: Some implementations simply save the password and username combination; others (like Firefox) offer the opportunity to lock the user's list of passwords and usernames behind a master password.
There are a few problems with this approach:
Some implementations are very insecure. They rely on the user always having control of the computer the passwords are being stored on.
Users who have more than one browser can never be sure that the browser they're currently using has all their passwords and usernames.
Users who work on multiple computers can't take their passwords with them from machine to machine.
Some browser-based solutions are circumvented by sites that use a number of tricks to disable password saving for their customers' own good.
1Passwd addresses these problems by relieving browsers of the duty of remembering passwords and handling these tasks itself in conjunction with Apple's Keychain. It also generates strong passwords, stores user identity information to help fill out forms, and provides a secure note-taking facility.
1Passwd Basics
The 1Passwd application installs a browser plugin that currently supports Safari, Firefox, Camino, OmniWeb, Flock, and DEVONagent.
At installation, 1Passwd prompts for a master password that should be very secure.
1Passwd is able to import stored passwords from the browsers it works with as well as a number of other password manager applications, such as SplashID and RoboForm.
Once you've imported your passwords into 1Passwd, you should turn off password saving and autofill in your browsers and purge their password records.
From this point forward, 1Passwd steps in when it detects a form and offers to save the login information. It stores the information in a Mac Keychain that, by default, locks automatically if the computer is idle for more than 60 minutes, or if it enters sleep mode.
There are a few convenience features built into the password saving process: Users can opt to be presented with an option to name the password (which is useful with the many pages that have somewhat obscure names for signon pages and HTTP Authentication realms), and users can opt to override 1Passwd for HTTP Authentication in favor of their browser.
1Passwd can also provide a secure password during registration at a site with its Strong Password Generator feature. The nice thing about the generator is its customizability: Users can tell it how long the password can or must be; how many letters, numbers, or punctuation characters it must contain; and whether or not to avoid potentially ambiguous characters like "0" and "O" in the password it generates.
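A generator with the kinds of options described above, as an added example that is not 1Passwd's code: the function names are hypothetical, the rule that everything left over after the digits and punctuation is a letter is an assumption, and so is the ambiguous-character set beyond "0" and "O". It also counts how many passwords a given recipe can produce, which shows what each constraint costs in strength.

```python
import math
import secrets
import string

AMBIGUOUS = set("0O1lI|")   # "0" and "O" are the page's examples; the rest are assumed


def _pools(avoid_ambiguous):
    """Return (letters, digits, punctuation) with look-alike characters optionally removed."""
    def keep(chars):
        return [c for c in chars if not (avoid_ambiguous and c in AMBIGUOUS)]
    return keep(string.ascii_letters), keep(string.digits), keep(string.punctuation)


def generate_password(length=16, digits=2, punct=2, avoid_ambiguous=True):
    """Exactly `digits` digits and `punct` punctuation marks; the remainder is letters."""
    if digits < 0 or punct < 0 or digits + punct > length:
        raise ValueError("digit and punctuation counts must fit within the length")
    letters_pool, digits_pool, punct_pool = _pools(avoid_ambiguous)
    chars = [secrets.choice(digits_pool) for _ in range(digits)]
    chars += [secrets.choice(punct_pool) for _ in range(punct)]
    chars += [secrets.choice(letters_pool) for _ in range(length - digits - punct)]
    # Shuffle with the OS CSPRNG so the required characters land in random positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def recipe_size(length, digits, punct, avoid_ambiguous=True):
    """Number of distinct passwords the recipe can produce."""
    letters_pool, digits_pool, punct_pool = _pools(avoid_ambiguous)
    placements = math.comb(length, digits) * math.comb(length - digits, punct)
    return (placements * len(digits_pool) ** digits * len(punct_pool) ** punct
            * len(letters_pool) ** (length - digits - punct))


def entropy_bits(length, digits, punct, avoid_ambiguous=True):
    """Base-2 logarithm of recipe_size(): the strength of the recipe in bits."""
    return math.log2(recipe_size(length, digits, punct, avoid_ambiguous))


if __name__ == "__main__":
    print(generate_password(20, digits=3, punct=4))
    print(round(entropy_bits(20, 3, 4), 1), "bits with the constraints above")
```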
Recalling passwords is simple: 1Passwd can automatically submit forms when it comes across a site it can fill out automatically (Autosubmit), or it can be invoked with a keystroke (⌘\) in cases where it can't.
The latter case pops up with unfortunate frequency when one has multiple logins under the same domain. For instance, a user who has a webmail login at webmail.foo.com, a blog login at blog.foo.com, and an HTTP Authentication signon at dev.foo.com won't get the benefit of Autosubmit because 1Passwd takes a conservative approach to guessing which identity to use.
1Passwd does, however, offer a useful visual guide to which password it thinks is the most likely to work in the form of red bars next to each choice. The more bars a choice has, the more closely it matches the form 1Passwd remembers saving.
Managing passwords is also pretty easy: 1Passwd provides an easily searchable list organized either by domain name or the name the user assigned when the form was first saved. It's possible to change autosubmit settings, which URLs match the password, and which values go in a field. Passwords can also be organized into folders.
Password entries also include a menu that permits the user to "Go and Fill," which opens the saved form in the user's browser, or "Copy Go & Fill Link," which copies the appropriate link to the user's clipboard for use in a browser besides the current default, or to create a "Go and Fill" bookmark for use right from the browser.