
Embracing forgetfulness, or taking the pain out of passwords (Mac and iOS)

Gizmag examines a painless approach to password management using encrypted text files synchronized across devices (Photo: Damien Ayers)
A password is required every time a file is opened with Password Pad

Change Your Password Day falls on February 1 (tomorrow, in other words), and it's as good a day as any to add some beefy heft to your online security regimen. One thing to strongly consider, if you haven't done so already, is using a unique password for every one of your log-ins. That might sound daunting, but tools now exist that make it unnecessary to remember a password ever again. Unfortunately, a lot of the password management software out there isn't as painless as it might be, with cluttered interfaces full of empty text fields asking for a wealth of unnecessary information. And often, it doesn't come cheap. But there is another, simpler way - one that involves encrypted text files and painless data syncing.

Why unique passwords?

The problem with sharing passwords across different websites and services is that your password (and the data it protects) is only as secure as the weakest link in the chain. If your password is compromised at one site, you have potentially handed over the keys to the whole lot. Some people use a hierarchy of passwords, graded by how important and how secure they deem the sites in question, and though this might reduce the risk, it does not eliminate it. In any case, once you accept the idea that you need never remember a password again, it's actually quicker and easier, at least in my experience, to manage 200 passwords than it is to manage seven or eight - it at least eliminates the two or three attempts it sometimes takes to recall just which of your memorized passwords you're reaching for. The guesswork is gone.

The problem with password management software

Unique passwords are great, but I also indicated that this would be painless. In my experience, password management software is anything but. If you're looking for a comparison of the password managers available, this isn't it: all the ones I have used are either expensive, flawed, or worse, both.

AgileBits' 1Password seems to be the password management app attracting the plaudits at the moment, and doubtless the praise is deserved. But it costs a not-inconsiderable US$49.99 and appears to add unnecessary complexity, if not over its direct rivals, then at least over the alternative. The ability to sort your log-ins into categories and to add all the possible fields of data that accompany every log-in might sound useful, but compared to the simple searchability and navigability of a text file, in my view the illusion of usefulness evaporates before your eyes.

It takes much longer to get data in and out compared to a text file, and the task of categorizing log-ins and noting down usernames, registration email addresses, postal addresses etc. is often unnecessary because that sort of information lives safely in your head. You're free to leave the fields blank, of course, but then you've forked out good money for a screen-filling app just to retrieve a single line of information at a time.

There's another way

With the assistance of a text editor that supports file encryption - my present choice is Password Pad for OS X and iOS - almost all of the pain of password management disappears. The paid version of the app employs Triple DES encryption, a method it shares with Microsoft's Outlook 2007. One caveat is worth mentioning here: though Triple DES is mathematically less robust than AES, it is still thought strong enough to withstand attacks using the technology available today (unlike plain DES, which is not). The paid desktop version of Password Pad costs US$2.99 and the iOS app $1.99.

With the password file stored in Dropbox, I have a powerful, robust means of maintaining a nice, accessible list of passwords from both my Mac and my iPhone. A plain text file - obviously - lets you add as little or as much information per log-in as is needed, launches in an instant, and is completely searchable. Getting all my data out of it is as simple as selecting all, hitting copy, and pasting into my next encrypted text editor of choice. If you favor a text file over over-elaborate task management and to-do list apps, the principle here is exactly the same.

How does it work on my Mac?

On a Mac, the trick to speedy adding and retrieving of passwords from your encrypted file is to embrace Spotlight. When you create a Password Pad .pwdp file, the app prompts you for a password that will be required to open the encrypted file. Once the file is created and filed away in your Dropbox folder, it's simply a matter of hitting Command-Space to activate Spotlight, typing the first few letters of the filename and pressing Return. Go for a nice, unique file name just to avoid a cluttered confusion of Spotlight search results. Enter the password to unlock your file and there are your passwords. Trust me, in action rather than word, that's much quicker and simpler than it sounds.

Password Pad desktop app: keep your most frequently used passwords at the top of the file for easier access (no, the passwords aren't real)

If you're anything like me, however, you'll have dozens of passwords, and scrolling up and down a long text file to find them is going to take time. Well, there are a few things to do to make this as painless as possible. The first is to alphabetize your log-in list by site name. The second is to extract your frequently needed passwords and compile a shorter alphabetized list at the very top of the file. That way, they'll appear right on screen the moment you open the file. The final nugget of advice, for retrieving those passwords buried a little deeper, is to hit Command-F to search the text file and start typing the site name - you'll jump right to the password you need. Once you have your password, it's simply a case of copying and pasting it wherever you need it. Again, this is much quicker in practice than it sounds, and considerably quicker than launching a password management app.

And on my iPhone?

The Password Pad iOS app stores a local cache of files on your iPhone, so you need only open Dropbox on rare occasions to send the latest copy of the password file to the Password Pad app - otherwise the cache sitting right there in the app will do. Other than that, accessing passwords is much the same, except that instead of searching the file, on an iPhone it's probably easier to freewheel through it with the help of the iPhone's inertial scrolling. There again, copy the password for pasting where needed.

Password Pad for iOS (no, these passwords aren't real either)

My only tip would be to consider the iPhone keyboard when choosing the master password that unlocks your Password Pad file. A nice secure password is, of course, desirable, but if you choose one that flits too fancifully between letters, numbers and symbols, you're adding a lot of screen tapping every time you open the file, because of the need to switch between the separate iOS keyboards for letters, numbers and symbols.

The smallprint

If there's a feature missing from this approach, it's that some password managers include tools for password generation. Not to worry, though, as equivalent tools are available online. My current favorite is strongpasswordgenerator.com, which generates secure passwords in your browser using JavaScript, so nothing is transmitted over the web. It's certainly preferable to one expensive password manager I tried, which had the rather worrying habit of generating the same few passwords over and over again. There again, there's nothing wrong with choosing your own passwords so long as you avoid the pitfalls.

Now when faced with a log-in screen, I'm only ever a few taps from copy-paste password nirvana. And there's no reason to limit the approach to log-in info. Since adopting Password Pad, I've maintained a file of the WiFi details of friends, family, local haunts - anywhere that has given me their password to access their network, just to avoid the hassle of asking again when I next visit.

If there's a caveat, it is that, though there are other methods of syncing files across devices, this approach relies on Dropbox, so you have to be happy to store sensitive data on Dropbox's remote servers, even if it is protected with 112-bit encryption. It's worth remembering that some of the fully fledged password manager apps also support or rely on Dropbox syncing to get your data to all devices. In the end, though, this is a decision for the user.

What about Windows?

The good news is that there is no shortage of text editors for Windows that support file encryption, and Windows Phone apps are coming. The Windows Phone app Password Padlock ($0.99) appears to offer similar functionality to Password Pad, but without, it seems, a desktop equivalent.

Though strongly Mac-biased, I do use a Windows PC on a regular basis, and on those occasions when I need to log into sites, reaching for Password Pad on the iPhone and then manually typing in the password isn't much of a problem. Those who lead a truly platform-agnostic existence and are keen to embrace the maximum security that unique passwords offer may, for now, be forced to adopt a heftier cross-platform manager such as 1Password, or to study advanced mnemonics in case there's an outside chance of actually memorizing all of them.

As ever, we're keen to hear from our readers for their password management tips and recommendations. There are bonus points for simplicity without compromising security.

12 comments
GvillaThrilla
While it's not the method I use, I used to teach kids and taught them to draw a design on the keyboard (zse4rfv for example), and if they wanted to get really fancy I taught them to hold the shift key for a couple of the letters to get a really unique password since nearly all passwords are case sensitive. Then, when you need to change your password you can either use another design, or just move where your design is on the keyboard. With a class of 30 kids the biggest challenge was trying to keep them from watching each other's hands to try and guess each other's passwords.
Chris Maresca
I've used SplashID for years - it's available for OSX, Windows, iOS, Android, BlackBerry, etc and they now have a 'cloud' version. $20 for the desktop, $10 for mobile (pick your flavor). It uses 256-bit Blowfish for encryption and has a built in password generator. Syncs wirelessly device-to-device and will sync between several desktops/mobiles.
As an aside, research has shown that adding random incomprehensible characters to your password does virtually nothing to make it more secure. What matters is length.... So if you want a secure password, just_use_a_really_long_phrase
Wayne Taylor
WOW, what a hassle. Use KeePass (free) or Password Safe (free).
VirtualGathis
Personally I prefer Keepass. It's free open source and you can apply multiple levels of encryption. My password file is triple encrypted with layered AES, Cobra and Twofish. The weakest link there is probably the file's password rather than the encryption. I'm working to add a biometric based key in addition to the password. I won't go so far as to say it would be impossible but it would be quite challenging and generally not worth the effort to break it at that point.
Keepass also has a random password generator you can seed to create a truly unique log-in credential for every site. Since you have them recorded in Keepass and it can supply them to sites, the fact that it's a random unrememberable password is not so important. The only issues I've had are that it requires a locally installed app and a database file so using passwords across multiple or work machines is not simple.
Francois Retief
I'm surprised that there's no mention of LastPass, especially for online usage.
LessTolerant
Ok, the article falls short of addressing the real problem that all password keychains have: creating a single point of failure for your security.
Further, the recommended app is little more than what some people I know already do: keep passwords organized in an .XLS file with a strange name that I just type into a search box, and the password list pops up. I used to have a 128-bit cryptographic password to open the file. There really is little difference, and you still have the same single-point weakness.
An iPad app I started using provides a place to put my passwords, pics, numbers, etc., but instead of using an alphanumeric password of frustrating complexity, I interact with a picture of my dog on a slider in a certain pattern. Now how do I get rid of the other 180 passwords in the file........? -LT
Jerome Thomas
Just use a very long nonsensical phrase that is easy to remember. (That's all I do.) e.g. "www.mycall.mobi - best mobile directory!" - who's going to crack that!
Mike Hill
To LT:
The iPhone app you are referring to is called Avimir Lite. It eliminates passwords by enabling you to authenticate yourself through a personalised authentication method that you specify. Additional features include GPS position locking, authentication by device orientation, authentication by interaction with augmented reality objections. While you could store passwords in it, this is simply a "Lite" version that we have developed to demonstrate how Avimir will eventually replace all passwords with safe, very secure and simple 2- and 3-factor authentication methods. We have patents assigned and pending and hopefully we can help get rid of your other 180 passwords in the near future. ;c) -Avimir Management
yrag
An easy and built-in way I came up with (I'm sure many others have too, at least on a Mac) is to create a text file with all your passwords the way you want within the built-in TextEdit app and export the file as a PDF.
Then open that file with the built-in Preview app (a general purpose app to view graphics and PDFs) and within Preview hit 'Save' or 'Save As'. In the dialogue box that comes up, keep the format to be saved in as PDF, but check the 'Encrypt' button under that selection; a dialog box pops up to allow you to create a password and to verify it - voila!
The essence here on any platform, is that if you can get your password list into a pdf format, you should be able to then encrypt it.
Stan Sieler
I'll echo Chris Maresca's comments...been a SplashID user for years (in my case: Palm, iPhone, Mac). It (finally) has a decent method of synchronizing accounts/passwords across multiple platforms, much like contact managers have done for years. That means I can update a password via SplashID on the Mac, and get the changes propagated to my iPhone. Of course, it has copy/paste functionality. The one thing I'd like to see is "smart" integration with copy/paste, so I could tell it (or any password manager) "here's the first thing to paste, and here's the second thing" ... then, I'd paste into the account name field, and then the password field. That matters because there are some sites where my login name isn't my "standard" one, for various reasons. So, a multi-paste capability would seem like an obvious thing to want :)