Online password keepers and other (in)security thoughts
Dedicated MacNNer
Join Date: Jan 2004
Location: DC
I'm wondering what the wisdom is here about online password keepers and staying safe and secure in cyberspace. In doing a search of this forum I couldn't find much on this topic as of late but what I did find was that 1Password is highly favored. Since it costs $39 I'm curious why it trumps free services such as Mitto and Clipperz.
Being more concerned about identity theft these days as I learn about hackers getting into our computers at public places (coffee shops, cafes, libraries, airports, etc.) or even through their wireless routers, I'd like to be aware of what the best practices are regarding online security. Someone posted their concerns about mint.com and they were closing that account. Since I use that website, I'm wondering as well how wise it is to have all my financial information available there.
So what is the smart way to be these days with regard to using online services that have all our sensitive data? Are some browsers more secure than others? Are password keepers airtight?
Thanks.
Administrator 
Join Date: Apr 2001
Location: San Antonio TX USA
I think the reason 1Password reigns is that it works. They use good encryption and tell you what it is they're using. Further, they offer storing your data online as an option, but by default it seems to be stored in an encrypted file on your device, which adds to the app's security.
Glenn -----
OTR/L, MOT, Tx
Clinically Insane
Join Date: Mar 2001
Location: yes
I just use the OS X keychain for entering and storing passwords and account info I want to keep. I'm sure that 1Password is secure and all, but to me this is sort of like trying to know how the animals you eat were raised and treated - you can't know, so if this is a concern for you, the best solution is to avoid this thing altogether. I personally avoid password managers like this because I'd prefer just to use my keychain app than to worry about whether a compromise to their network or systems is likely and will put myself at risk. Others will obviously have a different take on this...
Dedicated MacNNer
Join Date: Jan 2004
Location: DC
I like the idea of using OSX Keychain for the reasons you state. Do you have to enter each password for each site you use directly into Keychain? I ask because I see only some of my passwords.
Clinically Insane
Join Date: Mar 2001
Location: yes
Originally Posted by ClaraT
I like the idea of using OSX Keychain for the reasons you state. Do you have to enter each password for each site you use directly into Keychain? I ask because I see only some of my passwords.
If you use a browser that integrates with the keychain, such as Safari, forms that don't have autofill disabled will store your passwords in the keychain, provided you also have this enabled in your browser. However, you can also easily input any usernames and passwords you want manually and recall them easily, which is what I do.
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Keychain (i.e. Safari Auto-Fill) is really mediocre compared to 1Password.
One of the best features of 1PW is that it syncs for free to multiple computers, iPhones, iPads etc.
Its Dropbox integration is superb and super-safe.
Now there's even 1PW for Windows, so you can go cross-platform.
-t
Dedicated MacNNer
Join Date: Jan 2004
Location: DC
Originally Posted by besson3c
If you use a browser that integrates with the keychain, such as Safari, forms that don't have autofill disabled will store your passwords in the keychain, provided you also have this enabled in your browser. However, you can also easily input any usernames and passwords you want manually and recall them easily, which is what I do.
Thanks. Just went in to Safari preferences and noticed I had not checked the user name and password box to be on.
Clinically Insane
Join Date: Mar 2001
Location: yes
Originally Posted by turtle777
I'm sure that 1Password offers many useful features that the Keychain doesn't, but the fact still remains that your password data lives in the cloud. Or, am I confusing this product with another?
Clinically Insane
Join Date: Mar 2001
Location: yes
Originally Posted by ClaraT
Thanks. Just went in to Safari preferences and noticed I had not checked the user name and password box to be on.
ClaraT, just to be clear since a lot of people don't realize this, the application I'm talking about is in your Applications -> Utilities folder and it is called "Keychain Access"
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Originally Posted by besson3c
I'm sure that 1Password offers many useful features that the Keychain doesn't, but the fact still remains that your password data lives in the cloud. Or, am I confusing this product with another?
Uhm, yeah, it's encrypted, 128-bit AES, they use OpenSSL.
How Secure Is 1Password?
Agile Keychain Design
I really don't see how this is NOT secure, as long as your master password is of sufficient strength.
-t
Dedicated MacNNer
Join Date: Jan 2004
Location: DC
Yes, good to be clear on specifying it's in our Applications folder. But... uhm, I would also like to hear what others think about cyber security as well and being smart about preventing identity theft. Any thoughts on the vulnerabilities of using our computers in public places and/or how hackers can get in through our wireless routers?
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Originally Posted by ClaraT
Any thoughts on the vulnerabilities of using our computers in public places and/or how hackers can get in through our wireless routers?
Well, this is a different question than how to store / retrieve your login IDs and passwords.
As a rule of thumb: on unsecured (untrusted) networks (using my own laptop / iPad), I only login to websites that use SSL, of which I would verify the certificate before going ahead.
Some might be paranoid enough to say that's still not secure enough - oh well.
I would NEVER type in any passwords on a public computer, since a key logger might be installed.
Your own wireless network is as safe as your router and encryption. If you use WEP2, you're considered safe by today's standards.
-t
Dedicated MacNNer
Join Date: Jan 2004
Location: DC
Originally Posted by besson3c
ClaraT, just to be clear since a lot of people don't realize this, the application I'm talking about is in your Applications -> Utilities folder and it is called "Keychain Access"
Oh, and I understood that Keychain is in Applications, but I needed to check the box for user names and passwords as mentioned already in Safari for it to work with Keychain. Otherwise I'm presuming you must enter into Keychain each user name and password manually.
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Originally Posted by besson3c
I'm sure that 1Password offers many useful features that the Keychain doesn't, but the fact still remains that your password data lives in the cloud. Or, am I confusing this product with another?
Oh, one more thing re: Keychain security:
The Mac OS X keychain uses Triple DES as its encryption algorithm which is quite secure, but is growing older and has been superseded by newer encryption algorithms with longer key lengths. The US government has deprecated the use of Triple DES and has set AES as its new standard.
History of OS X Keychain Integration in 1Password
Read: 1Password is actually SAFER than OS X keychain.
-t
Clinically Insane
Join Date: Mar 2001
Location: yes
Originally Posted by turtle777
That's not necessarily the part I'm worried about. What about the physical and local security where this data is housed? What about their internal security practices, employee turnover, etc.?
Like I said, one just can't know this. I'm simply more comfortable storing this information locally, as irrational as that may seem to you.
Clinically Insane
Join Date: Mar 2001
Location: yes
Originally Posted by turtle777
Well, this is a different question than how to store / retrieve your login IDs and passwords.
As a rule of thumb: on unsecured (untrusted) networks (using my own laptop / iPad), I only login to websites that use SSL, of which I would verify the certificate before going ahead.
Some might be paranoid enough to say that's still not secure enough - oh well.
I would NEVER type in any passwords on a public computer, since a key logger might be installed.
Your own wireless network is as safe as your router and encryption. If you use WEP2, you're considered safe by today's standards.
-t
Yeah, this is good advice. An SSL site technically doesn't guarantee absolute security since somebody could still be intercepting traffic before it leaves the local network if there is no encryption in place. Probably not terribly likely, but just sayin'...
I would say that in public places, do not log into anything that has any sensitive information, and if you want to login to a place such as this forum, use a password that is different than your most sensitive of accounts.
Secure your home network enough to deter war drivers (i.e. the stuff turtle is saying here).
Do not do business with a company that sends you your password in an email, this means that it is stored in plain text somewhere. Do not do business with a company that wants sensitive information of yours on a site that is not SSL protected (i.e. does not have a URL that begins with https://). Do not work with a company that you suspect has lousy internal security practices. Having secure tunnels and encrypted this and that doesn't really do much for you if some dude in the company is going to do something stupid and non-security minded. Obviously you can't really know this either, which is the rub...
Just keeping mindful of this sort of stuff is smart, but learn enough so that you are paranoid and driving yourself crazy - there is a definite balance here! Still, it is good that you are interested in learning some...
Clinically Insane
Join Date: Mar 2001
Location: yes
Originally Posted by ClaraT
Oh, and I understood that Keychain is in Applications, but I needed to check the box for user names and passwords as mentioned already in Safari for it to work with Keychain. Otherwise I'm presuming you must enter into Keychain each user name and password manually.
Correct!
With your banking sites and other sensitive accounts though the login page will often intentionally disable autofill via the HTML, so don't be shy about entering stuff on your own... What you'll get via autofill will be incomplete.
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Originally Posted by besson3c
That's not necessarily the part I'm worried about. What about the physical and local security where this data is housed? What about their internal security practices, employee turnover, etc.?
Like I said, one just can't know this. I'm simply more comfortable storing this information locally, as irrational as that may seem to you.
WHY is this relevant ?
If it's 128-bit AES encrypted, who the f*ck cares about people having access to it.
They could post it to their blog and it would still be safe.
-t
Dedicated MacNNer
Join Date: Jan 2004
Location: DC
Thanks once again. It's been an interesting subject and I've learned a lot.
Clinically Insane
Join Date: Mar 2001
Location: yes
Originally Posted by turtle777
WHY is this relevant ?
If it's 128-bit AES encrypted, who the f*ck cares about people having access to it.
They could post it to their blog and it would still be safe.
-t
At what point is the password encrypted into the hash? Is it encrypted at the desktop level, shipped off to the server end via a secure tunnel and written to their database? Shipped off to the server and encrypted at their end prior to being written to their database? The latter would make some sense since they could be using the most recent versions of the crypto library...
Either way, we don't know. We don't know if their machines have not been compromised or some employee has done something to inject some code to intercept prior to saving as the encrypted hash, if this is even what is going on. There is much we don't know.
Is there a huge cause to be worried? No. But, some amount of trust is definitely still needed. Some amount of trust is needed for me to save to the OS X keychain, but at least it is just being written locally, there are fewer variables involved that can be exploited.
I wouldn't even necessarily discourage people from using 1Password, I just prefer to take matters into my own hands rather than trusting a third party unless I really have to or there is an overly compelling reason to do so, that's all.
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Originally Posted by besson3c
At what point is the password encrypted into the hash? Is it encrypted at the desktop level, shipped off to the server end via a secure tunnel and written to their database? Shipped off to the server and encrypted at their end prior to being written to their database? The latter would make some sense since they could be using the most recent versions of the crypto library...
Each individual password is written as an individual file with names like 0A73DB9B5B4646DDA915682BE427A4FE.1password
It contains the encrypted password and other data.
The encryption takes place at the desktop level, then it's transmitted to the storage.
There is no "database", it's really a collection of encrypted password files that reside inside an OS X file "package".
Originally Posted by besson3c
Either way, we don't know. We don't know if their machines have not been compromised or some employee has done something to inject some code to intercept prior to saving as the encrypted hash, if this is even what is going on. There is much we don't know.
Not possible, unless they have access to your desktop, and find a way to exploit the 1PW app.
At the server side, all they have is encrypted data.
-t
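The "encrypt on the desktop, then hand the ciphertext to storage" model turtle777 describes here, together with the earlier point that such a record is only as safe as the master password behind it, as an added illustration that is not code from the thread or from 1Password. It assumes PBKDF2 for stretching the master password, an iteration count of 100,000, a random per-item file name, and an HMAC-SHA256 counter-mode keystream as a stand-in for the 128-bit AES the thread mentions (the Python standard library has no AES):

```python
import hashlib
import hmac
import os

# Constructed illustration, not 1Password's code: items are encrypted on the
# desktop with keys stretched from the master password, and only the resulting
# record is handed to local disk or a sync service. The stdlib has no AES, so an
# HMAC-SHA256 counter-mode keystream stands in for the 128-bit AES the thread
# names; the iteration count and the file-name style are assumptions.

ITERATIONS = 100_000  # assumed work factor: each guess at the master password costs this much


def derive_keys(master_password: str, salt: bytes) -> tuple:
    """Stretch the master password into a 16-byte cipher key and a 16-byte MAC key."""
    material = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS, dklen=32)
    return material[:16], material[16:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC(key, nonce || counter) blocks, used like AES-CTR output (stand-in only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def encrypt_item(master_password: str, secret: str) -> dict:
    """Encrypt one vault item locally; the returned record is all that leaves the machine."""
    salt, nonce, data = os.urandom(16), os.urandom(16), secret.encode()
    enc_key, mac_key = derive_keys(master_password, salt)
    body = bytes(a ^ b for a, b in zip(data, keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, salt + nonce + body, "sha256").digest()  # integrity over everything stored
    # Random, meaningless file name, in the spirit of the per-item files described above.
    return {"file": os.urandom(16).hex().upper() + ".item", "salt": salt,
            "nonce": nonce, "body": body, "tag": tag}


def decrypt_item(master_password: str, record: dict) -> str:
    """Recover the item; a wrong master password or a tampered record fails the MAC check."""
    enc_key, mac_key = derive_keys(master_password, record["salt"])
    expected = hmac.new(mac_key, record["salt"] + record["nonce"] + record["body"], "sha256").digest()
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("wrong master password or corrupted item")
    stream = keystream(enc_key, record["nonce"], len(record["body"]))
    return bytes(a ^ b for a, b in zip(record["body"], stream)).decode()


def leaks_secret(record: dict, secret: str) -> bool:
    """A sync server holds only the record; check whether any field contains the plaintext."""
    blob = b"".join(v.encode() if isinstance(v, str) else v for v in record.values())
    return secret.encode() in blob


if __name__ == "__main__":
    rec = encrypt_item("correct horse battery staple", "forum login: hunter2")
    print(rec["file"], "synced; plaintext visible to the server:", leaks_secret(rec, "hunter2"))
    print(decrypt_item("correct horse battery staple", rec))
```

The storage side sees nothing but the record, which is why the thread's caveat about master password strength matters: the key stretching only slows guessing, it cannot rescue a trivially short master password.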
Clinically Insane
Join Date: Mar 2001
Location: yes
That changes things then, but the 1Password site says this:
No worries: You're always in control of where your data is. The cloud is an option but not a requirement.
If the cloud is an option, how is it used? It looks like one way is via Dropbox (which introduces new variables). What you are describing sounds completely local, which I'd be far more comfortable with personally... If this option is enabled, is the hash still created locally and then just shipped off for remote storage (that's how I'm interpreting what you are saying)? If so, there is still trust involved to trust that the encryption is taking place locally, that it is taking place at all, that the app isn't doing anything malicious, etc.
This is an acceptable amount of risk for most people, for me I can live without the convenience of a password manager, so I'd just prefer to not have this risk at all.
(Last edited by besson3c; Aug 23, 2010 at 12:08 AM.)
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
You can choose to store it locally, or on Dropbox.
Either way, once the data is written to the local disk (or Dropbox), it's encrypted.
It's basically encrypted in 1PW, and then written out to wherever you choose.
Of course, you have to trust 1PW.
-t
Clinically Insane
Join Date: Mar 2001
Location: yes
Originally Posted by turtle777
You can choose to store it locally, or on Dropbox.
Either way, once the data is written to the disk (Dropbox), it's encrypted.
It's basically encrypted in 1PW, and then written out to wherever you choose.
Of course, you have to trust 1PW.
-t
And I have to trust the OS X Keychain too. I would revise what I said and would say that 1PW is a great solution for local storage of passwords, and perhaps even more secure than OS X Keychain too. For cloud based syncing/saving of passwords it is probably also fine, but additional trust is required at multiple levels. One simply has to ask themselves whether the utility provided is worth the necessity to trust, that's all.
For me, the utility isn't there. I'm happy enough with the OS X Keychain. Then again, maybe I don't know what I'm missing...
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Originally Posted by besson3c
For me, the utility isn't there. I'm happy enough with the OS X Keychain. Then again, maybe I don't know what I'm missing...
If you have one computer, you might be fine.
Having multiple Macs in the same household, all up-to-date with all passwords is really great.
Plus, you have 1PW for the iPhone, so even when you're on the go, you can have access to all your secure passwords, and don't need cheat sheets or something like that.
-t
Clinically Insane
Join Date: Mar 2001
Location: yes
Originally Posted by turtle777
If you have one computer, you might be fine.
Having multiple Macs in the same household, all up-to-date with all passwords is really great.
Plus, you have 1PW for the iPhone, so even when you're on the go, you can have access to all your secure passwords, and don't need cheat sheets or something like that.
-t
That might be useful. I have a few different passwords I use for different sorts of accounts, but every once in a while there is some sort of system with different password requirements or that uses PIN numbers of various lengths or something like that. There are also systems that are aggressive about locking you out, case sensitivity on password reminders, and various other hassles.
Maybe some day I will change my mind, but I would still say that having conversations like this is still a good practice. It is a good thing for everybody who is interested in using a product like this to think through all of this just as you have, because if people get into the habit of just treating their passwords and storage of passwords casually problems can ensue.
I know somebody who used to do IT for this one woman who used the password "a" for everything.