Heartbleed, 1Password and You


Heartbleed is a bug in OpenSSL. What this means to you is that if you’ve used HTTPS connections to access secure sites for online shopping and other activities, you might be affected.

News of this bug has spread like wildfire, and companies that have been impacted by it are doing their best to patch it. For now, it’s best to take a wait-and-see approach and watch for announcements from these companies on whether or not they have addressed the issue.

Heartbleed (and other security breaches in the past) has taught me one important thing: passwords are kind of a big deal.

Picking a password to use has gotten much more involved than it has been at any earlier point in time.

Your password should be difficult to crack. So no dictionary words. No favorite pet names. No anniversary dates or kids’ names. Ideally, your password should include mixed cases, numbers, underscores, special characters and spaces, and be between 12 and 14 characters long.

The problem is: good, lengthy passwords are tough to remember.

The situation gets worse when you have to remember unique passwords for each site you visit. Therefore, most people don’t bother to do this. Instead, the average person will stick with one or two passwords that they use on multiple sites.

Not changing your password periodically (or worse yet, using the same password on multiple sites) can potentially lead to data compromise. It took Heartbleed for me to take password security seriously.

Like most people, I was lazy.

My passwords, I felt, were difficult to crack, yet easy for me to remember. So, like most people, I would alternate between two to four such passwords for many of the sites I visited. The problem with this approach is that it increases the likelihood of a data breach. If my passwords were discovered by a malicious individual, each and every one of my online accounts could be easily compromised.

Two weeks ago I purchased AgileBits’ 1password 4 (available for Mac, iOS, Android, and Windows) during their 50% off sale. Over the past two weeks I have been reacquainting myself with this program. In my experience, 1password version 3.x was buggy, and never quite worked the way it was supposed to – so I resisted upgrading when version 4 was released. I’m pleased to report that my experience with the latest version has been excellent so far.

There are plenty of thorough reviews and screenshots on this product, as it has been available for over a year.

For a visual sense of what 1password is, take a look at the following video:

With 1password (currently version 4.3.2), I was able to generate robust, unique passwords for each of the sites I visit. All I have to do is remember my master password – 1password remembers the rest for me. (Aside: use XKpasswd to come up with a simple-to-remember, but difficult-to-crack, master password.)
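As an added example (not code from the post or from AgileBits), a small Python script that checks a password against the criteria listed earlier and compares the entropy of a random character password with an XKpasswd-style word passphrase; the short word list is constructed here, and the 7776-word dictionary size is an assumption (the size of a Diceware-style list).

```python
import math
import secrets
import string

# Constructed sample word list (not the XKpasswd dictionary); a real
# generator draws from thousands of words, which is what makes a
# four-word phrase strong.
WORDS = ["purple", "kitten", "river", "lantern", "copper", "maple",
         "window", "garden", "velvet", "anchor", "pencil", "meadow"]
ALPHABET = string.ascii_letters + string.digits + string.punctuation + " "
SPECIALS = string.punctuation + " "   # punctuation already includes "_"

def password_bits(length, pool_size=len(ALPHABET)):
    """Entropy of a uniformly random password: length * log2(pool size)."""
    return length * math.log2(pool_size)

def passphrase_bits(word_count, list_size):
    """Entropy of a random word passphrase: words * log2(list size)."""
    return word_count * math.log2(list_size)

def meets_policy(pw, dictionary=WORDS):
    """The post's criteria: 12-14 chars, mixed case, a digit, a special
    character/underscore/space, and no dictionary word embedded."""
    if not 12 <= len(pw) <= 14:
        return False
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in SPECIALS for c in pw))
    if not all(classes):
        return False
    return not any(word in pw.lower() for word in dictionary)

def generate_password(length=14):
    """Random password satisfying meets_policy; rejection sampling
    discards the rare draws that miss a character class."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(pw):
            return pw

def generate_passphrase(word_count=4, words=WORDS, separator="-"):
    """XKpasswd-style phrase: random words joined by a separator."""
    return separator.join(secrets.choice(words) for _ in range(word_count))

if __name__ == "__main__":
    print(f"14-char random password: ~{password_bits(14):.0f} bits")
    # 7776 is an assumed list size (Diceware-style), not the page's figure.
    print(f"4-word passphrase from 7776 words: ~{passphrase_bits(4, 7776):.0f} bits")
    print(generate_password(), generate_passphrase())
```

A 14-character random password from a 95-symbol pool is about 92 bits; four words from a 7776-word list are about 52 bits, so a passphrase needs more words to match, but it is far easier to remember.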

With the mobile app, I can take my passwords with me. Both my iOS devices and my Macs maintain the same master list of passwords thanks to Dropbox syncing, so I always have the most up-to-date passwords wherever I go.

1password keeps its data in a fully encrypted file. It not only stores login credentials, but it also can be used to input secure notes, credit card information, licences, software serial numbers, and much, much more. In short, the best analogy I can give about 1password is that it serves as my digital encrypted wallet.

The desktop version of 1password includes browser extensions you can install for Safari, Firefox and Chrome. With the extension you can autofill username and password information in your browser of choice, after you have supplied your master password. 1password also installs in your menu bar for quick and easy access.

The iOS version of 1password includes a built-in browser that you can use to auto-fill username and password fields. (Alas, the iOS version of 1password does NOT work with Safari – because of Apple’s restrictions.)

Both iOS and Mac versions are very easy to use, and in my own testing, syncing is flawless and fast between the devices. The best part about using 1password is that I now have strong passwords in place for all the major sites I visit – and I only have to remember one password.

1password’s support team is excellent. Even when I was cobbling along on version 3, their engineers worked with me to remedy the issues I was experiencing with that product.

1password for iOS retails for $17.99 (currently it’s available for $8.99) and Mac versions retail for $49.99 (currently on sale for $24.99 in the Mac App Store). I found both iOS and Mac versions to be well worth their retail price, and a steal at their sale prices. I’m very glad I upgraded.

If there’s any good thing that has come out of Heartbleed, it’s that I have finally embraced the use of 1password. I now have a robust password system that’s both secure and organized.

-Krishna

Related: For an excellent in-depth primer on using 1password (with a wealth of power user tips and tricks), be sure to listen to Mac Power Users Episode 173, featuring hosts David Sparks and Katie Floyd.

These beautiful and intelligent people wrote

  • hari
    April 10, 2014 at 11:58 pm

    KeePassX is a free and open source password manager that I use myself.

    Yes, it’s good to have tough-to-crack passwords, but this particular bug, the Heartbleed bug, is not about passwords, but about the underlying encryption protocol, the OpenSSL layer, which was broken, so having a tough password wouldn’t have helped in this scenario.

    The other problem is that many sites have stupid restrictions on the length of passwords, like 15 characters or, worse still, 8 characters.

    So the problem is at many levels.

    • Krishna M. Sadasivam
      April 11, 2014 at 6:05 am

      Yes. But the connection is this: if password data has already been compromised via Heartbleed, new passwords are in order.

  • SoItBegins
    April 11, 2014 at 6:24 am

    I understand that you prefer to use a password manager, but in this age of the whole NSA thing I really can’t trust any password storage program (except MAYBE Keychain Access).

    That said, yeah, I’m going to have to work on fixing my I-only-use-3-passwords habit (though I did use custom ones for each of my financial accounts, so those are safe at least).

  • Arkanabar
    April 12, 2014 at 10:40 am

    Changing your password at a site which has not patched SSL for Heartbleed is counterproductive, especially if your last use of that site was prior to Heartbleed’s introduction.

    I also use KeePassX, because it’s FLOSS and it’s cross-platform (I dual-boot Win7 and an assortment of mostly Debian-based Linux distros). I don’t know if it has the sort of power-user options that make 1Password so appealing to you.

    I got into the habit when I was deep into my job search, because most applicant tracking system sites will allow you to retrieve your SSN when you are signed in.
