It was a relaxed SMUG crowd that heard Owen Saxton's Shareware presentation (available online here) and they were apparently unrattled by Phil Geller's warnings about our diminishing internet security either:
Phil Geller of WorkingMacs demoed 1Password. (Note from Dave: Phil is not an employee of 1Password/Agile Solutions.)
There are a LOT of websites out there where we enter passwords, so we pick a password that we can remember. He showed the most common passwords, as listed on the Huffington Post: 12345, password, trustno1, etc. (Note from Dave: Hmm, kind of easy to guess those.)
Phil showed that Sony was hacked again, and 1 million passwords were exposed, and Gmail and Yahoo passwords were exposed.
Here's a formula we should think about: same password + many sites + frequent breaches = compromised security.
So what should we do about our passwords?
Phil recommends 1Password. It is easy to use once you get into it (there is a learning curve).
You pick one good, memorable password. Then you let 1Password remember your current passwords. Use 1Password to generate better passwords for websites containing sensitive data. Be sure to have a backup of your 1Password stuff! (You can use DropBox for that.)
What makes a good password?
Functional: It is memorable and typeable.
For most of us: Longer, mix of numbers, letters, punctuation, and spaces.
Even better: nonsense, not in dictionary, unpredictable.
A 9 character password takes a few months to break; 10 characters, 14 years.
You never have to remember the passwords generated by 1Password.
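To make the "same password + many sites" formula and the length advice concrete, here is a small audit sketch added for this write-up (it is not from Phil's talk and is not how 1Password works internally). The site names, the sample passwords, the 10-character threshold and the guessing rate are assumptions, so the absolute crack times will not match the figures quoted above; what carries over is that each extra character multiplies the search by the size of the alphabet.

```python
import secrets
import string
from collections import defaultdict

COMMON = {"12345", "password", "trustno1"}  # the common passwords named in the talk
ALPHABET = string.ascii_letters + string.digits + string.punctuation + " "  # 95 symbols
GUESSES_PER_SECOND = 1e9  # assumption: attacker speed, not a figure from the talk
SECONDS_PER_YEAR = 365.25 * 24 * 3600
MIN_LENGTH = 10  # assumption: threshold picked for this example

def generate(length=16):
    """Random password drawn uniformly from ALPHABET using a CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def worst_case_years(length, alphabet_size=len(ALPHABET)):
    """Years needed to try every password of this length at the assumed rate."""
    return alphabet_size ** length / GUESSES_PER_SECOND / SECONDS_PER_YEAR

def audit(logins):
    """Return {site: [findings]} for a {site: password} mapping."""
    sites_by_password = defaultdict(list)
    for site, pw in logins.items():
        sites_by_password[pw].append(site)
    findings = defaultdict(list)
    for pw, sites in sites_by_password.items():
        for site in sites:
            if pw.lower() in COMMON:
                findings[site].append("common password")
            if len(sites) > 1:  # one breach exposes every site sharing it
                others = sorted(s for s in sites if s != site)
                findings[site].append("reused on " + ", ".join(others))
            if len(pw) < MIN_LENGTH:
                findings[site].append("shorter than 10 characters")
    return dict(findings)

# Constructed sample data, not real accounts.
SAMPLE = {
    "mail.example": "trustno1",
    "shop.example": "Blue-Kettle 42",
    "forum.example": "Blue-Kettle 42",
    "bank.example": generate(),
}

if __name__ == "__main__":
    for site, notes in sorted(audit(SAMPLE).items()):
        print(site, "->", "; ".join(notes))
    print("10 vs 9 characters: x%d" % round(worst_case_years(10) / worst_case_years(9)))
```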
Phil opened 1Password. It wants a master password, and it has a password hint. It also has sections: logins, accounts, identities, secure notes, software licenses, wallet, etc.
He started with logins. There was a button for adding sample data to show you how this looks, and it shows what the data could look like for various accounts like tumblr, youtube, etc.
He opened MobileMe and put in his password. It asked about saving this me.com Login in 1Password. You do not have to have 1Password running to use it: it installs plugins to Safari, etc.
Okay, he went to me.com, and there is a 1P icon in Safari next to the forward/back buttons in the upper left corner. Firefox and me.com have the same thing with the 1P button. You can use it to log in. This works with Chrome.
There is a keychain on the Mac for this kind of thing, but 1Password is more powerful, and it switches browsers easily.
(Aside: You could have 1Password just on your computer, or in the cloud; it would take about 15 or 20 years to crack it.) Suppose you want to change your password. Where do you go to change it? In Yahoo, you have to figure out where to go: he found it under account info. He told it to use the 1Password password: enter your current password, then generate a password in 1Password, which shows its strength.
He showed how to do a credit card purchase. He went to the Identities section of 1Password which has the name-date-email stuff you enter with credit card purchases: this makes it easier to buy online. (Aside comment: 1Password claims you never have to change your master password.) With the credit card, 1Password has a section called my wallet where you can store your licenses, credit card information, etc. (Amazon does store your password, let's hope they do not get hacked.)
1Password Secure Notes lets you keep any information in freeform text format while keeping it safely encrypted along with the rest of your 1Password data.
1Password is like a very advanced keychain, more powerful and easier to use.
A lot of sites have different ways to enter information (ID, username, etc.), but 1Password usually gets it right. Flash can screw it up. 1Password will work with about every site.
A lot of us have more than one computer: a Macintosh, and an iPad, and a Windows computer, etc. With DropBox (store your data in the cloud), you can get a free 2 gig account. You get a DropBox folder that syncs to all your devices. You move the keychain to Dropbox for 1Password, it puts the folder in your home folder. (1Password did try doing the cloud thing with MobileMe, etc. but DropBox works much better.)
1Password is designed with the idea that someone might get your keychain, but they still won't get your stuff.
Phil showed his iPhone, using a video camera. (Note from Dave: I have used a little webcam, Phil's camera had better resolution.) He entered a passcode (the 4 digit pin for the phone), and 1Password showed login, wallet, notes, and passwords, and it asked for the master password. The phone has a 4 digit pin which is not so secure, so 1Password gives a nice second level of security.
On Yahoo's login screen, 1Password fills in the blanks, but it will not press the sign-in button. (Phil had a little trouble, it needed the master password, he filled in info, oops! He tried again. Well, he got it eventually.) Any password you saved on your computer, you now have access to on your phone. Phil got the computer stuff to his iPhone through Dropbox.
Phil showed 1Password on the iPad: it looks a little different. The master password can be different on your computer, iPad, and iPhone. He synced a Secure Note with DropBox, and he picked up that iPad note on his computer.
One guy put this on his iPhone, forgot his 4 digit pin. (Note from Dave: Um, well, you do have to remember SOME passwords!) Phil said delete the 1Password app and start over. The 4 digit pin is just to unlock the phone, you still have the 1Password master password.
Phil said Dropbox is a great way to back up data. You might not want your DropBox password to be too cryptic, or you might at least have it in more than one place. (Note from Dave: Please, yes, do not ask us how to remember your DropBox password!)
Dropbox was open for a short time, Phil heard it might have been a programming error; when DropBox saw that, they logged everyone out to be safe.
The iPad and iPhone have their own master passwords, but you do have to enter the computer master password the first time you use 1Password on them. On the iPhone, the low security is the 4 digit pin, the high security is the master password.
Phil likes that 1Password has thought this through. They always do new releases. They make it easy to have good passwords, the passwords are easily available on multiple devices, it is easy to logon to websites, easy to use credit cards online, and you are less likely to fall for phishing attempts.
He briefly talked about advanced topics like login and passwords on different pages, and bookmarklets used in Safari to grab 1Password passwords on the phone.
1Password has videos on their website to help you learn it.
Phil used Snow Leopard. The older version of 1Password supports Leopard and Tiger. 1Password is also on iOS, Android, and Windows. (Note from Dave: Well, that covers all my stuff!)
On the Mac, it is $40, and we get a 25% discount at https://agilebits.com/store?d=MUG
For iOS, $12 for 1Password Pro (iPad, iPhone, iPod Touch), and $10 for 1Password (iPhone or iPad only).
Can a key logger program pick up 1Password passwords? Phil is not sure. He will look into that. Okay, he sent me (Dave) an email about this. Start email message from Phil:
During my presentation Monday there were a few questions I couldn't answer completely. I received the following from AgileBits support. Maybe you can include this in the newsletter.
About a keylogger capturing the Master Password:
"1Password protects against keyloggers gaining access to your accounts by not typing in the passwords for your sites. If there is a keylogger installed on your system, it could glean your master password, but the attacker would still need your data file in order to make the master password of any use. (This assumes your master password is a strong and unique password that you do not use elsewhere.) One key point is that if your system has been compromised with a keylogger, the damage is likely already done. Many logging utilities also log window and click positions as well, so it is possible for them to know your master password even if your password manager uses a virtual keyboard. If the keylogger is the most basic, in which it relies on the keyboard, it will not work on Mac. OS X has a security feature where if an app uses the 'Secure Input Event' like we do for our master password field, the OS will step in to protect the keyboard from getting sniffed out by any other process except 1Password. Here's a technical note from Apple:"
I think this highlights my point about their design team being several steps ahead of us. So by buying into this system, you have an expert looking out for you.
And for the question about storing documents securely in 1Password as attachments to notes:
"Yes, the attachments are stored in an encrypted form in 1Password. The attachment size is around 20MB. We do not support syncing the attachments yet to the iOS devices. It is something we hope to implement in a future update but I do not have a timeframe on this. For more information on attachments:"
1Password has the licensing model where you can install it on as many Macs as you own.
Phil has used 1Password for about a year and a half. And he finds it is good. One reason to use 1Password is to see how good software can be. If you use other computers, you can use it with a USB stick or DropBox. For computers you use on the road, not thru phone, you might want a simpler password.
Licensing is as many macs as you own (1Password has a Windows and Macintosh bundle for $60). And you do need to buy the iOS versions of 1Password even if you bought the Mac version.
Dave Strom, SMUG Vice President