Ben Dodson

Freelance iOS, Apple Watch, and Apple TV Developer

Passwords and Encryption

I’d been thinking for a while that my password setup wasn’t particularly secure; a fairly basic 10 character password with a mixture of uppercase, lowercase, and some digits that I used on every website and rarely changed (maybe once a year). I’d been reading about 1Password but could never really be bothered to make the switch. I had some spare time over the Christmas holidays so I finally got around to changing over to a much more secure system. This entry is a roundup of the process I went through.

Using a password manager

The first thing to do was switch to a system of having a different password for every website. The reason for this is that a single breach of one account will lead to vulnerabilities in the others (and there are a lot of websites and apps out there that store your password in an unencrypted form). Each password should also be very secure.

To do this, you really need a password manager; an app that will store all of your passwords for you. After a bit of research, I found 1Password to be the most suitable for my needs. As well as storing passwords, it can also generate secure passwords (easily variable by length and number of digits and symbols) and store items such as license keys and credit card numbers. There is also a companion iOS app (very important) with cloud syncing and you can even open the database securely on other machines as the file itself has a web version of the app built in! The main thing though is that it is incredibly secure. I have a lot of trust for a company that is willing to publish exactly how they store passwords and can reliabily demonstrate how difficult it would be to crack (not impossible, but incredibly difficult).

I downloaded the 30 day trial of the Mac app and came across my first decision; what to use for a master password? The core database is secure from automated attacks so the weakest link is going to be the password I choose for it. Obviously I shouldn’t use a basic password as I had before but it needs to be something I can remember (but not be directly related to me - after all, you’re most likely to be hacked by people that know you). Enter an excellent password generation system called Diceware, a completely random way of creating a password. It works by giving you a list of words with a 5-digit code next to each one. You roll 5 six-sided dice and the result is your first word (i.e. if you rolled 1,6,3,2,2 then you’d look up 16322 in the Diceware wordlist and come up with ‘celia’. You repeat this process until you have a string of random words such that you get a password like ‘celia autumn well stern romeo veil’. As they are based on real words, you can remember them quite easily by linking them as a sentence or story. For additional security, you can mix it with your own system of punctuation or spacing so you end up with a possibility such as ‘Celia Autumn. well stern. Romeo:veil’ which would be a difficult password to crack but not too bad to remember. If you don’t like the idea of using a list such as Diceware, you could choose random words from a book with dice to choose the page number, line number, and word. For more ideas and an indepth look at generating a secure master password, read “Toward Better Master Passwords” from the AgileBits blog (I’d also recommend this xkcd comic on password strength).

With a master password chosen, I found it beneficial to type it out 50 times to get my fingers used to it. I had no problem remembering my password after that so I never had to write it down anywhere, something which may be a good idea for helping you to remember for the first few days but just seems a bit lax to me. Next, I went through the websites I used most often and updated their passwords with newly generated ones. I’m still stumbling across websites that I haven’t updated so I just make sure to create a new password for any website when I next use it.

Finally, I purchased the iOS app and set up syncing via Dropbox. This ensures that I can always access the core database i.e. from another machine. The iOS app works very well and whilst it can be a pain to have to type in my mammoth password and then copy / paste whenever I want to do something such as purchasing an app, I deem it a worthwhile inconvenience.

After 2 weeks of using 1Password, I’ve found it to be an incredibly useful solution. I assumed that the hassle of typing in my master password to get to my other passwords would be a hassle but overall I’m actually faster at accessing sites than before. This is mainly because I have different email addresses or usernames for each website or account. That information is now stored along with the password so I never enter the wrong details (or have to go through the time consuming ‘recover password’ options). I tried using the Safari extension for a while (which enables automatic form population) but ultimately found this to be distracting (prompting when I didn’t want it to) so uninstalled it.

Encrypting insecure apps

Whilst I was on a security warpath, I decided to try and do something about securing apps that have very poor or no built-in security. The main two offenders for me are Day One and Money both of which store their (sensitive) data in a completely accessible format. Whilst Day One does provide a password option, that is just for the app; you can read the XML files directly from the hard drive. As I store both of these databases in Dropbox (for easy syncing and backup), I wanted something a bit more secure.

That’s when I found Knox which happens to be made by AgileBits, the same people behind 1Password. Knox is an encryption utility that allows you to create secure ‘vaults’. These vaults are secured by password and when unlocked take the form of a mounted disk image. You can put anything you want in them, and when you eject them they become a single encrypted file.

In my setup, I created a new vault for each app, secured it with a ridiculously secure password (stored in 1Password), and then moved the database for each app into the mounted vault. Whenever I want to use the app, I unlock the appropriate vault and then launch the app from the vault itself. Once I’ve added my diary entry or transactions, I quit the app, and then close down Knox. The advantage to this is that if you open up either app without the vault unlocked, it can’t find the database so it creates a new one (meaning anyone trying to look at my transactions will just get a blank app).

The only issue I had with this set up is that I didn’t want to store the raw database files in iCloud or Dropbox (I do keep the Knox vault files in Dropbox though). This means that I lose the option to sync with a companion device so I can’t update Day One or Money via their companion iOS apps. This is more frustrating for Money (as I’m more likely to want to add a transaction at the point of purchase) but isn’t a dealbreaker for my usage. I’d rather have my transaction history secure and accessible on one machine than insecure and synced on all my devices.

Locking down my laptop

The next thing for me to do was to increase the security on my MacBook which I use as my main machine. OS X has a lot of built-in security options that aren’t enabled by default. The first one I enabled was ‘FileVault’ which automatically encrypts your hard drive. The issue with it is that if you forget your main OS X password then there is no recovery for the files on the machine unless you have a special code that you are given at the time of enabling. I stored this in 1Password for extra security but as everything important in my machine is backed up on Dropbox (and also via Time Machine which you can also encrypt) I don’t feel it’s a big issue for the extra security it affords.

The other setting I enabled was ‘Empty Trash Securely’ which you can enable in ‘Finder Preferences’. This basically performs a government style wipe on files as they are deleted from Trash meaning they are effectively shredded rather than just deleted. Emptying the Trash takes longer as a result but, again, it’s a worthwhile trade off.

Finally, 1Password obviously can’t store my MacBook login (as you can only access it when logged in unless you visually copied it from an iOS device each time) so I needed to choose a new secure password for that. In my opinion, the password should be different to the 1Password master password but just as secure so Diceware combined with personal alterations is a good choice.

Conclusion

This new set up is obviously much more secure than what I was doing previously but I was struck by one fairly big problem; password resets. For instance, my Amazon password is very secure (so secure I don’t even know what it is) but it can be reset by answering security questions which are usually of the order of date of birth and Mother’s maiden name. By their very nature, a security question is a very personal thing (“what was your first pets name?”) so anybody that knows me (or can do a basic Google search) would be able to reset my accounts. That is partly how Mat Honan of Wired was successfully hacked last August.

The best defence (in my opinion) against something like that is to fudge the security questions. If you accept the premise that your 1Password account is secure, then you don’t have need for the security questions (as you’ll never lose the password) so you should just fill them in with rubbish. Alternatively, create lies that you store in your 1Password account. If a website forces you to store something like “first pets name” then choose a random word from the Diceware list (i.e. ‘Celia’) and note that down against the account in 1Password. This is particularly useful for over-the-phone accounts (i.e. trying to reset iCloud) as anybody trying to breach your account will think they know the correct answer (my first pet was called ‘Chip’ to save you searching) but you’ve outsmarted them with a lie. When you need to verify yourself, you can simply look up the ‘correct’ answer from your secure 1Password database. As AgileBits point out ‘there are more ways to lie than to tell the truth’.

Nothing is ever going to be 100% secure, but these new changes should significantly reduce the chances of having my data or identity stolen. Hopefully the steps I’ve outlined above will make you think about how you are securing your information and help make you a bit more secure this year.

Freelance availability » « Dryathlon