Another reminder today that we as a culture (or whatever we are) don’t seem to value our security all that much (note that I said security, not privacy). I watched a couple dozen tweets roll by urging me to go see who’s stalking me on Twitter … I jumped over to find a page that wanted my Twitter username and password so it could show me the last 200 visitors to my Twitter page. First of all, how in the hell would it be able to tell me who the last 200 people who stumbled across my Twitter page were and why in the world would giving it my username AND password help? Scam.
This is just another example of how cavalier we all are on the social web. I’m sure many of you read about the security breach involving Google Docs and Twitter … an illustration that much of our information across the social web is only as secure as our password habits. I know two weeks ago I was using the same username and password combo at nearly all the social sites I routinely participate in. After reading the Twitter story I changed all that. Here’s a quick rundown of what I am doing … this is not de facto secure, but I feel much better going forward.
I got a free Dropbox account (if you click that link it includes a promo code for us both to get a little extra storage). What Dropbox does is add a folder to your home directory in Mac OSX that is constantly watched and synced back up to the Dropbox server. There are two things I really appreciate about the service … first, it is really fast. Things sync much quicker than with my iDisk. Second, since it is an actual directory here on my machine (or in my case, machines) my files are local and I don’t need to be connected to the web to grab my files. What Dropbox is giving me is a super fast way to keep the next ingredient of my solution working across multiple machines.
I downloaded and installed 1Password. 1Password is a client-based password management tool that allows you to create, manage, and use passwords in a secure way. Once installed it adds a little icon to your browser that will auto-fill usernames and passwords for you with a click. It also generates secure passwords for you on the fly, so I can have a different, random password for Facebook, Google, Twitter, and you name it.
To put the two together you first have to switch to using an Agile Keychain in Mac OSX. This essentially creates a separate non-system level keychain bundle that can be stored elsewhere — in this case in your Dropbox folder. Then, once that is complete just follow these steps to point your 1Password client to that keychain. Once that is complete you can install 1Password on your other Macs, pointing to your existing keychain being synced by Dropbox so things stay in sync.
The life saver so far has been the iPhone app for 1Password. This has a two-layer password scheme for exposing the password text … that is really useful for when you are using a lab machine or one other than your own and you can’t recall the randomly generated 30-character password.
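To make the two ideas above concrete (random per-site passwords, and why the single shared password was the problem), here is a small added example in Python. It is not code from the post or from 1Password; the 94-symbol alphabet and the sample vault are my own assumptions, chosen only to show how much entropy a 30-character random password carries and how a reuse check across a vault would flag the "same combo everywhere" habit the post describes.

```python
import math
import secrets
import string
from collections import defaultdict

# Printable ASCII minus whitespace: 94 symbols. Assumption: a stand-in for a
# password manager's generator alphabet; 1Password's actual alphabet may differ.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 30, alphabet: str = ALPHABET) -> str:
    """Draw each character independently from the OS CSPRNG (secrets, never random)."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def find_reused_passwords(vault: dict) -> dict:
    """Return {password: [sites]} for every password shared by more than one site."""
    by_password = defaultdict(list)
    for site, password in vault.items():
        by_password[password].append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


# Constructed sample vault mirroring the post's starting point: one password reused
# across the social sites, a separate one for the bank.
SAMPLE_VAULT = {
    "twitter": "summer2009",
    "facebook": "summer2009",
    "google": "summer2009",
    "bank": "a-different-one",
}

if __name__ == "__main__":
    print(f"{entropy_bits(30, len(ALPHABET)):.1f} bits for a 30-char random password")
    print(f"{entropy_bits(10, 26):.1f} bits for a 10-char lowercase word")
    print("reused before:", find_reused_passwords(SAMPLE_VAULT))
    # Replace every entry with a fresh random password, as a manager would.
    fixed = {site: generate_password() for site in SAMPLE_VAULT}
    print("reused after:", find_reused_passwords(fixed))
```

The point of the reuse check is that a leaked or phished password (the "who's stalking you on Twitter" page from the top of the post) only unlocks the one site it belongs to once every entry is distinct; the entropy figure shows why a 30-character generated password is not something you recall from memory, which is exactly the gap the phone app fills.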
Even if it isn’t an ideal solution, it feels a hell of a lot safer than trusting that no one could ever pull a password recovery scam on me and get access to everything I have across the social web. Your mileage may vary, but I recommend you come up with a solution that makes sense to you and if we are sharing documents on Google Docs, please work out something so our secrets aren’t compromised. And D’Arcy, I’ll be waiting for you to follow through with your tweet …
http://accountr.darcynorman.net
Brilliant. I filled out the form. I feel so much more secure now … thanks to you, D’Arcy!
I’ve always used a tiered password system. Bank accounts get one password, email another, important services one more and then finally everything else gets a basic one.
Of course, as your example shows above, changing to separate passwords for each account is difficult (and in the case of 1Password, expensive). Things will never be secure until OpenID, other authentication movements and big companies figure things out (ahem, Google).
For now though I’m using LastPass (which is free, cross-platform and cross-browser) to try and make things work a little better for myself.
Finally, Dropbox is magic. It means you never have to worry about where your files are… ever.