
Private I: Choosing whether to sync your passwords

Glenn Fleishman | Dec. 5, 2014
Every password you create should be unique: every site, service, or system needs its own. Also, they should be long, not contain any words found in dictionaries, and contain punctuation, a clearly expressed thought, and your grandmother's famous corn-pudding recipe.

Apple generates almost memorable results: twelve characters in four groups (separated by hyphens) with a mix of upper- and lowercase letters and numerals. iCloud Keychain will also store and sync any passwords you enter in Web forms (with your permission), and other system passwords, including for Wi-Fi networks.

The password generation and storage only works within Safari, although third-party apps can use iCloud Keychain for storage and syncing. Several third-party options provide similar benefits and broader ones. I use 1Password; many of my colleagues turn to LastPass. These combinations of password generator and safe work across multiple platforms and offer multiple methods for sync. In iOS 8, using App Extensions, they can tie directly into Safari. 1Password has an API that many popular apps have tapped into, letting you access your stored passwords outside the 1Password app. Both also allow Touch ID for unlocking. (Transmit for iOS is a favorite, since it's a file-server connection app that can use 1Password when I'm setting up connections that I also use on the desktop.)

To sync or not to sync

So here's the thing: if you're going to all this trouble to create distinct passwords, isn't it a terrible, terrible idea to have them all in one place protected by a single password that you have to be able to remember? And if you're syncing your password cache via Dropbox, iCloud, or another cloud-storage system, aren't you exposing all those passwords to easy, mass theft? Not really, even though it might seem like a huge risk.

First, you have to consider physical access. With iCloud Keychain and 1Password, someone has to gain local access to a device or computer. (Remote screen-sharing to a Mac is also a risk, depending on how or if you've set that up.)

Second, even with physical access (or Web-based access with LastPass, explained next), someone has to have your master password or other factors. Apple and third-party password apps offer all sorts of options for further securing access on mobile devices and computers. Even if someone gets hold of an archive for a third-party app that contains your passwords and can crank away automatically trying different passwords for hours or years, the cleverer method by which 1Password, LastPass, and others hash your master password makes every single attempt computationally expensive.

Third, there are two different parts to gaining access to cloud-stored data. The first is account access; the second is decoding the data stored there — the same problem as in the second point above. Apple secures iCloud Keychain with additional protection on top of the now beefed-up security for iCloud storage in general. It's so secure that you can wind up accidentally locking yourself out and being unable to sync! I confess this almost happened to me after an iPhone upgrade in which I failed to record a PIN I used as a backup. (See, it happens to all of us!)
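The per-attempt cost described in the second and third points, as an added example that is not from the article or from any of the products it names. It assumes PBKDF2-HMAC-SHA256 with 100,000 iterations as a stand-in key-stretching function (the article does not say which algorithm or work factor each product uses), and the sample passwords are constructed.

```python
import hashlib
import hmac
import os
import time

# Assumption: PBKDF2-HMAC-SHA256 stands in for the vault's key-stretching
# function; the iteration count is illustrative, not any product's setting.
ITERATIONS = 100_000


def derive_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into a 32-byte vault key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def make_verifier(master_password: str, iterations: int = ITERATIONS):
    """Return (salt, iterations, key); a random salt defeats precomputed tables."""
    salt = os.urandom(16)
    return salt, iterations, derive_key(master_password, salt, iterations)


def check_password(candidate: str, salt: bytes, iterations: int, expected: bytes) -> bool:
    """Every check, legitimate or not, pays the full stretching cost."""
    return hmac.compare_digest(derive_key(candidate, salt, iterations), expected)


def seconds_per_guess(iterations: int, trials: int = 3) -> float:
    """Measure the average wall-clock cost of one derivation on this machine."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(trials):
        derive_key(f"guess-{i}", salt, iterations)
    return (time.perf_counter() - start) / trials


def years_to_exhaust(guess_space: int, per_guess_seconds: float) -> float:
    """Worst-case time to try every candidate at the measured rate."""
    return guess_space * per_guess_seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    salt, n, key = make_verifier("constructed sample passphrase")
    print("correct password accepted:", check_password("constructed sample passphrase", salt, n, key))
    print("wrong password accepted:  ", check_password("letmein", salt, n, key))
    space = 62 ** 8  # constructed example: 8 random letters and digits
    for rounds in (1, ITERATIONS):
        cost = seconds_per_guess(rounds)
        print(f"{rounds:>7} iterations: {cost:.6f} s/guess, {years_to_exhaust(space, cost):,.0f} years for 62^8")
```

The absolute figures are for one CPU core on the machine running the script; what carries over is the ratio between the two rows, which is the extra work the stretching adds to every guess.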

