This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

Why use 1Password instead of a free solution?

jwics
edited March 2012 in Mac
[b]I can't stand companies that charge for security.[/b][list]

[*]How can 1 password ever be secure???

[*]How can you trust a single organization to secure your online resources?

[/list][list=1]

[*]Never log on to a site that only offers plain text (HTTP). Always log on to a secure site (HTTPS)

[*]Use a [b]different password for each account[/b]

[*]Use extremely long, complex passwords ([b]64 characters or more[/b]). Make sure you can't remember your passwords.

[*]Use a password generator, e.g. [b]pwgen[/b] or [b]KeePass[/b]. Those are free of charge and can be downloaded for any OS.

[*]Use special software to encrypt and store your passwords, e.g. [b]TrueCrypt[/b]. You can store your passwords on a USB stick.

[*][b]Update[/b] your passwords regularly.

[/list]



This advice is free of charge (inlove)

Comments

  • NovaScotian
    NovaScotian Senior Member
    And why do you feel obliged to tell us what most of us know? A market, as it is said, is a difference of opinion. AgileBits values its product by setting a price. We who buy it disagree with that value -- we think it's worth more than that and that we're getting a bargain.
  • charlie98
    charlie98 Member
    I have to wonder why anyone would store their password on a TrueCrypt volume and/or USB stick while using a seriously long password that you can't remember. After you do this once it will occur to you what a brilliantly stupid idea that was. (giggle)
  • khad
    khad Social Choreographer
    edited March 2012
    Welcome to the forums, jwics!



    Great advice about using secure SSL connections rather than insecure ones. It isn't possible to use SSL everywhere, since not every site supports it, but if the option is available always use HTTPS.



    Using strong, unique passwords for every site is exactly what 1Password is designed to help folks do. Again, a great point! The longer the better as you say. Some sites do restrict password length and character set, so you might not always be able to use a 64 character password. However, 1Password makes it easy to generate and store a password as long and strong as the site will allow. In fact, 1Password even has a password generator built right into the browser extension, so you can generate secure passwords for websites as you go. There is no need to open another application and interrupt your browsing to get strong security.



    As for your suggestion to use an encrypted vault for password storage, I must say that it is better than a plain text file (or Excel as I've seen others use). However, it is not as secure as it could be.



    One of the great features of 1Password is that it [b]only decrypts the specific piece of information you need at any given moment[/b]. Your entire data file is never decrypted [i]all at once[/i]. This is a huge security benefit compared to using something like an encrypted vault to store your passwords. Additionally, using 1Password's browser extensions increases security because you can fill passwords directly rather than copying them to your clipboard in the clear. But even if you do need to copy your password to the clipboard for some reason, 1Password will remove the password from the clipboard after a period of time that you specify. I don't know of any encrypted vault that will do that.



    Oh, and I must respectfully disagree with your suggestion to change passwords regularly. You might want to read this article:



    [url="http://www.pcmag.com/article2/0,2817,2362692,00.asp"]Changing Passwords Isn't Worth the Effort[/url]



    Or, better yet, [url="https://docs.google.com/viewer?url=http://research.microsoft.com/en-us/um/people/cormac/papers/2009/SoLongAndNoThanks.pdf"]the original research paper[/url] which Neil cites in it.



    In general, attackers use passwords as soon as they get them. They don't sit around waiting to use them. Unless you change your password precisely between the time the attacker gets it and before he uses it, it doesn't really do any good. And the odds of that are extremely slim.



    Advice to change passwords with any regularity is essentially a waste of time if you use strong, [i][b]unique[/b][/i] passwords for each site. If one site is compromised, none of the others will be. Change your password as quickly as possible at that time.



    Do you think reporting your credit card lost/stolen every month to get a new card number every 30 days will prevent a thief from obtaining and using your card number? Of course not. It is just more hassle for you, and the thief has about 29 days every month to still do some damage. ;)



    None of what you wrote detracts at all from the security of 1Password, so I'm not sure how you are asserting that 1Password isn't secure — a rather bold claim. But if you have any evidence to back up your assertion or further questions for me, please let me know.



    It is always great to be thinking about security, and I love to discuss it as well!



    Cheers,