One objection to using a password utility is that you could someday find yourself without your Mac (or iPhone) and in need of one of your passwords. What then? Wouldn’t it be better—just in case—to memorize all your passwords or to use a pattern that enables you to reconstruct them when necessary?
After years of having to use many passwords every single day, I like the convenience of automatic password entry. Extensive research on security has convinced me that reusing passwords or using simple patterns (except for passwords that serve only to identify me, not to protect any private data) is foolish. For me, relying on my brain instead of a password manager doesn’t make sense. My suggestion is to use Apple’s built-in Keychain and Agile Web Solutions’ $40 1Password utility, but also take a few extra steps to avoid getting stuck without a necessary password.
Keep a top-passwords list
Make a short list of the five to ten passwords that are most crucial to you—the ones you couldn’t possibly do without, even for a few days, and which you might need while traveling or if your computer breaks down. For example, my list would include the passwords for my OS X user account, my login and 1Password keychains, my bank account, my Apple MobileMe and Gmail accounts, and two or three others. My hundreds of other passwords, important as they may be, are less crucial. If I forgot one, I could probably recover or reset it—for example, by clicking on a Web site’s “Forgot my password” link and responding correctly to security questions.
Ideally, every one of these top passwords will be both highly secure and easily memorable—and unique. If they aren’t, this is the perfect time to change them. To address the risk that you might forget or confuse some of these passwords—perhaps in the future or under stress—write the list down and keep it in a safe but convenient place away from your computer, such as your wallet. (To thwart pickpockets, you might obfuscate the passwords, possibly by transposing the first and last character of each one.) You should also make sure someone you trust—for example, your spouse, a business partner, or your attorney—knows how to find this list. If anything happened to you, it might be necessary for a loved one or an associate to access your accounts.
Keep a copy online
I’m all in favor of regular backups, as well as MobileMe syncing, which can be configured to keep a copy of your keychains on Apple’s servers so you can sync them with your other Macs. However, even if you do either or both of these things, I recommend keeping another copy of your keychains or other password files in a secure location online. This could be your iDisk (for MobileMe members), a folder synchronized with online storage using a service such as Dropbox or SugarSync, or a Web-accessible online backup using a program like CrashPlan or Backblaze. If you do this, there’s a way to retrieve your passwords even if you’re away from home, if your computer is stolen, or if some other problem arises when you need them.
As long as you use the OS X keychain or 1Password files, your passwords are securely encrypted, so you can safely store them online without worrying that someone could get at them without your permission—as long as the password you used to secure your keychain is a good one! But there’s a catch: you can decrypt and view your passwords only on another Mac. If you think you might need to get at your passwords from a Windows PC, those files won’t do you much good.
Access passwords from anywhere
Unfortunately, Keychain Access offers no option for exporting your passwords in any other format. However, 1Password lets you export your data as an encrypted Web page. If you put this page in a location where you can access it online, you can get at all your passwords from anywhere in the world while still keeping them safely encrypted. To do this, open 1Password and choose File -> Export All -> Web Page. Select a name and a location, and click on Export. When prompted for an Access Code, enter one. (Note that this password will be used only to encrypt the Web page you’re now creating and that it can, and probably should, be different from your regular 1Password password.) Then click on Continue.
Put the resulting HTML file in your iDisk or another folder that’s synchronized with an online location. To access your passwords, view or download that HTML file, type your password in the Access Code field, and click on Unlock. As long as you have your short list well in hand (or in brain) and the rest of your passwords stored safely online, you can rest assured that you’ll always be able to get at all your passwords when the need arises.