Every password you create should be unique: every site, service, or system needs its own. Also, they should be long, not contain any words found in dictionaries, and contain punctuation, a clearly expressed thought, and your grandmother’s famous corn-pudding recipe.
Passwords are ridiculous, and you may be daunted because millions of them pour out of cracked databases and websites all the time. You may have become a fatalist, assuming that whatever and however you create and use passwords, they are likely to fail.
I’m here to tell you that you needn’t despair. It’s still worth putting the effort into unique, strong passwords that you don’t memorize—except one, and you can make it memorable without risking anything.
The cracks you hear about typically involve the leak of account names or emails paired with encrypted passwords, ones that are scrambled using a cryptographic “hashing” function that grinds the “plaintext” (your actual password) through a series of mathematical operations that produce a result that can’t be reversed to recover the original.
Not strong enough.
Common passwords can be tested against the hashed results, and, if the passwords lack an extra bit of entropy, called a salt, any successful test of a password against its hashed equivalent matches all accounts in the leaked information. This is why researchers know that “123456” is a common password, for instance.
In those leaks, so long as the passwords are encrypted at all, choosing a strong password will resist efforts to crack it. Choosing a different robust password for every use also means that a total failure at one site or service doesn’t provide access to every aspect of your identity everywhere.
As with many other aspects of online security, unless you’re targeted specifically—where a malicious party, a criminal, or a government puts determined effort to get your details—you can still mitigate your risk. You might be thinking ahead, though: if I make a bunch of passwords that are impossible to memorize, don’t I still need to secure them in a way that’s weak? I’ll get to that, I promise.
Stong passwords are generated, not dreamed up
It’s never been easier to set and store unique and strong passwords, making them easily available when you need them. Apple’s addition of iCloud Keychain in Mac OS X 10.9 Mavericks and iOS 7 in 2013 was a boost, though it’s not comprehensive. In Safari, iOS and OS X can suggest a long, strong password, and then store it locally, and optionally sync it to other devices that are logged into the same iCloud account. (Joe Kissell wrote a tutorial that’s still accurate in iOS 8 and Yosemite.)
Apple generates almost memorable results: twelve characters in four groups (separated by hyphens) with a mix of upper- and lowercase letters and numerals. iCloud Keychain will also store and sync any passwords you enter in Web forms (with your permission), and other system passwords, including for Wi-Fi networks.
Extensions in iOS 8 made 1Password even more convenient—now you can get to your password vault from other apps, including Safari.
The password generation and storage only works within Safari, although third-party apps can use iCloud Keychain for storage and syncing. Several third-party options provide similar benefits and broader ones. I use 1Password; many of my colleagues turn to LastPass. These combinations of password generator and safe work across multiple platforms and offer multiple methods for sync. In iOS 8, using App Extensions, they can tie directly into Safari. 1Password has an API that many popular apps have tapped into, letting you access your stored passwords outside the 1Password app. Both also allow Touch ID for unlocking. (Transmit for iOS is a favorite, since it’s a file-server connection app that can use 1Password when I’m setting up connections that I also use on the desktop.)
To sync or not to sync
So here’s the thing: if you’re going to all this trouble to create distinct passwords, isn’t it a terrible, terrible idea to have them all in one place protected by a single password that you have to be able to remember? And if you’re syncing your password cache via Dropbox, iCloud, or another cloud-storage system, aren’t you exposing all those passwords to easy, mass theft? Not really, even though it might seem like a huge risk.
First, you have to consider physical access. iCloud Keychain and 1Password require that you gain local access to a device or computer. (Remote screen-sharing to a Mac is also a risk, depending on how or if you’ve set that up, too.)
With two-factor authentication turned on, setting up iCloud Keychain on a new device requires your iCloud password plus approval from another device.
Second, even with physical access (or Web-based access with LastPass, explained next), someone has to have your master password or other factors. Apple and third-party password apps offer all sorts of options for further securing access on mobile devices and computers. Even if someone gets hold of an archive for a third-party app that contains your passwords and can crank away automatically trying different passwords for hours or years, the more clever method by which 1Password, LastPass, and others hash your master password makes it computationally expensive for every single attempt.
Third, there are two different parts to gaining access to cloud-stored data. The first is account access; the second is decoding the data stored there—the same problem as in the second point above. Apple secures iCloud Keychain with additional protection on top of the now beefed-up security for iCloud storage in general. It’s so secure that you can wind up accidentally locking yourself out and being unable to sync! I confess this almost happened to me after an iPhone upgrade in which I failed to record a PIN I used as a backup. (See, it happens to all of us!)
Layers of protection
1Password can sync through a couple methods, including locally via Wi-Fi, but when it stores its data on Dropbox, an attacker would need your Dropbox password (plus a second factor, if you enable that as I recommend), and then even with the 1Password package still needs your master password for that data store to be decrypted.
LastPass uses its own cloud-based storage for sync and browser access, which means someone needs to break through just the account layer, but the company offers a very solid array of methods to limit and validate credentials, including several multifactor options.
What this should make clear is that the weakest point in all of these systems is the one (or more) things that unlock your password store. With Apple, because it requires extra steps to validate devices that sync, you’re relying on all the safeguards they layer into and offer for OS X and iOS as well as for iCloud.
Both 1Password and LastPass let you set up Touch ID instead of using the master password on your iPhone.
With 1Password, LastPass, and others, you need to select a master password that’s strong, that you can remember, and that isn’t a hassle to enter on a mobile device routinely (unless you’re relying mostly on Touch ID). Security guru and cryptographer Bruce Schneier has good advice about picking this sort of password, and what to avoid.
I’m not a password Pollyanna: a website with bad security can leave its users’ passwords vulnerable at several points of entry. But I am a fan of compartmentalization. Rather than give up and use a weak password everywhere, opting into unique passwords that you’ll never memorize and one strong one that you clutch tightly to protect them minimizes the risk you face from other people’s bad decisions.
Glenn Fleishman is the editor and publisher of The Magazine, a regular contributor to Boing Boing and the Economist, and a senior contributor to Macworld.
Author: Glenn Fleishman, Senior Contributor
Glenn Fleishman’s most recent books include Take Control of iOS and iPadOS Privacy and Security, Take Control of Calendar and Reminders, and Take Control of Securing Your Mac. In his spare time, he writes about printing and type history. He’s a senior contributor to Macworld, where he writes Mac 911.