To celebrate the upcoming nerdery scheduled for June 10-14th somewhere near the House of Shields, the folks over at AgileBits are putting their products, which we recently recommended, on sale for a whopping 50% off.
Seriously, if you didn’t purchase 1Password due to it’s price tag before, you have half the reason to object to it that you did last week.
1Password for Mac ($24.99)
1Password for iOS ($8.99)
I recently had the opportunity to guest on another podcast — iPhreaks with Charles, Pete, Rod, Ben & Co. (actually there’s no company, I think that’s all of them). In the show, we talk about prototyping iOS apps and some of the tools available for designers and developers to use in the early stages of defining and building apps. I’ve spoken on this topic a couple times at CocoaConf but this was a nice opportunity to talk about it in a laid back conversational way. In the second half of the show we also get into some of the thought processes and methodology that can make prototyping cleaner and more effective.
Lastly, I somewhat repeatedly recommend Briefs 2 throughout the course of the conversation. Rob and the team over at MartianCraft did a bang up job on it and I can not recommend it enough.
One of Ben’s many faults is that he keeps his passwords in his system keychain, like an animal, a small creature of the forest, hiding nuts for winter. Today I’ll try to get him to start using 1Password or some other password-management app. This will make his life better by giving him secure passwords he can access from anywhere, easily transfer between Macs, and by giving him an easy place to safely and securely store other sensitive information — server info, financial data, etc. Ben, are you ready to switch?
I think I am. But I’m unsure of the day to day consequences of doing so. It seems scary to give my passwords to a service, no matter how into security they are, and the idea of not knowing my own passwords is unsettling. On the flip side, I don’t actually know all my passwords, leading to resetting passwords more often than I like.
Password security is a rather difficult thing. Eight characters was once the golden standard for strong passwords, then eight or more characters inclusive of a numeral, and more recently eight or more characters including a numeral, an uppercase character, two punctuation marks and your best friend’s three favorite emoji. This makes it really hard for users to memorize compliant passwords due to the limitations of human short-term memory to around four ‘chunks’ of information1.
Right. Maybe we should back up a bit and think about password security in general. In the past, I’ve had some good passwords that I remember, but it’s hard to have great passwords for every different service, so I end up either a) using passwords that aren’t secure or b) using the same password on multiple sites. Even after switching to 1Password, I have three or four secure passwords that I remember and know by heart, and use for my go-to services: Dropbox, iTunes, and 1Password. That’s a comprehensive list.
I have to say, the services I use on a weekly basis stretch beyond those mentioned. Passwords I use every single day are really only my computer’s password, Apple and Google. But there are probably 5-10 other services that I use several times per week.
I don’t mind remembering passwords for a few things, but I have trouble remembering 10 different secure passwords for 10 services I really want to use and really want to stay secure. For example…
Good point. Uh, I use Shmemail, Gwitter, and Blamazon.
That’s one problem 1Password and like services fix: they make it easier to use better passwords for those 10 important sites. The other problem that 1Password solves: there are 100 other sites that I have a login to that might not need to be incredibly secure, but I’d still rather not use a single password that I share with all of them — I want those sites to have their own passwords, and have those passwords be pretty good, but I have no intention of memorizing them. Keychain would work for this, but Keychain doesn’t sync to my iPhone or iPad.
But I’m still unsettled by the notion that I might not be able to access my password for a given service at some future moment in time when I’m on a device that isn’t my own. How does that pan out?
If I don’t have my iPhone, iPad, or Mac, I can’t log in to services that I don’t remember the password for unless I want to do a password reset. That’s still a problem, but it’s one I’m OK having. Do you have any potential qualms about using 1Password?
Sure. My biggest one is simply that I don’t like installing software on my computers. I’m a bit of a grumpy person about it. I’d rather use built in solutions when at all possible–it makes my life more simple and I have less “operator knowledge” to manage and keep up to date on, not to mention making it easier to set up a new Mac when I upgrade.
You can use OS X’s built in password creator to make secure passwords and store them in your system keychain pretty easily. But there are two problems that I can’t figure out how to solve using the built-in keychain: I don’t have access to my passwords when I’m on iOS, and I don’t get the advantages of auto-fill for services where I have multiple logins. Are those problems for you, and how do you manage them without a password manager?
They are. On iOS I find myself using a somewhat smaller subset of my service passwords. Generally the ones I access most often and am most likely to have memorized. I don’t use the same password for all of these or anything close to that. This is because passwords can be quite memorable while still being strong. It’s obvious that a password having the largest amount of entropy per character will be strongest, and that means a password utilizing a selection of all available characters in a random pattern will be most secure. However, all we really need to do is create a password good enough that it can’t be broken quickly — say in the next 10 years. There has been good research on this topic as far back as the dawn of consumer internet security awareness (we’ll call that circa 2000) and it has continued over the past decade. Thomas Baekdal wrote a phenomenal analysis of phrase based password security in 2007 which outlines the benefits, and strength, of using multi-word, dictionary-based phrases for passwords. If you only read one link from this article, make it that one. Unfortunately there are still many services that limit passwords’ character count2 making this type of password only useful in certain circumstances.
So, it seems like this is the right way to do things:
You’ve thrown the 1Password name around a lot, are there alternatives, or are they the only game in town?
1Password does have competitors, like LastPass or DataVault, but I wouldn’t recommend them. The LastPass Safari extension, for example, doesn’t have a “binary component”, so it won’t do nice things like log you out of LastPass automatically after you’ve been idle. That’s fine, but it suggests that they’re not a Mac-first company. And I’ve run into the 1Password guys a few times at conferences; they’re incredibly bright and admirably paranoid about password security.
If you’re counting, that’s one more smiley face in the 1Password column. Ok, so 1Password it is. I know I can handle this and probably should have done it long ago. Just let me cough of up the dosh for it…
… $68 for both Mac and iOS!? Too expensive. Should be 99¢. One ★.
In all seriousness though, not everyone ‘knows about computers’ like we do, and can see the value in a $70 solution. Is there a lower cost solution that is workable for the masses?
I’m not sure whether there’s any solution that’s perfect for everyone. I haven’t recommended 1Password to my Mom. I’m not sure she needs its features, and I don’t want to add complexity to her life. But it’s not too difficult a program to use.
But what do we suggest to our friends and family? Password issues are prolific across the internet and as both you and I know, most people use a single, very low strength password. Using a fairly expensive password management service isn’t going to fly for most regular consumers. So what will?
Using one good password would be a good step up. People might also consider having one password for random services, one (better) password for more important services, and one really good password that’s only for financial stuff. But that’s still not a better solution than using 1Password.
Agreed. My go to recommendation for the past few years has been this three password approach. But in a world where services are hacked more and more regularly, unless the user is very self disciplined about which password is used for which type of service, service to service escalation is very possible. With high security services often having more rigorous password requirements which, as we’ve discussed, make for poor password memorability, we go down the road of many password resets and simple to remember/simple to crack security questions. Thus, I am more and more convinced that this advice isn’t particularly sound. That’s assuming people actually adhere to it, and they don’t.
So it’s a password manager or bust. Get out your wallets, folks.
The magical number 4 in short-term memory: A reconsideration of mental storage capacity — Cowen 2000 ↩
Not to mention the fact that most sites which enforce a character limit on passwords have a strong likelihood of storing your passwords in clear text. ↩
We here at Nice Mohawk received a nice invitation to be on a podcast—Debug, hosted by the insouciant and thoughtful Guy English and the prolific yet friendly Rene Ritchie of iMore.com. We talk about mohawks, robots, the forthcoming Mac version of Ita, and indie developer life in Ohio.
Gus and Kirstin, over at Flying Meat, just released Acorn 4, which I used to refer to as a “lightweight image editor.” Had it been released a few days earlier, it would have definitely made our recent Things We Like post. That said, you can’t really call Acorn a lightweight editor any more. Straightforward and powerful is more like it.
We use Acorn a lot when developing apps. It’s a really great tool for post-processing an asset once we pull it out of a gargantuan mock-up PSD and want to down-sample it, prepare it to be stretchable or create variations on it. It’s also really nice for quick repetitive tasks. For instance, we used it a ton for compositing App Store screenshots (Ita has 25 separate screenshot assets1 for each supported language2) until we found an app that automatically adds perfect status bars to our screenshots (Status Magic, which we’ll talk about at excruciating length some other time).
Gus has a nice intro video for one of the headlining features, Layer Styles and Filters, which are now completely non-destructive, directly editable on the canvas and super great.
Go get it now — on sale for $29.99 for the month of May. Sweet!
Brooks B17 Standard Bicycle Saddle and incidental Brooks Proofide Leather Dressing — I recently replaced my old Bontrager saddle and am loving the difference. Just do make sure your saddle is adjusted and angled correctly. The late and irreplaceable Sheldon Brown has a ridiculously detailed writeup on comfortable saddles which is worth a read and talks about proper adjustment for both male and female anatomy (There’s a women’s variant of the B17 as well).
Briefs 2 — I’ve been using it in relation to a CocoaConf talk on prototyping I’ve given recently and I’m continually surprised by how much you can do with it. Stay tuned for its upcoming release!
Ben’s more-or-less $10 Amazon Grab Bag:
Story time: Because “You know about computers,” I’ve been fixing some weirdness on my friend’s Mac. (Pro tip: If you replace your hard drive and for some unknown reason have two different Time Machine backups, don’t restore from the two-year-old backup instead of your current backup.) When my friend dropped off the computer, he didn’t bring the keyboard, and the bluetooth pairing dialog in 10.8 is obscured by the Wi-Fi connection dialog, so my fancy bluetooth keyboard was useless. Which brings me to my like: the Griffin iMate ADB-to-USB Adaptor — available on Amazon and a bit cheaper on eBay. I connected my Apple Extended Keyboard II and it just worked.
Etymotic Research ETY-Plugs earplugs — These earplugs let you listen to loud music without making it sound muffled. Insanely great.
Day One — I’ve been using Day One for Mac and iOS off and on for a couple of years, and I’ve finally gotten the hang of it. I don’t use it for journaling so much as for taking notes of anything I want to remember. It’s as good as Drafts for making it really easy to make a new note, but unlike Drafts, I don’t have to send that note anywhere. It’s just all there. Sort of like an infinitely big, chronologically arranged Field Notes that syncs to my Mac. Over iCloud, no less! And the app’s sound effects are so good I’ve pulled them out and use them as text and voicemail tones.
Facebook Chat Heads — A great addition to Facebook on iOS. Drag your friends heads around like you’ve always wanted to!
BEN: I happen to strongly dislike these things. I don’t even really know what I want to call them. Facebook calls them ‘Chat Heads’ which seems to read poorly and Wired argues that they will be called ‘chatheads’ by the internet regardless of what Facebook wants.
BOB: That’s a dumb article, first because quoting your own copy editor is lazy, and second because grammar scolding is generally obnoxious and in this case absolutely wrong. Chat heads are great. I like to move them around.
BEN: How is it wrong? Enlighten me. I’m not a level 45 grammar wizard like you. Also, it wouldn’t be the first dumb article out of Wired.
BOB: Here’s an article by Grammar Girl about using nouns as adjectives. We do it all the time. Generally, correcting other people’s grammar is almost always pedantic, but in this case, when a company is actively coining a new term, it seems polite to let them coin it as they wish. “Think Different” is probably a more egregious example of bad grammar (in that it’s an example at all), but I’m happy with that slogan.
BEN: Right. Does the press let Apple get away with grammatical foibles? No way. Do they let Microsoft? Nope. Also, Facebook does have a bit of a double standard since their own name is the counterexample.
BOB: Let’s not let our standards be defined by the most ill-mannered among us. I guess you’re right, though — I’m happy to let the i in iPhone remain uncapitalized, but Yahoo’s execrable exclamation point seems ridiculous. I’d generally like to call things what their creators name them, except where good taste and common sense dictate otherwise; if Wired doesn’t like “chat heads,” sure, they can go ahead and call them what they want — but there’s no grammatical issue at stake. That’s a specious argument.
BEN: I think that’s a fair assessment. I still don’t like how they’re always occluding some piece of the interface. It’s also an element of the app I incessantly feel like I have to manage (which, if you convert “manage” to “play with”, was probably a design feature).
BOB: I’d probably hate chat heads if Facebook had a more austere interface, but it’s already so busy that I don’t mind a bit more busy-ness — particularly since this is the one place in Facebook where I really want a notification, where people are actually talking to me. I’d be more worried about confusion and clutter if Facebook weren’t just for dicking around.
