Entrust Passwords to 1Password 4!
Save 20% and learn both password theory and practice when you buy with Take Control of 1Password for only $16!
Save 20% and learn both password and privacy essentials when you buy with Take Control of Your Online Privacy for $20!
- PDF EPUB Mobi
- Apr 29, 2015
Improve your passwords without losing your cool, thanks to Joe Kissell’s expert advice. Start on the path to modern password security by watching Joe’s intro video and by checking out our Joe of Tech comic.
Read the book to understand the problems and apply a real-world strategy that includes choosing a password manager, auditing your existing passwords, and dealing with situations where automated tools can’t help.
Teach This Book! Once you’re satisfied with your own password strategy, you may want to help friends or colleagues improve theirs. To that end, Take Control of Your Passwords includes links to a downloadable one-page PDF handout and to a PDF-based slide deck that you can show on any computer or mobile device screen.
- More Info
“Awesome. You did an amazing job breaking it down. This should be mandatory reading.” —Rich Mogull, CEO at Securosis
This ebook helps you overcome frustrations that arise when attempting to design a strategy for dealing with the following password problems:
- 9-character passwords with upper- and lowercase letters, digits, and punctuation are NOT strong enough.
- You CANNOT turn a so-so password into a great one by tacking a punctuation character and number on the end.
- It is NOT safe to use the same password everywhere, even if it’s a great password.
- A password is NOT immune to automated cracking because there’s a delay between login attempts.
- Even if you’re an ordinary person without valuable data, your account may STILL be hacked, causing you problems.
- You can NOT manually devise “random” passwords that will defeat potential attackers.
- Just because a password doesn’t appear in a dictionary, that does NOT necessarily mean that it’s adequate.
- It is NOT a smart idea to change your passwords every month.
- Truthfully answering security questions like “What is your mother’s maiden name?” does NOT keep your data more secure.
- Adding a character to a 10-character password does NOT make it 10 percent stronger.
- Easy-to-remember passwords like “correct horse battery staple” will NOT solve all your password problems.
- All password managers are NOT pretty much the same.
- Your passwords will NOT be safest if you never write them down and keep them only in your head.
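Several of the claims above are about entropy: why a ninth character matters, why an extra character multiplies strength rather than adding 10 percent, why a word with a digit and punctuation mark tacked on is weak, and why a four-word passphrase is not automatically safe. The following is an added example, not text or code from the book; the character-class sizes, the 100,000-word attacker dictionary, the 2,048-word passphrase list, and the 10^11 guesses-per-second rate are constructed assumptions used only to make the arithmetic concrete.

```python
import math
import string

# Size of the alphabet an attacker must search if all they know is which
# character classes appear in the password (the usual brute-force model).
# Class sizes are assumptions: 26 lower, 26 upper, 10 digits, 32 punctuation.
def charset_size(password: str) -> int:
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII punctuation marks
    return size


def brute_force_bits(password: str) -> float:
    """Entropy in bits under the brute-force model: length * log2(alphabet)."""
    return len(password) * math.log2(charset_size(password))


def extra_char_factor(password: str) -> int:
    """How many times larger the search space becomes when one more character
    from the same classes is appended. This is the alphabet size, not 1.1."""
    return charset_size(password)


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy of a passphrase whose words are drawn uniformly at random from a
    word list of the given size, e.g. four words from 2,048 gives 44 bits."""
    return word_count * math.log2(dictionary_size)


def pattern_bits(dictionary_size: int, trailing_digits: int, trailing_punct: int) -> float:
    """Entropy under the attacker model that actually applies to a
    'dictionary word + digits + punctuation' password: the word is one pick
    from the attacker's list, and each appended character only multiplies
    the search space by its own class size."""
    return (math.log2(dictionary_size)
            + trailing_digits * math.log2(10)
            + trailing_punct * math.log2(len(string.punctuation)))


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Average time to hit the right guess: half the search space at the rate."""
    return 2 ** (bits - 1) / guesses_per_second


def report(password: str, guesses_per_second: float = 1e11) -> dict:
    """Summarise a password under both models. The guess rate is an assumed
    figure for an offline attack against a fast, unsalted hash."""
    bits = brute_force_bits(password)
    return {
        "length": len(password),
        "brute_force_bits": round(bits, 1),
        "extra_char_factor": extra_char_factor(password),
        "expected_seconds": expected_crack_seconds(bits, guesses_per_second),
    }


if __name__ == "__main__":
    # Constructed sample passwords; none of these is from the book.
    for pw in ["Ab1!Ab1!A", "Ab1!Ab1!Ab", "Ab1!Ab1!Ab1"]:
        print(pw, report(pw))
    # "Password1!" looks like 65 bits by brute force but only ~25 bits once the
    # attacker tries dictionary words with one digit and one punctuation mark.
    print("Password1! brute force:", round(brute_force_bits("Password1!"), 1))
    print("Password1! pattern    :", round(pattern_bits(100_000, 1, 1), 1))
    # Four random words from a 2,048-word list: 44 bits, under two minutes of
    # expected search at the assumed offline rate.
    print("4-word passphrase      :", passphrase_bits(4, 2048),
          "bits ->", round(expected_crack_seconds(44, 1e11)), "s")
```

The two models are the point: the brute-force figure is what a length-and-classes policy measures, while the pattern figure is what a cracking tool with a word list actually has to search, and the gap between them is why appending a digit and a punctuation mark adds so little.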
“Joe handles a confusing and scary subject more clearly and calmly than I would have thought possible. I’ll be recommending this book to just about everybody I know.” —William Porter, database developer, author, photographer
- What's New
Version 1.3 of this book makes several clarifications and adds details that bring it up to date as of early 2015. Some of the interesting changes are:
- In the sidebar A Future without Passwords?, I added a topic about proximity-based logins and removed the mention of Passboard.
- In the topic All about Entropy, I added a link to an article about common patterns people use when creating supposedly strong passwords, as well as a sidebar called Assessing Password Strength. I also explained why XKCD-style passwords (like correct horse battery staple) may not be as safe as they appear.
- Added a paragraph in Multi-factor Authentication that mentions Yahoo’s new password-by-SMS feature (which is not, in fact, multi-factor authentication at all).
- Included a new sidebar, A Question of Trust, which discusses whether it’s reasonable to put one’s trust in a password manager. (Spoiler: yes, it’s reasonable.)
- Updated the discussion of 1Password to describe some of its new capabilities in iOS 8.
- Revised the information on LastPass to include the fact that a native Mac app is now available.
- Revised the sidebar IDKEY to clarify that the product has been renamed (from myIDkey) and is still not shipping.
- In Use Apple’s Two-step Verification, revised the description of where and when Apple prompts users for a security code.
- Reader Raves
"I've purchased several of [Joe's] books and found them more than helpful... you have kept me from committing technocide and offing my computers and iPhone. I am going to purchase more of your books as soon as I'm finished with this email." —Michael Israel, performance artist
"I've been reading your Take Control books for years, and this book is the best yet. Just the right amount of knowledge to inspire action. The way most people do this stuff is frightening. I, for one, am going to move my personal stuff to your new system." —Matt C.
"The author provides many useful tips to assist developing passwords and password management strategies. Do you know what a VIP list is relative to password security? I didn’t, but I do now, and I’m using it!" —David M. Acklam, MyMac review
- Update Plans
April 30, 2015 – With this book just updated, we don’t have any particular plan for when we’ll update it next.
Posted by Adam Engst
While you won’t find any doughty Hobbits assailing Mount Doom in this trilogy, Joe Kissell and Chuck Joiner do spend 50 minutes describing what you will find in the latest releases of Joe’s three Take Control books about digital security and why he separated them into three separate titles: Take Control of Your Online Privacy (now in its second edition), Take Control of Your Passwords (now at version 1.3), and his latest addition to the collection, Take Control of Security for Mac Users. Fire up your firewall and give a listen to this MacVoices interview.
Posted by Michael E. Cohen
For anyone who is wondering, neither the Take Control Web site nor the eSellerate ecommerce site that we use for purchases was ever vulnerable to the Heartbleed bug, so you don’t need to worry about the security of your Take Control transactions or account information. There’s no reason to change your Take Control password either, although it’s always a good idea to do that if your current password is weak (under 13 characters, uses dictionary words, relies on any pattern, etc.).
Posted by Adam Engst
The startling and disheartening news about the recently discovered Heartbleed Internet security vulnerability no doubt has you wondering, “What should I do? What can I do to protect myself and my data?” The answer is, “Change your passwords for the affected sites. But not necessarily immediately, and not all at once.” Why not immediately? Because the vulnerability affects a wide range of servers across the entire Internet, and not all of those affected servers have been patched—changing your password on an unpatched server simply means that your new password may be purloined just as easily as your old one. Instead, you should avoid logging in to unpatched sites and servers until they are patched, and change your password at that point. The TidBITS article The Normal Person’s Guide to the Heartbleed Vulnerability provides several links to help you figure out which servers are vulnerable and which have been patched, and provides guidance about what you should do to protect yourself and when you should do it.
Eventually, of course, you will have a bunch of passwords to change.
If you use password-management software, such as LastPass or 1Password, that software can help you with that unwelcome but essential task. (AgileBits, the developer of 1Password, has posted an Updating Your Site’s Password guide to help you with your labors.) Browse safely, my friends.
Posted by Michael E. Cohen
Chuck Joiner and cartoon superhero Joe Kissell discuss Joe’s new book and the advice it offers for corralling the wild herds of passwords you’ve probably acquired over the years. Plus, you get to view Joe’s new stateside center of operations and its advanced technology (much of it cleverly disguised as shipping boxes). See the video here or listen to the audio here.
Posted by Michael E. Cohen
A previous book by Joe, Take Control of Passwords in Mac OS X, Second Edition, published in 2009, looked at passwords on just the Mac and with an emphasis on Apple’s then-current operating system 10.6 Snow Leopard, with coverage of 10.5 Leopard and notes on 10.4 Tiger. That ebook had a chapter about using Apple’s keychain software in those versions of Mac OS X, and several readers have written to us, seeking that older information. We didn’t respond by sending them the older ebook, because too much of the advice and contextual information in that ebook is obsolete or even flat-out wrong, given how surprisingly sophisticated password cracking tools have become—and how much has changed beyond Mac OS X, such as the end of Apple’s MobileMe online service.
Even so, we were able to extract some (but not all) of the information about using the keychain in Snow Leopard and Leopard (and, sort of, Tiger). So, if keychain assistance in those older “Big Cat” versions of Mac OS X is what you seek, help is at hand below.
But, first, a caveat from the newer Take Control of Your Passwords:
Mac users may be familiar with the Keychain, a system-wide password manager built into Mac OS X. The Keychain can store passwords for servers you connect to in the Finder, Web sites you visit in Safari (if you enable that feature), and other devices and services. You can also add secure notes manually. To view or edit the contents of your keychain, open the Keychain Access app, found in
The Keychain works well enough for what it does, and almost every Mac user will want to use it for at least a few basic passwords—such as those for Wi-Fi base stations, encrypted disk images, and local network file servers—that would require manual entry and retrieval with any other password manager. But because you can’t access your keychain on any other devices (not even your iPhone), and because Keychain Access is rather cumbersome to use even on your Mac, I don’t recommend using the Keychain as an all-purpose password manager. Because it serves an important purpose, however, I recommend using a strong password to secure your keychain. By default, your keychain uses the same login password as your Mac OS X user account, which means that as long as you’re logged in, your keychain is unlocked. If you prefer to use a different password for your keychain—so you can keep it locked until you need it—open Keychain Access, select your login keychain, and choose Edit > Change Password for Keychain “login”…. Enter your current password, enter and verify your new password, and click OK.
And now, on to the older text.
Since the days of Mac OS 9, Apple has provided a system-wide repository for each user that stores all of that person’s usernames and the passwords associated with them; this repository is called a keychain. The idea is that instead of having to remember (and manually enter) dozens or hundreds of usernames and passwords individually, you let the keychain remember (and enter) them for you. The keychain itself is encrypted and protected by a password. By entering just that one password, you unlock all the passwords inside the keychain; the system then hands them to applications, network servers, or other resources as necessary. Not all applications that use passwords are designed to support the keychain, but most do.
All chained up: Although I use the word keychain in the singular (as does Mac OS X in most cases), you can have more than one keychain.
Whenever someone creates a user account, Mac OS X creates a keychain named “login” for that account. (In some earlier versions of Mac OS X, this keychain was given a name matching the user’s short name—for example, johnsmith. If you had such a keychain in the past and either updated Mac OS X or copied your user data from one machine to another, your current keychain may still have that name.) Normally, this is your default keychain, and the only one you’ll interact with regularly.
Here’s an example of how a keychain can work: Suppose you have two Macs networked together, and one of them has File Sharing turned on. When you go to the other Mac, the first Mac appears in the Finder’s sidebar under “Shared.” You select its icon and click Connect. An authentication dialog appears.
When you check Remember This Password in My Keychain and click Connect, Mac OS X adds the username and password to your default keychain.
After selecting Registered User and entering a valid username and password for the computer to which you’re connecting, you check Remember This Password in My Keychain and click Connect. Behind the scenes, Mac OS X makes a new keychain entry containing the address of the Mac you’re connecting to and the username and password you need to connect to that Mac. Assuming your keychain is unlocked, the next time the authentication dialog appears for this server, it’s already filled in; you need only click Connect. (Had you not checked Remember This Password in My Keychain earlier, you would have been presented with blank Name and Password fields to fill in manually.)
By default, your keychain password is the same as your login password. Upon login, if your keychain is named “login” (or has the same name as your username) and your login password is the same as your keychain password, your keychain is unlocked automatically. Of course, by default, Mac OS X also logs you in automatically when you turn on your computer. In other words, unless you change those default settings, your keychain is unlocked every time you turn on your computer—not a terribly secure situation! Therefore, unless you use your computer only in a setting where other people can’t physically access it, I recommend changing your keychain password so that it’s different from your login password (described below) and turning off automatic login.
You can turn off automatic login in the Accounts preference pane: click the lock and authenticate with an administrator password; then click Login Options and choose Disabled from the Automatic Login pop-up menu (in Leopard or Snow Leopard) or uncheck Automatically Log In As (in Tiger). Or, open the Security preference pane (and then, in Leopard or Snow Leopard, go to the General view) and check Disable Automatic Login.
View Your Passwords
Over time, as you fill out forms on Web pages, connect to file servers and wireless networks, and use software that requires access to your keychain, you’ll accumulate many passwords. You may occasionally need to know a password (as opposed to having it entered for you), so the Keychain Access utility lets you view your passwords.
The passwords (along with certificates, secure notes, and other keychain items) appear in a list. As with most lists, you can click a column heading to sort by that heading; click a second time to reverse the sort order. If you’re unable to locate a certain password by name, you can use either or both of two shortcuts:
- Click an item in the Category list on the left to show only items in that category. (Note that Passwords has three subcategories.)
- Enter part of a domain name, username, or application name in the Spotlight search field in the upper right of the window to look for matching items. (Spotlight can see the items’ names and account information, but not your passwords themselves.)
Once you’ve located the item that you’re looking for, double-click it to open it in a new window.
To see the password associated with the item, check the Show Password checkbox. In the access confirmation dialog that appears, enter your keychain password and click either Always Allow (to prevent this dialog from appearing again for this particular item) or Allow (to display the password but require entry of your keychain password if this item is opened again in the future).
If you’ve canceled an account or for some other reason no longer want your keychain to remember a password, you can delete the password. Simply select it and either press Delete or choose Edit > Delete. Confirm the deletion by clicking the Delete button.
Another reason for deleting passwords is duplicates. For example, suppose you fill out a Web form with a username and password and ask Safari to remember them in your keychain; then the Web site displays an error message and you realize you entered the wrong username. You try again, and this time you succeed. Now your keychain has two separate entries, one for each username you entered! If, while scanning your keychain, you notice such duplicates, feel free to delete the wrong one (usually the one with the earlier modification date). On the other hand, having extra entries does no harm, because by default Mac OS X uses the most recent entry for any given URL.
Change Your Keychain Password
If you want to use a different password for your keychain than for login (or simply want to change it periodically on principle), you can do so easily. Select the keychain in Keychain Access and choose Edit > Change Password for Keychain “keychain-name”. Enter the current password, enter and verify a new password, and click the OK button.
Make Keychain “keychain-name” Default.
Use the Keychain Menu
Keychain Access contains one last option I want to tell you about: the Keychain menu. With this menu enabled, you see a lock icon in your menu bar. Clicking this icon displays a menu that lets you lock or unlock keychains quickly, among other tasks.
To enable the Keychain menu, choose Keychain Access > Preferences, click General, and check the Show Status in Menu Bar checkbox.
Posted by Michael E. Cohen