Entrust Passwords to 1Password 4!
Save 20% and learn both password theory and practice when you buy with Take Control of 1Password for only $16!
Save 20% and learn both password and privacy essentials when you buy with Take Control of Your Online Privacy for $16!
Save 30% when you build your own bundle of three or more books, including Take Control of...
(30% discount overrides other coupons and is calculated on the first screen of our cart.)
Take Control of Your Passwords
Overcome password frustration with Joe Kissell's expert advice!
Improve your passwords without losing your cool, thanks to Joe Kissell’s expert advice. Start on the path to modern password security by watching Joe’s intro video and by checking out our “Joe of Tech” comic in the Contents & Intro tab below (scroll down!).
Read the book to understand the problems and apply a real-world strategy that includes choosing a password manager, auditing your existing passwords, and dealing with situations where automated tools can’t help.
Teach This Book! Once you're satisfied with your own password strategy, you may want to help friends or colleagues improve theirs. To that end, Take Control of Your Passwords includes links to a downloadable one-page PDF handout and to a PDF-based slide deck that you can show on any computer or mobile device screen.
“Awesome. You did an amazing job breaking it down. This should be mandatory reading.” —Rich Mogull, CEO at Securosis
This ebook helps you overcome frustrations that arise when attempting to design a strategy for dealing with the following password problems:
9-character passwords with upper- and lowercase letters, digits, and punctuation are NOT strong enough.
You CANNOT turn a so-so password into a great one by tacking a punctuation character and number on the end.
It is NOT safe to use the same password everywhere, even if it’s a great password.
A password is NOT immune to automated cracking because there’s a delay between login attempts.
Even if you’re an ordinary person without valuable data, your account may STILL be hacked, causing you problems.
You can NOT manually devise “random” passwords that will defeat potential attackers.
Just because a password doesn’t appear in a dictionary, that does NOT necessarily mean that it’s adequate.
It is NOT a smart idea to change your passwords every month.
Truthfully answering security questions like “What is your mother’s maiden name?” does NOT keep your data more secure.
Adding a character to a 10-character password does NOT make it 10 percent stronger.
Easy-to-remember passwords like “correct horse battery staple” will NOT solve all your password problems.
All password managers are NOT pretty much the same.
Your passwords will NOT be safest if you never write them down and keep them only in your head.
“Joe handles a confusing and scary subject more clearly and calmly than I would have thought possible. I’ll be recommending this book to just about everybody I know.” —William Porter, database developer, author, photographer
If you find this book helpful, we encourage you to write to us about your experiences—for example, how you overcame bad password habits or solved a challenging password problem. (If you want to include a photo of yourself, perhaps with an “uncle” you've helped out with advice from the book, feel free!)
We'll post the most interesting and creative responses on our Web site, and once a month (for the first several months following the book's initial publication) Joe will pick his favorite story and send the lucky reader a batch of his famous homemade chocolate chip cookies. (No kidding!) Photos and testimonials about the cookies are also welcome, of course!
About the Author
Joe Kissell has written numerous books about the Macintosh, including many popular Take Control ebooks. He's also Senior Editor of TidBITS and a Senior Contributor to Macworld, and previously spent ten years in the Mac software industry.
Table of Contents
Read Me First
Passwords are an irritating fact of modern life. It’s tricky to create and remember good ones, but dangerous to use simple ones (or reuse a password in multiple places). This book helps you overcome these problems with a sensible, stress-free strategy for password security. It was written by Joe Kissell, edited by Kelly Turner, and published by TidBITS Publishing Inc.
Before we get started, check out the comic that our friends Nitrozac and Snaggy at the Joy of Tech made for us…it’s the Joe of Tech!
Think of a card, any card. Now, keep that card in mind and think of another. Repeat until you’ve picked 12 cards—but make sure your selection includes all four suits, at least one ace and one face card, and no two instances of the same card. Remember the whole set, because I’m going to ask you again tomorrow…
I’m joking, of course. But have you ever noticed that when magicians pull someone out of an audience to help with a trick, they never make such complicated requests? It’s not reasonable to ask someone to create a meaningless string of numbers and letters, remember it indefinitely, and produce it on demand.
But Web sites, banks, and network administrators make exactly that request of us almost daily. Want to buy something online? Sure, but you need more than a credit card—you need a password too. Sync this data with the cloud, sign up for that free service, manage your utilities or PTA schedule online…no problem, but you must have a password for that. “Make sure it’s between 10 and 14 characters, contains upper- and lowercase letters, at least one digit, at least one punctuation character, and doesn’t have any repeated strings. Oh yeah, and don’t even think about using a word that might be found in a dictionary or reusing a password you used anywhere else.”
Are you kidding me? This is madness. Coming up with unique, random passwords all the time, remembering them, and producing them reliably is not the sort of task the human brain is cut out for.
Faced with this difficult and increasingly absurd task, people naturally tend to look for shortcuts their brains can handle. They pick easy passwords, like their kids’ names or patterns of keys on the keyboard. Even if they go to the effort of creating something more complex, they use the same password everywhere, because then they have only one thing to remember instead of hundreds.
Speaking as a fellow human being, I don’t blame anyone for taking the easy way out. You might try to come up with clever, random-looking passwords the first few times, but once your list of password-protected accounts grows into the dozens, and then the hundreds, it’s not plausible to keep following the rules.
However, speaking as a technologist who has spent lots of time researching and thinking about security, I’m terrified for people who do this. I know how easy it is to guess, crack, or otherwise uncover someone’s passwords, because I’ve done it myself. And people with far greater skills and resources than mine spend all day, every day doing the same thing—not for legitimate security research but to steal money and secrets, to cause mischief, or to show off.
Every couple of months I read about another high-profile case in which millions of passwords are leaked, hacked, or stolen. And then I take a look at that list of now-public passwords and shake my head when I see that thousands of folks thought “password” was a pretty good password! I understand why they did it—they were only trying to manage an unmanageable problem—but I feel sorry for them, as their problems didn’t end with the site that was hacked. Because these people invariably use the same password on lots of sites, many of them had money and identities stolen, private email messages read, or hate mail sent in their name. It’s a big, scary deal.
Back in 2006, I wrote a book for Mac users called Take Control of Passwords in Mac OS X. In that book, I attempted to explain all the ways passwords are used on a Mac and give advice about the best ways to manage them. I offered the best guidance I could at the time, based on the available facts. But when I look back at that book now, I get an uneasy feeling because anyone who took my advice then might now be living with a false sense of security. The technologies and tools for guessing passwords and breaking encryption have taken massive leaps forward in recent years, with no signs of slowing down. What was safe then may be ridiculously insecure today.
On the bright side, the apps and techniques available to us good guys have improved too. While I can’t solve all the world’s password problems, with a combination of technology and common sense, I can probably help you solve about 98 percent of your password problems.
My goal in this book is to lay out a simple strategy that will keep you as secure as possible with a minimum of effort. Sometimes, I admit, there’s a trade-off between security and convenience. You have to choose which is more upsetting: adding another lock to your door or risking a break-in because the neighborhood’s gotten worse. But you might be surprised to discover that in many cases, you can significantly increase your security without extra effort. Remember how I said that generating and remembering random passwords is not something the human brain is good at? That’s true, but I’ll bet nearly every human reading this book has a computer as well as a smartphone or tablet, and those devices are fantastic at generating and remembering passwords—if you use the right apps, in the right ways, at the right times. (And yes, I’ll also talk about the situations in which your gadgets can’t help you. Don’t worry; those problems have solutions too.)
If all this talk of hacking and identity theft sounds scary, I’m sorry. I don’t mean to frighten you. Much. But I do want you to have a clear understanding of the threats out there so you’re motivated to adopt better password practices. It won’t take long, it won’t cost much, and it won’t be difficult. Once you’ve done it, you can go back to not being scared, just like me. In fact, that’s the whole point of my recommendations—I want you to be relaxed and confident, knowing that your passwords are solid and that you have an easy, reliable way to create and enter passwords whenever they’re needed.
This book is no rehash of Take Control of Passwords in Mac OS X, although I’ve borrowed a few sections that are still useful. Instead, I’m looking at the problem of passwords in a broad, platform-agnostic way. Whether you use a Mac or a PC, an iOS or an Android device, something else entirely, or—more likely—a combination, you’ll find guidance to help you take control of your passwords. By the end of this book, I hope you’ll thoroughly understand the vulnerabilities and threats associated with passwords, ways to minimize your risks, and how to use passwords safely without losing your sanity. No one can give you an ironclad promise of perfect, unbreakable security, but with the advice in this book, I can get you pretty darn close.
To get the most out of this book, I strongly suggest reading it in linear order because each chapter builds on the material that comes before it. Whatever else you do, don’t skip the chapter Apply Joe’s Password Strategy, because using just a piece of my strategy (such as a password manager app) may solve only part of the problem while making other parts worse!
Version 1.1 is a fairly minor update intended mainly to address questions prompted by the book’s initial release and to add extra detail in a few key areas. The major changes are these:
iPad & Kindle: there are lots of great ways to read our ebooks on these devices. For more details, please read our latest Device Advice.
Feel free to ask us if you have a question about this title!
How could we not publish such kind words? If you'd like to send us your comments (good or bad, though we hope they're all good), just click the Feedback link on the cover of your copy of the ebook. Be sure to let us know if we can publish your comment. Thanks!
"I've purchased several of [Joe's] books and found them more than helpful... you have kept me from committing technocide and offing my computers and iPhone. I am going to purchase more of your books as soon as I'm finished with this email." —Michael Israel, performance artist
"I've been reading your Take Control books for years, and this book is the best yet. Just the right amount of knowledge to inspire action. The way most people do this stuff is frightening. I, for one, am going to move my personal stuff to your new system." —Matt C.
"The author provides many useful tips to assist developing passwords and password management strategies. Do you know what a VIP list is relative to password security? I didn’t, but I do now, and I’m using it!" —David M. Acklam, MyMac review
August 20, 2013 -- Because Apple plans to add an iCloud Keychain to OS X 10.9 Mavericks and iOS 7, and because a few other password-related changes appear to be rolling down the pipe, we are preparing an update to this ebook. We aren't yet sure of the release date, but we are mindful that it would be nice to release this ebook shortly after Mavericks and/or iOS 7 are available, and it is somewhat high on our priority list. We'll post more details here as our plans firm up. The new version of the ebook will be free to everyone who already has purchased the ebook. The more people who buy the ebook, the more incentive we have to prioritize updates.
September 15, 2013 --
On p. 32, the book mentions an excellent open-source tool called zxcvbn that can tell you a password's entropy. Recently, for unknown reasons, the tool disappeared from the URL given in the book. So, I've made it available on the Take Control Web site here: zxcvbn password checker. Enjoy!
August 18, 2013 --
On page 18, in the discussion of how much faster brute-force cracking has become since 2006 (when I estimated it would take 21 years to crack an eight-character password by brute force, and centuries to crack a nine-character password), I say:
As of late 2012, nine-character passwords containing upper- and lowercase letters, digits, and symbols can be cracked by brute force in—are you ready?—five and a half hours.
Based on the Ars Technica article I reference there, I should have said that eight-character passwords (not nine) can be cracked in five and a half hours. According to my calculations, at the same rate, a nine-character password would take at most 475 hours, or just under 20 days, to crack. That’s much better than five and a half hours, to be sure, but still several orders of magnitude shorter than the “centuries” I thought such a password would be secure just a few years ago. I’ll correct this error in the next update to the book—but for all I know, password cracking may have become so much faster in the last few months that my initial statement was accurate after all!
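The arithmetic behind the erratum above, and behind several items in the "NOT" list near the top of the page (nine-character passwords, login delays, adding a character is not "10 percent stronger", "correct horse battery staple"), is keyspace size divided by guess rate. The following is an added example written for this page, not code from the book or from Joe Kissell. The page does not give the cracker's guess rate, so the offline rate here is an assumption calibrated so that an eight-character password drawn from the 95 printable ASCII symbols takes the 5.5 hours the erratum cites; the online rate (a throttled login form) and the 2048-word dictionary for the passphrase case are likewise assumed figures for illustration.

```python
"""Brute-force keyspace arithmetic for fixed-length random passwords.

Added example for this page; not code from the book. The offline guess rate
is an assumption calibrated to the page's 5.5-hour figure for a 95^8
keyspace; the online rate is an assumed figure for a throttled login form.
"""
import math
import string

# 95 printable ASCII symbols: letters, digits, punctuation and space.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation + " "
ALPHABETS = {
    "digits": len(string.digits),                                # 10
    "lowercase": len(string.ascii_lowercase),                    # 26
    "alphanumeric": len(string.ascii_letters + string.digits),   # 62
    "printable": len(PRINTABLE),                                 # 95
}

SECONDS_PER_HOUR = 3600
# Assumed: offline rate (guesses/s) against a leaked hash, chosen so that
# exhausting 95^8 candidates takes exactly 5.5 hours.
OFFLINE_RATE = 95 ** 8 / (5.5 * SECONDS_PER_HOUR)
# Assumed: an online service that throttles a client to ten guesses per second.
ONLINE_RATE = 10.0


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def hours_to_exhaust(alphabet_size: int, length: int, rate: float) -> float:
    """Worst case: hours to try every candidate at `rate` guesses per second.
    The average successful attack finishes in about half this time."""
    return keyspace(alphabet_size, length) / rate / SECONDS_PER_HOUR


def growth_factor(alphabet_size: int, extra_chars: int = 1) -> int:
    """Factor by which the keyspace grows when `extra_chars` symbols are
    appended. One extra printable character multiplies the work by 95."""
    return alphabet_size ** extra_chars


def passphrase_keyspace(dictionary_size: int, words: int) -> int:
    """Keyspace of a passphrase of `words` words drawn uniformly from a
    dictionary of `dictionary_size` entries. A cracker who knows the
    dictionary searches this space, not 95^(characters in the phrase)."""
    return dictionary_size ** words


def crack_table(lengths=range(8, 13), alphabets=ALPHABETS):
    """Rows of (alphabet, length, bits, offline hours, online hours)."""
    rows = []
    for name, size in alphabets.items():
        for n in lengths:
            rows.append((name, n, round(entropy_bits(size, n), 1),
                         hours_to_exhaust(size, n, OFFLINE_RATE),
                         hours_to_exhaust(size, n, ONLINE_RATE)))
    return rows


if __name__ == "__main__":
    print(f"assumed offline rate: {OFFLINE_RATE:.3g} guesses/s")
    for name, n, bits, off, on in crack_table():
        print(f"{name:>12} len {n:2d}: {bits:5.1f} bits, "
              f"offline {off:14.1f} h, online {on:10.3g} h")
    print("keyspace growth from 10 to 11 printable chars: x",
          growth_factor(ALPHABETS["printable"]))
    # Four words from an assumed 2048-word list ("correct horse battery staple" shape).
    phrase = passphrase_keyspace(2048, 4)
    print(f"2048-word list, 4 words: {phrase} candidates, {math.log2(phrase):.0f} bits")
```

Two things the table makes visible that the prose only asserts: at the calibrated offline rate the nine-character printable case is 95 times the eight-character case, and the same password that falls offline in hours would take the throttled online attacker geological time, which is why a login delay protects the login form but not a leaked password hash.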
March 4, 2013 --
A reader named Michael I. wrote in with this question for Joe: "Enjoyed your book on passwords, but it seems that 1Password on an iPhone has a four-digit password... isn't that easily broken? Or is there something special about it being on an iPhone?"
Here's Joe's reply: "Very old versions of 1Password for iPhone let you choose, for each password, whether to protect them with a four-digit code or a full password. The current version always uses a full password, for everything. However, you can optionally set it so that if you leave the app and come back during a certain period of time, you can do a "quick" unlock with just a four-digit code. You might want to check to see that you have the latest version of 1Password, which requires iOS 6: https://itunes.apple.com/us/app/1password/id568903335?mt=8."
And Michael wrote back, "Interesting... I always update my apps and recently did update the version of 1Password I have from the App Store updates section. Because it does not perform as you wrote, I did a search and see there is a completely new version—I've just upgraded. I'm guessing there are other people who don't realize they are not using the latest version."
February 28, 2013 --
Chuck Joiner and cartoon superhero Joe Kissell discuss Joe's new book and the advice it offers for corralling the wild herds of passwords you've probably acquired over the years. Plus, you get to view Joe's new stateside center of operations and its advanced technology (much of it cleverly disguised as shipping boxes). See the video here or listen to the audio here.
—Michael E. Cohen
February 27, 2013 --
Take Control of Your Passwords covers passwords in a general way, and from the perspective of the digital environment of 2013, in which lots of people use mobile devices or multiple computers, and when iOS 6 and 10.8 Mountain Lion are Apple's current operating systems. But if you are using an older version of Mac OS X, such as Snow Leopard, here is useful and still applicable information about using the Keychain, Mac OS X's system-wide password manager, taken from Joe's earlier Take Control of Passwords in Mac OS X, Second Edition.
—Michael E. Cohen