Steve’s parents are VERY security conscious and, like all of us, struggle with multiple passwords. Ken and I have spent a great deal of time discussing what makes a good password, and he trusts my advice on how to strengthen his own. I’ve shown him Steve Gibson’s Password Haystacks where you can learn what adding more characters and more types of characters can do to affect how long it takes to get cracked. I like this tool because it helped me illustrate how a password generated by the first letter of every word of a phrase isn’t all that hard to crack since it was only 8 characters long. Even substituting a number for one of the letters didn’t take more than moments to crack in an offline scenario with a good compute server. With Password Haystacks I was able to show him how padding his password with some meaningless special characters (even repeating characters) took it into the hundreds of centuries to crack if he doubled it in length. He was delighted that there was an easy solution to making it secure.
However, Steve’s parents are so security conscious that they don’t yet trust the idea of a password manager. Having all that information in one place is a concern and so far I’m just barely getting a crack into them that their own ability to create and safely secure a good set of random passwords is much worse than the possibility of something like LastPass or 1Password even being able to be cracked.
I think I’m getting close to talking them into this but then I got to thinking – how well will they adapt to the less than perfect experience you get with these password managers? Today we switched AppleTVs around in our house so when we went to HBO Go to play Game of Thrones it asked for an authorization code. Oh criminy. That meant grabbing a computer, going to hbogo.com/authorize, selecting Verizon FiOS as my ISP and then entering my username and password. It worked flawlessly with LastPass as my browser plugin!
But then I went to my credit union and they expect the user name on one page and after you click go only then do you get to enter your password, so LastPass gets confused (oddly it doesn’t enter the user name but does enter the password). Some sites use a popup that evidently is completely invisible to LastPass and it doesn’t enter anything at all. I know, all I have to do is click on the LastPass icon in the browser toolbar, search for the site and select password, but it’s an extra step beyond the magic it can sometimes do.
Now picture this in Steve’s dad’s hands. Ken is quite clever and is a fabulous resource on investment advice, but he is completely stymied when things don’t act predictably on the computer. For example, last weekend after we left from visiting he sent me a very concerned email that he had a very large popup that was from Apple and was demanding that he upgrade to Mavericks.
It took me a while to figure out what it was – I’d opened the App Store on his Mac right before I left to see if his machine was eligible to upgrade to Mavericks and I forgot to close it. This kind of irregularity throws him for a loop. Things must behave consistently or he gets very upset. Now Steve’s mom is much more adaptable and tolerant of inconsistent behavior, but on the other hand I’m not as close to convincing her that a password manager will be much more secure than what she’s doing now.
I have very little experience with 1Password – I tested it a few years ago and didn’t find a compelling reason to change from LastPass but I know a lot of you really like it. After Dorothy, aka Maclurker, did an exhaustive analysis of the two applications feature by feature and eventually had to toss a coin to decide which to use, I knew they were both awesome options.
I decided to run a poll over on podfeet.com (now that I have all this empty real estate in the sidebars to use for temporary exercises). I asked the question:
If the user is REALLY non-technical but very security conscious, uses a Mac and an iPad, which would be easier for him/her to use – LastPass or 1Password?
The results after about a week came back 68% in favor of 1Password, 16% in favor of LastPass and 16% saying that both are equally easy/hard for this type of user.
I posted about the poll on Twitter, Facebook and our Google Plus Community (podfeet.com/googleplus), and as is usually the case, the most interesting conversation ended up in Google Plus. Jim Sewell suggested that the results will be weighted towards 1Password due to the culture of 1Password users involved in Macs and Podcasts, so a higher percentage will be using 1P. Kim Landwehr finds using 1Password across Mac/iPad/Android problematic because it keeps creating duplicates, like four different Facebook logins. I was bummed to hear from Allister Jenks that 1Password also gets confused by websites that present their login pages in nonstandard ways. I was really hoping it was a LastPass problem but it looks like it’s a standardization problem. Allister did note that it seems to be getting better at recognizing password fields, and I think LastPass is getting better too. John Ormsby noted I might have asked the wrong question. He suggested that I could have started the question with, “for people who’ve tried both…” and maybe that would have given me purer results. I wonder how many people have tried both?
I think 1Password is prettier than LastPass so maybe that would help the barrier to entry by a more novice user? Then again, if he gets stuck, I REALLY need to be the one to get him out of a jam and so I’d better be REALLY versant in the tool. That would mean I’d need to switch to 1Password to get good at it before letting him loose in the tool.
I’d really appreciate any thoughts on this as I get my nerve up to help Steve’s parents get more secure. I might have to make a lot of Clarify tutorials and maybe even some screencasts to help them get started!