I know you all are looking for an update, but I still haven’t quite convinced my in-laws to use a password manager. I thought I had them close when my father-in-law read a Consumer Reports article about security that talked about how great LastPass is, but he wrote a message this week that they just can’t stand the idea of putting their passwords in the cloud. He also responded to some other information we gave him.
Let me set this up first. I gave a presentation recently on how to prepare your digital life in case something happens to you, a portion of which is about password managers. During my presentation I mentioned that my father-in-law is great about backing up his computer using a USB drive that he keeps in a fire safe. A guy from the user group where I was presenting pointed out that fire safes are meant to protect paper in the event of a fire, and all of us learned from Ray Bradbury that paper doesn’t burn till Fahrenheit 451. He pointed out that fire safes won’t let the interior temperature get to 451…but they will let the interior temperature rise well above the temp at which a USB drive will melt.
I told my father-in-law about this and he suggested instead of a cloud-based password manager, what if he kept his passwords at the bank in a safe deposit box. I pointed out that he would still need to keep a copy at home, again unprotected.
This pushed me to change my tactic and try to convince them to use 1Password. The advantage for him will be that he can store it locally, and back it up to a thumb drive he can keep in his safe deposit box. That way he’s got an encrypted vault for his passwords at home, AND the protection of an offsite backup. With most people I wouldn’t believe them that they would regularly update the thumb drive, but Steve’s dad is the most disciplined person I’ve ever met. If he says he’ll do it monthly, you can bet it will be on the nose monthly.
Now for the next piece of the puzzle, I’m a LastPass user, but if I’m going to guide him, I have to learn 1Password. I think it would really help me overall with the podcast if I know both LastPass and 1Password anyway. Plus I’ve been rather annoyed with LastPass lately – for some reason the browser plugin keeps forgetting to log me out, even though I have it set to log out after 15 minutes of inactivity. This is a very bad thing to have happen on a laptop – if I don’t notice I could end up with all of my passwords unprotected. I did everything they told me to do the first time and after 2 weeks of working with them, we got it working again. But then a month later it has started leaving me logged in again. I’m getting less than enamored with LastPass. So another reason to give 1Password a whirl.
Years ago I bought 1Password in a bundle back on version 3. I installed it again and fired it up. So far so good. If I’m going to use it though, I need to import my LastPass passwords, right? I exported from LastPass to a .csv file (comma separated values) and in 1Password imported the file. It did that annoying thing we used to have to deal with a hundred years ago where you had to match column names in a database to transfer in. I spent probably 20 minutes trying to get them all right – and when it came in, it was a disaster, nothing looked right of my 492 passwords and software licenses.
I started hunting around and discovered that in version 4, AgileBits, makers of 1Password, had written a translator. With Timothy Gregoire’s help from Twitter, he suggested I download the trial version of 1P version 4 to test it out. Great news – the passwords all came in beautifully! Unfortunately the more than 100 software licenses I had so painstakingly entered into LastPass were all messed up. Basically all of the information for each was piled into one field, and none of them were shown as being in the category Software License. I tweeted this out, and the 1P Twitter account suggested I open a ticket with their support team. While I was waiting, I took a look at the LastPass .csv file and noticed that the problem was actually with that file – everything about the license was all glopped into a single cell.
I wrote to 1P and they got back to me pretty quickly, but I wasn’t thrilled with their answer. The woman who wrote back (Laura) pointed to a discussion forum post where a user had put up a link to a script they had written that would convert the LastPass output into something 1Password could read. I had seen that forum post in my own searching, but there was no way I was going to run that. Think about it. You’re taking the database of every password you have to everything that’s important to you that’s tied to your credit cards…and you’re going to run it through a script by “some guy on a discussion forum”???
I asked Laura whether anyone from the dev team had vetted that script to see if it was trustworthy. I asked if they’d confirmed that the script didn’t package up all of the passwords and ftp them up to the guy’s server. She wrote back “Unfortunately we cannot test this script as control of it is not in our hands. I’m so sorry that we don’t yet have a better alternative ourselves.” Can you believe that? She pointed me to the script, and then said they wouldn’t vet it? She wrote back again saying that she hadn’t recommended it…but of course she’d done exactly that. She did point out that the user who posted it is a longtime user and has been made a forum moderator though. Great. A rep from a company dedicated to our security gives an answer like that. I can only hope that she’s new.
I got Bart to get on Skype with me after that and he agreed to read the script to make sure it was safe. In about 10 minutes he was able to tell me that the script was just fine. He also explained that he was relatively certain that I’d need his help to run it – that it was probably calling some libraries that I wouldn’t have loaded. Sure enough, he taught me how to go to something called cpan and it would get the Perl libraries I needed. Yeah, like I could have done that on my own!
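A first-pass triage for the kind of review described above, as an added example that is not part of the original post and is not the forum script: it lists the Perl modules a script loads (what cpan would have to fetch) and flags network-capable modules and shell-outs for a close read. The module prefixes and both sample scripts are constructed for illustration; a clean result narrows where to look and does not replace reading the script.

```python
import re

# Perl module prefixes that can open network connections (constructed, not exhaustive).
NETWORK_PREFIXES = ("Net::", "LWP", "HTTP::", "IO::Socket", "Socket", "WWW::", "Mail::")
USE_LINE = re.compile(r"^\s*(?:use|require)\s+([A-Za-z_][\w:]*)")
# Ways a Perl script can hand data to another program: system/exec, qx//, backticks, piped open.
SHELL_OUT = re.compile(r"""\b(?:system|exec|qx)\b|`[^`]*`|\bopen\b[^;]*(?:["'][-\s]*\||\|[-\s]*["'])""")


def triage_perl(source):
    """Return (modules, findings) for a Perl script's source text.

    modules  -- every module the script loads, i.e. what cpan would have to install
    findings -- (line number, reason, text) for lines that deserve a close read
    """
    modules, findings = [], []
    for lineno, line in enumerate(source.splitlines(), 1):
        text = line.strip()
        if not text or text.startswith("#"):
            continue  # blank line or whole-line comment
        loaded = USE_LINE.match(text)
        if loaded:
            name = loaded.group(1)
            modules.append(name)
            if name.startswith(NETWORK_PREFIXES):
                findings.append((lineno, "network-capable module", text))
        elif SHELL_OUT.search(text):
            findings.append((lineno, "runs an external command", text))
    return modules, findings


# Constructed samples: a plain converter, and one that also loads an FTP client and shells out.
CLEAN = """#!/usr/bin/perl
use strict;
use Text::CSV;
open(my $in, "<", $ARGV[0]) || die "cannot read export";
"""
LEAKY = CLEAN + """use Net::FTP;
system("gzip", $ARGV[0]);
"""

if __name__ == "__main__":
    for label, src in (("clean", CLEAN), ("leaky", LEAKY)):
        mods, hits = triage_perl(src)
        print(label, "loads:", ", ".join(mods))
        for lineno, reason, text in hits:
            print(f"  line {lineno}: {reason}: {text}")
```

Running the converter itself with networking switched off, on a copy of the export, covers what a pattern scan like this can miss.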
The best news is that after we ran the script, I found out I’d been missing a lot more than the 125 software licenses, I’d missed 45 notes, 1 database, 2 wireless items, 2 membership items, 1 server and 2 passports! When I went into 1Password, there they all were in their full glory. I’ll still have a few things to clean up but 1Password has a fighting chance now.
I have to give the best news. Remember I said I bought 1Password 3 via a bundle? I entered my license number into their upgrade pricing tool, and they let me upgrade to version 4 for only $25, or I could get a 5-pack family license for only $35! I figured I might as well go for the family pack just in case for only $10 more.
I hope to do some comparative analysis of the differences in 1Password and LastPass in the coming weeks so I can help other people make their decision with more information. I know they’re both great products but it will be interesting to learn what each does better than the other. Stay tuned!