I’ve been thinking a lot about how much using a password manager has made my online life easier and less frustrating, and of course more secure. I have a lot of friends who don’t use password managers and I hear them complaining, watch them pull out ragged paper lists, and I know they’re not using good passwords. I got it in my head that it would be fun to invite a bunch of my girlfriends over to something I would call Password Playdate. I’d name it that to make them think it would be fun. I would also have to supply wine to get them to come. My idea was to try to convince them to use a password manager, and maybe even to teach them how to set it up right then and there.
I’ve been noodling the idea for a couple of months now but haven’t taken action on it. When I was in India, I got an email from a guy representing a local user group asking if I’d come talk to them again. In a weak moment (probably from lack of gin) I said yes. He left the field open to me so I decided it was time to figure out how to actually create Password Playdate.
I gave the presentation just this past week and I bring it up because it was an interesting journey trying to figure out how to do this well. I wanted to tap into their emotions about passwords and how much they hate them. Then I wanted to help them understand how password hacking works, explaining dictionary tables of known words with their equivalent hashes being compared to stolen databases of hashed passwords. I knew that would be a rough patch, but I had some ideas on how to explain it. That whole bit was to help them understand how bad their passwords actually are. To prove to them that they’re bad, I’d tell them about how I got hacked years ago when Gawker Media lost some data. By that point I figured I’d have set the stage.
Let’s assume that I’ve got their attention, and I’ve motivated them. How do I demonstrate setting up and using a password manager without showing them my own data? I also wanted to be fair and explain that there are options, the front runners being LastPass and 1Password, but would I have time to demonstrate both? I happen to run both in parallel because Steve still uses LastPass and we share some passwords, but it seemed that demonstrating both might introduce a whole new level of confusion.
I’m more comfortable in 1Password so I thought I’d start there, plus I knew that 1Password has a demo vault you can set up that’s full of fake data. That’s good because you can show all of the kinds of data that you can keep in your password manager: not only logins but license codes, credit cards, identities, driver’s licenses, etc. I figured that would be a great place to show the “reveal” button since it wouldn’t be my real data.
But I also wanted to show how easy and happy my life is USING 1Password. I didn’t think they’d believe me unless I could demonstrate going to a website and not ever seeing or even knowing what my password was.
I decided to noodle it with a friend of mine that I hadn’t bothered in ages, so I got Jonathan Cost of thinkmac.net on Skype for a screenshare to noodle out the problem with me. Sometimes you just need another (smart) person to listen to you to figure things out. That’s probably one of the biggest things I miss about not working. I was surrounded by brilliant people. I could go bother Nancy or Niraj or Kieran or Ryan or Keith and they’d listen to me and help me think through the hard stuff. I have to be more resourceful now because they’re not right down the hall any more. Now Steve IS down the hall, so after I worked with Jonathan and he helped me get a strategy in place, I ran it by Steve to see if it worked and got great advice from him too.
I decided to break this into four parts. I’d start with Keynote charts to set the stage of anxiety and fear, then do a demo from my normal Mac user account. I realized after noodling with Jonathan that I COULD use my normal user account without danger as long as I used the browser extension and never clicked on reveal. I logged out of Google and Amazon before I got started so I had both of those tabs ready. Then live in front of the audience, I could log into the browser extension because the default for 1Password is to NOT show your password as you type. That was a cool discovery. Then I went to my Google and Amazon tabs and tapped the extension to log in and all of my private information stayed private.
Ok, the next thing to tackle was to convince them to use the cloud to store their data. I explained how, even though the cloud is scary, what we’re looking for is improving your odds. I figured I could get them all to agree that the chances that they had bad passwords today were 100%, the chances that they’d reused a password were ALSO 100%, and the chances of their encrypted password file being hacked were a number way, way, way smaller than 100%.
But to bring that point home, I needed to give them a motivation to put their encrypted password vault into the cloud. So that meant showing them how it worked on iOS. I remembered a trick I heard about from Don McAllister: you can plug in your iOS device, launch QuickTime, choose File, New Movie Recording, and then you’re able to change the camera input to the iOS device itself, and Bob’s your uncle, your iOS device shows up on screen. Using THAT trick I could log into 1Password using Touch ID and then copy a password, say to Facebook.com, and log in without ever showing off my passwords.
Ok, now I’ve got that bit figured out, but it really helps to see how to start with passwords. For this, Jonathan and I figured out it would be better if I could go to a new, clean user account and install 1Password and run it for the first time. But how do I practice if I have to be running it for the first time? After a LOT of trial and error I was able to track down all of the plist files that Agilebits creatively tucks away in the corners of the user-level Library folder, delete each of those, and empty the trash. Then I remembered that the mini-agent was still running, so I had to clear them again and empty the trash, and only then would 1Password act like a new install.
In the new installation I could then show them how to create a new, last password they’d ever have to remember. Yeah, I heard it when I said it too – “This is the last suit you’ll ever wear.” This is where I got tangled again on how to do this linearly: I wanted to demonstrate the tool, but I also wanted to show them how to create a good password. Do I interrupt the flow and go over to Bart’s fabulous xkpasswd.net to demonstrate how easy it is to get a good password, and hammer home how whatever they’re thinking of is a bad idea? Once there, wouldn’t I be tempted to go to Steve Gibson’s Password Haystack tool to do more demonstrations of how to improve your password? But if I don’t go down that rathole, I might still lose them on the motivation. Are you getting why this was so hard?
Setting that question aside, I knew I could show them the demo vault and how the reveal thing works and show off all of the other cool features of 1Password. I noodled this whole thing with Pat Dengler of Dengler Consulting and she suggested I switch to a blank vault and try creating a few logins at some rewards program sites like CVS and Sports Chalet. If I did that, I didn’t want to start getting spammed on my real email account so I created a demo email address at podfeet.com. Brilliant, now we’re getting somewhere.
Now let’s just pretend I haven’t lost them yet. My next phase was to suggest to them that they’re all feeling this would be WAY too hard. I created some charts suggesting that they start slow. I suggested they just GET a password manager, and get one last good gnarly password (I told them it should be upper and lower case letters, numbers, symbols, special characters, and maybe a goat if they could fit it in there). Then I would suggest they simply log into the tool and as they went about their normal day to allow the tool to collect their passwords. After a few weeks, then I would suggest they run the security check in their tool of choice to see how awful their passwords really are. I could even tell them how bad mine actually were!
Then I thought I could steal again from Bart and tell them to protect crown jewels first – fix the passwords on their bank accounts, credit cards and health insurance. Then they could just fix a few a week. I stole from Katie Floyd of Mac Power Users when she talks about going paperless – she says, “stop digging the hole”. By that she means at least from today forward, do things the way you WANT to do them. Maybe you go back and fix the past but at least make good passwords going forward. I figured this would be a good point to tell them how to use 1Password’s built-in password creation tool. To be honest I hadn’t used it before working on this because I always use the Service Bart taught us to build a while back that taps into the math behind his xkpasswd tool.
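Since the post talks about Bart’s xkpasswd approach and 1Password’s built-in generator without showing what either does under the hood, here is an added Python sketch of the recipe behind that style of password. It is example code written for this page, not code from xkpasswd, the Service Bart built, or 1Password. The tiny word list, the separator set, and the function names are my own constructions; a real generator draws from a dictionary of thousands of words, which is where most of the strength comes from, and the entropy function lets you see how the numbers change as the dictionary grows.

```python
import math
import secrets
import string

# Constructed mini word list for the demo. A real xkpasswd-style generator draws from
# a dictionary of thousands of words; entropy_bits() below shows how that scales.
WORDS = [
    "apple", "river", "goat", "cloud", "piano", "silver", "turtle", "lamp",
    "orbit", "cactus", "maple", "velvet", "ember", "quartz", "fjord", "nimbus",
]
SEPARATORS = "-_.:+*"


def xk_style_passphrase(word_count=4, digit_count=2, words=WORDS, rng=secrets):
    """Several random dictionary words, each randomly upper- or lower-cased,
    joined by one random separator and finished with a run of random digits.

    `rng` only needs a `.choice()` method: the `secrets` module (the right choice
    for real passwords) and any deterministic stand-in for tests both work.
    """
    chosen = [rng.choice(words) for _ in range(word_count)]
    cased = [w.upper() if rng.choice((True, False)) else w.lower() for w in chosen]
    sep = rng.choice(SEPARATORS)
    digits = "".join(rng.choice(string.digits) for _ in range(digit_count))
    return sep.join(cased) + sep + digits


def entropy_bits(word_count=4, digit_count=2, dictionary_size=len(WORDS)):
    """Strength in bits assuming the attacker knows the exact recipe (word list,
    separator set, layout) and only has to guess the random choices."""
    return (
        word_count * math.log2(dictionary_size)   # which words
        + word_count                              # upper/lower per word: 1 bit each
        + math.log2(len(SEPARATORS))              # which separator
        + digit_count * math.log2(10)             # which digits
    )


def parse_passphrase(passphrase, words=WORDS, digit_count=2):
    """Return (words, separator, digits) if the string has the generator's shape,
    else None. Shows that the structure stays simple for a human even though
    every choice inside it is random."""
    if len(passphrase) < digit_count + 2:
        return None
    sep = passphrase[-(digit_count + 1)]
    body, digits = passphrase[:-(digit_count + 1)], passphrase[-digit_count:]
    if sep not in SEPARATORS or not digits.isdigit():
        return None
    parts = body.split(sep)
    if any(p.lower() not in words for p in parts):
        return None
    return parts, sep, digits


if __name__ == "__main__":
    pw = xk_style_passphrase()
    print(pw)
    print(f"{entropy_bits():.1f} bits with a {len(WORDS)}-word list")
    print(f"{entropy_bits(dictionary_size=8000):.1f} bits with an 8000-word list")
```

Run it a few times and you get passphrases like `orbit-CACTUS-ember-QUARTZ-73`: easy to type and to read back, but with a large dictionary the guessing space is far beyond anything a person would invent from their cat’s name and a birthday, which is the point the Password Haystack demo makes in a different way.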
If I hadn’t lost them by then, I knew there were a couple more critical things to tell them. Number one was to give their one password to someone else for safe keeping in case they forgot it. I could tell them how Steve and I do it – we have each other’s password in each other’s vault. The chances that we both lose our minds on the same day are pretty slim, right? I could also suggest a safe deposit box as a great place to store that one last password they’d ever need.
Well guess what? It worked. I did the presentation pretty much exactly as I’ve described here, including going down the rathole of explaining Steve Gibson’s password haystack and Bart’s xkpasswd tool. The only place I truly lost most of them was in trying to explain how passwords are hacked. I used an analogy of a potato being mashed and how you can’t unmash the potato, but if you could mash enough potatoes till you found the identical mash you’d know you had the right potato. I know, as I’m saying it now I realize what a bad analogy that is!
Steve jumped in and tried to help me clarify things but I think I’d already lost them by that time. I’ll probably do a question in Google Plus on this asking if anyone has come up with an easy way to explain how a hashed dictionary file is compared to a hashed username and password database to find matches and ultimately the person’s username/password combo.
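For anyone who, like me, wants a cleaner way to explain the hash comparison than mashed potatoes, here is an added Python example written for this page (not code from the post or from any real cracking tool). It spells out the three steps the talk tried to describe: hash a list of common guesses ahead of time, take a stolen database of hashed passwords, and look each stolen hash up in the precomputed table. Every username, password and hash in it is constructed for the demo. It also shows the two things that make the technique fail from the defender’s side: a long random passphrase is simply not in the guess list, and a per-user salt (which the post doesn’t cover) means one precomputed table can’t match anyone.

```python
import hashlib
import secrets

# Constructed stand-in for the "dictionary": the guesses an attacker hashes ahead
# of time. Real lists run to hundreds of millions of entries.
COMMON_PASSWORDS = ["password", "123456", "letmein", "sunshine", "qwerty", "monkey", "goat"]


def sha256_hex(text):
    """The 'mashing': a one-way hash. The same input always gives the same output,
    and nothing in the output lets you work backwards to the input."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_lookup_table(guesses):
    """Hash every guess once and key the table by hash, so a stolen hash is
    matched with a single dictionary lookup rather than a search."""
    return {sha256_hex(g): g for g in guesses}


def make_leaked_database():
    """Constructed 'stolen database' of unsalted SHA-256 hashes, which is what a
    site that hashed but did not salt would be storing. The plaintexts appear
    here only so the demo can build the hashes; an attacker sees only the hashes."""
    accounts = {
        "alice": "sunshine",
        "bob": "letmein",
        "carol": "sunshine",                      # same password as alice: reuse
        "dave": "orbit-CACTUS-ember-QUARTZ-73",   # long random passphrase
    }
    return {user: sha256_hex(pw) for user, pw in accounts.items()}


def match_hashes(leaked_db, table):
    """The comparison itself: walk the stolen hashes and look each one up in the
    precomputed table. A hit hands back the original password; a miss tells the
    attacker nothing."""
    return {user: table[h] for user, h in leaked_db.items() if h in table}


def find_reuse(leaked_db):
    """Identical hashes mean identical passwords, so reuse across accounts is
    visible even before anything is cracked."""
    by_hash = {}
    for user, h in leaked_db.items():
        by_hash.setdefault(h, []).append(user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}


def salted_hash(password, salt=None):
    """Defender's side: a random per-user salt makes the same password hash
    differently for every user, so no single precomputed table covers them.
    Real systems also use a deliberately slow hash such as bcrypt or Argon2."""
    salt = salt if salt is not None else secrets.token_hex(16)
    return salt, sha256_hex(salt + password)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    leaked = make_leaked_database()
    print("cracked:", match_hashes(leaked, table))
    print("reused: ", find_reuse(leaked))
    salt, h = salted_hash("sunshine")
    print("salted 'sunshine' found in table?", h in table)
```

Running it, alice, bob and carol fall out of the table immediately, alice and carol are flagged as sharing a password without anyone needing to know what it is, and dave’s passphrase never matches because nobody bothered to precompute it. That is the whole argument for long random passwords and against reuse, in a dozen lines.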
The good news is that at the end I think I had them back on track, and when I asked how many of them truly thought they would go forward with this, about half of them said they would! My favorite person in the audience though was a woman who sat right in front, asked gobs of very intelligent and insightful questions, and at the end shook her head and said, “Nope. Can’t get over the idea of securing everything with one password.” I liked her because she was honest about it and was examining carefully what the pros and cons were. I’m pretty sure she’ll eventually come over because she clearly understood the problem.
My Keynote charts are mostly pictures that I talked to but I put a link to download a zip file of them in the shownotes if you’d like to take a look. It might be helpful to look at the speaker notes too.