When I was writing “Take Control of Passwords in Mac OS X,” I thought long and hard about what sorts of strategies I could recommend for creating strong yet memorable passwords. Security experts will tell you that, all things being equal, longer passwords are safer than shorter ones; random passwords are better than those that contain words or follow other patterns; good passwords should include a mix of lowercase and uppercase letters, numbers, and special characters; and you should not reuse a password in more than one context. From a security point of view, that’s all true, but all those practices also make passwords harder to create and harder to remember. So I outlined some ways to lighten one’s password workload without seriously compromising security, but I also recommended that readers save themselves some mental effort and simply let their computers do all that work for them. And, of all the tools available for doing this sort of thing on the Mac, I mentioned that my current favorite is 1Passwd from Agile Web Solutions. For anyone who has struggled with passwords, 1Passwd is the best $30 you can spend. (It’s only $25 if you use the coupon at the back of “Take Control of Passwords in Mac OS X,” which is of course the best $10 you can spend!)
The first time I heard about 1Passwd, though, I was completely mystified as to why anyone would need it. It was described as a password manager that stores items in the Mac OS X Keychain and fills forms (particularly user names and passwords) in Web browsers automatically. And I was thinking: Safari can do that. Almost every browser can do something like that. Why exactly do I need something else to do the same thing? But I decided to try it anyway, and I’m glad I did. It’s become indispensable to me in a subtle but important way, and it performs a whole list of password management tricks that make my day-to-day Web browsing much easier.
Plug It In — 1Passwd consists of an application in which you can browse and edit passwords and adjust settings, and a set of browser-specific plug-ins. For Firefox and Flock, the plug-in is a conventional extension; for other browsers, 1Passwd relies on SIMBL-based Input Manager plug-ins (see “Are Input Managers the Work of the Devil?,” 2006-02-20). If you object to the use of Input Managers on philosophical grounds, turn away now. However, I think the utility, in this case, outweighs the potential risk – and it’s a method that enables 1Passwd to do its magic not only in Safari, Firefox, and Flock but also Camino, OmniWeb, NetNewsWire, and DEVONagent.
The browser plug-ins enable 1Passwd to record user names, passwords, and other form data when you enter them (either automatically or on request); fill in form data when needed (only at your request); and generate strong new passwords. It can even generate, fill in, and store a new password with as few as two clicks. Like Safari, 1Passwd uses the Keychain to store its data, but it uses its own keychain – not your default keychain – giving you an extra layer of security, at least if you choose a different password for your 1Passwd keychain.
Here’s a typical example of how I might use 1Passwd: A site asks me to come up with a user name and password. I type in my standard user name and then choose Generate Strong Password from the 1Passwd pop-up menu. In the dialog that appears, I can select password length and how many numbers and special characters to include. 1Passwd immediately displays the password it has generated; changing any setting produces a new password choice. Usually I leave those sliders set at my default preferences and simply click Fill. 1Passwd then enters the newly generated password in the appropriate field (repeating it in a confirmation field, if necessary) and saves all the data from that form (including my user name) in its keychain. My work is done: I never had to give any thought to creating a password, and I don’t have to remember it, either. The next time I return to that login page, I can choose a menu command or press a keystroke to fill in the form and log me in.
One problem is any domain for which you have multiple sets of user names and passwords. In my case, google.com is such a domain: I have one user name/password combination for Gmail, another for AdSense, and a third for Google Docs & Spreadsheets. If I were to let Safari (or any other browser) remember my passwords, it would be unable to distinguish between different URLs in the google.com domain. So, if I’ve saved three sets of credentials and I go to log in to, say, Gmail, Safari may not fill in my Gmail user name and password – instead, it’ll use whichever set of credentials I saved most recently.
1Passwd solves this problem by enabling you to save, and restore, any number of forms for a given domain – you can choose the one you want to use, when it’s time to fill out a form, using a pop-up menu or keyboard shortcuts. This means that, by default, form fields won’t be pre-filled when the form loads (though you can re-enable this feature in Safari or OmniWeb if you prefer), but in exchange for perhaps one additional click or keystroke, you avoid the hassle of having to enter your credentials manually if your browser chooses the wrong ones. You can also store multiple identities – sets of information about yourself, including address, phone number, and even credit card information – and fill in data from any identity when a site asks you for your information (even when a password is not actually required).
A second problem I’ve frequently encountered is that passwords saved in one browser aren’t available in another. For example, I always have both Firefox and Safari running – I generally prefer Safari, but there are certain sites I can access only using a Mozilla-based browser, and I’m also fond of several useful Firefox extensions. So, if I happen to log in to a certain site in Firefox, and allow it to save my user name and password, they’re stored in Firefox’s internal list. When I later visit the same site in Safari, it knows nothing about my credentials, which I then have to type in manually (or, if I’ve forgotten them, go fishing for them in Firefox’s preferences window).
Because 1Passwd uses a single keychain, accessible via all supported Web browsers, one need store a given set of credentials only once. It can then be accessed as easily in one browser as in another. It can even import your existing passwords from just about any browser, so cross-browser compatibility issues disappear almost instantly.
Further Tricks — Another thing I’ve appreciated about 1Passwd is that it can often fill in passwords even on pages where autofill is otherwise disabled. Bank Web sites, in particular, typically disable the use of autofill as a security measure, the rationale being that if your computer falls into the wrong hands, an unscrupulous person could log into your bank account and do considerable damage without ever knowing your user name or password. Because I can (and do) take other security measures to prevent that problem, I bristle at the inconvenience of having to remember, and manually type, my passwords for such sites. In general, 1Passwd can transparently handle sites where conventional autofill is disabled, though I do have an account at one bank where the password mechanism is so hyper-secure (and so novel) that not even 1Passwd can penetrate it.
1Passwd claims to have an “anti-phishing” feature, which prevents you from entering your credentials on an illegitimate site pretending to be your bank, PayPal, eBay, or some other such institution frequently appearing in spam email. In reality, all this means is that if you click a link in an email message that purports to take you to your bank site, and 1Passwd sees that the domain name in the URL doesn’t match the one in its keychain for your bank, your credentials won’t appear as an autofill option. So 1Passwd doesn’t explicitly alert you in any way that a site may be fraudulent, nor does it prevent you from manually typing in your login information, but it does at least provide a minimal level of protection.
Among the numerous other interesting features in 1Passwd is the capability to lock just your 1Passwd keychain when you quit the 1Passwd application; you can also (as for any keychain) set it to lock automatically after a user-defined period of inactivity or when your computer sleeps, as well as sync it using .Mac. Agile also offers an optional ($13) application you can buy to read (but not edit or add) passwords from your 1Passwd keychain on your Palm or Treo.
What’s Not to Like — As much as I like 1Passwd – and I truly do like it a great deal – it has a few irritating rough edges. One is the way it handles multiple identities: it seems like the wrong way to remember the wrong combination of data. For instance, suppose I want to use a single set of personal data – name, address, phone number, email address – on many different Web sites, but I want to store details about six different credit cards. In 1Passwd, that means creating six different identities, which will all be the same except for the page of credit card information. Not that this is hard – yes, there’s a Duplicate button – but credit card information strikes me as the sort of thing that should be handled separately from other data. For that matter, the same could be true of other items: my name will always be the same, but I might use different email addresses on different forms. I’d like to see some mechanism for storing any given piece of data in just one place, which would entail slicing up the Identity feature in a different way. (Even so, I consider the Identity part of 1Passwd a relatively minor feature; you can ignore it completely and still get tremendous value from letting it handle user names and passwords.)
Speaking of credit cards, 1Passwd often has trouble filling in credit card data in forms it has never seen before. I suspect the reason for this is that it’s looking for form fields with specific names, and Web sites vary too much for 1Passwd to be able to perceive a match in many cases. You can still copy and paste your card number from 1Passwd, but that’s barely easier than entering the data manually.
Although 1Passwd can store multiple sets of credentials per domain, what I’d really like to see is an even finer level of granularity in the use of autofill. For example, even though the URL for Gmail and the URL for AdSense both start with “http://www.google.com/”, what comes after that is sufficiently different in the two cases that 1Passwd should be able to determine which user name and password I want on a given occasion, rather than making me choose one or the other from a menu manually. I’d also like to see customizable keyboard shortcuts for absolutely everything (shortcuts are present, but limited, currently) and a way to access its password generator within the 1Passwd application itself (since sometimes I want to create new passwords for uses other than Web pages). And finally, I’d prefer that the documentation be provided locally; the other day, when I chose Help > 1Passwd Help, Safari attempted to open the help pages on 1Passwd’s Web site, but as the site wasn’t responding at that moment for whatever reason, I was unable to get a quick answer to my question.
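To make the two ideas concrete (offering saved credentials only when the page's domain matches the stored one, as in the "anti-phishing" behavior described earlier, and then using the rest of the URL to choose among several logins for that domain), here is an added example; it is not 1Passwd's code. The function names, the saved entries, and the `examplebank.com` and `.example` hosts are all constructed for illustration.

```javascript
// Added illustration, not 1Passwd's code. Saved entries are constructed samples.
const savedLogins = [
  { label: "Gmail", url: "http://www.google.com/mail/" },
  { label: "AdSense", url: "http://www.google.com/adsense/" },
  { label: "Bank", url: "https://www.examplebank.com/login" },
];

const segments = (pathname) => pathname.split("/").filter(Boolean);

// Number of leading path segments two paths have in common.
function sharedPrefix(a, b) {
  let n = 0;
  while (n < a.length && n < b.length && a[n] === b[n]) n++;
  return n;
}

// Keep only logins saved for exactly this host, ranked by path similarity.
function rank(pageUrl, logins = savedLogins) {
  let page;
  try {
    page = new URL(pageUrl); // parsing lowercases the host name
  } catch {
    return []; // not a parseable URL: offer nothing
  }
  const pageSegs = segments(page.pathname);
  return logins
    .map((login) => ({ login, saved: new URL(login.url) }))
    .filter(({ saved }) => saved.hostname === page.hostname)
    .map(({ login, saved }) => ({
      label: login.label,
      score: sharedPrefix(segments(saved.pathname), pageSegs),
    }))
    .sort((x, y) => y.score - x.score);
}

// Labels to show in the autofill menu; empty when the host does not match.
const candidatesFor = (pageUrl) => rank(pageUrl).map((c) => c.label);

// Choose automatically only when one login is clearly closest; null means "ask".
function bestMatch(pageUrl) {
  const ranked = rank(pageUrl);
  if (ranked.length === 0) return null;
  if (ranked.length === 1 || ranked[0].score > ranked[1].score) return ranked[0].label;
  return null;
}
```

A page at `http://www.google.com/adsense/login` selects the AdSense login on its own, the bare `http://www.google.com/` falls back to the menu, and a lookalike host that merely begins with the bank's name gets no candidates at all.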
Nevertheless, I can’t pretend that these are anything other than quibbles. 1Passwd is a fine example of intelligent and helpful programming at a reasonable price, and I recommend it heartily. The program is a 4.7 MB download; until it’s registered, it functions as a free demonstration version that limits users to a single identity and 12 stored Web forms.