As a rather “casual” paranoid person, security is always something I obsess about, to the point that I have to take a break from obsessing about it because it just eats me alive. I feel like once you start focusing on security there are so many rabbit holes left open that you never stop closing them.
Whether that’s good or bad, it’s not really a healthy obsession.
I spent two (maybe three) weeks with LastPass and 1Password. Troy Hunt, a security-minded individual I follow and the owner and creator of HaveIBeenPwned, has said it best: a secure password is one you can’t remember. At first I had some real issues with that thinking, since I’m used to memorizing long, unique passwords, but I also realized that there were issues with what I was doing. Password entropy is an important subject in all of this, and sadly still one that is hard to explain to people outside the field. I think xkcd explains it best.
Another issue is password reuse, something I ended up doing because when you have accounts on 40+ sites it’s impossible to remember all the unique passwords. I’m guilty, but at the same time I never reused a password on important sites (banks, PayPal, etc.).
Whether or not the comic comes off as arrogant or presumptuous, it doesn’t change the fact that having a good number of bits of entropy and avoiding password reuse are two of the most important issues. Password managers like 1Password give you the ability to just “set it and forget it”. You’ll have a secret key and a master password; combined, they derive the key that unlocks your vault.
I started my journey with LastPass, and it was an incredibly rough one, to the point that I was blatantly ignored when asking for a refund.
LastPass is great if your only focus is to generate passwords and save them in your vault. Where LastPass falls short, besides being plagued with security issues (make some time to read their Wikipedia entry), is that it immensely sucks in the storage area. I couldn’t for the life of me store a simple 2MB document. It was nigh impossible; you just kept getting “Sorry, request taking longer than normal”, to the point of needing to upload again.
I got fed up. I wanted to store my important documents in case I needed them “on demand”. I contacted support requesting a refund, and they ignored my request and instead tried to troubleshoot the issue. I actually played along because I didn’t have anything to lose but time… turns out uninstalling and reinstalling the client doesn’t fix the issue. So I placed the refund request AGAIN, only to be asked to record a video of how I was doing things. I refused because I’m not comfortable doing that.
In the end, I told them they can keep the money and shared that I had a very bad experience with them.
In a wave of frustration I discovered 1Password. I learned that 1Password had a very strong commitment to security and that they were sponsoring Troy Hunt (which is how I discovered it).
The first things I noticed when using 1Password were the following:
- The user interface is fast, unlike LastPass
- I could upload any big file with no timeouts or problems
- The integration with OSX is lovely
- iPad and Android support is superb
- It has an additional secret key, generated per vault, used together with your master password
Using 1Password has been a delight. I redid all my reused passwords from different sites that weren’t of importance, maintaining a healthy level of entropy in each generation.
1Password also features Watchtower, an additional service that you aren’t forced to use. It checks how many times you have reused a password, matches your passwords against Troy Hunt’s HaveIBeenPwned, and matches your email against the same service. I think my favorite is matching your password against HaveIBeenPwned, because THEN you know whether your password has truly been leaked and brute-forced/cracked.
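As an added illustration of how that password check can work without sending the password itself (example code I’m adding here, not 1Password’s or HaveIBeenPwned’s own): the Pwned Passwords API takes only the first five hex characters of the password’s SHA-1 and returns every breached suffix under that prefix, so the actual comparison happens on your machine. The sample response and its counts below are constructed, and the User-Agent string is an assumption.

```python
import hashlib
import urllib.request

# Constructed sample of a Pwned Passwords "range" response for hash prefix
# 5BAA6 (assumption: the API's SUFFIX:COUNT line format). The counts are made
# up; the second line is the real SHA-1 suffix of the password "password".
SAMPLE_RANGE = """\
0018A45C4D1DEF81644B54AB7F969B88D65:12
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
4E4F3FBB2D0F1B4A5F7C8E9D0A1B2C3D4E5:1
"""

def sha1_hex(password):
    """Uppercase hex SHA-1 of the password, the form Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(digest):
    """Only the first 5 hex chars go to the API; the other 35 stay local."""
    return digest[:5], digest[5:]

def parse_range(body):
    """Turn 'SUFFIX:COUNT' lines into a dict of suffix -> breach count."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def pwned_count(password, range_body):
    """Breach count for the password, matched locally against a range response."""
    _, suffix = split_hash(sha1_hex(password))
    return parse_range(range_body).get(suffix, 0)

def fetch_range(prefix):
    """Online lookup (not exercised by the offline sample below)."""
    url = "https://api.pwnedpasswords.com/range/" + prefix
    req = urllib.request.Request(url, headers={"User-Agent": "hibp-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def check_online(password):
    prefix, _ = split_hash(sha1_hex(password))
    return pwned_count(password, fetch_range(prefix))

if __name__ == "__main__":
    print(pwned_count("password", SAMPLE_RANGE))  # 3861493 (constructed count)
    print(pwned_count("example-unseen-passphrase", SAMPLE_RANGE))  # 0
```

A count of 0 only means the password is not in the breach corpus, not that it is strong; the entropy and reuse points above still apply.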
Between HaveIBeenPwned and 1Password? Honestly, I feel secure and confident that my accounts aren’t going to be compromised. But, the thing with security is that you never have that certainty that you are secure. It’s a process of continuous improvement and continuous monitoring.
Beyond 1Password? I have been using multi-factor authentication as an additional layer, and I’m currently researching YubiKeys to add another security layer on top of the services I use.
If you have any questions let me know, the comment section is below and if you want to contact me directly check my Contact page.