On Ars Technica’s most excellent comprehensive review of password security

Dan Goodin at Ars Technica published an excellent article reviewing password security and explaining why people need randomly generated and unique passwords for every site and service. That is a message you hear from us frequently.

One thing that is clear from Goodin’s review is that many of the underlying issues are more complicated than most people might think. There is a lot of stuff to learn and study to really get a handle on things. Some are technical (salts, hashing, rainbow tables) and others are human (people are actually terrible at constructing “random” passwords no matter how clever they think their scheme is).

I love studying this stuff, and I also love explaining these things to people. Indeed, I suffer from a pathological compulsion to explain things (though my family says that it is they who suffer from my compulsion). But we here at AgileBits also know that most sane people don’t want to have to learn all of the behind-the-scenes details just to be able to log on to websites securely, so we take a mixed approach. We design 1Password so that doing the easy thing is also doing the secure thing.

We also work to provide the behind-the-scenes details here on the blog for those who are interested. We love this stuff. It’s cool, and we like to share it. So the remainder of this post is an annotated list of some of our articles that cover the various topics that Dan wrote about. Often we go into more detail, or talk about things from a 1Password perspective.

Friends don’t let friends reuse passwords
Reusing the same password on multiple sites is probably more of a danger than actually having a less than perfectly strong password for the site. Indeed, I don’t think a week goes by when we don’t talk about password reuse. The particular article I single out here illustrates that real harm to real people can happen with password reuse. And of course it links to tips about how you can best use 1Password to have unique passwords for each site.
Toward better master passwords
Sure you are now using 1Password’s Strong Password Generator when you sign up for a new service or change a password on your site. After all, the only strong password is one that is randomly generated. But what do you do about setting your 1Password Master Password? You need to remember it, but it also should be strong (and thus randomly generated). This article helps you create a strong random password that will withstand the most sophisticated attacks even if your 1Password data falls into the wrong hands.
1Password is ready for John the Ripper
Dan Goodin’s article talked about password cracking tools, computer programs that guess enormous numbers of passwords. We look at how your 1Password Master Password would hold up against John the Ripper (it holds up very well, but you do need a good Master Password).
Tips, tips, and more tips
Once you get the hang of 1Password, there are a number of neat tricks and shortcuts that you can use to make life even more convenient. There are 1Click Bookmarks that can be used in almost any Mac app, some tips just for 1Password for Windows, some shortcuts for getting the most out of 1Password on iOS, quick ways to add software licenses on the Mac, and more. There are a lot of time saving tips in there, but learning multiple shortcuts at one time can be overwhelming. So come back to these, one by one, when you are ready.
Peanut Butter Keeps Dogs Friendly, too and A salt-free diet is bad for your security
Passwords, whether we are talking about your 1Password Master Password or a password on a website, need to be handled very carefully by systems. What the system stores should work to make it very very hard for someone who gets a hold of the data to be able to make use it. The first article describes PBKDF2, the password based key derivation function used by 1Password and other high security tools. The second article discusses how websites may or may not be doing a good job with when they manage your passwords.
Convenience is Security
When security tools go against the grain of how people work, the result is often poor security and unpleasantness. We bring top-notch security to people by paying attention to how people work. Our design goal has always been to make it easier for people to behave securely than to behave insecurely.