4. Easily Manage Your Hundreds of Passwords
I didn’t intend to write this article today… In fact, I’m right in the middle of three others that I want to finish. However, it just leaped at me from the front page of today’s Washington Post Business page, and I couldn’t resist. In an article called Access Denied, the writer bemoans the many passwords and PINs and such that the modern, web-connected human must juggle in daily life. People today have so many passwords to remember, they simply can’t, and this undermines the very security the passwords are set up to ensure, since companies will typically allow a shortcut to someone who claims to have forgotten a password—for a bank account, for example.
The Post article requires a registration, but even if it didn’t, it’s worth quoting a few paragraphs from it before proceeding:
Between work and personal e-mail, multiple banking and retirement accounts, two association memberships, photo sites, Web communities, and retailers like Amazon.com and eBay.com, C. David Gammel maintains 130 online accounts, each requiring a user name and password.
Gammel tracks his sundry log-in information in a file on his computer, but on at least two occasions he’s confused or mistyped his password, and been locked out of his SunTrust bank accounts, forcing him to call the bank or look for an open branch to regain access.
“It’s frustrating — if understandable,” said Gammel, a consultant in Silver Spring. He has also been denied access on a news site when he couldn’t remember his log-in information, he said. “I bail on them if I’m having a difficult time,” he said.
Password peeves come as a cost of doing business online using multiple computer applications. A typical professional relies on a dozen or more programs or Web sites to manage his life at home and work, and many of those require user authentication for access.
But the increased reliance on technology and the commensurate accumulation of passwords has reintroduced human fallibility into the security equation. Consumers’ memories are straining under the pressure of remembering so many passwords. And when they fail to, companies increasingly are having to rely on the judgments of their employees to decide how to field calls from forgetful customers.
The average number of passwords used at work is between six and 12, and is increasing at about 20 percent a year, according to RSA Security Inc., a software and security consulting firm. To make matters more complex, Web sites and workplaces often ask users to change passwords at regular intervals, or require a mix of lower-case and capitalized letters, numbers, and special characters such as “#” or “$” — a practice that makes it harder for a hacker to guess at a person’s password.
But the abundance of frequently changing passwords — and the confusing jumble of permutations and combinations most computer users create — are not only inconvenient, they often undermine the very security goal they were meant to achieve.
At two-thirds of companies, workers kept passwords by writing them on a piece of paper kept in the office, according to a study released last week by RSA. Another 59 percent stowed them in files on their computer, and 40 percent wrote them on sticky notes pasted around their computer monitor, allowing any passerby to see.
My first thought was, “Hmmm… These guys obviously use Windows. Probably never heard that life is not this way on a modern Mac.” Now, before you Windows bigots get your backs up and start thinking to yourself, “Oh, right. This guy is biased, always proselytizing for the cult of Mac, acting smug and superior”, just consider the possibility that Apple has figured this one out better than Microsoft, and that a reasonable solution actually does exist to ease the password burden.
My wife is always amazed when I whip out Keychain Access and look up a password to some long-forgotten website where I’d shopped once upon a time. Or if I forget my login to Wachovia, I just do a quick search in Keychain Access for the password. Again, in the interests of time, I’m going to skip a third-party description of what a Keychain is, and give it to you straight from the horse’s mouth (in this case, from Apple’s “Help” documentation on Keychain Access):
About keychains
You can use keychains to reduce the number of passwords you have to keep track of. A keychain can store all your passwords for applications, servers, and websites; cryptographic keys and X509 certificates; or even sensitive information unrelated to your computer, such as credit card numbers or personal identification numbers (PINs) for bank accounts.
When you connect to a network server, open an email account, or access any password-protected item that is keychain-aware, your keychain can provide the password so you don’t have to type it.
You start with a single keychain, which is created automatically the first time you log in to your Mac OS X user account. Your default keychain has the same password as your login password. This keychain is unlocked automatically when you log in to Mac OS X and is referred to in Keychain Access menus as the “login” keychain.
You can create different keychains to store passwords for different purposes (for example, one for work and one for online shopping) or make a copy of a keychain so you can take it with you to other computers.
Keychains can be accessible to just a single user or shared with the other users of the computer.
Now, I’ve done some research on this topic, folks, and as far as I can determine, Windows has no concept analogous to Apple’s Keychain. If someone knows otherwise, please enlighten me. You can write your own blog about how the Washington Post writer was being ignorant and not using his computer to his best advantage.
As that writer points out, you can buy third-party Windows software and services that attempt to do what Keychains do, but there are several pretty important ways that this solution is inferior to Apple’s:
- They cost money.
- They require learning yet another password.
- If you forget that other password, you’re f**ked.
- If you use one of the web-based services, your passwords are floating out there in someone else’s data server, vulnerable to break-ins. Especially if they’re being stored on a, god-forbid, Windows server.
- They require setup.
- They might break if basic Windows APIs for password or security change in the future.
- They rely on companies that might go out of business, possibly taking all of your passwords with them.
Apple’s Keychain technology has gotten much better as Mac OS X has matured. In the first round or two—up until Jaguar (10.2)—it seemed to me that Keychains were vulnerable to getting mixed up. Not in a security-problem way, but just that you couldn’t always rely on Keychain Access to find a lost password. However, that was years ago now, and Keychain today is a marvel of efficiency and ingenuity. It’s saved me dozens of times from having to get a new password—which usually means having to change the password again—or, worse yet, having to call up a company, sit on hold forever, and convince the bored answering-service attendee to give me a new password.
As the Post article points out, this is a frequent possibility given the number of times we have to log in to websites and applications nowadays. Keychains and Keychain Access are simply wonderful tools that Mac users have at their disposal to ease one of the burdens of modern life.
I’ll leave it to the curious reader to discover an in-depth discussion of how Keychains work in a Mac user’s daily life. Very briefly, most Mac programs that set passwords give the user the option of storing that password in their Keychain. Safari and other WebKit-based web browsers have a preference setting that lets users store their login information to websites in their Keychain. One of the reasons I don’t use Firefox regularly is that it doesn’t have this option. I just really like having all my passwords consolidated in an easy-to-search, secure archive. Not only that, Safari can be configured to automatically fill in usernames and passwords for any items you’ve stored in the Keychain… something Firefox, unfortunately, just can’t do. (Note: Safari won’t do this for passwords stored on secured websites, but you can still look the password up in your Keychain if you don’t remember it.)
When I forget a password, I launch Keychain Access, which is a surprisingly sophisticated application that I use in a very simple way. Namely, I enter a search term in the search field, which invokes a live search on the Keychain database and displays matching results below. Each result shows the username associated with the website or application, so it’s easy to find which Key I’m looking for. Double-clicking on the Key brings up a dialog panel that gives me some management capability on the particular key. I’m sure this is cool and significant, but I go straight for the “Show password” checkbox.
If I’m trying to access a password in a Keychain other than the one I logged into the Mac with, clicking on the “Show password” checkbox will require that I authenticate to see the password. If I don’t have rights on that Keychain, I’m blocked. But normally, the Key I’m looking for is one associated with my own user account, so when I click on the checkbox, my password displays in the little text field there.
That’s all there is to it.
Actually, I hardly ever see the Keychain Access interface in the screenshots I just showed you, lovely though they may be. That’s because I’m a Quicksilver user. Quicksilver can do just about anything, you know… including quickly looking up lost passwords. Just a couple of keystrokes here, a couple of flicks of the arrow key, and voila! Here’s a short movie to show you what I mean:
Miraculous? Hardly. Obvious? Definitely. Convenient? LOL
A reason to switch from Windows? Nah. I wouldn’t call Keychains a Windows killer, unless they happened to be your last straw.
I’m keeping this short because I’ve learned from previous writeups that the old adage, “You can lead a horse to water, but you can’t make him drink”, is definitely true for stubborn Windows devotees. They will always think of some reason why this or that feature of Mac OS X is unimportant to them, and why they should continue acting as if Macs don’t really exist. This article is not intended to benefit those guys (and gals). It’s simply intended to point out that password management doesn’t have to suck.
If you were looking for a last straw to consider ditching Microsoft Windows, Keychains just might be it. In any case, they’re definitely another small thing Macs can do that Windows PCs can’t.