Once you commit to it, using a password manager is liberating. Having unique and strong passwords for all your logins creates a warm fuzzy feeling inside. You feel like you are in control of your digital life.
This is only possible because there’s a trust relationship between you and your password manager. And your passphrase is the link in between.
Any serious password manager will derive encryption keys from your master passphrase. This means that your passphrase is the only way to access your data. If your password manager can recover your data without your passphrase or some secret only you know, then they can access your data without your consent.
But this presents a challenge to that warm fuzzy feeling. Forgetting your passphrase means losing access to your data. The passphrase is both the basis for trusting the security of your data and also something you must remember… and remembering a long passphrase can be hard. So hard that most of us avoid changing it.
That’s why with Secrets 2.4 for Mac you can create a Recovery Key. A Recovery Key is a 128-bit random value that can also be used to unlock your secrets. You can use this key if you ever forget your master passphrase. And because it’s not tied to your passphrase, you can change your passphrase, reassured by the fact that you can still recover your data in case you forget the new one.
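One way a passphrase and an independent recovery key can both unlock the same data is to wrap a single random vault key twice. The sketch below is an added example, not Secrets’ own code or its actual design: the two-slot layout, all function names and the HMAC-based wrap (a stand-in for an authenticated cipher such as AES-GCM) are assumptions.

```python
import hashlib
import hmac
import secrets

def passphrase_kek(passphrase: str, salt: bytes) -> bytes:
    # Slow, salted derivation: a human passphrase is low-entropy and needs stretching.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 600_000)

def recovery_kek(recovery_key: bytes) -> bytes:
    # The recovery key is already 128 random bits, so a single keyed hash is enough.
    return hmac.new(recovery_key, b"recovery-kek", hashlib.sha256).digest()

def wrap(kek: bytes, vault_key: bytes) -> bytes:
    # Stand-in for an authenticated key wrap such as AES-GCM (stdlib has no AES):
    # XOR the 32-byte vault key with an HMAC-derived pad, then authenticate it.
    nonce = secrets.token_bytes(16)
    pad = hmac.new(kek, b"pad" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(vault_key, pad))
    tag = hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or corrupted blob")
    pad = hmac.new(kek, b"pad" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, pad))

def create_vault(passphrase: str):
    vault_key = secrets.token_bytes(32)     # encrypts the stored items
    recovery_key = secrets.token_bytes(16)  # 128-bit value to print and store offline
    vault = {"by_recovery": wrap(recovery_kek(recovery_key), vault_key)}
    set_passphrase(vault, vault_key, passphrase)
    return vault, recovery_key

def set_passphrase(vault: dict, vault_key: bytes, passphrase: str) -> None:
    # Only the passphrase slot is rewritten; the recovery slot is untouched.
    vault["salt"] = secrets.token_bytes(16)
    vault["by_passphrase"] = wrap(passphrase_kek(passphrase, vault["salt"]), vault_key)

def unlock_with_passphrase(vault: dict, passphrase: str) -> bytes:
    return unwrap(passphrase_kek(passphrase, vault["salt"]), vault["by_passphrase"])

def unlock_with_recovery(vault: dict, recovery_key: bytes) -> bytes:
    return unwrap(recovery_kek(recovery_key), vault["by_recovery"])
```

In this layout, anyone holding the printed key can unlock the vault without the passphrase, which is why where you store it matters as much as the passphrase itself.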
To create a Recovery Key, simply go to File -> Recovery Key -> Create… and follow the steps. You will be asked to print your key. It will look something like this:
The included QR Code allows you to use your Mac’s camera to scan the key instead of typing all those characters.
You should print the recovery key and test it by selecting File -> Recovery Key -> Test… Finally, store it some place safe.
You can also entrust a copy of your Recovery Key to someone you trust in the event something happens to you. This isn’t something most of us ever think about. But our digital selves grow bigger every day. And in the event that, for some drastic reason, you are unable to access your passwords… your next of kin will be able to with as little friction as possible.
This feature will eventually make its way to Secrets for iOS.
Recovery keys are per device and are not synced via iCloud. You can only use a recovery key on the device that created it.
The great team at Panic just launched Transmit 5, a great update to an already awesome file transfer app for Mac. The news prompted this post about a little-known feature built into Secrets for Mac.
Since the first version of Secrets, if you hover over a service associated with a Login you can quickly connect to that service by clicking the button. For example, if you have https://www.icloud.com associated with your Apple ID Login, clicking that button will open that page in Safari.
This feature works out of the box for http and https services using Safari or Chrome, and ssh, sftp, ftp, telnet using Terminal. But if you have Transmit installed on your Mac, Secrets will prefer to use it for all service types it supports, including services such as Amazon S3 and WebDAV!
This site, for instance, is hosted on Amazon S3. I have a Login item in Secrets with the credentials for accessing the S3 bucket and an associated service with the URL s3://s3.amazonaws.com/outercorner.com. Every time I need to update the site, I can just click the button and it will open a Transmit window already connected to the bucket.
Go ahead, give it a try. This integration works with both Transmit 5 and Transmit 4.
When you first run Secrets the main window will open with an item list on the left and a detail pane on the right. This layout is very common on the Mac; Apple’s Mail and Contacts applications use it too. You select an item on the left to view its details on the right. For the majority of users it’s a well-known concept.
This layout works very well when you need to view or edit your item’s details. However, when designing Secrets, it was clear that most of the time the interaction with the application would be a quick and simple information retrieval, such as getting a password, a credit card number or filling a login in the web browser. In this scenario, a smaller window focused on searching would be a better fit.
That’s why you have been able to hide the detail pane since the very first version of Secrets. You can try this yourself by selecting View and then Hide Detail Pane in Secrets’ menubar, or by using the keyboard shortcut ⇧⌘D.
You may be wondering how you retrieve a password or credit card number if the detail pane is closed… Well, you just select the item you want and press ⌘C to copy the most relevant information for that item type to the clipboard. For Logins this will be the password, for Credit Cards the card number and for Bank Accounts the account number. Also, if you use the alternate ⌥⌘C keyboard shortcut you’ll copy the username for Logins and the PIN for credit cards.
This collapsed mode also works great when you’re filling logins in Safari. And if you have a small screen on your Mac you can make use of the Split View feature introduced in El Capitan to have Secrets and Safari open side by side in fullscreen.
If you need to access some other information or edit an item you can open the detail pane again, obviously, or simply double click the item to show the item’s details without expanding the detail pane.
In the past week Secrets was featured in both the Mac and iOS App Stores in the “New Apps We Love” category. This exposure resulted in fantastic new customers with interesting questions and comments. Some of these new customers are also new to the concept of managing passwords and want to know more about how to take full advantage of a password manager such as Secrets.
To understand the benefits of using a password manager one must understand the dangers of not having good password discipline.
When presented with the challenge of memorizing passwords for various sites, users will, understandably, either reuse a known and memorable password or use minor variations of it.
Today we have logins for everything, from our personal e-mail to our child’s day care. According to BuzzFeed the average person has 27 discrete online logins. Memorizing 27 different passwords is simply not feasible for most of us.
So what’s wrong with reusing the same password? Every year many sites are compromised and login information is leaked. Recently it was reported that a breach on Yahoo leaked about half a billion logins. And this happens all the time.
If your username, e-mail and password are exposed in one of these leaks, a malicious person can simply try using this information on other sites and gain access to your account. E-mail hosting services such as Gmail, Yahoo, Hotmail, etc. are probably among the first sites they would try. If an attacker gains access to your e-mail, they most likely gain access to all the other sites you use by simply using the “Reset password” functionality available on most sites.
With this information an attacker can try to gain access to your bank account, discover your credit card details or simply use your name to send spam.
If you have some technical experience you probably know that most sites don’t store your password just like you type it in the password field. If done correctly the site will store the result of passing your password through a one-way function. A one-way function makes it easy for the site to verify that the password you entered matches the password you chose when setting up an account, but makes it hard to retrieve the original password given the result of the one-way function.
The sole reason for sites to do this is to mitigate the consequences of a data breach such as the ones mentioned above.
However, even though a one-way function makes it hard to determine the original password given its result, an attacker can quickly apply the same one-way function to many common passwords and simply check whether the result matches one they got from some data breach. This is called a brute-force attack.
The lower the complexity, the easier it will be for an attacker to retrieve your password. And now you know the reason some sites ask you to pick a combination of uppercase/lowercase letters, numbers and symbols. These sites are simply trying to force you to pick a strong password.
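To make the one-way function concrete from the site’s side, here is an added example (not taken from any particular site or from Secrets) that puts a weak storage scheme next to a salted, deliberately slow one and rejects common passwords at signup. The iteration count, the 12-character minimum, the function names and the short password list are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # work factor: each guess costs an attacker this many rounds

# Constructed sample list; a real deployment would load a far larger one.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "111111", "letmein"}

def fast_unsalted(password: str) -> str:
    # Weak storage: one cheap hash, identical for every user with this password.
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password: str) -> dict:
    # Stronger storage: per-user random salt plus a deliberately slow function.
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "digest": digest}

def verify_password(record: dict, attempt: str) -> bool:
    # Recompute with the stored salt and compare in constant time.
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])

def acceptable_new_password(password: str) -> bool:
    # Refuse passwords an attacker would try first, whatever their character mix.
    return len(password) >= 12 and password.lower() not in COMMON_PASSWORDS

def records_share_digest(password: str) -> tuple:
    # Two users picking the same password: does one guess expose both?
    weak = fast_unsalted(password) == fast_unsalted(password)
    a, b = hash_password(password), hash_password(password)
    return weak, a["digest"] == b["digest"]
```

With the unsalted scheme one computed guess can be checked against every leaked record at once; with per-user salts each record has to be attacked separately, at the full work factor per guess.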
Out of curiosity here’s a list of the most commonly used passwords. Just note that if your password isn’t listed that doesn’t mean you have a strong password.
One of the goals of using a password manager such as Secrets is to facilitate good password discipline.
By using a password manager you can store different passwords for every site, avoiding the need to remember them. And if you don’t have to remember passwords there’s nothing stopping you from using strong passwords on every site. And Secrets will generate strong passwords for you, so you don’t even have to worry about that.
The only password you need to remember is the password to unlock your secrets and this password never leaves your device.
Already roaming the Mac and iOS App Stores is Secrets version 2.2, adding support for all things Touch.
On the Mac side, Secrets will now make use of both the Touchbar and Touch ID present on your new MacBook Pro. On iOS we’ve added 3D Touch features such as Quick Actions and Peek & Pop.
Replacing the physical function keys with dynamic buttons underneath a multitouch surface, the Touchbar is a brand new user input method on the Mac… and we’re very excited about its potential.
When deciding which controls to place on the Touchbar the goal was to provide quick and commonly used actions that would keep your hands on the keyboard instead of forcing you to use the mouse/trackpad.
Switching item categories, creating a new item, adjusting the password generator options, etc. can all be done with just a few taps on the Touchbar.
We think there’s a lot of potential in this new form of user input and we’re looking forward to seeing what the developer community will come up with. If you have any ideas or suggestions please let us know via Twitter or e-mail.
The availability of Touch ID on the Mac has been arguably overshadowed by the shiny new Touchbar. For us however, it was just as important!
Having experienced the joy of using Touch ID on iOS to unlock Secrets we couldn’t get it working fast enough. So as of version 2.2.0 you can opt in to saving your passphrase on the Secure Element included on your Mac and have it be protected by Touch ID.
Word of warning: If you enable Touch ID on both Mac and iOS, make sure you don’t forget your passphrase 😉.
While all this was happening in Mac land, the iOS version got a little jealous. To make amends, we took this opportunity to add the long overdue support for 3D Touch.
Press on the home screen icon to reveal a series of quick actions. In the item list press on any item to take a peek at its contents and optionally copy item data by swiping up. When filtering item categories you can also press on a single category to force all others to be deselected.