In the past week Secrets was featured in both the Mac and iOS App Stores in the “New Apps We Love” category. This exposure brought fantastic new customers with interesting questions and comments. Some of these new customers are also new to the concept of managing passwords and want to know how to take full advantage of a password manager such as Secrets.
To understand the benefits of using a password manager one must understand the dangers of not having a good password discipline.
When presented with the challenge of memorizing passwords for various sites, users will, understandably, either reuse a known and memorable password or use minor variations of it.
Today we have logins for everything, from our personal e-mail to our child’s day care. According to BuzzFeed the average person has 27 discrete online logins. Memorizing 27 different passwords is simply not feasible for most of us.
So what’s wrong with reusing the same password? Every year many sites are compromised and login information is leaked. Recently it was reported that a breach at Yahoo leaked about half a billion logins. And this happens all the time.
If your username, e-mail and password are exposed in one of these leaks, a malicious person can simply try the same credentials on other sites and gain access to your accounts (this is known as credential stuffing). Webmail services such as Gmail, Yahoo and Hotmail are probably among the first they would try. If an attacker gains access to your e-mail, they most likely gain access to every other site you use by simply using the “Reset password” functionality available on most sites, since the reset link lands in that mailbox.
With this information an attacker can try to gain access to your bank account, discover your credit card details or simply use your name to send spam.
If you have some technical experience you probably know that most sites don’t store your password the way you type it into the password field. If done correctly, the site stores the result of passing your password through a one-way function (a password hash), ideally a deliberately slow one combined with a random per-user salt. A one-way function makes it easy for the site to verify that the password you entered matches the one you chose when setting up the account, but makes it hard to recover the original password from the stored result.
The reason sites do this is to limit the damage of a data breach such as the ones mentioned above: the attacker walks away with hashes, not passwords.
However, even though a one-way function makes it hard to determine the original password from its result, an attacker can quickly apply the same one-way function to many common passwords and simply check whether any result matches what they got from the data breach. This is called a dictionary attack; trying every possible combination instead of a list is a brute-force attack, and both get cheaper the shorter and more predictable the password is.
The lower the complexity, the easier it is for an attacker to recover your password. And now you know why some sites ask you to pick a combination of uppercase and lowercase letters, numbers and symbols: they are simply trying to force you to pick a strong password.
Out of curiosity, here’s a list of the most commonly used passwords. Just note that if your password isn’t listed, that doesn’t mean you have a strong password.
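To make the argument above concrete, here is an added example (not code from Secrets or from this post) that stores a small constructed set of user passwords two ways, as a plain SHA-256 hash and as a salted PBKDF2 hash, and then runs the dictionary attack described above against both “leaked” databases. The list of common passwords, the user names and the iteration counts are constructed for the demonstration.

```python
"""Why a leaked password database is not safe just because it is hashed.

Added example, not code from the Secrets app or the article. The "leaked"
databases and the list of common passwords are constructed here for the
demonstration; real breach dumps and attacker wordlists are far larger.
"""
import hashlib
import os
import secrets
import string
import time

# A few entries that regularly top "most common passwords" lists (constructed).
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "iloveyou",
                    "dragon", "monkey", "sunshine", "welcome", "football"]


def weak_store(password: str) -> str:
    """What many breached sites did: a single fast, unsalted hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def strong_store(password: str, iterations: int = 100_000) -> str:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256). The record is
    self-describing so the verifier can recover the salt and the cost."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def strong_verify(record: str, password: str) -> bool:
    """Re-derive with the stored salt/cost and compare in constant time."""
    _, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return secrets.compare_digest(dk.hex(), dk_hex)


def crack_weak(leaked: dict, wordlist) -> dict:
    """Dictionary attack on unsalted hashes: hash each guess ONCE and look it
    up against every user. Cost is O(guesses + users), not O(guesses * users)."""
    lookup = {weak_store(w): w for w in wordlist}
    return {user: lookup[h] for user, h in leaked.items() if h in lookup}


def crack_strong(leaked: dict, wordlist) -> dict:
    """Same attack against salted PBKDF2: every guess must be re-derived per
    user with that user's salt, and each derivation is deliberately slow."""
    found = {}
    for user, record in leaked.items():
        for w in wordlist:
            if strong_verify(record, w):
                found[user] = w
                break
    return found


def generated_password(length: int = 20) -> str:
    """What a password manager hands out: random, per-site, on no wordlist."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed users: two with common passwords, one with a generated one.
    users = {"alice": "123456", "bob": "letmein", "carol": generated_password()}
    weak_db = {u: weak_store(p) for u, p in users.items()}
    strong_db = {u: strong_store(p) for u, p in users.items()}

    t = time.perf_counter()
    print("weak  :", crack_weak(weak_db, COMMON_PASSWORDS),
          f"({time.perf_counter() - t:.3f}s)")
    t = time.perf_counter()
    print("strong:", crack_strong(strong_db, COMMON_PASSWORDS),
          f"({time.perf_counter() - t:.3f}s)")
    # Both runs recover alice and bob. The slow, salted hash only buys time;
    # it cannot rescue a password that is on the list. carol is never found.
```

Run it and both attacks recover the two users with common passwords; the salted slow hash only forces the attacker to spend more time per guess and stops one hash computation from being checked against every user at once. The generated password is on no list, which is the whole point of letting a password manager choose it.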
One of the goals of using a password manager such as Secrets is to facilitate having a good password discipline.
By using a password manager you can store a different password for every site without needing to remember them. And if you don’t have to remember passwords, there’s nothing stopping you from using strong passwords on every site. Secrets will generate strong passwords for you, so you don’t even have to worry about that.
The only password you need to remember is the password to unlock your secrets and this password never leaves your device.
Already roaming the Mac and iOS App Stores is Secrets version 2.2 adding support for all things Touch.
On the Mac side, Secrets will now make use of both the Touch Bar and Touch ID present on your new MacBook Pro. On iOS we’ve added 3D Touch features such as Quick Actions and Peek & Pop.
Replacing the physical function keys with dynamic buttons on a multitouch surface, the Touch Bar is a brand new user input method on the Mac… and we’re very excited about its potential.
When deciding which controls to place on the Touch Bar, the goal was to provide quick and commonly used actions that keep your hands on the keyboard instead of forcing you to reach for the mouse/trackpad.
Switching item categories, creating a new item, adjusting the password generator options and so on can all be done with just a few taps on the Touch Bar.
We think there’s a lot of potential in this new form of user input and we’re looking forward to seeing what the developer community comes up with. If you have any ideas or suggestions, please let us know via Twitter or e-mail.
The availability of Touch ID on the Mac has arguably been overshadowed by the shiny new Touch Bar. For us, however, it was just as important!
Having experienced the joy of using Touch ID on iOS to unlock Secrets, we couldn’t get it working on the Mac fast enough. So as of version 2.2.0 you can opt in to saving your passphrase protected by the Secure Enclave included in your Mac and unlock it with Touch ID. This is an opt-in convenience: the passphrase stays on the device, and the fingerprint only releases it locally.
Word of warning: if you enable Touch ID on both Mac and iOS, make sure you don’t forget your passphrase 😉. Touch ID unlocks a copy of it; it does not replace it.
While all this was happening in Mac land, the iOS version got a little jealous. To make amends, we took this opportunity to add the long overdue support for 3D Touch.
Press on the home screen icon to reveal a series of quick actions. In the item list, press on any item to take a peek at its contents and optionally copy item data by swiping up. When filtering item categories you can also press on a single category to deselect all the others.
Since launching Secrets 6 months ago we have known we had to offer some type of trial for prospective users, and understandably this was often requested. At the time our priority was to release our Minimum Viable Product (MVP).
For the past 6 months we have been squashing bugs, implementing features that didn’t make our MVP and applying polish throughout. At the same time, we’ve been studying various options to provide some sort of trials for users wanting to test Secrets before buying.
Finally, we’ve settled on a simple Freemium model. You can download both Secrets for Mac and iOS for free and use all features with up to 10 items. That’s it. To remove the 10 item limit you just need to make a one-time in-app purchase.
To mark this change in the business model we’re bumping Secrets version to 2.0.
If you’re an existing user you won’t have to purchase anything else… obviously. And by the way thank you for your business! 🙂
If you’re not an existing user, now is the time. Download Secrets for Mac and iOS today.
When developing Secrets we purposely avoided using browser extensions to fill logins on websites. The reasons are many:
our users should not have to type their passphrase anywhere except in the Secrets application (especially not in the browser);
only the Secrets application should handle your data and should always serve as gateway for it;
establishing communication between the browser extension and Secrets also presented some security concerns;
users would have to manually install the extension.
As such we used a much simpler and safer approach. We used Apple Events to communicate with both Safari and Chrome directly from Secrets, bypassing the need for a browser extension and all the issues that come with it.
So, what changed?
Two things. (1) Just a few weeks after we launched, Apple released macOS 10.11.5 and with it disabled our integration by default, so our users had to manually enable a setting in Safari to bring back the functionality. (2) Our Apple Events-based solution could not fill logins on pages inside iframes, such as www.icloud.com.
To solve both, we developed a very simple extension that mimics our old behaviour. Succinctly, the extension only tells Secrets whether there are login forms on the page available to fill and asks whether it should fill any of them. All the heavy lifting, and all the data, stay in the main application just like before, so your passphrase and your items never enter the browser. This also means the login flow stays the same for all existing users.
Finally, the extension enabled us to access the dreaded iframes we couldn’t access before. So filling in www.icloud.com works now!
So go ahead and update and let us know if you run into any issues.
One important feature that got left out of our initial release was the ability to generate one-time passwords.
A one-time password (OTP) is a password valid for a single use against some sort of authentication mechanism. Nowadays the most common kind is the time-based one-time password (TOTP): a short numeric code derived from a secret shared with the site and the current time, valid as an authentication token only for a brief period (usually 30 seconds).
Companies such as Apple, Google, Facebook and Dropbox employ TOTPs as the second factor in the now popular two-factor authentication (2FA). This provides an extra layer of security in case your password gets compromised: a leaked password alone is not enough to log in.
With version 1.2.0 now available on both the Mac and iOS App Stores, you can enable 2FA in the aforementioned sites and generate authentication codes using Secrets on your Mac or Secrets Touch on your iOS device. For many other services that support 2FA head to twofactorauth.org for a handy searchable database.
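For readers who want to see what an authenticator is actually computing, here is an added example implementing HOTP (RFC 4226) and TOTP (RFC 6238) in Python with only the standard library. It is not Secrets’ own code. The secret is the RFC test key (the base32 form is what an otpauth:// QR code carries), and the verify_totp function with its clock-skew window is the server side of the exchange, included to show why a code is only useful for one time step; the window size and digit count are assumptions matching common practice.

```python
"""Minimal HOTP (RFC 4226) / TOTP (RFC 6238) generator and verifier.

Added example, not code from the Secrets app. Standard library only.
RFC_TEST_SECRET is the test key from the RFCs, not a real credential.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

RFC_TEST_SECRET = b"12345678901234567890"  # RFC 4226 appendix D test key


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC-based one-time password: HMAC(secret, counter), dynamically truncated."""
    msg = struct.pack(">Q", counter)               # 8-byte big-endian counter
    digest = hmac.new(secret, msg, algo).digest()
    offset = digest[-1] & 0x0F                     # low nibble picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """Time-based variant: HOTP over floor(unix_time / step)."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits, algo)


def encode_base32_secret(secret: bytes) -> str:
    """Base32 form used in otpauth:// URIs and QR codes (padding dropped)."""
    return base64.b32encode(secret).decode().rstrip("=")


def decode_base32_secret(text: str) -> bytes:
    """Decode a shared secret as issuers print it: often lowercase, spaced
    into groups and without '=' padding. Normalise before decoding."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify_totp(secret: bytes, candidate: str, at: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check tolerating +/- `window` steps of clock skew.
    The comparison is constant-time so response timing leaks nothing about
    how many digits matched (window=1 is an assumed, common choice)."""
    if at is None:
        at = int(time.time())
    if not (candidate.isdigit() and len(candidate) == digits):
        return False
    counter = at // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 appendix B vectors (SHA-1, 8 digits): T=59 and T=1111111109
    assert totp(RFC_TEST_SECRET, 59, digits=8) == "94287082"
    assert totp(RFC_TEST_SECRET, 1111111109, digits=8) == "07081804"
    provisioned = encode_base32_secret(RFC_TEST_SECRET)
    print("otpauth secret:", provisioned)
    print("current code  :", totp(decode_base32_secret(provisioned)))
```

The two assertions in the block are the RFC 6238 test vectors, so a correct implementation can be checked without any account. Note that the entire security of the scheme rests on the shared secret: whoever holds it can generate every future code, which is why it belongs in the same encrypted store as the password and not in a screenshot of the QR code.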
This new version also includes many bug fixes and enhancements, so please update even if you’re not planning on using one-time passwords.