Web Security and 1Passwd
Reviewed by Linda Cameron, editor of The Finder. Reprinted with permission.
Do you worry about how secure you are using the Internet? I know people
who still don’t shop or do banking online because they are afraid their
information could be hijacked and possibly used to steal their identity or get
access to their bank account. Mac users are somewhat more secure, but we
shouldn’t take it for granted that those things can never happen to us, because
they can. The best defense is to know as much as you can about what can happen
and then stay vigilant and take precautions.
Recognize a secure web page
Safari and most Mac web browsers
are compatible with secure websites, such as those that use 128-bit encryption.
Learn how to recognize a secure connection, and how to avoid a fake.
A secure web page shows a locked Padlock icon on the upper right.
Websites that
deal in personal or financial information typically offer secure connections.
With a secure connection, your data is encrypted so that it cannot be easily
read by anyone who might intercept it between your computer and the website
(similar to using an ATM machine).
You should not enter any sensitive information on a form if
you are not sure it is secure. If a legitimate organization requests sensitive
information on an insecure form, you should consider contacting them via
telephone instead.
To see this Verisign certificate, click the
Padlock icon on your web page.
When you are
entering sensitive information on a web page, the URL should start out with
“https:” rather than “http:”—the “s” is for “secure”.
You should
also see a Padlock icon on a secure web page up in the right corner. Click the
padlock to open a small window that shows the Secure Server Certificate. If
that site happened to be a phony site made to look like one of the legitimate
ones you do business with (such as your bank), you would be warned. If a web
page has the “https:” and the padlock icon and you trust the
organization that created the website, then go ahead and use it. If you are not
comfortable, then maybe you should do your business over the phone.
Phishing scams
One way a scammer gets your information is by “phishing”. It sounds
like fishing and is similar. The usual way phishing works is this: you get an Email
from what appears to be your bank, or some other institution. I would say most
of us have received a lot of phishing Emails already from financial
organizations that we have nothing to do with, so we delete it as spam.
Occasionally, some of those phishing Emails will appear to be from a bank we
actually do business with or an organization—such as PayPal or eBay.
That is when you could get in trouble, if you assume they are legitimate. Often
the phishing Email will have links for you to click on where you are supposed
to login to your account. If it is indeed a phishing scam, and you go and type
in your account info and password, they “gotcha”. Depending on the type of
business you do, they could steal money from you or mess up your good ratings
on eBay by using your identity to rip others off. You definitely want to be
careful with PayPal because you could give someone access to your checking
account.
One rule is to NEVER click on a link in an Email unless you are sure who
sent it to you. However, if you do click on a phishing link, the only way it
can work is for you to type in the information. If you save your passwords in
Keychain and let Safari autofill the blank fields then it won’t work because
Safari knows it isn’t the real web page where you originally saved that
information.
Keylogging
Keylogging is another sneaky way your passwords and
sensitive data can be stolen. There are applications that can be installed on
PCs and Macs which will log all keystrokes no matter what applications you are
using. I have such applications on my Mac. One of them is called Ghostwriter
and is a component of Spell Catcher. My purpose for using that application is
in case I am working on something and the program crashes, I could retrieve
most of the text I had typed. Sometimes, businesses will install Keylogging
applications on their computers to monitor what their employees are doing.
Parents may want to keep an eye on what their children are up to on the
computer, for their protection. I have even heard of keylogging being used to
find out if a spouse is being faithful.
What you don’t want is someone who has access to your computer secretly
installing such an application and later on, retrieving the information to
collect passwords and personal data.
If you use Safari as your web browser and let Keychain store your login
and passwords, you are somewhat protected from keylogging attempts. When you go
to a web page where you have to register with a login and password, you get a
window asking if you want Keychain to remember that information. Clicking “yes”
lets Safari automatically enter the text rather than you having to type it out
each time. Keylogging only works on things you actually type out, not
auto-filled forms. Keychain is a really nice application included with our Mac
OS X software. We only need to put one password in to open it and then we have
access to all our passwords. Unfortunately, Keychain only works with Safari.
Many of us use other web browsers also.
A trojan horse over the internet is another way to get a Keylogging
application installed. Some websites have flashy ads that entice you or your
children to click on them. Clicking on the wrong link on a web page could
download and install software while the person who is at the computer may think
it is something else—like a free game. On a Mac, using Safari, we have to
click to allow any downloaded application to continue before it is installed.
That gives us some protection, but if we think we are downloading a game and it
is really something nefarious, we could be in trouble.
Low tech danger
It is tempting to keep
a notebook near your computer where you can write down all the logins and
passwords you use, but then if someone broke into your house and stole your
computer and could easily find the notebook containing all your passwords, that
would be really nice for them and bad for you. Having a notebook like that
might not be a bad idea, but the important thing is to keep it in a safe place.
1Passwd offers extra protection
I recently found out about a web browser plugin called 1Passwd. It works
with all the most popular web browsers for the Mac. It is a password manager
which lets you easily login to all your web accounts with one click of the
mouse.
When first
installed, 1Passwd (pronounced onepassword, I believe) asks you to choose one
password which will be used to unlock all your passwords which 1Passwd stores.
Do not forget this password because all the passwords and login names you use
at different websites will be stored in 1Passwd from now on. It is similar to
Keychain, but 1Passwd automatically works in all your web browsers, not just
Safari.
Once installed,
1Passwd puts a small icon in the toolbar of all your web browsers. I was able
to import my passwords from Keychain, saving me the hassle of having to
manually enter all the logins and passwords. Now with 1Passwd, when I go to a
web page requiring a login, the login information is empty on the page, but I
can click on the 1Passwd icon and it will autofill the info into the fields and
log me in. Using 1Passwd to fill in all my logins and passwords, I can never be
tricked by a “phish” because 1Passwd will only work with the legitimate web
site that you first registered at and saved.
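A simplified model of the autofill behaviour described above and in the phishing section, as an added example that is not part of the original review and is not Safari's, Keychain's or 1Passwd's actual code: a saved login is tied to the site it was saved on and is offered only on an exact match. The `Vault` class, host names and credentials are constructed for illustration.

```javascript
// Assumed model: a saved login is keyed by origin (scheme + host + port).
// All hosts and credentials below are constructed sample data.

// Reduce a page URL to the origin a saved login is bound to.
function originOf(rawUrl) {
  try {
    return new URL(rawUrl).origin; // e.g. "https://www.examplebank.test"
  } catch (e) {
    return null; // unparseable URL: never fill
  }
}

class Vault {
  constructor() {
    this.items = new Map(); // origin -> { username, password }
  }

  // Called when the user saves a login on the page they registered at.
  save(pageUrl, username, password) {
    const origin = originOf(pageUrl);
    if (!origin || !origin.startsWith("https://")) {
      throw new Error("refusing to save a login for a non-HTTPS page");
    }
    this.items.set(origin, { username, password });
  }

  // Called when the user asks to fill the current page.
  // Returns the saved login only on an exact origin match, otherwise null.
  fill(pageUrl) {
    const origin = originOf(pageUrl);
    return origin ? this.items.get(origin) || null : null;
  }
}

// Save once on the real site, then try to fill on four pages.
function demo() {
  const vault = new Vault();
  vault.save("https://www.examplebank.test/login", "sample-user", "constructed-password");
  const pages = [
    "https://www.examplebank.test/account/signin",     // same site, different path
    "https://www.examplebank.test.evil.example/login", // real name used as a subdomain
    "https://www.examp1ebank.test/login",              // look-alike spelling ("1" for "l")
    "http://www.examplebank.test/login",               // same host, but not https
  ];
  return pages.map((page) => vault.fill(page) !== null);
}
```

Only the first page is filled; a person reading the address bar can miss the differences in the other three, while an exact comparison cannot.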
Keychain’s
AutoFill only works in Safari and can only be used for one identity and can
only put in information you have stored in Keychain and Address Book. 1Passwd
can store information for multiple identities, it can store credit card
numbers, and other sensitive information that you might use online but don’t
want anyone else having access to. You could even store safe combinations and
information that you don’t need online, but want to have stored in a safe
place.
One click of the mouse and your
login and password are entered.
1Passwd is an application but it is also a Keychain.
1Passwd can also generate really strong passwords for you to use on web
pages. You don’t have to remember those passwords—you only need to know
the one password you set up. That is beneficial to prevent someone from
guessing your password. 1Passwd is an application and a browser plugin. If for
some reason a future update disabled the browser plugin, the application can
still be opened up and you can view all the information inside. So far in the
month or two I have been using 1Passwd, there have been several updates to
1Passwd.
Some
of my financial institutions online will lock me out if I put in the wrong
password more than three times. That happened to me on two or three websites.
When you first enter a login and password on a web page that 1Passwd doesn’t
know, a window pops up asking if you want to store it in 1Passwd (just like
Safari and Keychain do). If you click YES, and you have entered wrong
information, then it can get confusing. I had to go into 1Passwd and delete
some of the saved logins or edit them to contain the correct information. A
couple of my financial institutions’ websites that I got locked out of—I
had to call the website’s customer support numbers to refresh the information
so I could get it working again. Once my login is working properly with
1Passwd, it is very smooth and easy.
1Passwd requires
only one password to unlock all your passwords.
If you
use Firefox rather than Safari as your main browser, you may already have many
logins/passwords stored in Firefox. 1Passwd can import those also. In my case,
I use Safari as my main browser and having 1Passwd installed makes it easier to
use other browsers because my login/password information is in 1Passwd and
available within all those browsers. In fact, that is what I like best about
1Passwd. (If it could turn off annoying ads in the web pages, it would
be fantastic!)
All
the data you have in 1Passwd is in Apple’s Keychain. If you are backing up your
Keychain regularly, it should also back up your 1Passwd information too. I use
Dot Mac to back up my Keychain and other things regularly to my iDisk. That way,
if I am away from my computer (like out of town) but I want to access any of my
browser bookmarks or Address Book, I can, using another computer. I notice also
that in 1Passwd, you can export all your data as a text document. If you do,
then it could be opened in any word processor and everything is right there to
see, so I am not sure that is a good idea unless you just want to print it out
and keep it in a safe place.
At
first, I noticed that 1Passwd was always allowing me to automatically fill in
the login and passwords even when I rebooted and started using the web. That
concerned me because I figured if someone else had access to my computer, they
would have really easy access to all my accounts too. I posted a question on
the 1Passwd forum asking “Shouldn’t 1Passwd require you to enter your password
before you can have access?” A few people responded offering suggestions like
turning on the Account login requirement on the Mac in System Preferences. Then
a week or so later, a new 1Passwd updater came out and the next thing I knew,
it was asking me for my “one password” to start using it. 1Passwd now locks
automatically after about 10 minutes of inactivity although you could change
that setting. This seems much more secure to me and I am glad they changed the
default settings.
Using
1Passwd doesn’t require much of a learning curve. It is mostly automatic. I
shop online all the time. I do online banking and bill payments and even
investment transactions. So far, I have never had a problem with security, but
all along, I have kept myself aware of possible threats. I have received plenty
of phishing attempts which I now just delete. I used to forward them to the
legitimate sites, but there are so many scams, I don’t think it does any good.
If you are still confused about 1Passwd and how it works, I would suggest you
browse on over to http://1passwd.com/home/show_movie and watch the QuickTime
video.
One
thing I would like to see in 1Passwd is a keystroke shortcut I could use to
automatically fill in the passwords and login names. I am used to using
keyboard shortcuts rather than having to mouse up to the menu to do things. It
is just quicker.
1Passwd costs about $30 and is well worth it.