JonHoyle.com Mirror of MacCompanion
http://www.maccompanion.com/macc/archives/September2007/Software/Web%20Securityand1Passwd.htm

Web Security and 1Passwd

Reviewed by Linda Cameron, editor of The Finder. Reprinted with permission.

Agile Web Solutions

16715-12 Yonge St, Suite 192, Newmarket, Ontario, L3X 1X4

http://1passwd.com/

Demo Video: http://1passwd.com/home/show_movie

$30 USD

Requirements: Mac OS X 10.4 or later.

Strengths: One-click password entry.

Weaknesses: None found.

Switchers Blog: http://switchersblog.com/

Do you worry about how secure you are using the Internet? I know people who still don’t shop or do banking online because they are afraid their information could be hijacked and possibly used to steal their identity or get access to their bank account. Mac users are somewhat more secure, but we shouldn’t take it for granted that those things can never happen to us, because they can. The best defense is to know as much as you can about what can happen and then stay vigilant and take precautions.

 

Recognize a secure web page

Safari and most Mac web browsers are compatible with secure websites, such as those that use 128-bit encryption. Learn how to recognize a secure connection, and how to avoid a fake.

 

A secure web page shows a locked Padlock icon on the upper right.

 

Websites that deal in personal or financial information typically offer secure connections. With a secure connection, your data is encrypted so that it cannot be easily read by anyone who might intercept it between your computer and the website (similar to using an ATM machine).

You should not enter any sensitive information on a form if you are not sure it is secure. If a legitimate organization requests sensitive information on an insecure form, you should consider contacting them via telephone instead.

To see this Verisign certificate, click the Padlock icon on your web page.

 

When you are entering sensitive information on a web page, the URL should start out with “https:” rather than “http:” —the “s” is for “secure”.

You should also see a Padlock icon on a secure web page up in the right corner. Click the padlock to open a small window that shows the Secure Server Certificate. If that site happened to be a phony site made to look like one of the legitimate ones you do business with (such as your bank), you would be warned. If a web page has the “https:” and the padlock icon and you trust the organization that created the website, then go ahead and use it. If you are not comfortable, then maybe you should do your business over the phone.

 

Phishing scams

One way a scammer gets your information is by “phishing”. It sounds like fishing and is similar. The usual way phishing works is that you get an Email from what appears to be your bank, or some other institution. I would say most of us have received a lot of phishing Emails already from financial organizations that we have nothing to do with, so we delete them as spam. Occasionally, some of those phishing Emails will appear to be from a bank we actually do business with or an organization—such as PayPal or eBay. That is when you could get in trouble, if you assume they are legitimate. Often the phishing Email will have links for you to click on where you are supposed to login to your account. If it is indeed a phishing scam, and you go and type in your account info and password, they “gotcha”. Depending on the type of business you do, they could steal money from you or mess up your good ratings on eBay by using your identity to rip others off. You definitely want to be careful with PayPal because you could give someone access to your checking account.

One rule is to NEVER click on a link in an Email unless you are sure who sent it to you. However, if you do click on a phishing link, the only way it can work is for you to type in the information. If you save your passwords in Keychain and let Safari autofill the blank fields then it won’t work because Safari knows it isn’t the real web page where you originally saved that information.

 

Keylogging

Keylogging is another sneaky way your passwords and sensitive data can be stolen. There are applications that can be installed on PCs and Macs which will log all keystrokes no matter what applications you are using. I have such applications on my Mac. One of them is called Ghostwriter and is a component of Spell Catcher. My purpose for using that application is in case I am working on something and the program crashes, I could retrieve most of the text I had typed. Sometimes, businesses will install Keylogging applications on their computers to monitor what their employees are doing. Parents may want to keep an eye on what their children are up to on the computer, for their protection. I have even heard of keylogging being used to find out if a spouse is being faithful.

 

What you don’t want is someone who has access to your computer secretly installing such an application and later on, retrieving the information to collect passwords and personal data.

 

If you use Safari as your web browser and let Keychain store your login and passwords, you are somewhat protected from keylogging attempts. When you go to a web page where you have to register with a login and password, you get a window asking if you want Keychain to remember that information. Clicking “yes” lets Safari automatically enter the text rather than you having to type it out each time. Keylogging only works on things you actually type out, not auto-filled forms. Keychain is a really nice application included with our Mac OS X software. We only need to put one password in to open it and then we have access to all our passwords. Unfortunately, Keychain only works with Safari. Many of us use other web browsers also.

 

A trojan horse over the internet is another way to get a Keylogging application installed. Some websites have flashy ads that entice you or your children to click on them. Clicking on the wrong link on a web page could download and install software while the person who is at the computer may think it is something else—like a free game. On a Mac, using Safari, we have to click to allow any downloaded application to continue before it is installed. That gives us some protection, but if we think we are downloading a game and it is really something nefarious, we could be in trouble.

 

Low tech danger

It is tempting to keep a notebook near your computer where you can write down all the logins and passwords you use, but then if someone broke into your house and stole your computer and could easily find the notebook containing all your passwords, that would be really nice for them and bad for you. Having a notebook like that might not be a bad idea, but the important thing is to keep it in a safe place.

 

1Passwd offers extra protection

I recently found out about a web browser plugin called 1Passwd. It works with all the most popular web browsers for the Mac. It is a password manager which lets you easily login to all your web accounts with one click of the mouse.

 

When first installed, 1Passwd (pronounced onepassword, I believe) asks you to choose one password which will be used to unlock all your passwords which 1Passwd stores. Do not forget this password because all the passwords and login names you use at different websites will be stored in 1Passwd from now on. It is similar to Keychain, but 1Passwd automatically works in all your web browsers, not just Safari.

 

Once installed, 1Passwd puts a small icon in the toolbar of all your web browsers. I was able to import my passwords from Keychain, saving me the hassle of having to manually enter all the logins and passwords. Now with 1Passwd, when I go to a web page requiring a login, the login information is empty on the page, but I can click on the 1Passwd icon and it will autofill the info into the fields and log me in. Using 1Passwd to fill in all my logins and passwords, I can never be tricked by a “phish” because 1Passwd will only work with the legitimate web site that you first registered at and saved.
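The idea behind this phishing protection, and behind the earlier remark about Safari and Keychain, is that an autofill tool ties each saved login to the site where it was saved. The sketch below is an added illustration, not 1Passwd's or Safari's code; how those products actually match sites is not described in this review, and the vault, URLs and credentials are constructed.

```javascript
// Added example: every name, URL and credential here is constructed.
// Saved logins are keyed by origin (scheme + host + port) at save time.
const vault = new Map([
  ["https://www.examplebank.test", { username: "linda", password: "constructed-pw" }],
]);

// Parse with the URL class so host case, default ports and paths are
// normalized before comparison. Returns null for unparsable input.
function originOf(pageUrl) {
  try {
    const u = new URL(pageUrl);
    return { scheme: u.protocol, origin: u.origin };
  } catch {
    return null;
  }
}

// Hardened check: fill only on an https page whose origin equals the saved one.
function autofill(pageUrl) {
  const page = originOf(pageUrl);
  if (!page) return { filled: false, reason: "unparsable URL" };
  if (page.scheme !== "https:") return { filled: false, reason: "not https" };
  const login = vault.get(page.origin);
  if (!login) return { filled: false, reason: "no saved login for this origin" };
  return { filled: true, username: login.username };
}

// Weak check for comparison: a string-prefix test accepts any host that
// merely begins with the saved one.
function naiveAutofill(pageUrl) {
  for (const [saved, login] of vault) {
    if (pageUrl.startsWith(saved)) return { filled: true, username: login.username };
  }
  return { filled: false, reason: "no match" };
}

const samples = [
  "https://www.examplebank.test/login",             // the real site
  "HTTPS://WWW.ExampleBank.TEST:443/login",         // same origin, different spelling
  "http://www.examplebank.test/login",              // no encryption
  "https://www.examplebank.test.signin.example/",   // lookalike host
];
for (const url of samples) {
  console.log(url, "| origin check:", autofill(url).filled,
              "| prefix check:", naiveAutofill(url).filled);
}
```

Only the first two sample URLs are filled by the origin check; the prefix check would also fill the lookalike host, which is why the comparison has to be made on the parsed origin rather than on the raw address text.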

 

Keychain’s AutoFill only works in Safari and can only be used for one identity and can only put in information you have stored in Keychain and Address Book. 1Passwd can store information for multiple identities, it can store credit card numbers, and other sensitive information that you might use online but don’t want anyone else having access to. You could even store safe combinations and information that you don’t need online, but want to have stored in a safe place.

One click of the mouse and your login and password are entered.

 

1Passwd is an application but it is also a Keychain.

 

1Passwd can also generate really strong passwords for you to use on web pages. You don’t have to remember those passwords—you only need to know the one password you set up. That is beneficial to prevent someone from guessing your password. 1Passwd is an application and a browser plugin. If for some reason a future update disabled the browser plugin, the application can still be opened up and you can view all the information inside. So far in the month or two I have been using 1Passwd, there have been several updates to 1Passwd.

 

Some of my financial institutions online will lock me out if I put in the wrong password more than three times. That happened to me on two or three websites. When you first enter a login and password on a web page that 1Passwd doesn’t know, a window pops up asking if you want to store it in 1Passwd (just like Safari and Keychain do). If you click YES, and you have entered wrong information, then it can get confusing. I had to go into 1Passwd and delete some of the saved logins or edit them to contain the correct information. A couple of my financial institutions’ websites that I got locked out of—I had to call the website’s customer support numbers to refresh the information so I could get it working again. Once my login is working properly with 1Passwd, it is very smooth and easy.

 

1Passwd requires only one password to unlock all your passwords.

 

If you use FireFox rather than Safari as your main browser, you may already have many login/ passwords stored in FireFox. 1Passwd can import those also. In my case, I use Safari as my main browser and having 1Passwd installed makes it easier to use other browsers because my login/ password information is in 1Passwd and available within all those browsers. In fact, that is what I like best about 1Passwd. (If it could turn off annoying ads in the web pages, it would be fantastic!)

 

All the data you have in 1Passwd is in Apple’s Keychain. If you are backing up your Keychain regularly, it should also back up your 1Passwd information too. I use Dot Mac to back up my Keychain and other things regularly to my iDisk. That way, if I am away from my computer (like out of town) but I want to access any of my browser bookmarks or Address Book, I can, using another computer. I notice also that in 1Passwd, you can export all your data as a text document. If you do, then it could be opened in any word processor and everything is right there to see, so I am not sure that is a good idea unless you just want to print it out and keep it in a safe place.

 

At first, I noticed that 1Passwd was always allowing me to automatically fill in the login and passwords even when I rebooted and started using the web. That concerned me because I figured if someone else had access to my computer, they would have really easy access to all my accounts too. I posted a question on the 1Passwd forum asking “Shouldn’t 1Passwd require you to enter your password before you can have access?” A few people responded offering suggestions like turning on the Account login requirement on the Mac in System Preferences. Then a week or so later, a new 1Passwd updater came out and the next thing I knew, it was asking me for my “one password” to start using it. 1Passwd now locks automatically after about 10 minutes of inactivity although you could change that setting. This seems much more secure to me and I am glad they changed the default settings.

 

Using 1Passwd doesn’t require much of a learning curve. It is mostly automatic. I shop online all the time. I do online banking and bill payments and even investment transactions. So far, I have never had a problem with security, but all along, I have kept myself aware of possible threats. I have received plenty of phishing attempts which I now just delete. I used to forward them to the legitimate sites, but there are so many scams, I don’t think it does any good. If you are still confused about 1Passwd and how it works, I would suggest you browse on over to http://1passwd.com/home/show_movie and watch the QuickTime video.

 

One thing I would like to see in 1Passwd is a keystroke shortcut I could use to automatically fill in the passwords and login names. I am used to using keyboard shortcuts rather than having to mouse up to the menu to do things. It is just quicker.

 

1Passwd costs about $30 and is well worth it.