
Review: 1passwd - Mac Password Manager & Form Filler

1Passwd to rule them all

I’m terrible with passwords. Despite sometimes using the Apple Keychain application to store the passwords on my Mac, I still tend to stick to one of my ‘pool’ passwords. Don’t we all do that? Pet’s name, pet’s maiden name, pet’s married name and so on and so on. You get the picture. It’s a bad habit, as they are not particularly cryptic and if people got to know me fairly well, they could make a damn good stab at what they might be.

It seems lately there hasn’t been a week go by without an article about security flaws in most of the popular browsers. So now my bad habit has escalated to even more obscure passwords and I’d gotten into the habit of not even storing them on my Mac - they’re all up here (taps noggin!) for safekeeping. Or not, as the case may be. More often than not, I forget the password and end up back at the new password request page. Very frustrating!

Funnily enough, I actually won a copy of 1Passwd a few months ago on Mac Heist. To be honest I hadn’t touched it since. That was until the 1Passwd review assignment arrived in my inbox. The timing was perfect, as I had been frequenting the new password request pages on an almost weekly basis. Plus, I was starting to run out of my pet’s extended family for password inspiration.

As the name suggests, the concept behind the 1Passwd Manager + Autofill is that you only ever need to remember one password.

The hidden Apple password manager

As you may or may not be aware, the Mac already has a password manager out of the box. It lives in your Utilities folder and it’s called Keychain. What 1Passwd does is take the keychain technology and improve on it. What 1Passwd does is “Pimp your Keychain”.

1Passwd uses the OS X keychain to store all your 1Passwd details in a separate keychain file. The OS X keychain encrypts your password with 3DES, the level of encryption used for ‘SECRET’ level classified information by the American government. But only the password. 1Passwd uses the keychain technology to encrypt both the password and the user name at that level.

After you have done this once, 1Passwd will keep your keychain unlocked until told differently, you quit the browser or the time out feature is activated. One important feature to point out about the browser integration is that all of the password details can be shared across browsers in the same session. So, for instance, you could be checking your GMail in Firefox, checking your bank in Safari and ordering an item on Amazon in Camino. All of the passwords are updated on the fly and are available instantly to all other browsers. Very cool!

We have talked about existing passwords; adding them is also a simple procedure. Find your website and enter the details, but before you submit the password click on the save menu in the drop down menu and 1Passwd will ask you for a brief description of the web form you want to save. That’s it. Next time you visit, 1Passwd will remember the website and offer you a login and password.

If you visit a new website and you are asked for a new password, well, now you can do it in a flash with the 1Passwd password generator menu. From the drop down menu you can specify password length, minimum numbers and minimum symbols.

Automatic Form Filler

We are a one Mac house unfortunately. But, occasionally I do grant permission for other users to use my pride and joy (but only occasionally!). With the Automatic Form Filler built in to 1Passwd you can generate multiple identities on your Mac. Categories include name, address, web site, email and even credit card details.

So those annoying address forms are a thing of the past. Just one click on the Use Identity drop down menu, select the identity and the form is completed in a fraction of a second.

Gone Phishing

Now, I want to try an experiment. Put one finger to your iSight camera and then place your other hand on your forehead. Now I am going to try and read your inbox. Seriously, you won’t feel a thing! Now let me see… last week… hold it steady… hold it steady… concentrate… last week you received an email from eBay telling you to update your account details. Am I right? If I am, I just successfully read your inbox; if I was wrong, I will now predict the future and reveal to you that you will be getting an email from them next week.

“You think that’s big – this one time I almost caught an email phisher, must have been this big!”

How did I do that? O.K. enough, and by the way you can remove your hands and fingers. Well, statistically the chances are very high that you have received an email from eBay requesting this information, even if you don’t have an account. Only problem is, I am almost certain it wasn’t sent from eBay. It was a phishing attack.

A what? Phishing - the latest technique to try and steal your important information and thus cause mayhem to your life. In a nutshell, the way it works is like this. You get a bogus email from some undesirable that looks like an authentic email from eBay, your bank or PayPal, to name but a few. You then click on the link in the email, but instead of taking you to the official site it takes you to some obscure web address. You innocently enter your login and password details, and bang, the deed is done. They now have your personal login details! You just got phished, hook, line and sinker!

What 1Passwd does is very clever. You see, it’s all to do with that filtering of passwords I mentioned earlier. 1Passwd will only offer you a web form if the web address matches what has been stored previously. This is where the (phishers?) come unstuck. You see, they have no control over the web domain you see in your browser. If you have ever taken the time to open up and look at a phishing email, click on the link and you will notice some obscure web address in the browser. Because 1Passwd remembers that my eBay login, for example, matches ebay.com, it filters my passwords and displays only a match of the two items. I think this is an ingenious feature and something that makes 1Passwd so much more than just a password manager. It’s also watching your back for phishing attacks.
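The matching rule described above, sketched as an added example (this is not 1Passwd’s own code). The saved entries, the sample URLs and the function names are constructed for illustration, and treating a subdomain of the stored domain as a match is an assumption.

```javascript
// Constructed sample data: what a password manager might have stored.
const savedLogins = [
  { title: "eBay", host: "ebay.com" },
  { title: "PayPal", host: "paypal.com" },
];

// Return the host the browser will really connect to, or null if the
// string is not an http(s) URL. The URL parser lower-cases the host and
// separates it from any "user@" prefix, so "ebay.com@other.example"
// yields "other.example", not "ebay.com".
function pageHost(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return null;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  return url.hostname.replace(/\.$/, ""); // drop the optional trailing dot
}

// Match only on a whole-label boundary: the page host must equal the
// stored host or end with "." + stored host. A plain substring or
// startsWith test would accept look-alike hosts.
function hostMatches(host, savedHost) {
  return host === savedHost || host.endsWith("." + savedHost);
}

// Titles of the saved logins that may be offered on this page.
function loginsFor(rawUrl) {
  const host = pageHost(rawUrl);
  if (host === null) return [];
  return savedLogins
    .filter((login) => hostMatches(host, login.host))
    .map((login) => login.title);
}

// Constructed URLs: one genuine page and three look-alikes.
for (const u of [
  "https://signin.ebay.com/ws/login",
  "https://ebay.com.account-update.example/login",
  "https://ebay.com@account-update.example/",
  "https://notebay.com/",
]) {
  console.log(u, "->", loginsFor(u));
}
```

Only the first URL is offered the eBay login; the other three put "ebay.com" somewhere in the address but resolve to a different host, so nothing is offered.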

Further protection

Yet another scam to try and prise valuable information from your computer and cause havoc with your online personal data is the keylogger. Keyloggers are little applications that you inadvertently download or perhaps receive by email that hide themselves on your hard disk and log keystrokes. That’s their sole purpose: to record keystrokes. That could be anything as harmless as an email to a family member or something as serious as your bank login details.

So how does 1Passwd stop this? Once again the guys at 1Passwd have come up trumps. Everything you do with 1Passwd is menu based. So, for instance, you visit PayPal, you go to the browser and click and hold the restore menu and the details are entered. No keystrokes are used, therefore no keystrokes are logged; it really is that simple.

But it got me thinking. If keyloggers record keystrokes, what’s to stop them recording my Master Password? I pondered this fact for a few days. In the end I fired an email over to the developer. And this is their reply…
“I believe that you are correct. It is possible to record the master password using a keylogger (esp. hardware-based since the master password is always entered via NSSecureTextField which provides a certain level of protection against software keyloggers). As Bruce Schneier mentioned in his book, there is nothing that can be absolutely, 100% secure and we will always be making the trade-offs: http://www.schneier.com/book-beyondfear.html 1Passwd adds an extra layer of protection by encrypting all online passwords and entering them automatically. This protection can still be broken if someone gets access to both 1Passwd.keychain file AND the master password. It is possible but it is more difficult compared to getting access to your online accounts by simply recording the text you type.”

Other cool features…

  • Integrated with Safari, OmniWeb, DEVONagent, Firefox, Camino, and Flock.
  • Take your passwords with you on your Palm / Treo.
  • Intelligent settings make you secure by default.
  • .Mac integration allows passwords to be synced across machines.
  • OS X Keychain integration provides maximum security.
  • Easily import from Safari, Firefox, Web Confidential, and RoboForm.
  • Generate and enter strong passwords with a single click.

Overall thoughts

My browser of choice is Firefox, but 1Passwd also integrates seamlessly with Safari, OmniWeb, DEVONagent, Camino, and Flock. The only negative comment I have is that the 1Passwd browser bar is a feature only available in Firefox. That suits me fine, but it might bug users of other browsers. If you use one of the aforementioned browsers you will have to use the 1P button that sits amongst the navigation buttons. It does all the same things, but I find the drop down menu so much more convenient.

I really can’t think of any major cons for this application. I did have some odd behaviour with the auto form fill feature. I am British and when specifying a British address we don’t normally specify a city, we don’t have States and across the pond zip codes are called post codes. So I did get a few duplications of data on some forms. I raised this point with the developers, Agile Web Solutions, and they told me that they are constantly improving the form-filling algorithms and that I should see much better results in 1Passwd 2.4, scheduled for release in April. Despite the glitches with the address field, this app does so much effectively that I was willing to put up with it.

Summing up my overall thoughts, I was trying to figure out who would get the most out of this application. To be honest I think most consumers would find a use for it. Take for instance my in-laws: they are recent switchers to the Mac. This internet business is all new to them and as they take their first tentative steps onto the World Wide Web I think this product would provide an excellent extra level of security to them. Then take someone like me. I have somewhere in the region of 30-40 different web forms to manage. The thing I found the most amazing is the amount of time saved by not typing in my details, trying to remember details or visiting the new password request pages. So I guess that covers a wide spectrum of users.

Finally, I just wanted to tell you a little about the 1Passwd website and developer. There is a vast amount of content, tutorials, help guides and video walk-throughs, all designed to get you up and running in no time at all. I contacted them several times during the writing of this review and could not fault the prompt, courteous service I received. They are also actively developing the product; in the time I have had the product it has already been revised once. I also know for a fact there are two major upgrades due in the next few months. I highly recommend this application.

Conclusion: 4.75 out of 5