Passwords are rarely fun these days: what started out as quirky words to remember are now long and complex chains of letters, numbers, symbols and word combinations.
The news that passwords of even up to 55 letters may now be cracked using the popular cracker oclHashcat-plus has made choosing complex and multiple passwords even more important. Password crackers have also started to use not just lists of common words, but common phrases too.
So it’s important to choose a good password: ideally a memorable phrase of random words separated by symbols and letters (for example ‘orange&chicken^speaker*catflap’), and also a different one for different sites and services. To this end websites are increasingly demanding more complex passwords, and insisting that you change them on a regular basis. Twitter, for example, recently put out a call for people to use more and smarter passwords.
This is patently ridiculous. Nobody can remember all these different passwords. This is where Mac OS X’s iCloud Keychain steps in: Keychain is already present in Mac OS X and is the place where Safari stores passwords along with other vital information. Mac OS X Keychain is protected by a single password that should be different to the main Mac OS X admin password.
Mac OS X Mavericks: iCloud Keychain to the rescue
In Mac OS X Mavericks, iCloud Keychain still stores your passwords using 256-bit AES encryption, but it now keeps them up-to-date on each of your devices (both Mac OS X and iOS). It also automatically fills them in whenever you need them and the Password Generator suggests unique passwords that should be hard to guess.
The idea is that you can have the one Keychain password on your machine, and that is used to generate and remember different passwords that you use online. This is similar to services provided by tools such as 1Password, although baked right inside Mac OS X and iOS.
Because you are using many different passwords online, you minimise the risk and worry of losing one password. It also minimises the risk of falling prey to a ‘phishing’ attack (typically when somebody sends you an email that pretends to be from eBay, Amazon or your bank). Because iCloud Keychain checks the actual address against that of your real bank or web service, it doesn’t fall for these types of attack.
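The address check described above can be pictured as a password store keyed by the exact site origin, so a saved login is only offered to the address it was saved for. This is an added example, not Apple's implementation or code from the original article; the function names and the hosts (bank.example, secure-login.test) are constructed for illustration.

```javascript
// Added illustration of origin-bound autofill. Not Apple's code.
// All function names and hosts below are constructed for this example.
const vault = new Map(); // exact origin -> saved login

// Reduce an address to the origin the browser is really talking to.
function originOf(address) {
  let url;
  try {
    url = new URL(address);
  } catch {
    return null; // unparsable address: never fill
  }
  if (url.protocol !== 'https:') return null; // no fill over plain HTTP
  // url.origin is scheme + host + port. The parser lower-cases the host,
  // converts non-ASCII hosts to punycode, and drops any "user@" prefix.
  return url.origin;
}

function saveLogin(address, username, password) {
  const origin = originOf(address);
  if (origin === null) throw new Error('refusing to save for ' + address);
  vault.set(origin, { username, password });
}

// Return the saved login only when the origin matches exactly.
function autofill(address) {
  const origin = originOf(address);
  if (origin === null) return null;
  return vault.get(origin) ?? null;
}

// Constructed sample: one saved login, then pages asking for a fill.
function demo() {
  saveLogin('https://www.bank.example/login', 'alice', 'orange&chicken^speaker*catflap');
  const pages = [
    'https://www.bank.example/account?tab=1',        // same origin
    'https://www.bank.example.secure-login.test/',   // real name used as a subdomain
    'https://www.bank.example@secure-login.test/',   // real name used as a "user@" prefix
    'https://www.b\u0430nk.example/login',           // Cyrillic "а" lookalike
    'http://www.bank.example/login',                 // right host, no TLS
  ];
  return pages.map((page) => [page, autofill(page) !== null]);
}

console.log(demo());
```

Only the first page is offered the saved login; a person glancing at the other four addresses could easily read them as the real site, which is the gap the exact-match check closes.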
One obvious flaw in this plan is that if a person manages to crack your single password in iCloud Keychain, they have access to all your other passwords. However, the password in Keychain is itself behind Mac OS X’s admin password and both are incredibly tough to crack, much tougher than hacking into web services. Somebody would really want to be inside your personal computer to do that, whereas most attacks are aimed at the population in general to find out who’s not using a secure enough password.
As with 1Password, iCloud Keychain is designed to work with credit card information, with Apple promising “checking out is a snap”. So this could make purchasing things online much easier (whether you see that as a good thing or not is debatable).
We’ve been big fans of services like 1Password in the past, believing they offer a more secure environment than just trying to remember passwords inside your head. It’ll be worth seeing how iCloud Keychain stands up to 1Password, and whether people trust their passwords and credit card information to a service built into Mac OS X.