I’m a little ashamed that I’m writing this post. Writing it now, that is, as opposed to a couple of years ago. As is the case for most people who work with something web related, I have a lot of accounts on websites and internet services.
Between social media, email accounts, WordPress installations, databases, FTP accounts, communities, apps and storage solutions, I have amassed hundreds upon hundreds of accounts on Internet services. Up until last week, I used the same four or five passwords on pretty much all of them. The password that I used most frequently had been in active use for more than twelve years.
If there are any security-conscious people reading this, you’re probably clawing your eyes out right now. Believe me, I know. This is something that has been eating at me for a long time. Stories about companies losing control over their users’ personal data and login information have become more and more frequent over the past few years: Sony, Adobe, LinkedIn, Last.fm, and so on. Every time a new story breaks, I’ve told myself the same thing: It’s time to get your shit together. Any day now, one of the services you’ve got an account on will get hacked and the password you use for pretty much everything will be floating around the internet. You can count yourself lucky that you’ve made it this far, but that luck is bound to run out.
As a would-be power user, I’ve known the solution to this problem for a long time: 1Password. 1Password is, at the most basic level, a utility for generating and keeping track of super-strong, unique passwords for all your accounts. When you register a new account on a website, service or app, 1Password generates a random, long and very strong password that is unique for that account. It then stores that password within the app. The next time you need to log in to that service, you select that service in 1Password and the app automatically enters your username and password in the login field. The only password you’ll ever need to remember is the master password, which is entered every time you start the app (or if the app has been left idle for a certain amount of time).
There are many benefits to this. Having super-strong passwords means that they will take a very long time for a computer to crack, and even if one is cracked, you’ll have a unique password for every single account you have. Twitter has been hacked? That sucks, of course, but your email, bank account and everything else is still secure, because none of those accounts have the same password as the password you use for your Twitter account. Change your Twitter password and you’re all set.
In short, 1Password is a pretty great app, both in concept and in execution. So why has it taken me years to get on board? The answer to that is twofold. First, unlike a lot of people, I’ve never been burned by internet security. My Twitter has never been hacked, I’ve never been subject to nasty code injections on my websites and my email has never returned a positive in one of those forms that check whether your account information has been compromised in a personal data leak. In short, I’ve been unreasonably lucky. If any of my websites or emails had been hacked, I probably would’ve become a 1Password user a lot sooner.
Second, getting started with 1Password is a hassle. It’s not a fault of the app itself, but rather an unavoidable consequence of changing habits that you’ve built up since middle school. If you’ve typed a password over and over, thousands of times, it becomes as natural to you as writing your signature. You’ll need to change a few habits to become a 1Password user, and it’ll take some time to get used to. That’s not the biggest time commitment of getting started with 1Password, however.
The first thing you need to do when you get 1Password is to change your password on every account you have and store the new password within 1Password. If you’re anything like me, that isn’t a small task. I have amassed hundreds upon hundreds of internet accounts, and going through all of them one-by-one and resetting each and every password didn’t appeal to me one bit. I dreaded it. I knew it would be a pain in the ass.
As it turned out, it was. It took me three to four hours to go through that process with 129 accounts, and I know that I have at least as many accounts that I haven’t gotten to yet. Resetting the password of a single account can be a hassle. Doing it over 100 times in a single afternoon is agony. I was mentally exhausted by the end of it.
But I only had to go through it once, and once it was over, I had 1Password up and running on all of my devices and most of my accounts, including the most important ones: e-mail, WordPress accounts, databases, backup solutions, and so on. Was it worth it? Of course it was.
What could’ve been
Just a few days after I got 1Password and reset all of my passwords, I got an email from the security plugin on a website that I had worked on. The email stated that someone had repeatedly tried to log in to my admin account on the site with the incorrect password, and had been locked out from making further attempts for a limited amount of time. As soon as the lockout ended, I got another email saying that it had happened again. Another 20 minutes after that, another email. And another one. And another one. Someone was systematically trying to hack their way into the website administration panel.
Just a few days before that, that account used the same password as I used pretty much everywhere else on the web. If the hacking attempt had occurred then, and the security plugin hadn’t been in place, the culprit probably would have figured out my password within a couple of days. With that password, he or she could have accessed my e-mail account, and with that, gotten access to pretty much everything I have online – including my Backblaze backup, which contains an up-to-date copy of my hard drive. And then I would’ve been properly screwed.
Thanks to 1Password, that scenario is no longer possible. All of my internet accounts now have a unique, super-strong password. If one of my accounts gets hacked on the service-end, all of the other accounts remain safe. I just generate a new password for the hacked account and move on. Recalling which password belongs to which account is also a thing of the past. Now, I only need to remember a single password: the master password. In short, passwords are no longer something that I need to worry about.
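The difference between the two situations above can be made concrete with a small audit script. This is an added example, not part of the original post and not 1Password's code; the account names, passwords and the reset-mail links in the two vaults are constructed, and the model (a breached password opens every account that shares it, and a breached mailbox opens every account that sends its password resets there) is an assumption that follows the scenario described above.

```python
import hashlib
from collections import defaultdict

# Constructed sample data: (account, password, account receiving its reset mail).
BEFORE = [  # a handful of passwords reused everywhere
    ("wordpress-admin", "hunter2-2002", "email"),
    ("email", "hunter2-2002", None),
    ("twitter", "hunter2-2002", "email"),
    ("backup", "Summer!99", "email"),
    ("forum", "Summer!99", "email"),
]
AFTER = [  # one generated password per account (constructed values)
    ("wordpress-admin", "vR7#qLm2Zx!dP0aT", "email"),
    ("email", "Gk9$wNe4Ub@yH1sC", None),
    ("twitter", "tB3&jXo8Qf^mD6rV", "email"),
    ("backup", "Yp5*cAz1Wi%nE7kS", "email"),
    ("forum", "hM2!uRg6Lv#xJ4oF", "email"),
]

def fingerprint(password):
    """Hash the password so the reuse report never carries plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def reuse_groups(vault):
    """Return sorted groups of accounts that share one password."""
    groups = defaultdict(list)
    for account, password, _ in vault:
        groups[fingerprint(password)].append(account)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def blast_radius(vault, breached):
    """Accounts that fall once the password of `breached` is known."""
    password_of = {account: password for account, password, _ in vault}
    compromised, queue = {breached}, [breached]
    while queue:
        current = queue.pop()
        for account, password, recovery in vault:
            if account in compromised:
                continue
            # Same password, or password resets land in a compromised mailbox.
            if password == password_of[current] or recovery == current:
                compromised.add(account)
                queue.append(account)
    return compromised

if __name__ == "__main__":
    for name, vault in (("before", BEFORE), ("after", AFTER)):
        print(name, "reused:", reuse_groups(vault))
        print(name, "falls with wordpress-admin:",
              sorted(blast_radius(vault, "wordpress-admin")))
```

With reused passwords, losing the admin login takes every account with it; with unique passwords it takes only itself. The mailbox that receives password resets still reaches everything in either vault.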
1Password has given me convenience, security and peace of mind. That’s a pretty good deal for 40 USD.