Password Safe on the Mac
I’ve been using a Mac at work for a short while now and am much, much, much happier for it. As my coworker Mr. Ladwig says, I swear a lot less at the computer now. But there are a few Windows apps I’ve missed. Small things that aren’t quite worth firing up Parallels for, or that it wouldn’t make sense to anyway. TortoiseSVN is one, although I can work around that with the command line and Eclipse (and wait for Versions to be released). I miss TrueCrypt, which I used for anything that mattered, but FileVault and OS X encrypted disk images meet my needs, though I do look forward to an OS X version of TrueCrypt. If I had ever been more willing to dive deeply into the Windows world instead of just tolerating it, no doubt I would sorely miss PowerShell. But I don’t.
I can cope without all of that. What I really, truly miss is a good password manager. Namely Password Safe. With Password Safe, I never need to know any of my passwords. And I don’t. Password Safe can generate and store strong passwords and never display them to me. (Under the same principle, for some web sites I use a modded version of a password generator bookmarklet that you might find useful. It’s not perfect but for many things it’s good enough.) Passwords are stored in a believably cryptographically strong manner. After I copy a password to the clipboard to paste elsewhere, the password can be cleared from the clipboard by minimizing or closing Password Safe. Yes, keeping sensitive data in a shared clipboard makes me nervous. It minimizes and locks itself after a configurable period of time.
It works well and I trust it.
OS X has Keychain, a password store with strong crypto. It’s nicely integrated into the OS and made available to applications. Subversion finally uses Keychain to store passwords on OS X (instead of leaving them in cleartext, which you’ll find on Unix systems. Grrrr…). I can use Keychain to manage my passwords, but it badly needs some user interface work. Yes, it can generate passwords using several different algorithms, but I rarely succeed in creating a new password. There’s no clean way to copy the password to the clipboard, and when I do it visibly exposes the password in cleartext. Then I can’t clear it from the clipboard.
Keychain just needs a little UI love.
Last night on Twitter I was bemoaning the situation. Stephen Collins immediately responded, pointing out that there’s a Java version.
What? I didn’t see that in the list of related projects! Oh, that’s because it’s not there. It’s down under news from 16 January 2007. Of course.
But it’s there, and it works. Not surprisingly for something that’s at version 0.6, it’s not as polished as the native Win32 version. And maybe it needs a little Filthy Rich Clients love. But so far it’s a far sight better for what I want than Keychain is.
I should probably try Password Gorilla, too, which I’d conveniently overlooked. It reads and writes Password Safe 3 databases.
Thanks, @trib.
31 Aug 2007 Sam
Have you considered an online password manager? Since it runs in the browser, it doesn’t suffer from cross-platform problems and the encrypted data is stored online, so you can access it via web from anywhere really.
Just to clear up: all the encryption/decryption happens in the browser and only encrypted data ever gets sent over the wire. The technique is called “Host-proof Hosting”.
I’m a PassPack founder, so I’m biased towards my own product, but there are others out there too (just make sure they use Host-Proof Hosting - not all do).
PassPack doesn’t have the clear clipboard feature you mentioned, but it does have an auto-login tool which makes copying the password unnecessary in most cases.
Cheers,
Tara
http://www.passpack.com
Sorry, I forgot the link for Host-Proof Hosting:
http://ajaxpatterns.org/Host-Proof_Hosting#Solution
I haven’t considered an online password manager, no. And although I’ll give PassPack a shot because I’m curious, I have to say that I’m unlikely to rely on it for anything important because I know enough about web application security to, well, not trust web applications.
Fair enough. Let me know your thoughts.
1passwd
Thanks, Jim. I looked at 1passwd a while back and was impressed. Nice overlay on the Keychain. I wasn’t quite ready to drop $30 on it, though. That pushes past a comfortable price point for small Mac utilities, which for me caps out at about $20. But I had forgotten about it, so thanks for the reminder. Do you use it at all?
It is what I use. I got it on MacZot for a lot less when it was a zot. It has a very complete feature set for managing passwords and secure notes. It supports forms and those old-school login dialogs that you still see in some cases (I can’t even remember what they’re called!). It supports a wide array of browsers on the Mac and is actively developed.
They offer a 30-day money back guarantee and have a limited trial version you can download. I started with the trial, liked it and bought. I didn’t have to test the money back guarantee!
Password Safe for Windows is totally addictive. I’m a web developer with enough of a background in security to appreciate how hard good passwords are to maintain.
I use Password Gorilla on my non-Windows machine, and it is functional but has a terrible UI in many small ways. You use the control key instead of the Apple key in ways that don’t match the Apple CUA mode. Opening a dialog which is already open but in the background leaves that dialog in the background so you have to hunt for it. Etc.
There is a “port” of Password Safe to the Mac going on. I’m working on it as we speak. It will be compatible with the Windows version of Password Safe files of course, but will also take advantage of OS X (and iPhone). It’s a part-time thing, so I doubt I’ll have the beta ready until Dec 08. Cheers.
Cool news, Zed. Looking forward to it.