I did some research yesterday on website password managers for Mac OS X. A good place to start is Alex King's blog; he has written two thought-provoking articles about why you shouldn't use the same password for everything, and how software can help your password / login workflow ([Passwords](alexking1), [More on Passwords](alexking2)). [alexking1]: http://alexking.org/blog/2007/02/02/passwords [alexking2]: http://alexking.org/blog/2007/02/05/more-on-passwords
Really, it should just be common sense to not use the same password for everything; after all, you have no idea how a particular website is going to store your super-secret password. What if your password is stored in plain-text on a server with a gaping security hole? What if the website likes to email you a password reminder -- in plain text -- every month? I've seen sites that do all sorts of bad things, and if you use the same password at an insecure site as you do at your bank's website, you're asking for trouble. And even if you use different passwords, you need a secure way to store them all. The worst I've seen is someone who kept all of their passwords and financial account numbers in an Excel document on their notebook computer's desktop. I suspect that sort of thing isn't as rare as it might seem to be.
Some people use variations of the same password for all of their websites. I typically use variations on three or four base passwords. I have to track literally dozens, if not hundreds, of website passwords, and it is simply impossible to remember so many. If I can help it, I don't write the passwords down anywhere. Instead, I write down "helper" words that I associate with the base passwords, which I've memorized. So instead of writing a password as "omgLOL", I might write "stupid teens", which would trigger me to remember the actual password. Finally, I encrypt the data so that no one can even see my helper words.
I've been using one of my favorite applications, Evernote, to store all of my accounts, passwords, and more (manuals, tips, photos of restaurants, notes, etc.). Evernote syncs its database between all of my computers, evernote.com, and the Evernote iPhone app. It supports encryption, shared notebooks, OCR of text in images, and more. I love Evernote.
Still, I have to look up passwords to various websites many times each day, and Evernote doesn't help there (other than by offering a keyboard shortcut to launch the app and search, which is great). Alex uses PwdHash, a plugin and service written by Stanford crypto guys. For each website with a password field detected, it hashes the domain name with a master password you provide. All you have to do is enter "@@masterpassword" in a password field, and it does the rest, ensuring that each site's password is unique. However, it becomes complicated when domain names change within the same web service (e.g. mybank.com and mybankonline.com), and it also fails when services disallow specific characters or symbols in a password. If you need to look up a password manually, you can go to PwdHash.com to generate hashed password using your master password and a domain name.
PwdHash looked like an interesting option, but when I tried to go to PwdHash.com last night, the site was down. I've read that you can just grab the source from that page and stick it somewhere else (like on your own website), but it didn't inspire confidence to have the site down.
[1Password](1password) has gotten great reviews, especially from Windows-to-Mac switchers who were Roboform users. I've been trying this out, and it seems to be a great solution. It requires that I manually create passwords for each website, but it does a great job of integrating with web browsers (using browser plugins). It also features a fantastic automatic form filler, so I can enter my home address, work address, credit card numbers, etc. and just select which one to use when I encounter forms on any website. It also has an iPhone app that can be synchronized with the desktop client.
Synchronization is accomplished using various third-party file sharing services. I was already a die-hard user of [DropBox](dropbox), so it was easy to simply store my encrypted 1Password database on a shared DropBox folder to accomplish multi-machine sync.
[1password]: http://agilewebsolutions.com/products/1Password [dropbpx]: https://www.getdropbox.com
A Twitter person asked why I don't use [KeePassX](keepassx). It's free, but it doesn't look to be as fully-featured as 1Password is.
That's it for now. I'll report back once I've used 1Password for a longer period of time. Remember -- change your passwords!!