Tuesday, March 22, 2016

Managing Explorer credentials with iOS 9.3 Notes.app and Android alternatives

An updated chapter from my smartphone book, revised with yesterday’s release of iOS 9.3 Notes.app:

An Explorer starts out with a smartphone unlock password (or PIN) and at least one username and password for their Apple iCloud account or their Google account. We call these usernames, passwords and other account information “credentials”. Over time an Explorer will need credentials for everything from bank accounts to utility bills to social networks. Even if a Guide is conservative about adding new Explorer services it’s not hard to end up with 50 or more sets of credentials to manage.

For each Explorer credential a Guide needs to know the “username” (sometimes it’s your Explorer’s email address), password, site name, and site address. Unfortunately for many sites today you’ll also need to write down what “secret question” responses you provided when registering. This is even more important if you are very careful about security, and treat each secret question response as yet another unique password.

You could make this easier by reusing the same password for every site. Many people do that, but when hackers steal credentials from any site they try them on every site. You really don’t want to use the same password for a local newspaper and for a Guide’s bank account.

Guides need to create “strong” passwords for Explorer email accounts, bank accounts, Amazon accounts and the like. One way to create a strong password is to combine two randomly selected words from a dictionary, capitalize one or two letters, and mix in some numbers and a symbol like $#&:;. Avoid letters and numbers that can be confused with one another, like l and I or O and 0.
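The two-word password recipe above, and the reuse problem from the previous paragraph, are small enough to show in working code. The following Python is an added example written for this page, not the author’s own tool: it builds passwords the way the text describes (two random dictionary words, one or two capitals, digits, one symbol, no look-alike characters), estimates how much randomness that recipe gives for a dictionary of a given size, and scans a credential list for passwords used on more than one site. The word list and the credential records are constructed samples; a real run would load a full dictionary file.

```python
import math
import secrets

# Constructed sample word list (assumption); a real run would load a larger
# dictionary, for example the words file shipped with many Unix systems.
WORDS = [
    "harbor", "river", "meadow", "orchard", "thunder", "compass",
    "pepper", "summer", "winter", "garden", "basket", "anchor",
    "lilac", "oblong",  # contain a confusable 'l' and get filtered out
]

SYMBOLS = "$#&:;"          # the symbols named in the text
DIGITS = "23456789"        # 0 and 1 dropped: they look like O and l/I
CONFUSABLE = set("lI1O0")  # characters the text says to avoid

_rng = secrets.SystemRandom()  # OS-backed CSPRNG; never random.random() for passwords


def usable_words(words):
    """Keep lowercase alphabetic words that contain no confusable letters."""
    return [w for w in words if w.isalpha() and w.islower() and not set(w) & CONFUSABLE]


def capitalize_some(word):
    """Capitalize one or two letters, skipping any whose capital is a look-alike
    (so 'i' never becomes 'I' and 'o' never becomes 'O')."""
    chars = list(word)
    candidates = [i for i, c in enumerate(chars) if c.upper() not in CONFUSABLE]
    count = min(len(candidates), 1 + _rng.randrange(2))  # 1 or 2 positions
    for i in _rng.sample(candidates, count):
        chars[i] = chars[i].upper()
    return "".join(chars)


def make_password(words=WORDS, n_digits=3):
    """Two distinct dictionary words, some capitals, digits, and one symbol."""
    pool = usable_words(words)
    first, second = _rng.sample(pool, 2)
    digits = "".join(_rng.choice(DIGITS) for _ in range(n_digits))
    symbol = _rng.choice(SYMBOLS)
    return f"{capitalize_some(first)}{digits}{symbol}{capitalize_some(second)}"


def has_confusable(password):
    """True if the password contains any of the look-alike characters."""
    return bool(set(password) & CONFUSABLE)


def entropy_bits(n_words, n_digits=3):
    """Lower bound on the entropy of make_password's output, ignoring the
    capitalization choices: ordered pair of distinct words x digits x symbol."""
    return math.log2(n_words * (n_words - 1) * len(DIGITS) ** n_digits * len(SYMBOLS))


def reused_passwords(records):
    """Given (site, username, password) records, map each password that appears
    on more than one site to the list of those sites."""
    by_password = {}
    for site, _user, password in records:
        by_password.setdefault(password, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    pool = usable_words(WORDS)
    pw = make_password()
    print(pw, "contains confusable characters:", has_confusable(pw))
    print(f"{len(pool)} sample words -> about {entropy_bits(len(pool)):.1f} bits")
    print(f"50,000 words -> about {entropy_bits(50_000):.1f} bits")
    # Constructed credential records to demonstrate the reuse check
    sample = [("bank", "alice", "Harbor47$mApLe"),
              ("newspaper", "alice", "Harbor47$mApLe"),
              ("power company", "alice", "Winter83#River")]
    print("reused on more than one site:", reused_passwords(sample))
```

The entropy figure is the practical point: with only a dozen sample words the recipe gives under 19 bits, which is why the two words must come from a real dictionary of tens of thousands of entries rather than from a short list you know by heart. The reuse check is the defender’s view of the “try them on every site” problem: run it over a printed-out credential list and any password that appears twice is the one to change first.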

There’s no way any of us can keep secure credential information in our heads. We have to write it down, and, because you really don’t want to lose password information, you need to have two copies.

The two copies also need to be in different places. Why two places? Well, imagine that you’re storing your passwords on your phone. One day you need to unlock your phone, but you don’t remember the phone password. If the passwords are only on your phone you won’t be able to get to them. Even if your phone is backed up the backup won’t help you, because you won’t be able to restore it without the phone password.

There are two approaches to credential management that work on both Apple iPhones and on Android smartphones. One approach is to write them by hand on paper and make a copy of the paper. This approach is approved by security experts, but it’s tedious to keep the list updated and to carry a copy in your wallet. (A Guide can do similar things with a document on a secure computer, but that’s beyond the scope of this book.)

A second, more complicated, approach is to use secure password management smartphone software, like 1Password.app. You can optionally have 1Password data stored “in the cloud” and available through a web browser; most security experts avoid that however. I strongly recommend you print out your 1Password credentials periodically; if your phone is lost or destroyed you don’t want to rely on Apple’s backup software. Make sure you print out your 1Password password too!

1Password is too complex for most Guides and Explorers though. What about just keeping credentials in a Note on your smartphone?

If a Guide is using an Android smartphone this can be a risky option. As of early 2015 many lower cost Android smartphones are not truly secure. Google’s Note application, Keep.app, doesn’t support Note encryption. So on an Android device I’d recommend using 1Password.app or one of its competitors — unless you are confident the Android device uses strong encryption and it is secured with a strong password.

If a Guide is using an iPhone with iOS 9.3 or later Apple’s Notes.app is a good, simple way to store an Explorer’s credentials. The iPhone itself has quite good security, and you can create an additional Notes.app password and use it to lock one or more individual Notes. iPhones that support TouchID (fingerprint unlock) make it easy to access locked notes. Just be sure to add the Notes.app password to your document and to print out the Note when it changes.

This approach is simple and secure, and it’s safe as long as a Guide keeps printed copies. It’s easy to accidentally delete critical information when editing a Note, and of course phones get lost and broken. Paper backups are reliable.

There’s another advantage to the use of secure Notes on an iPhone; many Explorers will learn this technique and in time independently maintain their own credentials. In this case the Guide’s role is to be sure that there’s a printed backup!
