Security Software

In another thread there was a brief discussion about programs which encrypt credit card numbers, passwords, license numbers and other sensitive information. Actually, there are quite a lot of them: SplashID, 1Passwd and Secret Book, which were already mentioned in the above-mentioned thread, but also Safe Sphere, Password Wallet and dozens of others.

I have tried a handful of them, and like Amber, I think I prefer SecretBook. It’s simple, it has a clean UI, and the implementation of certain features is certainly elegant. The font size, however, is rather small and can’t be enlarged.
The UI of SplashID is much too crowded (I would almost say too childish) for my taste. 1Passwd is nice too (beautiful UI), but it has some features which for my simple needs are rather redundant, and which occupy a central place in the UI (multiple identities, password history).
Safe Sphere is impressive but also very intimidating, both in its outlook and in its way of working, and will be much too detailed for most people.

But these are rather superficial observations. Are there other Scrivenistas who have more mature experiences to share?

Personally I can’t be bothered even trying any of the other stuff that’s out there because I’m perfectly happy with Keychain Access. I have my login keychain and my secure keychain that handles all my needs. Anything else I’ll just drop into an encrypted disk image.

I’ve heard this argument before, but in my experience I’ve had three problems with just using Keychain. The first is that it isn’t easy to back it all up and store your passwords on a server in a dated file. If you hold the sole copy for top-level passwords to entire servers, it is crucial that you safeguard them in more than one location. Paying $100 a year for .mac, so I can synch between computers, is not appealing, and it still doesn’t completely address the need. Tangent to this is portability. If I have to move platforms and stop using a Mac (or work in a multi-platform environment), how can I get my Keychain passwords out into a format that can be transferred? Same argument for Encrypted DMGs. SecretBook exports a plain-text CSV document, which you can then encrypt using GPG, SSL tools, or any other widely portable encryption tools.

Second: Keychain is very difficult to use, compared to dedicated programs, when it comes to storing non-Keychainable information. It’s not a horror story, but it is really, really not slick at all. I’d say a good 70% of the 500 passwords I have are non-Keychainable. Also, since many of these alternatives have a freeform database approach, you can store non-password secure data much more easily, and in a formal way. So I can store my password, secret question and answer, multiple URLs, or whatever else, all in one entry.

Third is security. It may not make much of a difference for most users, but like I said above, if you are responsible for machines that companies depend upon; servers loaded with valuable IP; and machines which store thousands of customers’ credit card numbers, and other such personal data–it is really a dumb idea to protect your passwords using your computer’s login credentials. That kind of information should really be guarded using long strings of random characters, not easy-to-remember passwords you type in several times a day, a database that can be accessed by notoriously insecure environments such as web browsing. You say you have a separate secure Keychain, and that is a good step to take, but I’d still take portability and a better UI for that kind of stuff.

Thanks, Amber, for your clear and convincing explanation. I too find Keychain difficult to use and not versatile enough. In the meantime I took the plunge and bought SecretBook. It works indeed like a charm: simple, well-organized, and flexible!

For those interested, 1Passwd is available today (Thurs, 2007-07-26) at a 34% discount, for $19.67, at MacZot.