
Checking for password duplication in Keychain Access and 1Password

Following this week's LinkedIn password disaster, Mac users are naturally worried about their passwords, and not just for their LinkedIn accounts. What if you used the same password somewhere else? There are ways to investigate your passwords in Mac OS X's Keychain Access utility and with popular third-party password management tools, but some of that investigating is harder than it should be.
Written by David Morgenstern, Contributor

In his blog, Daniel Jalkut, founder of Red Sweater Software, expressed this very concern about reusing one password across different sites. Reuse turns a single breach into many, so it is a serious question.

I did what you did, or should have done: raced to LinkedIn and changed the password. But that doesn’t protect me from the real danger. LinkedIn isn’t anywhere near the most important site in the huge list of services I use or have used. What if I committed the foolish move of using the same password on LinkedIn as I did on another, more important site? Now a hacker with possession of my username and password for LinkedIn can make some very good guesses about my username and password on other sites.

Fortunately, I don’t tend to use the same password twice. But an event like this leaves me very curious to confirm that. I store all my internet passwords in Apple’s Keychain, which does a good job of keeping them from prying eyes. A little too good of a job, as it turns out. There’s no straightforward way to ask Keychain Access on the Mac to find all the services that you used a specific password with. So if my LinkedIn password was “bugagoo,” to find out which other services I might have used that password for, I have to open each password item in the keychain and authorize Keychain Access to show me the password. 2,000 times, in my case.

In the post, Jalkut ran down how to use several scripting tools he wrote to expose and search the Keychain. The package includes Usable Keychain Scripting, a scripting extension that lets AppleScript "efficiently query the keychain for information"; PasswordSearcher, an AppleScript that asks the keychain for all Internet password items matching a given password and then displays their account names; and DangerousAllowClicker, which "runs in circles until you cancel it, approving security clearances" (the per-item Allow prompts that Keychain Access otherwise makes you click by hand).

Jalkut made these scripting tools available in the post. Be forewarned that they aren't for the novice Mac user, and that DangerousAllowClicker approves every keychain access prompt while it runs, so quit it the moment the search is done.

If you use AgileBits' 1Password for the Mac, then it's easy to search for password duplication. 1Password can reveal all the passwords it has generated. However, if you enter your own passwords, the process takes a few more steps. First, I exported my stored passwords and accounts to a text file (the export dialog has checkboxes for every field in a record). Then I used a text editor, in my case Bare Bones Software's TextWrangler, to search for the password string. Easy, with one caveat: that export holds every password in cleartext, so delete it as soon as you are done.
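The text-editor search above finds the sites that use one known password; the short script below, an added example that is not Jalkut's, AgileBits' or the article's own code, goes one step further and reports every password that appears more than once in such an export, without echoing the cleartext in the report. The CSV column names (title, url, username, password) and the sample rows are constructed assumptions; adjust the column names to match your own export file.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample of a CSV password export with a header row.
# Real exports differ; the column names here are an assumption.
SAMPLE_EXPORT = """title,url,username,password
LinkedIn,https://www.linkedin.com,dave@example.com,bugagoo
Bank,https://bank.example,dave@example.com,Tr0ub4dor&3
Forum,https://forum.example,dmorgen,bugagoo
Webmail,https://mail.example,dave@example.com,correct horse battery staple
Old blog,https://blog.example,dave,bugagoo
"""


def load_export(text, password_field="password"):
    """Parse the export text and return a list of (label, password) pairs.

    The label combines the record title and username so a report can name
    the account without repeating the password.
    """
    reader = csv.DictReader(io.StringIO(text))
    rows = []
    for row in reader:
        label = f'{row.get("title", "?")} ({row.get("username", "")})'
        rows.append((label, row[password_field]))
    return rows


def find_duplicates(rows):
    """Group accounts by exact password; keep only passwords used more than once."""
    groups = defaultdict(list)
    for label, password in rows:
        groups[password].append(label)
    return {pw: labels for pw, labels in groups.items() if len(labels) > 1}


def sites_using(rows, password):
    """Exact-match search for one leaked password (what the editor search does)."""
    return [label for label, pw in rows if pw == password]


def fingerprint(password):
    """Short SHA-256 prefix so the report never prints a cleartext password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:8]


if __name__ == "__main__":
    rows = load_export(SAMPLE_EXPORT)
    for pw, labels in find_duplicates(rows).items():
        print(f"password {fingerprint(pw)} is used {len(labels)} times: {', '.join(labels)}")
    print("accounts using the leaked password:", sites_using(rows, "bugagoo"))
```

Run it against the exported file instead of the embedded sample by reading the file into `load_export`, and, as with the editor approach, delete the export once the check is complete.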

The best thing is to never use a password twice. I use a formula built from two bilingual puns plus an element specific to the site to make my passwords. This keeps them easy to remember and longer than the usual password.

Recently, I started testing my passwords with the Passfault demonstration page. This site tells you how strong your password is, and if it passes the test, it presents the time in years that would be needed to crack the password. I noticed that my current passwords weren't strong enough. Any such estimate assumes a particular guessing rate, and it says nothing about a password that is already sitting in a leaked list, which is exactly the LinkedIn problem.

However, I found that by adding a fourth, easy-to-remember element to my 3-part formula, I was able to get most of my passwords into the tens-of-thousands-of-centuries range. One password that I tested belonged to a pattern of 189 quintillion possible passwords, which by Passfault's reckoning would take 62,547 centuries to crack. That won't be cracked any time soon.

Perhaps use this LinkedIn password failure as an opportunity to improve your passwords.
