Tuesday, March 22, 2016

Using iOS 9.3 Notes.app to safely store passwords and other credentials

I wrote this as part of a book project aimed at caregivers for special needs teens and adults, but the recommendations work for most non-geek users. The trick is printing copies of the Note; it’s too easy for an errant edit to delete credentials. Of course one could also store PDF copies on an appropriately secure encrypted drive or drive image, but that’s way outside the scope of these recommendations …

Managing Explorer credentials with iOS 9.3 Notes.app and Android alternatives

Guides need to create “strong” passwords for Explorer email accounts, bank accounts, Amazon accounts and the like. One way to create a strong password is to combine two randomly selected words from a dictionary, capitalize one or two letters, and mix in some numbers and a symbol like $#&:;. Avoid letters and numbers that can be confused with one another, like l and I or O and 0.
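The recipe above as a short Python sketch (an added example, not part of the original post). The word list is a constructed sample, and the word-digits-symbol-word layout and the exclusion of the digit 1 are assumptions.

```python
import math
import secrets

RNG = secrets.SystemRandom()   # OS-backed randomness, not the default PRNG
CONFUSABLE = set("lIO0")       # look-alikes the post says to avoid
SYMBOLS = "$#&:;"              # symbols suggested in the post
DIGITS = "23456789"            # assumption: 1 is dropped too (resembles l and I)

# Constructed sample list; load a large dictionary file for real use.
SAMPLE_WORDS = ["garden", "window", "pepper", "candle", "harbor", "meadow",
                "thunder", "basket", "copper", "river", "saddle", "maple"]


def usable_words(words):
    """Lower-case alphabetic words that contain no confusable letter."""
    lowered = (w.lower() for w in words if w.isalpha())
    return [w for w in lowered if not set(w) & CONFUSABLE]


def capitalize_some(word, count):
    """Upper-case `count` random letters, never creating an I or an O."""
    safe = [i for i, ch in enumerate(word) if ch.upper() not in CONFUSABLE]
    chars = list(word)
    for i in RNG.sample(safe, min(count, len(safe))):
        chars[i] = chars[i].upper()
    return "".join(chars)


def make_password(words=SAMPLE_WORDS):
    """word + two digits + symbol + word, with up to two capitals."""
    pool = usable_words(words)
    if len(pool) < 2:
        raise ValueError("need at least two usable words")
    first, second = RNG.sample(pool, 2)
    first = capitalize_some(first, 1)
    second = capitalize_some(second, secrets.randbelow(2))  # 0 or 1 more
    digits = "".join(secrets.choice(DIGITS) for _ in range(2))
    return first + digits + secrets.choice(SYMBOLS) + second


def word_choice_bits(words):
    """Bits of entropy from picking two different words, in order."""
    n = len(usable_words(words))
    return math.log2(n * (n - 1))


if __name__ == "__main__":
    print(make_password())
    print(f"{word_choice_bits(SAMPLE_WORDS):.1f} bits from the word choice")
```

With only nine usable sample words the word choice contributes about 6 bits, which is why the size of the dictionary matters.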

There’s no way any of us can keep secure credential information in our heads. We have to write it down, and, because you really don’t want to lose password information, you need to have two copies.

The two copies also need to be in different places. Why two places? Well, imagine that you’re storing your passwords on your phone. One day you need to unlock your phone, but you don’t remember the phone password. If the passwords are only on your phone, you won’t be able to get to them. Even if your phone is backed up, the backup won’t help you, because you won’t be able to restore it without the phone password.

…1Password is too complex for most Guides and Explorers though. What about just keeping credentials in a Note on your smartphone?

If a Guide is using an Android smartphone this can be a risky option. As of early 2015 many lower-cost Android smartphones are not truly secure. Google’s Note application, Keep.app, doesn’t support Note encryption. So on an Android device I’d recommend using 1Password.app or one of its competitors — unless you are confident the Android device uses strong encryption and it is secured with a strong password.

If a Guide is using an iPhone with iOS 9.3 or later, Apple’s Notes.app is a good, simple way to store an Explorer’s credentials. The iPhone itself has quite good security, and you can create an additional Notes.app password and use it to lock one or more individual Notes. iPhones that support TouchID (fingerprint unlock) make it easy to access locked notes. Just be sure to add the Notes.app password to your document and to print out the Note when it changes.

This approach is simple and secure, and it’s safe as long as a Guide keeps printed copies. It’s easy to accidentally delete critical information when editing a Note, and of course phones get lost and broken. Paper backups are reliable.

There’s an additional important advantage of printed backups. When someone becomes disabled or dies, their family will really appreciate the printed copy.
