Strengthen and Organize Your Passwords

The start of a new year is the season of resolutions. I propose that you make a resolution to organize your passwords. Build a list of your accounts and their passwords. Also, make sure those passwords are strong. In a previous tech tip I talked about how to test your passwords’ strength and how to select strong passwords. I’ll reiterate some of that tech tip’s suggestions and add some recommendations on creating and maintaining your password list.

You often hear the recommendation that you should use a long, complex and unique password for each system and change each of these passwords every month. From a security viewpoint, I agree with this recommendation completely, but I don’t think it is at all practical or realistic for most people. Instead, I think it’s more reasonable to make this recommendation: Use very long passwords and maintain a written list.

Some day in the future we might log in to our accounts using a thumbprint or an iris scan. When that day comes, security will be easy: we simply press a thumb on a device or look into a camera and wait a few seconds. Gone will be the days of remembering a myriad of passwords, typing them in and resetting forgotten ones! However, our current reality is that we all have many, many password-protected accounts. So what’s the best way to handle this?

In this current paradigm, security and convenience are inversely related. The more secure things are, the less convenient they are. Or, stating the converse, the more convenient things are, the less secure they are. Let me illustrate this. It’s very convenient for you to use one password on many or all of your accounts, but this is very insecure. If one account is compromised, then they are all effectively compromised. If one account is compromised you obviously have to select a new password for that account, and really, you should change the password for every account on which you use that same password. What a headache. How inconvenient!

Thus, I recommend a more balanced approach: use at least a handful of passwords, select long passwords and maintain a password list. One of the easiest ways to make a password more secure is to make it longer. If your password is currently cactus, simply change it to cactuscactuscactus. (It would be better still to make it complex, like c@ctuSc@ctuSc@ctuS, but I won’t push my luck.) However, even if you pledge to use really long or complex passwords, your efforts could be thwarted by systems that cap the maximum length of a password or don’t allow punctuation marks in it. You’ll therefore end up with a greater variety of versions of your passwords than you’d like, which is why it’s important to maintain a password list.
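As an added illustration, not part of the tech tip, the script below estimates the brute-force strength of the sample passwords used above. The naive figure counts only length and character classes; the effective figure shows what is left when the password is a short word repeated, a pattern that password-cracking tools check for, which is why the mixed-case, punctuated version is worth the extra effort. The 33-character punctuation set is an assumed constant.

```shell
#!/bin/sh
# Added example: naive vs. effective brute-force strength of the tech tip's sample passwords.

# Size of the smallest character set that covers the password.
charset_size() {
  size=0
  case $1 in *[a-z]*) size=$((size + 26)) ;; esac
  case $1 in *[A-Z]*) size=$((size + 26)) ;; esac
  case $1 in *[0-9]*) size=$((size + 10)) ;; esac
  case $1 in *[!a-zA-Z0-9]*) size=$((size + 33)) ;; esac   # assumed: 33 printable punctuation marks
  echo "$size"
}

# Naive strength: length * log2(charset size), to one decimal place.
naive_bits() {
  awk -v n="${#1}" -v s="$(charset_size "$1")" 'BEGIN { printf "%.1f", n * log(s) / log(2) }'
}

# Shortest unit that, repeated, reproduces the password ("cactus" for cactuscactuscactus).
# Returns the whole password when there is no such repetition.
repeat_unit() {
  pw=$1; n=${#pw}; k=1
  while [ "$k" -le $((n / 2)) ]; do
    if [ $((n % k)) -eq 0 ]; then
      unit=$(printf '%s' "$pw" | cut -c1-"$k")
      built=""; i=0
      while [ "$i" -lt $((n / k)) ]; do built="$built$unit"; i=$((i + 1)); done
      [ "$built" = "$pw" ] && { printf '%s\n' "$unit"; return; }
    fi
    k=$((k + 1))
  done
  printf '%s\n' "$pw"
}

# Effective strength once "word repeated N times" is a candidate the attacker tries:
# roughly the bits of the unit itself (the repeat count adds only a few bits).
effective_bits() {
  naive_bits "$(repeat_unit "$1")"
}

report() {
  printf '%-20s naive %6s bits   effective %6s bits   (unit: %s)\n' \
    "$1" "$(naive_bits "$1")" "$(effective_bits "$1")" "$(repeat_unit "$1")"
}

for pw in cactus cactuscactuscactus 'c@ctuSc@ctuSc@ctuS' '1%milKisgooDforyoU'; do
  report "$pw"
done
```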

Let’s focus on this list. It could be handwritten on paper, but clearly this isn’t very secure. If you do put it on paper, then store it securely in a locked drawer or a safe. However, locking up your list makes it less convenient to grab and to update. So if you’re going to maintain your list on paper, I recommend that you don’t write the password itself. Instead, write a hint. For example, if your password is your childhood street address, then you could simply write old address as the hint. This way you could keep the password list close to your computer, and even if a burglar found it he wouldn’t immediately have all of your passwords.

An even more secure way to store your password list on a computer is in an encrypted disk image. I think this solution offers a great combination of security and convenience. A previous tech tip describes how to set up an encrypted disk image. Since the disk image is on your computer, you’ll always have this information conveniently at your fingertips, but it’ll be stored in a secure, encrypted manner. Of course, you’ll have to remember the password for your disk image. If you forget it, then you’ve lost access to your entire list!

Another option that some of my colleagues use and recommend is a password manager like 1Password or mSecure. This blog article covers 8 password managers for the Mac and iOS devices. 1Password and mSecure are the two that I’ve personally worked with.

Whichever method you choose, I hope you compile a list of your current accounts and passwords and hopefully take some time to select longer, more secure passwords for these accounts.

How to Encrypt Time Machine Backup Data

Would you like to secure your Time Machine backup data so other people wouldn’t be able to view your files in case your backup drive fell into the wrong hands? Apple doesn’t provide a built-in way to encrypt your Time Machine backup files, but it can be done. A clever individual named Jay has figured out how to do it and has the best documentation that I could find on how to set up encrypted Time Machine backups. Thanks Jay. [Update, Fall 2011: Mac OS X Lion's version of Time Machine now includes a built-in way to encrypt a backup hard drive and its contents. Turning on encryption is now as easy as checking a box in Time Machine Preferences. If your backup drive is empty, then the drive can be encrypted in about a minute. If the backup drive already has data on it, then it can take many hours to encrypt the entire drive.]

In previous Tech Tips, I’ve written about how useful Time Machine can be as well as how to set up Time Machine and test your Time Machine backups. Apple got a lot of things right when they created Time Machine. It’s by far the easiest backup system to set up, monitor and use to restore a file. Having said that, it does have some shortcomings, including the fact that it doesn’t let you automatically switch between multiple hard drives and doesn’t let you encrypt your backup data. I describe how to manually switch between drives, but Jay offers a way to automate the process. I haven’t tested his method myself, but I have successfully set up encrypted Time Machine backups.

Jay provides excellent step-by-step setup instructions but here’s a quick overview.

You obviously need an external hard drive on which Time Machine will store the encrypted data. (Time Machine comes with Mac OS X 10.5 or newer.) Next, you use Disk Utility to create an appropriately named encrypted sparse bundle disk image which you put on the external hard drive. Save the password for your disk image and then move this saved password from your own Login keychain to the System keychain. The disk image then needs to be tweaked slightly so Time Machine will be able to figure out that it can store your data in it. This is accomplished by creating a custom preference (plist) file and putting this plist file into your Disk Image. Finally, select the external hard drive in Time Machine Preferences and Time Machine will magically store the backup data inside the disk image.

How to Create an Encrypted Disk Image

This post builds upon the information that I presented in my last blog entry about how to securely store personal information on your Mac. A disk image is a special kind of file. When a disk image file is opened, it makes the computer think that an actual disk, like a CD, has been physically inserted into the computer. Thus, a disk image file, or more simply a disk image, can be thought of as a virtual disk.

Here’s how to create and use a password-protected (encrypted) disk image in Mac OS X 10.4, 10.5 or 10.6:

1. Go to your Applications folder and open the Utilities folder.

2. Open the Disk Utility application.

3. Click the “New Image” button, or choose New > Blank Disk Image from the Disk Utility File menu.

• Enter a name for your disk image file in the “Save As” field.

• Change the save destination to either your Documents folder or your Desktop, whichever you prefer.

• Set Volume Name to “Virtual Disk”. (In 10.6 the field is called “Name”, not “Volume Name”.)

• Select a Volume Size for the image file. If you’re just going to store a few Word or Excel files in the disk image, then 10 or 20 MB should be large enough. (In OS X 10.6 40 MB is the smallest you can select.) You can choose any size you’d like by selecting “Custom” at the bottom. If you ever fill your disk image you can always create a larger one and move the files from the smaller disk image to the larger one.

• Leave the volume format set to “Mac OS X Extended (Journaled)”. (In 10.6 the field is called “Format”, not “Volume Format”.)

• Leave “Partitions” set to “No partition map”

• Leave the Image Format set to “read/write disk image”

• Set Encryption to “128-bit AES” if your Mac uses Mac OS X 10.4. Choose “256-bit AES” if your Mac uses Mac OS X 10.5 or 10.6.

Warning: If you forget the password to your encrypted disk image, your data will be irretrievably lost so please write down your password on a piece of paper. This is just a precautionary measure.

• Click the Create button.

• Important: In this next step you’ll need to first uncheck “Remember password (add to keychain)”, then enter the same strong password twice. This password is used to secure your disk image. [By "strong password," I mean one that is long and contains a mix of letters, numbers, odd capitalization and punctuation marks, or at least most of these features. For example, 1%milKisgooDforyoU is a strong password.]

• Click OK.

4. The disk image file will be created and then it’ll be opened automatically.

5. Look at your Desktop; you should see an icon named Virtual Disk. This is what appears whenever your disk image is opened. Copy a file into this Virtual Disk. Notice that the file is copied, not moved, when you put it in the Virtual Disk. The original file will remain where it is, so you’ll probably want to put it into the Trash in a couple of days, after you’re sure you understand how your new disk image works.

6. Close Virtual Disk by dragging its icon to the Trash, which will eject this virtual or fake disk.

7. Now, locate your disk image file. (It’s in the location that you selected in step 3, second bullet). Double-click your disk image file. Enter your password when prompted and then click the “OK” button. You should now see the icon for Virtual Disk again. Open it and you’ll see the file that you copied into it.

8. Now that you know how to use your disk image, you can copy more files into it and then delete the originals. For example, if you keep a list of passwords or other sensitive information in a Word or Excel file, copy this file into the secure disk image. Once you’ve confirmed that this file is inside your disk image then throw away the original file so it’s no longer sitting unprotected on your Mac’s hard drive.

9. Don’t leave your Virtual Disk on the Desktop all day long. This defeats the added security. Only open it when you need it and then close it when you’re done by dragging its icon to the Trash icon on your Dock.
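As an added example, not part of the tech tip, the script below does from Terminal what steps 3 to 7 above do in Disk Utility, using macOS’s hdiutil command; it also covers the encrypted sparse bundle image from the Time Machine overview earlier via an optional image type. It assumes a Mac with hdiutil on the PATH; the paths, sizes and volume names are sample values, and the HDIUTIL variable exists only so the functions can be exercised elsewhere.

```shell
#!/bin/sh
# Added example: encrypted disk images from Terminal with hdiutil (not the tech tip's own code).

HDIUTIL=${HDIUTIL:-hdiutil}   # overridable so the functions can be exercised without a Mac

# Create an AES-256 encrypted image. The password is handed to hdiutil on stdin
# (-stdinpass), never as a command-line argument, so it does not show up in
# `ps` output or in the shell history. Type UDIF is the plain read/write image
# from the steps above; SPARSEBUNDLE is the growable kind used for Time Machine.
create_encrypted_image() {
  image=$1 size=$2 volname=$3 password=$4 type=${5:-UDIF}
  case $size in *[0-9][mg]) ;; *) echo "size must look like 20m or 200g" >&2; return 2 ;; esac
  printf '%s' "$password" | "$HDIUTIL" create -size "$size" -fs 'HFS+J' -type "$type" \
    -encryption AES-256 -volname "$volname" -stdinpass "$image"
}

# Open the image (the double-click-and-enter-password step), password again on stdin.
mount_image() {
  printf '%s' "$2" | "$HDIUTIL" attach -stdinpass "$1"
}

# Eject it (dragging Virtual Disk to the Trash). Do this as soon as you are done.
unmount_image() {
  "$HDIUTIL" detach "/Volumes/$1"
}

# Walk-through of steps 3 to 7; runs only when invoked as: sh this_script.sh --run
if [ "${1:-}" = "--run" ]; then
  printf 'Password for the new image: ' >&2
  stty -echo; read -r pw; stty echo; printf '\n' >&2
  create_encrypted_image "$HOME/Documents/Secure.dmg" 20m "Virtual Disk" "$pw"
  mount_image "$HOME/Documents/Secure.dmg" "$pw"   # now copy files into "/Volumes/Virtual Disk"
  unmount_image "Virtual Disk"
  unset pw
fi
```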

How can I securely store passwords on my Mac?

Do you have personal or sensitive information about yourself or your clients on your Mac? Things such as credit card numbers or passwords? If so, I recommend storing this information in a special kind of file known as an encrypted disk image. I store a list of my own passwords and other sensitive information in such a file on my Mac laptop. This file is always readily available while still being inaccessible by others, even if my laptop were stolen.

Without getting very technical, disk images were invented as a way to make a backup copy of a disk such as a floppy or CD, but other uses have emerged over time. Mac OS X lets you create a blank disk image that can be thought of as an empty folder. Additionally, this file can be encrypted which requires a password when you open it. Thus, in an over-simplified way, you can think of an encrypted disk image as a password-protected folder.

Read my next blog post for step-by-step instructions on how to create and use an encrypted disk image on your Mac. After creating your own secure disk image, copy the files that you want to protect into this disk image. For example, if you keep a list of passwords or other sensitive information in a Word or Excel file, copy this file into the secure disk image. Once you’ve confirmed that this file is inside your disk image, then throw away the original file so it’s no longer sitting unprotected on your Mac’s hard drive.