Apple Device Security: Big Temptation to Dumb-Down
Merlin Mann | Jul 22 2008
Chairman Gruber recently discovered (via his sharp-eyed reader, Earl Misquitta), that the aforementioned iPhone Remote application can also be used as a virtual keyboard for entering search text, login information, and what have you on your AppleTV. Seeing the typed characters appear on the TV screen as you type them is simply magical.

So, if, like me, you’re in the amazingly tiny sliver of the Venn diagram for people who own both these products, this is hugely convenient, and what a welcome trick it is.

As I’ve alluded to before, the AppleTV’s torturous keyboard entry (via the hardware Apple Remote’s 4-way joystick) is abysmal. In 21 uninterrupted years of using Apple products, it’s probably the most consistently frustrating and poorly-designed interface I’ve encountered. I literally hate using it.

The ability to enter text via the superior (but far from perfect) iPhone keyboard is wonderful but it doesn’t and can’t address a deeper problem with the keyboard-challenged devices Apple are focused on vending right now: assy and annoying text entry encourages the use of crap passwords. This is bad, and here’s why.

Sliding backward

We’ve all heard the lectures about not using your ferret’s name as The Single Password™ for everything you do, and my sense is that, over the years, a lot of us have tried to get better about password hygiene — especially as more of our stuff moves into an online cloud.

But my entirely anecdotal opinion is that the iPhone, the iPod Touch, and the AppleTV each tempts their users to slide back to dumbing-down their passwords in exchange for better ease-of-use. The most annoying device in your chain ends up driving the passwords you use for everything.

Right now, it’s such a pain to enter a secure password on a device like the iPhone or the AppleTV, that I’m betting a few of you have already fallen back on your ferret. Or “pencil.” Or your ATM PIN.
This is an unbelievably bad idea, but what are the options if this is a device you need to use a lot?

A real-world problem

I’m a fervent 1Password user and (unpaid) evangelist, so I don’t suffer from this conundrum quite as badly when using Safari on the iPhone. 1Password generates and remembers secure passwords for me, then lets me enter them on my phone in a few seconds via a password-protected bookmarklet. Imperfect, but a big step up over nothing.

Of course, I’m still SOL when the iTunes App Store wants me to (again again again) manually re-enter my password in order to download apps on my iPhone. I’m not made of stone. This sucks.

I’ll even be the first to admit — solely on the basis of how vexing the AppleTV (and non-Safari on iPhone) password entry is — that I’ve been sorely tempted to move to a more trivial password. But I’ve held out. If you’re using MobileMe, or Google’s apps like Gmail, or any of the other myriad cloud functionalities that store a lot of personal information, it’s just not worth assuming the risk in return for a bit of convenience.

“Four digits? What a pain.”

To make this nuttiness even more frustrating, every day I watch friends entering 4 or 5 character passwords over an iPhone that they don’t even bother to auto-lock (“Meh, I use it too much. It’d be a pain.”). Understand: this is a portable device on which all their email, contact information, and logged-in web accounts live. They’re one drunken taxi ride away from a potentially significant privacy crisis.

While leaving a phone unlocked in public does blow my mind, I think I understand how we got here. For 30 years now, banking customers have tolerated four-digit ATM PINs because a) they’re convenient, and b) our bank assumes some of the risk associated with replenishing a generic pile of money whenever anything goes wrong. After all, it’s not your money that gets stolen; it’s the bank’s electronic representation of your money. And that’s easy enough to replenish.
But is four digits (or a trivial password) enough to protect your irreplaceable private data? Are you willing to assume that risk? It’s unbelievable that the question even needs to be asked. But, I’m going to say, no.

But, that’s where we are right now. In a place where ease-of-use is trumping the good sense we’ve developed to take this shit seriously.

Help a brother out, Apple

I think it’s time for Apple and its users to start treating a device such as the iPhone like the powerful little computer that it really is. That means having to risk introducing some inconvenience and complexity by looking at things like:

How to Auto-Lock your iPhone

If you’re out and about right now consider doing this on your iPhone:

At least now your screen door is latched. Go, moblog, and prosper with at least a bit more security in your life.

The Question to You

Has iPhone or AppleTV changed your practices around passwords? Any features you’d like to see to make your Apple device more secure?

21 Comments
Duly Chastened
Submitted by CuriousG on July 22, 2008 - 10:43am.

I’m very good about my passwords on my primary machine, my getting-long-in-the-tooth PowerBook. I have to admit though on the iPhone, and on all my past cells, I’ve been lazy about that. I just hate the fact that I have to enter digits every time I use the thing, which is a lot. I’m heeding Merlin’s advice here and at least giving the pass code a go for the iPhone.

These days I work and blog enough that I don’t have any time to watch iTV, so I’m not going to have to worry about that one until I get this giant flywheel of my business over the initial momentum of moving from part to full time. Hopefully by then Steve Jobs, duly shamed by Merlin’s throwing down of the iTV video challenge gauntlet, will have directed his R & D drones to get cracking on making the iTV security a little more user friendly and, uh, Apple-like.
Yes...and no.
Submitted by halostatue on July 22, 2008 - 10:56am.

I’m in the process of making all of my existing passwords significantly more secure since I use 1Password for everything on my Mac and when my1Password works (it’s iffy, right now) it works well on the work computers, too. This is regardless of what the App Store on the iPhone requires, etc.

Because I’m not just entering passwords into web forms, though, I need them to be memorable at all times as well as strong — which wasn’t working when I just used 1Password’s strong password generator. Now, I use a pattern (the pattern I’m using here isn’t the one that I use, but it’s a sample):

(sitename:hardkey)

The parentheses are part of the password and the “hardkey” is a medium strength password that I’ve been using for years that I have ingrained into my muscle memory (it’s one of three that I use). So, for 43folders, it might be:

(43f:m@Cd4ddy)

It means I have to flip keyboard arrangements on the iPhone more often than I’d like, but it’s memorable, it works, and it’s very secure overall. Now my only bane are sites that (a) don’t allow symbols in passwords and/or (b) prevent my password from being long enough to be meaningful.
Feel free to submit your ideas?
Submitted by joelesler on July 22, 2008 - 11:02am.

Excuse me, not trying to spam or anything, I know Merlin has a lot of friends that are on the inside at Apple, which is great. But there is a site where I and my fellow bloggers are accepting ideas to write Apple about. www.dearcupertino.com
I'm totally out of line here, but...
Submitted by fred.andres on July 22, 2008 - 1:58pm.

You may want to visit the article just one post down on the topic of blog pimping.
I'm guilty of using my bank PIN as my pwd on my iPhone
Submitted by surfmonkey89 on July 22, 2008 - 11:09am.

It’s just too convenient, because it’s the same number of characters, easy to remember, etc.

Regarding locking the iPhone, I had a close call a couple of months ago. I just happened to be perusing the options when I saw you could lock it. I really didn’t even know you could. I’d locked every other phone I’ve owned, mostly to avoid accidentally calling someone, but of course with this thing it’s much more important to have my data behind some kind of pwd. Long story short, I set up the phone to auto-lock and literally 15 minutes later it was stolen. I can’t believe how lucky I was to have turned on the locking function. I agree that ease of use is important, but now every time I see that locking screen I remind myself that I’ve already gotten a phone stolen once. Better safe than sorry.

Regarding using my bank PIN, I know it’s…sub-optimal…but I continue to do it. Guess I should look into 1Password.
iPhone Passcodes
Submitted by funkaoshi on July 22, 2008 - 11:14am.

The iPhone passcode would work better if you didn’t have to ‘slide to unlock’ before having to type the password in. Since you have to type something in before the phone will dump you to the home screen, the extra interaction with the interface is unnecessary. (You won’t accidentally get dumped to the home screen when your phone is in your pocket for example.) I go through phases where I have the passcode on.
+1 on Getting Rid of Slider
Submitted by CuriousG on July 22, 2008 - 1:31pm.

funkaoshi wrote:

The iPhone passcode would work better if you didn’t have to ‘slide to unlock’ before having to type the password in. Since you have to type something in before the phone will dump you to the home screen, the extra interaction with the interface is unnecessary. (You won’t accidentally get dumped to the home screen when your phone is in your pocket for example.) I go through phases where I have the passcode on.

Unless I'm missing something, being the first day Merlin has prodded me into using my iPhone password as I mentioned above, I have to agree...unnecessary extra step that it would be nice to get rid of.
Re: +1 on Getting Rid of Slider
Submitted by xurizaemon on July 25, 2008 - 3:27am.

perhaps they were scared someone could knock together a robot device which could bruteforce the pin with its rubber digits, and felt this slider step might be too hard for it

ok, that's unlikely, but ... :)

hey! what's the "None" input format? hmm
Location Aware Unlocking
Submitted by Mauronic on July 22, 2008 - 11:17am.

I am at home most of the time so it’s not worth the unlocking hassle to secure my phone every time I run out. Why not support a location aware locking mechanism that keeps the phone unlocked in certain safe areas like your house? Sure, it wouldn’t authenticate me, but it would authenticate my house and that’s good enough for my use.
Lots of Solutions
Submitted by jasonglaspey on July 22, 2008 - 5:00pm.

@Mauronic: I really like the location aware automatically disabling auto-locking, that sounds elegant.

However, another idea is to track other information beyond just digits for passwords. What about tracking the timing in which a 4-digit passcode was entered? I imagine typing 2, 2, pause, 2, 2 (or whatever). A pause, or quick rapid taps, could be tracked, and this gives the simplicity of typing four characters into a number pad and makes it very hard to crack, especially via a bot.

I remember reading somewhere that people actually have typing patterns, and that some people were experimenting with the physical, syncopated patterns in which words were typed as a way to authenticate. It seems that same idea could be lent to typing into a numberpad, even if it was a short, simple password, the pattern makes it strong. This could definitely be accomplished on the iPhone, could be accomplished with the AppleTV remote, and with javascript, I have to imagine is possible in a browser.

Also, check out Vidoop, they are doing some interesting things with passwords as well. http://www.vidoop.com/
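
The timing idea in the comment above, sketched as an added example (not part of the original thread and not any vendor's implementation): a passcode check that also compares the rhythm of the key presses against an enrolled profile. The function names, the tolerance value and the sample timestamps are assumptions constructed for illustration.

```javascript
// Added illustration: names, tolerance and sample timings are assumptions.

// Convert key-press timestamps (ms) into gap shares: each gap divided by the
// total entry time, so entering the code faster or slower overall is tolerated.
function rhythm(timestamps) {
  const gaps = [];
  for (let i = 1; i < timestamps.length; i++) {
    gaps.push(timestamps[i] - timestamps[i - 1]);
  }
  const total = gaps.reduce((a, b) => a + b, 0);
  if (total <= 0 || gaps.some((g) => g < 0)) {
    throw new Error('timestamps must be increasing');
  }
  return gaps.map((g) => g / total);
}

// Enrollment: average the gap shares over several entries of the same code.
// A real device would keep a salted hash of the code, not the code itself.
function enroll(pin, samples) {
  const profiles = samples.map(rhythm);
  const n = pin.length - 1;
  if (profiles.some((p) => p.length !== n)) {
    throw new Error('each sample needs one timestamp per digit');
  }
  const mean = Array.from({ length: n }, (_, i) =>
    profiles.reduce((sum, p) => sum + p[i], 0) / profiles.length);
  return { pin, mean };
}

// Digit comparison without an early exit on the first mismatch.
function sameDigits(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

const TOLERANCE = 0.12; // assumed maximum deviation allowed for any gap share

function verify(record, pin, timestamps) {
  if (timestamps.length !== record.mean.length + 1) return false;
  let shares;
  try { shares = rhythm(timestamps); } catch (e) { return false; }
  const rhythmOk = shares.every(
    (s, i) => Math.abs(s - record.mean[i]) <= TOLERANCE);
  return sameDigits(record.pin, pin) && rhythmOk;
}

// Constructed samples of "2, 2, pause, 2, 2" entered three times.
const SAMPLES = [[0, 200, 1000, 1200], [0, 180, 950, 1120], [0, 250, 1150, 1420]];
const record = enroll('2222', SAMPLES);

console.log(verify(record, '2222', [0, 300, 1500, 1800])); // same rhythm, slower
console.log(verify(record, '2222', [0, 300, 600, 900]));   // right digits, even taps
```

The three gap shares carry little entropy and can be observed by anyone watching the entry, so a check like this complements a retry limit rather than replacing one.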
1Password for iPhone
Submitted by NightOne on July 22, 2008 - 8:01pm.

Re: your comment: “via a password-protected bookmarklet. Imperfect, but a big step up over nothing.”

We have already submitted it and as soon as Apple finishes their review you should be seeing our new native iPhone application in the App Store. Insanely, we’re making it available for free. :)

Thanks
Carl S.
Chief Evangelist
Agile Web Solutions
http://1password.com/
http://switchersblog.com/
Biometrics to the rescue?
Submitted by SomeAudioGuy on July 22, 2008 - 8:28pm.

This is one of those situations where smartphones are really ticking me off. Compared to my old iPaqs, it feels like we’ve taken several large steps back. I really miss my hx2750’s built in fingerprint scanner. It was SO easy to lock that thing down. If Apple wanted to get away from buttons, a fingerprint scanner could be used for all manner of functions as well…
Oddly enough...
Submitted by grant on July 23, 2008 - 5:55am.

I was just wondering how hard it would be to put some kind of nominal voice recognition on one of these. There’s already a built-in microphone, after all. Instead of a password, you could do an impression or animal call. It would certainly make public transit slightly more enjoyable….
I've changed a couple of passwords...
Submitted by tangledhelix on July 22, 2008 - 9:31pm.

I’m also an unpaid advocate of 1Password, and will get it the second I see it in the App Store. I have a different password for every site I use. But I recently changed my apple.com password because I got sick of playing the “write down my password” dance to buy an app on the iPhone. It’s not a bad password, at least. Just not as random and long as I’d like.

Also, I used to use Ebay/Paypal’s Security Key device for my Ebay and Paypal accounts. But since I don’t carry the Security Key with me reliably, I ended up taking it off of both accounts so I can access the sites from iPhone, and also so I can use the Ebay app.
Remote wipe versus identity theft
Submitted by algal on July 22, 2008 - 11:52pm.

One thing I was glad to read is that eventually remote wipe will be available in iPhone 2.0 not just for enterprise users but also consumers (http://tinyurl.com/6pxfo4). If you lose your iPhone or iPod Touch, and realize it soon enough, you have some chance of limiting the privacy damage.

A friend at a party tried to get past the auto-lock on my iPod Touch. We were amused to see that after a few failed passcodes it locked the device for five minutes. What would have happened after another failure? I think there should be an option for the device to auto-wipe under those circumstances. Really, all the data is synced, so better safe than sorry!

Of course, the real risk here is if your device is lost or stolen then it will quickly end up with someone who specializes in re-selling it for the grey market. This person will need to know how to reset the device, to do carrier unlocking, etc., and it would not be too far out of the normal line of business of such a shady character to briefly rent the device to professional fraudsters of one kind or another. These folks might not have the chops to get through a secure wallet app like SplashId, eWallet, or 1Password, but I assume they would be able to get past the “screen door” level of security necessary to access contacts and email. And, unfortunately, that is already a bonanza of info for identity theft.
...yes! just like MarcoPolo for OS X
Submitted by jen729w on July 23, 2008 - 12:22am.

What a great idea. I use the marvellous little MarcoPolo to do exactly this with my Air. I get to work, it detects the wireless network there, knows where I am, and amongst other actions it turns on my screensaver password. I get home and it does the reverse. Magic.

Edit: damn, this was meant to appear in reply to “Location Aware Unlocking”, above. Sorry.
Making passwords easier for iPhone
Submitted by dalton on July 23, 2008 - 9:14am.

I have actually changed a few passwords to accommodate the iPhone keyboard. It is very annoying to type in characters like * and %, which used to show up in my passwords all the time, because you have to switch to the number keyboard and then hit shift to access them. (This used to be the case for the underscore, too… glad they moved that one!)

I am wondering if anyone has tried a service logon aggregator like PageOnce? It seems a bit crazy to put all of your eggs in one basket like that, but I have to admit that I am tempted.
Where's the backtick?
Submitted by jczorkmid on July 25, 2008 - 1:15pm.

Backtick (`) is missing from the US layout. If you've got a password with a "`" in you *might* be able to type some of your password, switch to the Japanese keyboard layout, hit the "`" key and then switch back, but on some sites it seems to leave me at the US layout even if I disable it so changing the password is the only option.
I've remembered why I don't set a PIN code on my phone...
Submitted by jen729w on July 27, 2008 - 5:45pm.

I knew there was a reason why I didn’t use this feature.

Call me an optimist, but I’d like to think that if I lost my phone there’d be a fair chance that the person who found it would look through it, work out who they could contact to reach me (a quick check of my text screen would show this), and contact that person to tell them that they had my phone. This is what I would do if I found a phone in the street or in the back of a cab. I’d like to believe - and I do believe - that there are more people that would take this course of action than there are who would steal my identity.

Of course, if my phone is locked the nice person who finds it can’t do this.

Thoughts? For the record, I live in Melbourne, Australia.
A suggestion
Submitted by jczorkmid on July 29, 2008 - 3:03am.

Well if you want to use this feature, and still want people to be able to identify the phone as yours you can make an image with your contact info (other than the iPhone’s number) and set it as your wallpaper. Currently it will show the majority of your wallpaper image under the “Slide to Unlock” screen (when not charging). It will also show it under the “Enter Passcode” screen, but much less of it is unobstructed.
Re: Apple Device Security: Big Temptation to Dumb-Down
Submitted by Mashedspud on July 30, 2008 - 10:41pm.

I am a member of the dying breed, a non iPhone owner so most of these comments have gone over my head. I am more tempted to get an iPhone now. Better check the balance on my credit cards :)

Mashedspud
Green lasers rulz
About Merlin Mann

Merlin Mann is an independent writer, speaker, and broadcaster. He’s best known for being the guy who started the website you’re reading right now. He lives in San Francisco, does lots of public speaking, and helps make cool things like You Look Nice Today. Also? He looks like this, answers questions, and has something like a life.