How we handle security at iMore: Our apps and approaches to keeping our data safe!

All this week on Talk Mobile we've been discussing security - how we keep our information, and the information of others safe. Each of us here at iMore have different approaches, different go-to apps and authentication methods, and generally different levels of paranoia we try to balance with the realities of time and convenience. So what do we do? What security apps and authentication approaches make up our personal arsenals? Here we go...

Rene Ritchie

1Password 4 for iPhone

My security begins with unique passwords for each of my Macs, desktop and laptop, and unique Passcodes for my primary iOS devices, an iPhone 5 and iPad mini. Yes, I do mix them up frequently, but retyping something is a small price to pay for satiating paranoia. Once inside, I use 1Password to manage everything and anything security related. I use a strong master password to access 1Password, of course, but then 1Password generates, records, manages, and auto-completes unique passwords for every other app and service I use.

This works amazingly well on the Mac and Windows, but is still a huge pain in the ass on mobile. That's not 1Password's fault - Apple doesn't allow the same type of browser plugins on iOS as they do on the Mac, and even Android isn't as conducive. Combine that with passwords being harder to enter on mobile in general, and it makes me hope those automagical thumbprint reader rumors manifest sooner rather than later. (Safari's new iCloud Keychain sync could solve part of the problem, if you're Apple only, but hopefully 1Password and other managers will be able to sync with it as well so cross-platform types can enjoy the best of all worlds.)

I have 2-step verification set up for Google and Dropbox, but I still get bad tokens and sometimes get locked out of my own stuff. It's annoying enough I sometimes consider turning it off, but again, paranoia demands I don't. Still, I'd dearly love them to get their sh!t together on this, because it's important.

I don't currently use any onion routers or end-to-end encrypted communications systems, because while I think the idea of illegal spying by governments is repulsive and counter to the very freedoms they're sworn to defend - seriously, make a case to the people and change the laws if you think you're in the right, don't violate them - there's no major system I trust anyway, and rolling my own is too much overhead. My paranoia, it seems, can crumble in the face of practicality at times.

Then again, I'm careful what I put online, how and where I access things, and with whom I share what. I assume anything that touches the internet in any way will eventually become public, so I don't put up anything that I'd have a problem with being public.

Find my iPhone gives me remote tracking and wiping capabilities, something I've had to use in the past when my car window was smashed at the mall and my MacBook Pro and iPad 3 stolen.

Ally Kazmucha - how to editor

As far as iOS security goes, I have a password on every single device I own. I also have Find My iPhone/Find My Mac installed on any computer or iOS device I have in my possession. I also keep desktop passwords on all my Macs. Not any one of them are the same either. Any backups that I make I also encrypt in case they fell into the wrong hands.

As for logins to other general websites and services, never the same passwords! Since I can't possibly remember all my logins, I use 1Password religiously on both iOS and OS X. I also use it to generate passwords for me for new accounts. They're much more secure than anything I could ever dream up. I only really use my own passwords for things I need to log in to frequently and don't have time to fiddle with 1Password each time. Even then, I make them extremely difficult to guess.

If a service offers me two-step authentication, I use that as well. I've got it set up for iCloud, Google, and Dropbox for sure and keep an eye on other services that offer it as well.

Richard Devine

mSecure for iPhone

When it comes to passwords, mSecure is my chosen security tool of choice. I appreciate that in many respects 1Password is a better choice, but I've been invested in mSecure since first picking it up as a free app of the day in the Amazon Appstore for Android. With a decent Mac client, and sync between iPhone, iPad and Mac – and other, non Apple platforms – possible using Dropbox, it keeps everything I need to keep hidden, everywhere. And of course, I still use it to generate those random passwords that are so crucial.

Generally I have different pass codes on my different mobile devices, likewise each of my Mac's is locked with a different password. Specific to my Apple gear I of course have Find my iPhone installed on my iOS devices just in case. I'm actually really looking forward to the new security features iOS 7 will bring as well.

Outside of this, the biggest thing I rely on is 2-Step Authentication. Google, Dropbox, Apple ID are the three biggest, with the first two kept within Google's own Authenticator app. It's a pretty awful application – it doesn't even support the iPhone 5 display – but it does the job.

Simon Sage

Yep, it's a pain having to wait for a call or text for a code to punch in alongside your Google credentials every time you're logging into a new service, or worse still, having to manually generate a passcode, but I've got enough important stuff strapped to my Google account that 2-step authentication is a necessary evil. It's easy enough to set up, and once you've set up your usual go-to services, it's not something you have to wrangle with often.

Peter Cohen

Google Authenticator

1Password is an enormously useful utility when it comes to managing passwords on my systems. And, in fact, that's where a lot of my security begins and ends. Having said that, I use two-factor authentication wherever I can. Two factor authentication is a process supported by more and more web services. It relies on a fundamental concept: Something You Know (like a password) and Something You Have (like a cell phone). In practical terms, what happens is that you enter a password and get a second code sent to your cell phone, which you then have to enter to proceed. It's simply a more secure way of making sure you're you. Sure, it's not foolproof - if someone stole both my laptop and my cell phone, they could potentially get around it - but it helps make sure that services I use stay as secure as they can. I use two-factor authentication with my bank, Google and other services.

  • 1Password for iOS - $17.99 - Download now (opens in new tab)
  • 1Password for Mac - $49.99 - Download now (opens in new tab)

Nick Arnott

Find my iPhone

Like so many others, I've been sucked into the world of 1Password in recent years. Most websites don't disclose how they store your passwords on their servers. If a site is using weak encryption methods, or none at all, you usually won't find out until its too late, and you receive an email from the website telling you that your account has been compromised. Using the same password on multiple sites means any site using that same password is now at risk. 1Password makes it easy to generate unique, and difficult to crack passwords for every site and service you use. To make things even better, Agile Bits (opens in new tab), the company behind 1Password, offers a lot of transparency (opens in new tab) when it comes to the architecture and methodologies used in 1Password. The company takes security seriously and seems to understand that solid security is achieved with transparency and peer-review, not obscurity.

On all of my iOS devices, I enable Find My iPhone in Settings so that if they're ever lost or stolen, I can try to track where they are and remotely wipe them if necessary. I also set a passcode on all of my devices, but I don't enable Simple Passcode, which limits your passcode to 4 digits. I also don't use a complicated alphanumeric passcode. I can't type on virtual keyboards well enough to reliably enter a complicated password every time I want to unlock my iPhone. Instead, I use a sort of hybrid. If you set a passcode in iOS (with Simple Passcode turned off), and only enter numbers on the keyboard, you can set a strictly numeric passcode that's longer than 4 digits. In this case, iOS is smart enough to offer you a number pad when you go to unlock your device, rather than a full blown keyboard. You get some increased security by using a passcode that would be of an unknown length to somebody trying to break into your phone, creating far more possible combinations to guess, while keeping the ease-of-use of the number pad.

I also set passwords on my Macs, but a password alone is not enough for me. FileVault is a feature that was introduced in OS X Panther and got a significant redesign with FileVault 2 in OS X Lion. File Vault encrypts the contents of your hard drive using your password. If you just have a password set, but no encryption, somebody in possession of our computer could remove the hard drive and hook it up to another computer as an external or secondary drive to view all of its contents. All of your data would be accessible to them without them ever needing to know your password. When FileVault is enabled, the contents of your hard drive are encrypted and would be unreadable to anybody who doesn't have your password to decrypt the contents. File Vault is fairly easy to set up (opens in new tab), which you can do from the Security & Privacy section in System Preferences.

  • 1Password for iOS - $17.99 - Download now (opens in new tab)
  • 1Password for Mac - $49.99 - Download now (opens in new tab)

Your security go-tos?

So that was what we use for security and peace-of-mind on our iOS devices and PCs. What about you? What are your go to password, authentication, verification, backup, and sync apps?

Rene Ritchie

Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.

  • I've heard from local Apple experts that FileVault is more trouble than it's worth--what do you folks think? Have you heard anyone say the same? Thanks!
  • Lion FileVault was a bag of hurt. Mountain Lion FileVault 2 is way better.
  • Agreed. Off the top of my head, the only thing I can think of that doesn't work with FileVault 2 are games by Blizzard. No loss there.
  • Btw, if anyone still is hesitant to use FileVault 2 on their computer, you should read John Siracusa's article on Mac OS X 10.7/10.8 about FileVault. I tried to put in the link to it but apparently the comment system considers that spam... Anyways, go to Arstechnica and search for Mac OS X 10.8 Mountain Lion Review and it's the second link that pops up and then click on the section about FileVault. Spoiler Alert: It works great and it's awesome
  • I use Passwords Plus for all kinds of stuff; passwords, serials, etc. And I use DocWallet for documents that need securing.
  • Great article and I have a question to ally
    How can I configure iCloud 2-step password,I have it on my apple id-google-outlook-Dropbox etc but every time I log on there is no code asking,sms or known device code asking
    Is some how apple lacking on this feature? And even outside USA there is no way to step up apple id 2-step password.
  • Step 1: remove all Apple stickers from your car. :-(
  • Re: "Outside of this, the biggest thing I rely on is 2-Step Authentication." Everybody: if you haven't set up 2-step authorization on all of your devices and accounts that support it, just do it. It's an absolute must. "Do it. Do it now!"
    - Jack Bauer (Kiefer Sutherland, "24," 2001 - 2014)
  • iOS and OS X: I use Find My iPhone/Mac, manage my passwords with 1Password, and use 2-step authentication when offered. If it's possible to have my data erased after x number of failed password attempts, I will opt for it. When travelling abroad and there is no reasonable alternative to hotel Wi-Fi, I will use a VPN should I need to check my email, bank balance, etc. Specific to OS X: - Standard user account
    - FileVault 2 with Firmware Password
    - Firewall with stealth mode and Little Snitch
    - Google Chrome
    - Sophos Anti-Virus I grew up using Windows, so naturally I follow the Principle of Least Privilege and use a standard user account. FileVault 2 with Firmware Password is purely to spite to a prospective thief. If someone steals my computer, I want the pleasure of knowing that they won't be able to use it. The AV protection might make some scream "overkill!", but I don't see it that way. Not only are more bad guys targeting OS X, but as someone who regularly sends files to Windows users, I have a duty of care to ensure that I'm not passing along something that can harm their computer. Just because OS X isn't vulnerable to Windows-only malware doesn't mean it can't host and distribute it.
  • I highly suggest you take a look at Authy ( as a Google Authenticator replacement. Works better and there is now a OSX App that syncs with Bluetooth to Authy for iPhone. I'm also a long time Lastpass user and very happy with it.
  • it sounds like 1Password is a must. Next 50% off sale, I'll give it a try. Thanks!
  • Quick rundown of my security procedures. I use a number of features that work across my Macs and iOS devices. Some of them work across both systems like 1Password Sync or the 2-factor apps in the iPhone used to login to websites on the Mac. Mac OS X Mountain Lion 10.8.4:
    - File Vault 2 for full disk encryption
    - Passwords for all user accounts, and require password immediately after screen saver begins
    - Disk Utility to create encrypted disk images for data files - 256-bit AES sparse bundle disk image format.
    - 1Password to create and maintain all passwords, at least 24 characters long including both numeric and special characters, sync with Dropbox
    - CrashPlan for cloud and local backup with full TNO (Trust No One) custom 448-bit encryption key
    - Firewall with Stealth Mode enabled
    - iCloud Find My Mac turned ON
    - S/MIME or PGP encrypted email in Apple Mail for recipients that require encryption
    - HTTPS with all sites that support it
    - Turn OFF Auto-Fill in browsers and let 1Password fill logins and personal data
    - DNSCrypt to encrypt DNS packets with OpenDNS iOS 6.1.3:
    - 1Password to access website passwords, sync with Dropbox
    - Symantec VIP Access app for 2-factor login to eBay and PayPal
    - Google Authenticator app for 2-factor login to Gmail and Dropbox
    - 2-factor with SMS code login for Twitter, Facebook, Apple ID, LinkedIn
    - Require passcode immediately upon lock
    - Passcode lock screen, simple (long passcode with full keyboard too cumbersome)
    - Erase data after 10 failed passcode attempts
    - Find My iPhone/iPad turned ON and locked in Restrictions>Location Services
    - Don't Allow Changes to Accounts in Restrictions so the Find My iPhone account can't be deleted.