Security vs. convenience: How do you balance your passwords?

Security is at constant war with convenience. The stronger the passwords we use to keep our data safe, the more steps we take to lock down what we own, the less accessible our data and our devices become -- even to us. Balancing it all can be tough, and a lot depends on what the platforms and services we use do to help us. And nowhere is this more evident than mobile.

Multitouch keyboards, in large part, rely on things like like character pair prediction and auto-correct to make entry acceptable. Neither of those things are possible with passwords, and strong passwords require far higher than normal frequencies of shifting between upper and lower case, and between letters and numbers and symbols. It's the worst possible experience.

A 4-digit passcode lock, or weak password, gets around that by reducing the complexity at the expense of security. Intervals can also be set, so that your passcode is only required minutes after you last used your device instead of seconds. A short interval offers better protection should you lose your device or should a friend try to prank you during an unguarded moment, but it can be maddening if you need to complete a long series of intermittent tasks.

On iOS, ironically, Apple's security policies prevent password managers from working through Safari browser extensions the way they do on OS X, thus requiring more cumbersome copy-paste procedures, or the use of an in-app browser instead of Safari. Some websites, flabbergastingly, use JavaScript to block copy-paste, increasing the difficulty of using strong passwords.

2-step verification requires the use of an authenticator app, or the transmission of a token. Sometimes tokens don't work for no apparent reason, or network connectivity is spotty, complicating transmission. Sometimes it ends up being so secure, even you can't get in.

It's not an iOS-only problem either by any means. BlackBerry Z10 passcode entry is such that Adam Zeis of CrackBerry has stopped using a password to secure his phone.

It's possible future technologies like biometrics might make security more convenient, for example letting a thumbprint automagically allow access to a device. But what happens if your thumbprint is hacked or phished or otherwise compromised? You can't change your body as easily as you can a password.

Where do you stand between convenience and security? Do you use a passcode? A strong one? A password manager? 2-step verification? And what could be done to make being secure even more convenient for you?

Rene Ritchie

Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.

  • That's why we need to see the biometric scanner in the new iPhone 5S
  • Well when i'm at home my 4S is open but i do have a App thats Called Big brother Security and i love it if some steals my phone it takes pics of the person and sends it to my Email. But when i'm out and about i do Lock my Phone
  • A nice feature in iOS is that if you turn Simple Passcode off, but then only enter numbers for your passcode, when you unlock your device it will still give you the number pad, rather than the full-blown keyboard. The biggest deterrent for me on using a complicated passcode is I fat finger iOS' keyboard far too much to make its use every time I need to unlock my phone impractical. However, using a longer, numeric passcode adds a little more complexity while still keeping it fairly easy to enter.
  • Did this myself, but it keeps people from being able to guess as most think its 4 digits.
  • Didn't know that, nice!
  • This is a great tip that I didn't know about. I use a 4-digit PIN code on my iPhone, but a 6 or 7 digit PIN would make it even more secure and now I know the iPhone still displays the large number pad. Thanks for the tip!
  • A really nice tip, thanks!
  • I bought 1password but never got around to finding the time to set it up. It'd be nice if Apple worked with them to integrate it into safari.
  • Really it depends what you use your phone for and security features for the individual apps. I have a pass code for the phone to protect others from getting my contacts but I only have their publicly available info on the phone. Otherwise content I access is in the cloud or on work servers (with 2step authorization). Each app with their own password. I have memorized four 8-digit alphanumeric passwords and cycle them between all my apps and memorize a new set every 6 months. Tedious but I don't trust password managers.
  • Well it is not even just the passcode. Have you tried setting up a Apple ID recently? Telling others using an Apple devices is simple is no longer true. Since you cant do anything without an Apple ID. Apple ID force you to have alphabetic and numbers and Capital letters for password. Great that is good for security. But 99% of people i set up for them simply forgotten their password and write it down somewhere. ( Now that is not secure ) Then you have to setup three security questions! And 90% of times i see people just stop and find someone to help or totally give up. Security vs. convenience, Apple was used to be good at the later, ( and pretty crap on the other ), now it is just not good at both.
  • 1Password for iPhone and Mac. Plus two step verification when applicable.
  • Agreed. For now, at least, it's the best compromise between security and convenience.
  • Well, I hope it let me vote for all the choices. I have apps that I lock down with a 4 digit passcode as I should do my phone itself. Most sites I use 1Password for and some I still need to make a password for with 1Password and for WoW it was a self created password but I also have 2 step verification and have their authentication app. I literally use all the options and it's only inconvenient when logging in to things ok my laptop and not on my phone, but completely worth it.
  • Just set up 2-step verification for my iCloud account. Took a few days because I needed to improve the strength of my password before even starting the process. I highly recommend doing it, even if you don't have a credit card associated with your account. re: "2-step verification requires the use of an authenticator app, or the transmission of a token. Sometimes tokens don't work for no apparent reason, or network connectivity is spotty, complicating transmission." Fortunately, you rarely ever need to go through that 2-step process (typing your password into Apple's login page, waiting for Apple to display a 4-digit code on a "trusted device," then typing that code into Apple's login page). You only need to do it when you want to view or change your actual Apple ID account info. My guess is that most people won't need to do it until they change their credit card expiration date every few years. Re: "But what happens if your thumbprint is hacked or phished or otherwise compromised?" I've read that some fingerprint scanners can detect temperature and density of the finger. So a severed finger won't work. Of course, all that does is prevent unauthorized access with the severed finger. It won't stop the bad guys from severing your finger(s) in the first place. :-(
  • I read somewhere that they didn't detect temperature. Did this change recently?
  • Hey Rene, update your stock photos! using the same for your black wallpaper article, i see. Dec 6 :o
  • Another good thing to consider adding to passwords: à,á,â,ä,æ,ã,å,ā and so on and so forth.
  • "none" should be an answer as well. well at least considering the lock screen.
  • I used 1password for all my passwords. I allow it to create the password. I would rather have complicated password than, what used to do prior. Before I would use the same password to almost everything. Thanks to 1password, my life has changed!
  • I didn't know it had this ability. I've downloaded it illegally, and I'm already loving it. I'll probably purchase it legally by day's end. Up until now, I didn't like using security codes because I hate having to unlock it each time I turn on my phone.
  • I Use LastPass it is cross platform and integrates into almost anything that connects to the internet
  • I use msecure to track passwords. I am not trustworthy enough to allow browsers to link to these password managing apps tho. So I still memorize. The apps mainly keep track of the passwords for me.
    Four digit numeric passwords for the iPhone and iPad.
  • Passwords are pointless. They are easy to get by.
  • I use LastPass, and purchased the iOS integration. It's not a perfect solution, but I am easily able to go into LastPass and copy a password, then paste it into an app or web form using multitasking. It would be nice if it was integrated into Safari the way it is a browser plugin on desktop machines. But I do love how it allows me to have unique, complex passwords for every site. When I was still on Facebook, I had a 64 character password (the max allowed). I always use the maximum character count when I create a new account somewhere (kudos to the sites that list the password rules right there next to the field to create your new password). So entering complex passwords on desktop machines I use regularly is easy as possible, and only slightly less convenient on my iPhone.
  • I use eWallet which allows me to sync MacBook Pro, iPad2, and iPhone5 over the wifi. Have used eWallet for years on BlackBerry. Sync is much easier on IOS but still have to sync MacBook with IOS devices separately to keep all in sync if not using the Cloud. I often have to refer to eWallet to retrieve the passwords for different sites. I've tightened up the passwords recently to make them more secure.
  • I use a 4-digit passcode and 1Password on iOS and desktop with Dropbox sync, usually with the built-in app on iOS. Really impressed with 1Password but some sites don't allow the copy/paste functionality to work. I thought it was a problem with iOS but according to the article it seems to be a site-implemented javascript issue. This throws a monkey wrench into the workflow and sometimes makes it almost impossible to use strong passwords.