Update 11 November 2017
About a year ago I switched to LastPass (see the article here) which resolves the weaknesses of mSecure. Now syncing to devices is not required because it is cloud-based. Yet there is also a locally cached copy that is accessible when no Internet connection is available. Unlike mSecure, LastPass can automatically log into a site vs. just reminding you of the authentication information.
Are you concerned about theft of confidential information that you store electronically?
How important is privacy to you? If you're an "older" individual, your answer may be significantly different from that of your grandchildren, who are growing up in an age of social media "let the world share my angst" attitudes. Yet in the tangle of ethereal vines we call the Internet, and amidst our new intimate conversational nooks of, oh, ten million of our favorite strangers, hide pranksters and predators trolling for victims, with motives ranging from curiosity to identity theft or worse.
Privacy and security are broad topics. For this article I am going to focus on a low friction solution to protect confidential information that you store on your computer, laptop, and/or smartphone...typically all three and with a desire that they stay in sync.
The information you need to protect includes passwords, personal identification numbers (PINs), license keys, credit card info, bank accounts, and any other tidbits that you want to keep away from prying eyes.
This article is NOT about encrypting your files and folders or entire drives. That is a different topic but also one with a practical solution. More on that later…
What do we know?
- Hiding our password on a piece of paper taped to the "hidden" drawer is not going to cut it if I really care about protecting what's behind that password.
- A password is just a lock. It is only as secure as it is difficult to break. Part of making it difficult to break is choosing a password that cannot be guessed or discovered by (practical) brute force. Easy passwords are easier to break. Hard or strong passwords can be hard to remember (thus our propensity for hiding them in the first place someone will look).
- In today's digital world we may have dozens or even hundreds of passwords. And even if we manage to use the same one universally (a weakness itself), we still have to remember the associated username, site address, product or service name, license key, and on and on.
- Granted there are access controls that do not rely upon a password: physical keys of many types, pattern recognition, biometric controls (retina scanners, fingerprint readers, voice print analysis...even mind control). Two-factor authentication enhances security greatly. But here we'll focus on a password-based solution.
- Don't trust computer or smartphone operating system passwords. Those are ludicrously simple to work around. Don't trust the current state of the art in consumer pattern recognition (face recognition and drawing patterns). They are not secure.
- If we must deal with passwords, then we need a way to remember them or to at least have protected access to them. Failing to remember one could result in a loss of access to critical information.
- For a password to be strong it needs to be long and include elements that are not contained in any dictionary. Long passwords are difficult to remember unless they are mnemonic. That becomes more likely if the long password can actually be a long phrase or sentence. This is possible if the password rules allow spaces. The password sentence can be long in odd ways that aid its mnemonic nature without being connected to something about you that could be guessed. But a sentence is, by definition, dictionary based. Modern computing power can quickly shred a dictionary based password.
- Inserting or replacing characters with special characters greatly strengthens the password against dictionary attacks. And if we think of the special characters with alternate names like "bang" for an exclamation point or hash / hashtag for a # symbol, then we can still have a memorable yet long and strong password. Characters can be swapped with similar characters such as a 3 for an E. Mixing case, especially oddly, is good. It is best to use a combination of trickeries. Keep in mind that some uses of special characters are so common as to be readily susceptible to attack; e.g., a bang (!) at the end of the password.
- Of course, we must also be able to successfully type the password sentence blindly.
- If we were only required to remember (and adequately protect) just one strong password, that may be practical. That one strong password could be our lock to open access to a vault that contains the other passwords and other confidential information.
- We need a common solution for each of our electronic storage systems; i.e., desktop computer, laptop computer, pad, and smartphone. The latter is particularly scary since a smartphone is so easy to lose or to be stolen...life information suddenly at the fingertips of a predator.
- Ideally our solution should automatically sync securely to each of our devices so that updating it in one place updates it in all. Even better if the syncing takes place automatically.
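The caveat above about predictable special characters, shown as an added example (not part of the original article): a small audit that undoes the common tricks before doing a dictionary lookup. It goes beyond the trailing-bang case to look-alike swaps and odd casing; the word list, swap table, and function names are constructed assumptions.

```python
import re

# Constructed mini word list for the demo; a real audit would load a large dictionary.
WORDS = {"secret", "password", "coffee", "my", "dog", "likes", "purple"}

# Look-alike swaps (the text's "3 for an E" and similar), mapped back to letters.
# This table is an illustrative assumption, not an exhaustive list.
LOOKALIKES = str.maketrans({"3": "e", "0": "o", "1": "l", "4": "a",
                            "@": "a", "$": "s", "5": "s", "7": "t"})


def variants(token):
    """Return the forms of a token left after undoing the predictable tricks."""
    low = token.lower()                      # odd or mixed case
    trimmed = re.sub(r"[^a-z]+$", "", low)   # trailing "!", digits and the like
    return {low, trimmed,
            low.translate(LOOKALIKES), trimmed.translate(LOOKALIKES)}


def audit(password):
    """Split on spaces and report which tokens reduce to a dictionary word."""
    guessable, unmatched = [], []
    for token in password.split():
        if variants(token) & WORDS:
            guessable.append(token)
        else:
            # Not matched by these simple rules only; this is not proof of strength.
            unmatched.append(token)
    return {"guessable": guessable, "unmatched": unmatched,
            "dictionary_only": bool(guessable) and not unmatched}


if __name__ == "__main__":
    # Constructed sample passwords.
    for sample in ["S3cret!", "P@ssw0rd1", "my dog likes purple coffee",
                   "my d#og liKes pur!ple coff33"]:
        print(f"{sample!r}: {audit(sample)}")
```

Tokens with a symbol inserted mid-word stay unmatched under these rules, while a trailing bang, a 3 for an E, or odd casing alone still reduces to the dictionary word.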
What is the low friction solution we seek?
The best solution I've discovered is mSecure by mSevenSoftware. mSecure is available for iOS, MacOS, Android, and Windows (including 64-bit).
Its concept is simple. mSecure is a vault protected by a password that you can make as strong as you wish (including the use of a long oddly-structured but easily remembered sentence as described above).
When the vault is opened its organized records are accessible to you. mSecure has predefined common types of records with appropriate fields for each (bank accounts, credit cards, email accounts, etc.). You can edit the list of types and create your own with fields of your choosing.
Saved records are easy to find and easy to open. So your confidential information is literally at your fingertips. You can even group records and filter your view by a selected group, e.g., "favorites".
- It works on all of my computing devices.
- It is very easy to use. Click the icon, type the password, view your data.
- Syncing with all of my devices is easy (with the caveats noted below).
- mSecure uses a very strong encryption technique.
- mSecure supports sentence passwords.
- It works and is very low friction (with the caveats noted below).
- It stores a lot of data. I was able to store 31,083 characters in the "Notes" field of one of its records. Not as much as Outlook, especially since Outlook can include rich text formatting, but still much more than many smartphone personal information managers.
mSecure is the best solution I am aware of, and its common usage is very low friction. I am very happy to have it and the peace of mind it brings. But it is not without significant and minor weaknesses.
- Syncing mSecure to all of my devices via Dropbox is a great convenience. It makes a secure connection to Dropbox and stores the data in an encrypted file. Unfortunately, there is no alert on the PC side if Dropbox is closed. mSecure happily syncs to the Dropbox folder on the PC but cannot tell you if the result is NOT getting synced to the cloud for access to your other devices. So I've found myself syncing my mSecure data only to discover that it didn't really happen.
- mSecure data can only be stored in plain text. Without rich text formatting there is no way to turn content into a link or to format content in the "Notes" field where I would like to keep a lot of unstructured information in a visually organized fashion. In fact, I would like to be able to store it the same way I can in Outlook contacts notes fields. While testing this I discovered that Ctrl-A does not work in the Notes field to select all the data (to copy/paste).
- mSecure lacks the option to remember sites you log into and automatically provide the password for that site, requiring only that you are able to log in to your vault. I would like that ability that some tools have, but I prefer mSecure's range of capabilities.
- When changing phones or factory restoring/reinstalling on a device, I discovered a serious issue. FYI, this issue is avoided if you can remember and have the opportunity to deregister mSecure on your old device before replacing it:
- mSecure has a built-in limitation on the number of registrations. This is an understandable business practice, but it is very frustrating for the time it takes to take care of it since there is no telephone tech support. When I encountered this, it wasn't obvious that I had run into this issue. I got this error. After three days I got this response: "Thank you for your purchase. I have gone into our records and increased your activations in our system. This should allow you to register the software again."
The next day, my response: "Something isn’t working correctly. I registered and didn’t receive any error. But it continues to prompt me to register each time I open the program. I’ve tried again a few times, no joy."
I received this 3 days later:
It looks like your preferences file is either damaged or corrupt. We can fix this by simply deleting the preferences file. Doing so will not have any consequence on your mSecure information.
To delete the preference file:
1. Click on the Start menu
2. Type or copy and paste (%userprofile%\appdata\local) to the search bar and hit enter (don’t include the parentheses)
3. Double click the mSeven_software.. folder
4. Double click the mSecure…. folder
5. Double click the 3.5.4… folder
If you have an older version, click on the older version number. It should be the only folder in the mSecure folder.
6. Delete the user.config
You should now be able to open mSecure without the error message.
I then noted: "It worked when I added the key inside the application instead of during opening it."
So it took 7 days to be back up and running with mSecure.
Important note: If you have an additional registration available, all you have to do is go back to the app store and view "My Apps" to download and install it again.
I highly recommend mSecure. It accomplishes the intended purpose in a low friction manner (low friction except for tech support timeliness in the rare times it is needed) and offers real peace of mind. Just make sure that peace of mind is justified by using a strong, well protected front door password into mSecure.