We here at Rocket Yard love to hear from our readers – especially when they have a hack, trick, or unique way of addressing their needs. All the better when it comes to non-traditional methods of accomplishing everyday tasks!
In this post, Rocket Yard reader, Jay Turner, shares his unique password management technique. It’s completely free, very simple, quite secure, and most importantly, it works well for him! He hopes there is something that someone else can take away, and we do too. Thanks, Jay!
— by Jay Turner —
Your Mac has all the necessary apps to make a secure, free password manager – one that’s easy to use and maintain. Being able to “copy and paste” and “cut and paste” was all I needed to build my own secure password manager.
I have tried several password manager apps and found them lacking in several areas. They don’t work the same way for each site. One used multiple copy and paste efforts just to work, and another was hacked – it could happen again!
I also see no need to give a third party my password and all of my login information when it isn’t necessary. That is why I made my own password manager. It is under my control, on my computer, and uses my master password – with nothing shared.
Maybe you will find this helpful too!
What You Need to Make Your Own Secure Password Manager
The three main ingredients are:
- Pages. If you use Pages, this password manager for Mac is a snap.
- A unique way of handling your usernames and passwords. This is the trick that makes it work.
- An app for Mac called Quitter to log me out if I forget.
Mac Pages can password protect a document. I use this as the start of my password manager. Apple makes it possible to secure a Pages document by encrypting the file. This gives me even more protection, making my data as secure as my computer. No company or service is needed for my protection or storage, making my data as safe as my password.
Why I Don’t Use Keychain as a Password Manager
I never store my passwords in Apple’s Keychain. I searched on “how to recover a password from Keychain” and found many articles telling me how to do it. I feel that a recoverable password is not secure enough for me, or for you, and thus not recommended.
A similar search for the recovery of a Pages password found this comment from Apple Support:
“Important: There’s no way to recover your password if you forget it. Be sure to choose a password you won’t forget, or write the password down in a safe place.”
How To Password Protect a Pages Document
In a Pages document, when you select “File > Set Password…” it brings up a location where you enter your password and a hint. It’s not required, but I always add a hint and suggest you do too, as it is a useful way to help you remember. This is the one password you don’t want to forget!
Once I set up my document password and add the hint, my password document is protected and ready for use.
Why I Use Pages as a Password Manager
I use Pages because it is a full-featured word processor. I find it an easy-to-use application and, while not needed for this task, has excellent page layout capabilities. I like the new Apple San Francisco font as it is clear, clean, and without the extra squiggles. I puff up the font size to 12 and above too.
I split my Pages document (in my mind) into 3 columns:
- On the left-hand side, I put a name
- On the right-hand side, I put the login URL. (I use a little extra time on the URL to find the one that takes me directly to the login page.)
- The middle column is for “USERNAMEpassword.” Yes, combine the two as this is the trick for efficient use. It is not obvious until you try it, but having USERNAMEpassword together makes it possible to get all the logon information at once without going back to the password manager again and again.
Using Chase Bank as an example, the left side would say “Chase,” the USERNAMEpassword is in the center (myname@gmail.comOregonTrail99), and the URL on the right is Chase.com.
I make the username portion bold, emphasizing the split between the username and password when I need it. Starting the password with a capital letter helps me too, when it is time for me to “cut and paste.”
This is an example of what it would look like:
How to Use the Password Manager
STEP 1.
Copy myname@gmail.comOregonTrail99
STEP 2.
Click on the URL and enter the site.
STEP 3.
Paste myname@gmail.comOregonTrail99, where the site asks for username.
STEP 4.
Cut out the password, OregonTrail99, leaving the correct username, myname@gmail.com, in place.
STEP 5.
Next, paste the password, OregonTrail99, into the password location, and enter the site.
In short, that’s all it takes!
Add Additional Info as Needed
To make the information more useful to me, I include all of the things in the password manager about the site that may be needed to log in. I don’t write down the security questions, but I do make a note of the answers. Sometimes I need account numbers, so I add that too. If something is needed for logon, this is where I keep it.
I added a couple of other entries to illustrate how my overall document looks:
I have about 150 entries, and they all work as described. Some sites use two pages for entry. Some sites require changes after logon like allowing 3rd party cookies. I have 5 sites that logon perfectly; however, they don’t work with Safari. My notes remind me to logon using Firefox. I put all the information needed into my password manager, but logon is always is “copy and paste,” “cut and paste.”
For my use, I have a dozen sites that I use all the time. I group these together and put them first in my document. Following that, in alphabetical order, are all the rest.
The purpose of this password manager document is to make it easy to use and not cluttered with extra facts.
I have another password-protected document where I put all the rest of the site information, like account numbers, credit card numbers, and phone numbers. When I log in, I don’t want to stumble over unnecessary items. Just the facts! Only was is needed!
Storing Your Password Document
To make this password manager more effective, I have mine stored in the cloud. That way, all of my computers have access to this password logon information. While I trust cloud sites and use them, I make sure all of my files are encrypted before going to the cloud. (I trust but not 100%)
Because I am the only one with the master password to my password document, I know my content is safe. I use Time Machine too, giving me dual backups.
Use Quitter for Added Security
After using this password manager for several days, I discovered a problem. If I forget to close the password manager document, it is left open on my computer for anyone to see. When I click on a URL to login, Pages is pushed behind and not visible. While the password manager file was hidden and forgotten, it was still there – and unlocked.
I found a way to fix this problem. Marco has a free app they call Quitter. It works as advertised and automatically closes Pages after a set time, and in doing so, automatically closes out my password manager document.
As long as I am using the password manager, the document stays open. But with inactivity, Quitter closes the Pages document after the set time delay. I have mine set for 7 minutes, which is long enough for me to enter one site for quick answers, and still find the Pages password manager open for a second entry.
Quitter lives in the Menu Bar as a big “Q,” and clicking on the Q brings up the setup menu. The menu for “Edit > Rules…” is shown, and changes to the time for inactivity are made there.
FYI, Quitter closes Pages! Not just your password manager document, but every Pages document. It monitors Pages’ inactivity, and when it hits the limit, Pages closes. It would be nice to have an app that only closed one document, but I haven’t found one. Quitter has a “disable” setting to use if expect to have Pages open and inactive for a long time.
Using Pages as a free password manager is easy, and secure. Try a couple of your own web sites and make your own USERNAMEpassword for testing. “Copy and Paste” — “Cut and Paste,” it couldn’t be easier! Add a few more names, and you will soon have a complete password manager. It works great for me, so maybe it can be helpful for you too!
This is a lot of work for an outcome that is more inconvenient and insecure than Keychain, and still relies on third party tools.
The reason you can recover your keychain passwords easily is because your login keychain is, by default, unlocked when your computer is – so it can be used. If you’re leaving your computer unlocked when it’s unattended, that’s an awful security decision anyway, but I digress.
To fix this “problem” just set your keychain password to a different one from your login password, and set it to autolock after 5 minutes. Done. Now you’re prompted for your master keychain password to log in to your sites, and you don’t need to invent your own data structures to copy and paste with as well as download some random tool to quit Pages for you because you don’t lock your computer.
You can also do this in Notes, just lock the note.
Yes,l Notes is great and I use it for a few sites I go to often, same UsernamePassword idea.
Keyboard text substitution works too and I use it with hard, but incomplete passwords filling in the rest when I use it. There are many ways to safely, securely do this simple task. All Free.
How about an encrypted sparse bundle? Don’t save its password so it will not open automatically!
You can keep anything you want in there.
Just a thought.
I still use CiphSafe, free from Sourceforge.net. It still works in Sierra 10.12.6
I was doing something similar with an encrypted Word document, but didn’t think to add the Quitter. Since I forgot the password for the encrypted word document, I went back to using the Apple Keychain and have had no problems. Because the password for Keychain is the same one I use to log in every time I log on, I’m not so likely to forget it. However, I do like your idea of an encrypted file for the other information, like account numbers, phone number, etc.
Just to be clear, to me this is not a password manager. This is you manually managing your passwords with a list in a document. I used to use a solution like this in Word, and I couldn’t abandon it fast enough.
I understand it works for the author, but this is an kludgey solution at best. The issues I had with a list of passwords in a “secure” document were many, the two main ones: not being able to get to the document when I really needed it and the doc not getting updated when a password changed.
I switched to LastPass (https://lastpass.com). It’s free, automatic (no copy/paste), and secure: AES-256 bit encryption with PBKDF2 SHA-256 and salted hashes. If that last part makes your eyes glaze over, you should definitely not be using a homegrown system.
While LastPass has had one hacking incident in the long time I’ve used them, no user passwords were exposed. LastPass can also be used to securely store other information like bank accounts, credit card numbers, etc. Finally, they don’t have your master password, only an encrypted version of it. They mention up front that if you lose your master password, you will not be able to recover your information.
LastPass is available for all of Apple’s devices, as well as other platforms and as a plug-in for all major browsers. I mostly use Apple’s keychain now, but I still have LastPass and keep it up to date because it was my only solution before KeyChain, so I have a lot of information in it.
If you are absolutely opposed to having your passwords in another location (although “storing them in the cloud” amounts to this), you can look into KeePass (https://keepass.info/), which is also free. this stores your password archive in an encrypted local file (which can be placed on a cloud drive). It also features auto population of web login pages (no manual copy paste). Since it uses the clipboard for this, it automatically clears the clipboard after your login.
Keychain and both of these managers have a feature a document or spreadsheet doesn’t provide: generated passwords. With a real password manager, you can automatically generate secure, random passwords. You don’t have to remember them because they are automatically stored and used after generation. And, if you absolutely need to copy/paste, you can do it manually from any of these.
I equate using a document or spreadsheet to manage passwords to surfing the web with a terminal window. Yes, you can do it. But why, when the correct tools are available, better, and make the task so much easier. I agree with @JaySeb, I would never recommend anyone use a manual method of any kind to manage passwords.
Let’s put it this way. Some people like automatic transmissions and some have manual. They both get the job done.
1Password secures your data making it safe. Apple encrypts my data making it safe.
1Password does not save your master password and Apple does not save mine either.
Passwords are as hard as you want to make them for both.
1Password auto fills, I paste.
1Password has extra services that I don’t need and for sharing there are other free ways.
Thanks for your comments and as security is important, we need to discuss the many ways to do it.
Hello all,
As a Mac novice, this seems fairly simple and easy to use. No keyboard tricks, no scripting, and free is always good.
IMHO, the OP feared using a third-party (software/platform) because it would always be a (valuable) target for hackers, etc..
Frederico and JaySeb, you both imply that you are security pros, and that this method is faulty for many reasons. Care to elaborate (in layman’s terms)?
Also, what makes Keychain so much better? Thank You.
I agree with JaySeb 100%. I deal with password management for my firm and my clients and this approach has several glaring flaws, including the fact that it fails to address the creation of unique and strong passwords. Dashlane is a password manager that addresses all security concerns, syncs your passwords amongst all your devices, and it is FREE: https://www.dashlane.com/cs/eqrim5ZOG5ey
All good as long as you don’t have a clipboard logger maliciously installer on you Mac. I’ve never used keychain either using 1Password but since they switched to subscriptions and stopped supporting safari with version 6 I’m pretty unsatisfied with AgileBits.
With all do respect, this solution has so many fails, it hurts. This is what I do all day for major clients, and there is no way I would (or any other security pro) endorse any of this.
With all due respect, I could email you a password protected Pages document and you or other security pro could not open it. Sure, given enough time, money, desire and motivation any code can be broken. Apple does a good job with their security and I use it to my advantage in a simple application.
Hello RocketYard-ers!
This tip is brilliant! I love it, especially because I have been using the same technique for a lot of years with Apple’s Numbers application.
It works like a charm and I have all my stuff in one place. I use Dropbox for my Numbers file so I can access it from any of my devices.
Many thanks to Jay for sharing this tip with the rest of us readers!
Best computing wishes,
Carol Sierzega
Carol , thanks for your reply. I too tried Numbers as most of my information is in columns. The extra items that I include were easier for me using a less restricted Pages document.
I have to first say that I don’t support this method for a long list of reasons and critical flaws, but the author seems content except for his Quitter issue; this is easily solved with AppleScript and timeouts. Use AppleScript / Automator to both open and close the document (without affecting the other docs in Pages) immediately after use, from a single keystroke shortcut that can grab the address currently open in the browser, and deliver the required login/password without manual intervention. Less than ten minutes of scripting. But, that said, I strongly dispute the ease of which one can recover a lost Keychain password, and suggest the author has misunderstood the many how-to articles and what they are actually able to fix. I’ve never, ever, ever been able to recover a lost Keychain. For anyone reading this, please, I implore you to stick with Keychain if you want a reliable, 256bit encrypted password manager; or use something like 1Password if you want more advanced features like Shared Keychains/passwords.
Excellent suggestion for Automator. Please tell us how it is done. Use my pages document idea, please, in your reply.
I really like the idea of putting the username and password together. I always had them separate and had to go back and forth copying and pasting.
Thanks for the tip!
Thanks Tim, glad you could use the information. It does make it easier combining the two.
I do the same thing with Excel. When you save as in excel, click on “Options” to set a password to open or modify the document.
This sounds like a lot of work to make a not-very-good “password manager”.
I would love to hear your problems with 1Password. There’s no way to recover any passwords if you’ve forgotten your master password. All data is encrypted before being stored in their service – or you can choose to keep local copies only and sync them some other way.
He says in the post why he doesn’t want to use something like 1Password. It’s 3rd party software and not free.
I’ve used 1Password for years and love it, but I also appreciate hearing what works for him.
Remembering a keychain password to reveal your passwords is the same as remembering a Pages password to reveal your passwords. The great disadvantage of the Pages method is remembering a secure, unique password for every site on the internet – you’ll use less secure, more memorable passwords which make you more vulnerable to site hacks, and more likely to re-use the same password on multiple sites. Unless I’m missing something, I’d use Keychain, or some other password manager, not a text document.
Did you read his article? He uses Pages to set a unique password for each website. If he’s smart he’s using keychain suggestions for secure passwords not the dumb example password.