Introducing Password Utility

I hate passwords. Especially long complicated passwords. So I decided to do something about it. I ended up solving my own problem, but on the way, created a new app for macOS that you too can use. It is called Password Utility and I think you are going to love it.

It started small enough: I wanted to have a desktop Mac at home. My keychain on my laptop was becoming unusable and it had decades of cruft on it. My idea was simple: Make a full backup of my laptop and store it on my desktop Mac at home, and make it available over a VPN to grab stuff as I needed it. So I set up the Mac mini as a new machine, hooked up an external drive with the backup and I was good to go. 

However, after avoiding it for years,  I decided to use a unique, long password for local login since the mini had pretty much my entire digital life (and all my passwords in the keychain). I also didn’t want to reuse a password I had used in the past since that was bad security practice. 

How long should the password be? I wanted a password that would take years to crack. That meant I had to have a password that was at least 12 characters long, had upper and lower case letters, and symbols. 

So I came up with a long password and started to use it.  Doing this proved totally unreasonable and impractical. Entering the password became an issue. A pretty big issue since entering it was complicated and error prone. If I entered it wrong too many times (like 3 times!), I would be locked out. There is also no two factor authentication for local passwords on macOS, so a long password was pretty much my only option. 

It was annoying to use the long password, especially on the Mac mini because it doesn’t have Touch ID. So I bought an Apple keyboard with Touch ID built in and that worked great for most things. However, I soon discovered during my daily use some big issues:

1. If FileVault was on and if the power went out (or someone power-cycled the outlet), I lost connectivity to the mini when not in front of the machine since it was waiting at the FileVault login window.
2. I was also still prompted to enter a password when doing any of these things:
   • Logging In
   • Installing a configuration profile
   • Creating a user
   • Getting a password out of the keychain
   • Any auth dialog every 48 hours because Touch ID requires you to enter a password

Turns out, I do these things multiple times a day.

Even though Touch ID got rid of most passwords, when I did have to enter it, it was important. And error prone. And hard to type.

So I declared to the universe to never ever type my local password again.

And I did it! And in the process, I created a new app that I have been using on a daily basis and not only does it solve the problem, but it brings me joy to use it. 

I continue to use Touch ID for most authentications. But then, if  I’m ever prompted for the local password, I just hit a four key combination (I call it the “password chord”), tap Touch ID and then paste the password and that’s it.  Easy and a bit fun. Makes me a bit giddy each time I use it.

The app also refreshes Touch ID regularly so I don’t have to enter in the password every 48 hours to keep Touch ID active.

The app also sets up FileVault to unlock automatically using the current user’s password at next reboot, so that removes the issue of the Mac disappearing from the network during a reboot or power failure.

I now have a passwordless experience on macOS when logged in. There is still a password, but I never have to type it and my machine is always available on the network. I realized I could install this on my remote Macs that I manage and they will always be available to MDM, ssh, screen sharing, and remote management, even when FileVault is turned on and a reboot happens. 

Here is what my authentication looks like during the day:

1. When my day starts, I wake up my Mac and use Touch ID to unlock it from sleep. 
2. For most authentication dialogs, I use Touch ID.
3. When macOS prompts for the local password, I press the password chord, tap Touch ID and paste in the password with Command-V. The password is then cleared from the pasteboard automatically.
4. When I reboot my Mac, it returns to the login window and is available on the network (and accessible from anywhere due to the VPN). 
5. When I need administrator access in Terminal, I run sudo and use Touch ID to elevate my user session to admin.

There was one last authentication to solve: the login window. However, macOS has built in support for passwordless login at the login window: Smart Cards. So I set up a USB Smart Card and paired it with my local user account.

When I need to log in at the login window, I insert a USB-C dongle and put in a 6 character PIN. After that, it is all Touch ID and the password chord. 

We have been using the app in our office for a while and it has been working great. The macOS  passwordless experience is here.