DIY optimize

Are you in favor of password management software?

No one is supposed to use passwords in more than one place, but even techs that should know better sometimes break this rule. Is password management software a good solution?

----------------------------------------------------------------------------------------------------

Confession time.

Hi. My name is Will, and I reuse passwords.

I know, I know. I'm breaking one of the first tenets of data security. Using each password in only one place limits one's exposure if that password ever falls into malicious hands. Not reusing passwords is one of the most basic ways to protect one's data. I should know better. I do know better.

And yet...I reuse some of them anyway.

Frankly, I have no good excuse for doing so, other than the fact that, like most humans, I am sometimes lazy, and reusing passwords makes life easier. I try to be smart about this dumb thing I do, though. The passwords to the mission-critical systems I use at work are unique and complex. My personal financial accounts and e-mail accounts are also protected by individual passwords that aren't used anywhere else.

Where my laziness overcame my good sense was in setting up my accounts on systems that are less critical. There are a few Web services that I've signed up for that don't have any personal information attached to my account on their systems. Frankly, I don't think I'm putting my safety at risk by using the same password to comment on two different technology blogs.

But rules are rules. I feel like I should try to practice what I preach. That's what people call credibility, right?

So in hopes of turning over a new leaf, I'm investigating setting up some password management software for my personal use. If I find something that works well during my tests, I'll probably recommend it to some of my users as well. A few have inquired after my recommendations on this topic already.

Right now, I'm looking at getting started with KeePassX. This application is open source and cross-platform (two of my favorite things). I also like that it's portable; I could carry my password file and the KeePassX binaries on a USB key and have my saved passwords accessible on all the computers I need to interact with.

If you use password management software, which package do you like? Maybe you've decided that such programs aren't a good idea. Either way, I'd like to hear your thoughts in the comments.

96 comments
LarryBoy2

Yeah, it's a little late to reply here, but I missed this one last year. I use Bruce Schneier's Password Safe for Windows: http://www.schneier.com/passsafe.html. It's free, open source, easy to use, and designed by the world's premier security expert. That's hard to beat. The only thing I don't know is whether it's cross-platform. The executable is pwsafe.exe, same as the pwsafe in Linux, but that could be coincidental.

JCitizen

Probably the last password safe I'll ever need! Works even better than the Identity Safe feature in NIS 2010! LastPass is a piece of cake!

viralnexxus

Yes! I am very happy with a freeware utility for Firefox and Internet Explorer called "LastPass." It does an excellent job for all things password related, i.e. auto-login, encrypted passwords, password generator, YubiKey support, fill form profiles, secure notes, etc., and best of all, none of my passwords are stored on their server, so I don't have to worry about their website being compromised and having to change all of my passwords. There is a premium version but it is geared towards businesses and has no effect on the single user, like it isn't crippleware.

albin.moroz

I have used Password Safe ver 1.7 for 10 years. It has served me well and it was free.

mandrake64

I am not in favour of working in a closed environment, i.e. firewalled company network, and also having to change my password every 2 months, not being able to use the same password again for 12 months and then having to remember increasingly complex passwords without writing them down. What is the point of making a company network so secure and then expecting users to dream up new passwords every 2 months? I am a system administrator. I have a complex password that I have never changed on my UNIX systems. Security on those systems has never been breached. The powers that be dream up rules but don't subject themselves to the same environment, perhaps only having to log on to a single system. We all know that managers only need email, right! Goodness knows how they would go supporting a dozen or so different systems and juggling a set of unique complex passwords in their heads. Password keeping software is fine for some. But the reality is that it is useless for you if you are unable to log onto your computer to access the software to tell you your passwords, or you have to store it on some portable media that represents a greater risk if lost in the public domain.

WizzieFoggs

RoboForm is a software easy to understand and use. Secure and fast. I use it for everything - passwords, secure notes etc. It uses modern encryption algorithms and is ready to protect any password/login or bookmark you offer it.

The Heat

We have to have too many passwords... What is needed is biometric protection so one does not need to remember a bazillion different complex %@#$*##dam passwords.

JCitizen

Don't forget to lock the USB or floppy you're using to provide these solutions to mobile password safes. Wouldn't want the bad guys hopping on board your device and pwning your key safe, would you?

pdr5407

I use Open Office Calc to store websites, user names, and passwords. Also MS Excel works well for this task.

suewhitehead

I use KeePass, both the installed version and the portable version for my USB drive. Lots of times when I go to a new website, I find I need to set up a new account. So how in the world could I remember them all? I do have a few that I re-use, but only in areas that I feel are pretty safe to start with.

datdof

Been using Roboform for quite some time and find it's a blessing, considering the great number of logins required for 'benign' sites, such as e-magazines, information sites, etc. The danger of course is that if the initial password is discovered, you are totally compromised. However that one password can be well protected and is less likely to be hacked or stolen.

oldguardreindeer-techrepublic

I've used this for at least 10 years (why fix it if...). It is encrypted, portable, customizable, quiet, generates random passwords according to your own specs (length, types of characters, etc.), floats if you want it to. Friendly support, decent Forum. Free limited use (20 passwords) and good price (Euro 29).

steelyron

Why get fancy? I just use an Excel spreadsheet that is password protected. I can put the sheet on a USB drive and carry it with me anywhere.

Michael Jay

Currently holding 15 different passwords in my head; should I list them? Guess not. Should I write them down? I hope I never have to. My passwords are linked to life experiences that, if I forget, well, nothing will matter at all anyway. Software to store my passwords, what if it fails? No, I will continue to rely on my memory, just another exercise for my aging brain. I think.

gophertd

Love Roboform2go Pro on U3, specifically for multiple profiles, RoboForm Online as a backup with free Goodsync use, and Safenotes. Very valuable app.

tim

Well, the laptop's entire file system is encrypted with 256-bit AES with an 18-character random pass upon every boot/recovery from hibernation, and I keep all passwords in another 128- or 256-bit encrypted database managed by infokeep 1.4 within the encrypted file system. Had it for many years, in fact 9 years! Never use open wireless; always use 256-bit 63-character WPA-PSK that is changed every few months! Any more security than that is too much hassle! If anyone wants to get in, they will eventually regardless!

HavlicekChas

I like Sticky Password because it stores my passwords on my computer not somewhere online and it also has the portable version included, so I'm never without my passwords. Since I've been using sticky password I've been able to increase the strength of my passwords and I don't have to get all those 'remind me of my password' emails for my accounts. AND it supports programs too! http://www.stickypassword.com

deslegumes

As above, I asked my boss if it wouldn't be a good idea to move away from the horrible way they stored sensitive usernames/passwords etc. in Outlook Notes (!). I suggested KeePass; it seemed the easiest to use and has synchronizing capabilities when more than one person is working on the file at once, less implementation and hassle. While I had to listen to some complaining about "yet another program" and "I'm not logged on to the network so can't access the file", for the most part a lot of time has been saved just by not asking around for recent password updates... :D Haakon

SoGifted

I use Deepnet browser, and one reason is the good password file it has. Occasionally I have to use Explorer, and it is a mess: if you make a mistake, you cannot undo it, and if once you say "don't keep" it will NEVER keep. And I cannot access the file to delete the mistaken ID...

AllGeek2Me

I use HP Canada Password Safe. It is a very small program; I only have to remember one password and this lists all the others. The HP Canada Password Safe uses 128-bit Blowfish encryption to store your data securely. This encryption ensures that only a user with your password will be able to access the information you store in the HP Canada Password Safe. I've tried others, but this one seems most user-friendly. But then, I'm really user-friendly and I could see it in a different light. I use HP Canada Password Safe, version 3.1. Questions regarding this software and accompanying documentation must be made to: By Mail: HP Canada Password Safe, 77 Mowat Avenue, Suite 507, Toronto, ON M6K 3E3. By email: passsafe@hpknows.com. All inquiries must include the Product Name and Version.

jm09

Yes, I like password programs that are secure as long as it doesn't use over-kill ideas.

techotter

It's open source, secure, transportable, and easy to use. I did use Bruce Schneier's Password Safe previously, and probably would be still, but KeePass came around in a portable version and that convinced me to change. Its database is on the same thumbdrive as the app itself, and I use Pegtop's PStart as the UI to easily kick the app into life. Wrapping it in TrueCrypt is a good additional step.

nicholaswatts

Hey, great poll and article. I can't imagine my life without a password manager. And the best one I've found on the market is Sticky Password http://www.stickypassword.com Integrated into browser or application, easy, very secure, just great. I can only recommend it to all of you.

digitrog

If you are a sieve head and can't remember passwords, carry a "little black book" with the relevant details of accounts and passwords - Really, how safe is a lump of software to use to save passwords, when you can find passwords etc. to circumvent the registration of said software ... ?!?!?! and if their security for registration can be bypassed - what other features of that database can be hacked as well ... Rather like those chain letter emails which ask to be passed to as many "friends" as possible, only to be monitored by a scam site which harvests emails for its propagation use ... Think about it !

Patrick

And it's worked for many years now! Love it, and it is inexpensive... HTH

sterghe

I came up with a system that lets me "know" all my passwords without recording them anywhere. It's not perfect, but basically I use a simple substitution system based on the name of the site or software that requires the password. That way, all the passwords are different, they all use uppercase/lowercase/numbers/symbols in an apparently unpredictable way, and they're also easy to remember. That said, I do keep a file on my computer that contains all my passwords. It's part of my "What if I got hit by a bus?" file--which contains all sorts of information that would allow family, coworkers, and friends to keep various projects that I care about going even if something unexpected were to happen to me. The passwords used to be in AnyPassword, which I really liked, but since my newer computer runs Vista I had to give AnyPassword up--so they're actually in OneNote now. It works.

ian.obrien

One word: KeePass. Open source and works great.

itsmeray

Go Robo!!!! I'd be lost without it. I use both the resident application as well as the USB flavor. It allows me to make passwords very long and complex and yet I never have to worry about remembering them. Combined with a good synch software and internet web storage I'm synched and locked down 24/7 365 from anywhere on the planet with internet access.

c

I use Password Safe, free download on SourceForge. I have used it for the past Decade, and with 100% satisfaction and performance!!!

kgunnIT

The problem with some of the password managers listed above is that they store passwords on the hard drive. This is generally not a good idea, whether the dbase of passwords is encrypted or not. Like www.pwdhash.com, passwordmaker.org uses a master password to generate an encrypted password. Unlike www.pwdhash.com, passwordmaker.org never sends anything to the web server. PasswordMaker uses JavaScript or HTML to generate the password, which is more secure than sending information back and forth to the web server. Password Maker is available across all platforms, accessible online at http://passwordmaker.org/passwordmaker.html, as well as a Mac Widget and Firefox addon. All you have to remember is the URL string and the master password. You can also assign usernames for each website. You can save the master password to the disk, but I don't recommend this. I type in the master password every time I need to enter my password, then just copy the result password to my login credentials and log into the desired site. This service offers a number of encryption schemes, such as MD4, MD5 Ver 6, SHA-1, SHA-256 (recommended), and several others. All of my login passwords are different, using a few different master passwords. I can even access my passwords on my mobile device via the online method, or running a JavaScript plugin. Again, you don't have to be connected to the server to get your password; it is all client-side, which adds to the security.
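The comment above describes a stateless generator: one master password plus the site's URL goes through a hash and out comes a per-site password. The example below is an added illustration of that idea, not PasswordMaker's or PwdHash's actual algorithm; it assumes a constructed 64-character alphabet and a constructed host-normalisation rule, and it adds the two safeguards a practitioner would want: a slow key-derivation function (PBKDF2-HMAC-SHA256) instead of a single hash round, so that one leaked derived password does not become a fast offline guessing oracle against the master, and a deterministic retry so the output always satisfies a typical site policy.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed 64-symbol alphabet: one byte & 63 picks a symbol with no modulo bias.
ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "abcdefghijklmnopqrstuvwxyz"
            "0123456789-_")


def site_key(url: str) -> str:
    """Reduce a URL to a normalised host (constructed rule: lowercase host,
    drop a leading "www.") so two spellings of one site give one password."""
    if "://" not in url:
        url = "//" + url            # let urlsplit treat a bare host as netloc
    host = urlsplit(url).hostname or ""
    return host[4:] if host.startswith("www.") else host


def meets_policy(password: str) -> bool:
    """Typical site rule: at least one upper-case, one lower-case, one digit."""
    return (any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password))


def derive_password(master: str, url: str, length: int = 20,
                    iterations: int = 200_000) -> str:
    """Deterministically derive a per-site password from master + host.

    The host is the salt, so every site gets a different password from the same
    master; PBKDF2's iteration count makes each guess of the master expensive
    for anyone who captured one derived password and knows the host.  A counter
    is folded into the salt and bumped until the candidate passes the policy,
    keeping the function deterministic while never returning a password a site
    would reject.
    """
    host = site_key(url)
    for counter in range(256):
        salt = f"sitepw-v1:{host}:{counter}".encode()
        raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt,
                                  iterations, dklen=length)
        candidate = "".join(ALPHABET[b & 63] for b in raw)
        if meets_policy(candidate):
            return candidate
    raise RuntimeError("could not satisfy policy")  # practically unreachable


if __name__ == "__main__":
    # Constructed master password; never hard-code a real one.
    master = "correct horse battery staple"
    for site in ("https://www.Example.com/login", "example.com", "example.org"):
        print(f"{site_key(site):<14} {derive_password(master, site)}")
```

Because the derivation is stateless, changing a single compromised site's password means changing the master (or a per-site counter), which is the trade-off against a stored vault such as KeePass.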

egermain

I keep them all in an encrypted excel spreadsheet. I only have to remember the password to the spreadsheet. Inside are my username, password, URL, security question, etc. I also use white font on white background in case anyone walks by while I have it open. The cell value shows up at the top only, not in the cell itself.

earthrat

I have been using LastPass as a Firefox plugin for awhile now and it has really been a great help!

sammy.mah

Try KeePass, it's FREE, open source. It seems to work great; I haven't tried any others though.

Harry Hardin

I am in favor of this type of software and I use RoboForm. It now works with Firefox.

oldguardreindeer-techrepublic

I neglected to mention that Password Depot automatically completes logon steps without typing or tabbing, etc. Also, the clipboard is monitored to determine if any applications are monitoring it (keyloggers will do this as well as monitor the keyboard) and will notify the user BEFORE anything goes to the clipboard. The user can approve the app that is monitoring the clipboard.

JCitizen

This is what I like about my ID safe in my Norton Product, but plenty of good solutions for free are posted here!

nick

I have not found a reason to change from it.

aabottom

Quite addictive actually, I store everything there, carry the encrypted backup with me on USB stick and have no trouble logging quickly and safely from anywhere. Actually finally changed passwords on all my accounts to more sophisticated ones (created easily by StickyP) since I do not have to remember them. Good bye to three passwords for 50 sites:-)

deskhero

When you have dozens of PCs to manage and hundreds of applications and websites, even a little black book is struggling with that much data, and if you lose it ..... I do not trust these passwords to PCs or browsers, or the cloud. A password vault on a PDA is my solution. But I will confess to letting FF remember a common PW for those myriad sites where you have to register/login to get information and drivers etc.

JCitizen

to obfuscate the typing you're doing on the client side too. Your link didn't work, so I can't comment on the capability.

JCitizen

takes a snapshot of your passwords when viewing or appending the spreadsheet. I know AV/AS solutions should prevent that, but since XP, there haven't been any good Input/Output firewalls for Vista, or 7.

sseifert

It's the only one that I have found so far that is truly cross platform and I can use for both work and home.

roger_b

I use KeePass on Windows and KeePassX on Linux/OSX. I have it require both a password and a keyfile which I keep on a flashdrive, which is kept with me.

lu1x-by8i

I just remember one password - and Identity Safe logs me on with varied complex passwords. The list can be transferred from one computer to another with a flash drive & your master password. - As with any password manager, memorize your master password and don't write it down anywhere for obvious reasons.

JCitizen

Just wondering; I assume you mean a clipboard to the application and not to the operating system. Just read somewhere on TR about this recently. Very hard to keep things from keyloggers on public hardware.

JCitizen

You can keep unbelievably difficult passwords to crack, and you don't have to remember them or even attempt to write them down. When they get changed, ID safe asks you if you want to append the new password. Piece of cake!

JCitizen

Spyware has the capability to monitor "hooks" in the hardware layer at the input/output level. In XP, Snoopfree Privacy Shield can detect and block these to ANY process running on the PC. Basically an I/O firewall. However this does not help on PCs not under your control. Most good encryption software intercepts the data before it can reach any keyboard hooks. However video hooks can take snapshots of SSL sessions to discover user IDs and secret questions, multi-factor authentication, etc. Authors at Windows Secrets claim this capability is taxing to the CPU and makes the system unstable, which supposedly puts the malware author at a disadvantage. But this does not hold water in my lab tests. I have had many unwelcome video spywares on my honeypot lab system units that exhibited no instability or any odd behavior at all, other than Snoopfree popping alerts that they were trying to read my screen. Some screen reading behavior is normal for some applications, but they are poorly written in my opinion. No one needs to be reading your screen in an SSL session; that is just not kosher! Anytime this information can be intercepted before reaching the hard drive is good as well, as some spyware only has to do a quick scan of the hard drive to look for sensitive information. This is done quite rapidly, and with no outward detectable behavior. The anti-keylogger/spyware methods in that Windows Secrets article were quite eye opening, but notice the author was not definitive about 100% defeat of every type of method and madness out there. It is a very discouraging situation, and reading their article and user reviews at CNET is paramount, to see which utilities can win the war against this despicable criminal activity.

oldguardreindeer-techrepublic

It is my understanding that it monitors the Windows clipboard and watches for all applications. Not sure how it does it but it has detected iTunes, Excel, Word, and Foxfire that I have approved and I have not seen any other heinous apps. I keep a pretty clean system so I don't think I have any nosy apps. In addition, it also clears the clipboard after a designated amount of time. Passwords are also encrypted. You can check Password Depot out at Acebit.com...both German and English are supported. I also saw an article on Windows Secrets about keyloggers...I wrote to them about PD but haven't heard back yet. Sorry, I'm not sure what you mean about video hooks.