What if you could access any strong password anytime, anywhere? What if you never had to worry about not remembering the link to the login page for an important but seldom used site? And what if you never had to enter all that necessary but repetitive information about yourself when registering on a new site or purchasing from a new online vendor? It's all possible, with RoboForm Online.
Yes, there are better ways to secure your online activities. However, passwords are still the primary method of access, whether we like it or not.
The strong password challenge
The use of strong passwords has been debated for years. One of the biggest reasons not to use them is user forgetfulness. Most of us cannot remember the 20 or 30 strong passwords for the really important sites we visit. So we either assign weaker passwords or—wait for it—use the same password in multiple locations. Both of these approaches weaken our defense against financially motivated attackers.
What I need is a tool that allows me to use strong passwords everywhere and not worry about not remembering them or going through the reset-your-forgotten-password hassle.
I'd also like to frustrate attackers who think they can guess my security questions. A good way to do this is to use answers that have absolutely no relationship to reality—like entering South Park High for the name of the school from which I graduated. I would also like to have more than one set of secret question answers.
Finally, I want to access my strong passwords even if I don't have my laptop with me. For example, I may be at my son's house and need to access my bank account with its unique 20-character random password.
Well, over the past year I've used a tool that meets all these requirements—RoboForm.
RoboForm comes in three versions: free, Pro, and Enterprise. In this post, I focus on the free version. It has all the features of Pro, with some limitations on the number of personae you can create.
The following list of features for the client-resident version is from the RoboForm site:
- AutoSave passwords in browser [without exposing them to common browser-stored password attacks]
- AutoFill passwords to login form
- Fill personal information into online forms
- Save offline passwords and notes [including answers to secret questions]
- Generate secure random passwords
- Encrypt passwords and personal data using various accepted encryption methods
- Works without limitations with:
  - iPhone and iPod touch
  - Google Chrome
  - Google Android
The core of the solution is its integration with my browser. Figure 1 shows the toolbar as it appears in Firefox.
As I fill in a password or other form for the first time from within Firefox, I am asked if I want to save the information in RoboForm. If I do, I can later select the site from the Logins button: I am automatically redirected to the proper page, the user ID and password fields are populated, and RoboForm "clicks" the page's sign-on button.
This is all pretty nice, but it wouldn't work very well if I wasn't sitting in front of my laptop or desktop.
RoboForm on the road
For me, the real value of RoboForm is its online and smartphone capabilities. RoboForm Online is a beta service that allows me to sync my locally stored information with the RoboForm servers. The synchronized data is encrypted using a single strong password only I know. If I forget it, not even RoboForm can retrieve my stored or synchronized passwords and personal information.
After signing up for RoboForm Online—you have to be a desktop user to use the online service—I synchronized my information by clicking on the Sync icon shown in Figure 1. I could now access all my information via the online interface, as shown in Figure 2.
From the Logins tab, I can click on a site name to log in automatically. I can also use the Identities tab to view credit card or other personal information. Finally, I can use Safenotes to save the answers to secret questions, PINs, or other sensitive information I might need on the road.
Although this meets a good portion of my online information retrieval needs, it doesn't work that well with my iPhone. However, RoboForm has a solution for that as well.
I just started using the iPhone app this week, and it works as advertised.
RoboForm on the iPhone
The following discussion is about the iPhone app, but similar functionality is available for Android-based phones.
I set up my RoboForm iPhone app to require a PIN to access the password interface. This PIN is not the same as the password I use to encrypt the password information. It is just an additional layer of protection.
Once I enter the PIN, the screen displayed in Figure 3 appears.
There is a short synchronization step required to download this information from RoboForm Online. The process is:
- Use RoboForm desktop to create credentials
- Sync desktop information to RoboForm Online
- Sync the iPhone with RoboForm Online
For this example, I touched the TechRepublic login. I was immediately asked for the decryption password. This is the same password used to encrypt my data across all my RoboForm storage locations.
I can set RoboForm to forget my password after a period ranging from 1 minute to never. I set mine to 120 minutes. Once the period expires, the password is purged from memory. I can also manually purge the password from within the security settings.
After entering the password, the form in Figure 4 appears. At this point, I have the option to log in or to copy my password for pasting into a Safari TechRepublic session. I touched Login.
RoboForm for iPhone includes its own browser. So the TechRepublic site appeared without shifting focus to Safari, as shown in Figure 5.
If I like, I can stay in the RoboForm app, switching between logins and site windows without a separate Safari load. But this isn't all.
I can also use RoboForm to fill login forms when using Safari on the iPhone. I installed a RoboForm Bookmarklet onto my iPhone.
Once a login form displays on my iPhone, I touch the bookmark icon at the bottom of the iPhone screen. I then touch the RoboForm Bookmarklet listing, as shown in Figure 6.
The bookmarklet is context sensitive and knows what site I'm trying to sign in to. It attempts to retrieve my login information. If my decryption password has been flushed from memory, I am prompted for it.
Once entered, I see the form in Figure 7. At this point, I have the option of simply having the fields filled or having the script behind the bookmarklet also "click" the login button.
Regardless of what I choose, I am returned to Safari for the rest of the session.
The final word
So is this a "perfect" solution? No. Is it good enough? I think so. Until we can come up with something better, something users will actually use, we are stuck with passwords. And if we continue to push users to use strong, unique passwords for each site they visit, we also must provide recommendations for how to manage them. I have no reservations about recommending RoboForm.
For Safari browser users, Siber Systems, the company behind RoboForm, says on its site that a version is coming for you by the end of 2010.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.