Drowning in Passwords: Tips and Tools to Stay Safe and Sane
Another day, another password: Thanks to Web-based apps, we're all acquiring passwords at quite a clip. How do you remember them all while staying secure? Here are some helpful tools and strategies -- that don't involve writing your passwords on sticky notes.
Mon, November 09, 2009
CIO — Who the heck am I? Am I shopper-Bill, flyer-Bill, reader-Bill, buyer-Bill, potrero-Bill, or this that and the other Bill on the 30 or more sites that comprise my online life? And which of my many passwords do I need right now?
If you spend much time online, you probably have the same problem I do: How to remember your ever-growing list of online usernames and passwords—and stay secure at the same time.
You're savvy enough to know that identity theft and illegal access to personal and financial data are real-world problems that you want to avoid. But what are you doing about it? Odds are, not much, says Andrew Jaquith, a computer security analyst at Forrester Research. "There are two classes of people: those who seem to care about the security of their accounts, and those who act as if they don't." Most people, he says, fall in the latter category.
If you're one of the majority, your security strategy may be nothing more than using a single password for every site you need to access. On the one hand, the chances of it being stolen aren't terribly high and you probably won't forget it. But if it is stolen, the malefactor will have access to your entire online life, including bank accounts and maybe medical records. Not a pretty thought.
It turns out that there are a number of strategies that will help you avoid that ugly scenario. Most of them are simple, free or quite inexpensive, and much more secure than what you're doing now. But some are just halfway measures that could let you down in a pinch.
A Password Safe of Sorts
Let's start with my favorite, a Windows program called RoboForm ($29.95) from Siber Systems. RoboForm stores your passwords, usernames, personal information, and the URLs of sites you visit on its secure server. Your information is protected by a master password that you'll enter before logging into a site. The program will then log you in and automatically fill out the kinds of forms you need to complete when shopping online. If you typically work on two computers, say one at home and one in the office, you can sync the two PCs and have your passwords on both systems.
Until recently, RoboForm suffered from the same flaw that most password managers suffer from: it was useless if you were on a public computer. That's a real problem if you're traveling without your laptop and suddenly realize you have bills to pay via your banking site, or want to make an online trade.
RoboForm Online fixes that. It is, however, in beta form, and a bit clunky, requiring a double sign-on and a few other minor annoyances. But it does work (based on my tryout), and the company expects to have a finished, and presumably more polished, version out within a few months.
There's also a version for the iPhone, and it's possible to load RoboForm onto a USB drive and take it with you for use on public computers. The company says the USB version leaves no traces behind.
If you use RoboForm do not forget your master password—it is not recoverable. Although password recovery is a common feature on many Web sites, Siber Systems decided that enhanced security was more important than potential inconvenience.
Tools for Mac Users
By the company's own admission, RoboForm doesn't work very well on a Mac (that's supposed to change next year), but a similar program called 1Password ($39.95) from Agile Web Solutions offers many of the same features for use on Apple hardware. I haven't tried it out, but it's earned good reviews and gets a nod from Forrester's Jaquith. Users of various versions of the Mac OS can also take advantage of a built-in feature called Keychain that offers password management on a single machine.
Another option that's similar to RoboForm, Callpod's $29.95 Keeper utility, comes in versions for Mac, Windows, and Linux users (the vendor offers a 15-day free trial). A separate mobile Keeper version serves iPhone and iPod touch users.
If you are a smartphone user, the first step you should take to stay safe is password protect your whole device: See instructions from CIO.com's Al Sacco on how to do it.
A Free Trick or Two
Don't want to spend money? You could simply put your passwords in a password-protected file. If you use Microsoft Word, it's easy. Simply go to Tools, then Options, and click the Security tab. You'll have the option to require a password to open the file, or just to modify it. If you're traveling, you can put that file on a USB drive. But don't forget that password. If there's a backdoor that will let you recover the file without it, I haven't heard about it. Warning: Many security gurus, such as Bruce Schneier, don't advocate keeping this type of file on your PC. (See this useful blog post from Schneier for some more advanced advice on crafting and managing passwords.)
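Both the RoboForm master password and the password-protected file above share one property worth understanding: the master password is not stored anywhere, it is turned into an encryption key, so there is nothing for a vendor to "recover" if you forget it. The following is an added example written for this article, not code from RoboForm, Word, or any other product mentioned. It builds a small standalone vault using only the Python standard library: PBKDF2 stretches the master password into keys, an HMAC-SHA256 keystream encrypts the entries, and a second HMAC tag lets the opener detect a wrong password (or a tampered file) instead of returning garbage. The vault format, the key-derivation parameters, and the sample entries are all constructed for illustration; real products use their own formats.

```python
import hashlib
import hmac
import json
import os
import struct
from typing import Optional

# Constructed parameters for this example; real password managers pick their own.
KDF_ITERATIONS = 200_000
KEY_BYTES = 32


def derive_keys(master_password: str, salt: bytes) -> tuple:
    """Stretch the master password into (encryption key, MAC key).

    The password itself is never stored; only the random salt is. Without the
    password there is no key, which is exactly why it cannot be recovered.
    """
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, KDF_ITERATIONS, dklen=2 * KEY_BYTES
    )
    return material[:KEY_BYTES], material[KEY_BYTES:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a pseudorandom keystream."""
    blocks = bytearray()
    counter = 0
    while len(blocks) < length:
        blocks += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(blocks[:length])


def seal_vault(master_password: str, entries: dict) -> dict:
    """Encrypt a dict of site credentials under the master password."""
    salt = os.urandom(16)
    nonce = os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    # Encrypt-then-MAC: the tag covers nonce and ciphertext so tampering is detected.
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {
        "salt": salt.hex(),
        "nonce": nonce.hex(),
        "ciphertext": ciphertext.hex(),
        "tag": tag.hex(),
    }


def open_vault(master_password: str, vault: dict) -> Optional[dict]:
    """Decrypt the vault; return None if the password is wrong or the file was altered."""
    salt = bytes.fromhex(vault["salt"])
    nonce = bytes.fromhex(vault["nonce"])
    ciphertext = bytes.fromhex(vault["ciphertext"])
    enc_key, mac_key = derive_keys(master_password, salt)
    expected_tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    # Constant-time comparison; a wrong master password fails here, before decryption.
    if not hmac.compare_digest(expected_tag, bytes.fromhex(vault["tag"])):
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))


def vault_hides_plaintext(vault: dict, secret: str) -> bool:
    """Sanity check: the stored vault must not contain the credential in the clear."""
    return secret not in json.dumps(vault)


if __name__ == "__main__":
    # Constructed sample entries, echoing the article's many "Bills".
    sample = {"bookstore": {"user": "shopper-bill", "password": "example-only-pw"}}
    sealed = seal_vault("correct master phrase", sample)
    assert open_vault("correct master phrase", sealed) == sample
    assert open_vault("forgotten or wrong phrase", sealed) is None
    assert vault_hides_plaintext(sealed, "example-only-pw")
    print("vault sealed; wrong master password yields None, not data")
```

The point the test at the bottom makes is the one the article warns about: `open_vault` with the wrong master password returns `None` rather than any partial information, and the sealed file on disk (or on a USB stick) reveals nothing about the credentials without that password.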
Most browsers, including Internet Explorer, Firefox and Safari, can automatically fill in forms and passwords for you. That's certainly helpful and if you're certain that no one else has access to your computer, it's not terribly risky. However, if your teenager or someone else does use your computer, you could be in trouble.
A simple solution is to delete saved passwords and forms when you get done. In Firefox, for example, go to "Tools," "Options" and then the security tab and look for the "saved passwords" button. Click it and a list of saved passwords and usernames opens up. Simply delete all or some of them. Other browsers have similar features.
Also remember that public computers are often infected with malware, including keyloggers that copy everything you type. Password managers defeat them, since the password is not actually typed on the page.
Finally, Google and some other online heavyweights are reviving an old idea, a secure, single password/username combo, such as your Google or Yahoo ID, that you could use for multiple sites.
Sun and other companies have experimented with similar schemes, but none ever got off the ground. Maybe this attempt will be the charm. But I'm not holding my breath, and will continue to explore password management options that really exist. So should you.
San Francisco journalist Bill Snyder writes frequently about business and technology.