Painless password management: The best free and paid tools
How to keep your passwords safe on the wild and woolly Web.
Once upon a time, you might have thought you could get away with a single user ID and password for all your favorite Web sites. Then, the popular gossip Web site Gawker was hacked, and more than a million user IDs and passwords were revealed. Would it surprise you to know that many people used those same user IDs and passwords on many other far more important sites such as their bank accounts?
I could lecture you about how dumb that is, about how you need to use different passwords for different sites; that you need to pick passwords other than those old favorites, "123456" and "password"; and how you should change your passwords every month for every site, but what's the point?
Leaving aside that most people are lousy at security, can anyone really keep in their heads the dozens of passwords you need for your bank, Facebook, Twitter, office e-mail server, Gmail, phone, electric, 401(k), LinkedIn, ITworld and countless other accounts? Who can manage to remember dozens of IDs and passwords for dozens of sites outside of savants such as the fictional Raymond Babbitt? I'll tell you who: No one.
So what can you do to use safe passwords on the Internet without driving yourself crazy trying to remember all of them? There are several ways to try to do it and here's my list.
Do it yourself
Write out a list of account numbers, IDs and passwords. I don't mean a physical list, though; that's classic idiot security. Make the list on your computer and encrypt it with a program like TrueCrypt, which can be used on Linux, Mac OS X and Windows; or AxCrypt, FolderLock or PGP Whole Disk Encryption, which are Windows-only programs.
These programs can also be handy for keeping snoopers out of your computer's data if someone swipes your PC.
This kind of approach doesn't work easily with Web sites though and, if you're like me, you may also have doubts about the wisdom of using programs that encrypt your entire hard drive. So, you may want to look into password management programs.
There are two basic kinds of password management programs. First, there's local, where the passwords, or their encrypted versions, are stored on your local hard drive or on a portable device such as a USB key-drive. The other is to use a Web-based program to store and manage your passwords.
Local password management
There are dozens of PC-based password management programs. While I have some recommendations, there are several important features to look for before you buy or start using a password manager. These include: encrypting files that contain passwords; restricted access to the management program and its password files; and using one-way cryptographic hashes for password storage instead of storing the passwords themselves.
There are also some features that, while not as important, are just nice to have. Given my druthers, I want a program with multiple operating system, device and browser support that will run on my Windows and Linux PCs, my Macs, my Android Droid 2 smartphone and my iPad. I also like programs that automatically create and save passwords for new sites as I log into them for the first time.
That said, here are some of the best local password managers. You're bound to find one that suits your needs.
At the top of the list is RoboForm. As Mark M. Webster, a Senior Consultant for BT Global Services, told me, you'll find "that it does most of what you would want a password manager to do and a lot else as well. I have been a customer of RoboForm for nearly 10 years and I am partial to passwords on the order of ¡Dál87o2JsQoi! and worse, so it has been a great help."
Webster's right. RoboForm is an excellent program and I appreciate that it works with almost all browsers and smartphones. Now, if it only worked on Linux, I'd love it. As it is, though, I think RoboForm is a great pick for most people. Pricing varies from a free version to a $29.95 one-time option for PCs to a $19.95 subscription model that also covers mobile devices and an unlimited number of PCs, smartphones, and tablets (at the time of this writing, the subscription version is being offered for $9.95 for the first year).
Let's say, though, that you're really, really serious about security. In that case, you may want to consider IronKey Personal. These are secure USB flash drives that come pre-configured with a built-in version of the Firefox Web browser for Windows and use military-grade encryption. What happens if you lose it? Well, the thief had better be darn good, because he'll get 10 cracks at guessing the drive's master password and then IronKey will blow away everything on the drive.
IronKey Personal doesn't come cheap though. You're looking at a minimum of $79.95. That said, if you need serious security on the road, this is what you want.
Two other local password managers worth considering are Norton Internet Security 2011, which comes with a host of other decent security programs, and Kaspersky Password Manager 4. I like that in the Kaspersky program you use a virtual keyboard with your mouse instead of the keyboard when you enter a password for the first time. This defeats any keylogger malware. The Norton program lists for $69.99 direct for three licenses, while Kaspersky retails for $24.95.
Web-based password management
Web-based password management programs make some users nervous. I can understand that. You're putting all your passwords -- or their encrypted hashes anyway -- in the hands of a third party over the Internet. On the other hand, done correctly, your passwords can't be read by the password management company because they're stored securely and they'll only be sent to Web sites over encrypted connections. They're also just easier to use if you, like me, use a host of different devices to visit Web sites and you don't want to reenter passwords into management programs on one device after another.
My particular favorite is LastPass. This program runs on all the operating systems I use, and I use pretty much everything that's out there. It will automatically capture your login credentials and then enter them into the site for you the next time you visit. As an added plus, you can buy it bundled with Xmarks, to my mind the best of all the Web browser bookmark synchronization programs, for an annual $20 subscription price. By itself, the paid version of LastPass is $12 a year. Both programs are also available in free versions.
If you're working with a team of people, you may also want to consider Passpack. With this program, you can share some passwords with your family, say for the Apple Store; others, like a Zoho or Google Docs project, with your co-workers; and some you want to keep to yourself, like handsome open-source gents with beards. Passpack will let you share your passwords with these different groups.
For some people this can be a very handy feature. You don't have to take my word for it. Passpack is Webware and will run on any browser or operating system. It's available in a free version that can handle up to 100 passwords that you can share with one user and one group. If you love it, and have a business of your own, the company offers it in a variety of packages up to a 10,000 passwords/1,000 users/100 groups deal for $40 a month.
More than one way to secure a Web site
While MD5 (Message-Digest algorithm 5) can be broken, I find SuperGenPass to be an interesting way to generate unique passwords on the fly from multiple systems that will prove much harder to break than the usual run of passwords.
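The stateless approach behind that idea, hashing a master secret together with the site's domain so every site gets its own password without anything being stored, is illustrated below. This is an added example written for this article, not SuperGenPass's own code or its exact algorithm: the MD5 variant shows the fast-hash style the MD5 remark refers to, and the PBKDF2-HMAC-SHA256 variant shows the same idea hardened against offline guessing of the master password. The master string, domains and 16-character length are constructed assumptions.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample master secret for the demonstration; not a real credential.
MASTER = "correct horse battery staple"

def registered_domain(hostname: str) -> str:
    """Collapse www.example.com and login.example.com to example.com so both
    forms of the same site yield the same password (naive two-label rule)."""
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def meets_policy(candidate: str) -> bool:
    """Typical site policy: at least one lowercase letter, one uppercase
    letter and one digit."""
    return bool(re.search(r"[a-z]", candidate) and re.search(r"[A-Z]", candidate)
                and re.search(r"[0-9]", candidate))

def md5_style_derive(master: str, hostname: str, length: int = 10) -> str:
    """Single MD5 of 'master:domain', base64-encoded and truncated: the
    fast-hash style the article's MD5 remark refers to. A fast hash means a
    leaked per-site password can be brute-forced back to a weak master quickly."""
    seed = f"{master}:{registered_domain(hostname)}".encode()
    return base64.b64encode(hashlib.md5(seed).digest()).decode()[:length]

def kdf_derive(master: str, hostname: str, length: int = 16,
               iterations: int = 200_000) -> str:
    """Same stateless idea, hardened: PBKDF2-HMAC-SHA256 with the domain as the
    salt makes each master-password guess expensive, and a cheap HMAC counter
    loop re-rolls the output until it satisfies the site's character policy."""
    domain = registered_domain(hostname)
    stretched = hashlib.pbkdf2_hmac("sha256", master.encode(), domain.encode(),
                                    iterations, dklen=32)
    counter = 0
    while True:
        tag = hmac.new(stretched, f"{domain}:{counter}".encode(), "sha256").digest()
        # Swap the base64 symbols for digits so the result is plain alphanumerics.
        candidate = base64.b64encode(tag).decode().replace("+", "9").replace("/", "8")[:length]
        if meets_policy(candidate):
            return candidate
        counter += 1

def site_passwords(master: str, hostnames) -> dict:
    """Derive one distinct password per registered domain from a single master."""
    return {registered_domain(h): kdf_derive(master, h) for h in hostnames}
```

Note that either variant is only as strong as the master secret: the domain is public, so anyone holding one derived password can test master-password guesses offline, and the iteration count in the PBKDF2 variant is what makes each guess slow.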
Biometrics and single sign-on
It would be great, of course, if you could use your fingerprint or an iris scan to log in to systems. After all, as I've said myself, and any knowledgeable security expert will tell you, passwords are dead. But, while it's easy to integrate a fingerprint scanner on a Windows laptop to let you log in, it's orders of magnitude harder to integrate biometric authentication across literally millions of Web sites.
Both Apple and Google are working on mechanisms that will let you use iOS and Android-powered devices and biometrics to access multiple Web sites, but neither of them is ready to announce a shipping product yet. I have a sinking feeling, having seen similar efforts fail over the years -- smartcards, for example, that were meant to be universal login cards -- that these efforts won't work out either.
Another idea that sounds good, but hasn't worked out in real life, is Single Sign-On (SSO). While SSO can, and does, work well with corporate IT using such technologies as the network authentication protocol Kerberos, on the wild and woolly world of the Web it doesn't work so well.
OpenID, the most successful of the public Internet SSO systems, has the support of Google, Facebook, Microsoft, and Yahoo and has been active since 2005. Despite broad industry, government, and open source community support, and despite the billion-plus user accounts the OpenID Foundation assures us of, I honestly know very few people who use OpenID on any kind of regular basis.
The closest thing to a popular universal SSO is, God help us, Facebook Connect. Do you want to trust Facebook (Facebook!) with your login and password for multiple sites? I don't! You can make Facebook safer, but I wouldn't trust Facebook as far as I could throw Mark Zuckerberg.
No, for the foreseeable future, we're all still going to be using our own passwords on hundreds of different Web sites. Fortunately, there are many good programs, and some darn fine USB drives, that make securing yourself on the Internet a lot easier than just typing "password" over and over again.