How To Keep Your Passwords Safe

toggle-button

Yesterday at http://www.techsupportalert.com/content/how-choose-strong-password.htm I talked about how to choose an uncrackable password.  Today, as promised, I'll cover the thorny problem of how to keep all your passwords safe and secure.

The problem is an obvious one.  If you're like me, you probably have dozens of passwords for all the different web sites you use.  Taking into account all the systems I look after as part of my day job too, I probably have over 100.

But how best to manage them all, without choosing simple passwords or writing them down?

Here's how I do it, and how I advise others to do it.  

To start with, choose a simple password and use it for all the sites which, if someone found out your password, really wouldn't matter.  For example, if you need to register online in order to download a free program, or to enter a competition, and so on.  This will take care of a lot of the passwords you need to remember.

Now to deal with the other passwords, for all the non-trivial systems where it would be bad news for someone to know your password.  This includes all sites and systems that allow access to personal information about you, or which handle online payments.

The first rule is that you must always use a different password for each such system.  Otherwise, if someone discovers your password on one site they can use it on others.   The second rule is that there should be no link between your passwords, otherwise it's easy for someone to work it out.  If your password on Amazon is Othello, don't use another Shakespeare play for any of your other passwords unless you don't care about keeping them secure.

Rule 3 is that your passwords need to be strong.  See yesterday's article (link above) for details on how to do this.

But how to remember all those strong passwords without writing them down?  The key is to write them down in an encrypted database on your PC.  Now, the only password you need to remember is the one for the encrypted database, which then allows access to all the others.

The simplest way to do this is to use a password manager which was designed for the job.  Two of the best known, and most widely trusted, are KeePass and Password Safe.  They're both free, and I'd recommend that you try each of them.  

KeePass is at http://keepass.info/ and Password Safe is at http://passwordsafe.sourceforge.net/.  

Don't be tempted to use the password protection facility built into your favourite word processor or spreadsheet in order to store your passwords in a protected document, by the way.  While such features will keep out casual intruders, they are not sufficiently secure for storing something like a list of passwords.  The page at http://www.elcomsoft.com/aopr.html will show you why.

 

 

 

 

Please rate this article: 

Your rating: None
4.555555
Average: 4.6 (18 votes)

Comments

I see lot of comments about KeePass but nothing about Password Safe ,

I have been using Password Safe for about a month and it seems safe to me, does anyone have comments that might change my mind?

I will probably try KeePass to see how it works, problem is it took me a while to figure out how to use Password Safe, it doesn't seem to follow the same dialogue as I am used to with Windows, is it just me or do they use different phrasing?

Hope to read your comments and suggestions.

God bless
Jim

Thanks Remah,

I will read the articles you suggested.

God bless
Jim

Both products, Password Safe and KeePass, are safe to use and both are free open-source software for Windows. But Password Safe is not rated as highly as KeePass which has more features and runs on more platforms. For example, I can access my Keepass database on several platforms including my Windows computers and Android phones. The article Best Free Form Filler and Password Manager provides you with more information on these and other options. This 2010 blog post provides some information on migrating from Password Safe to KeePass. It could be useful to you but just take care because some details are out of date.

I am also a LastPass user -- for more than 2 years. Its got some great features like the other good products it can fill forms, provide user IDs and Passwords, generate super complex passwords and organize my sites.

All sensitive data is encrypted and decrypted locally before syncing with the LastPass cloud server. Your decrypted data never leaves your device and is never shared with LastPass. Your data stays accessible only to you. Downside of this is you better not forget your master password.

Don't laugh, its easy. My main computer at home is set to automatically log on to lastpass -- I don't need to enter the master password. After I retired, I no longer signed in from work and seldom used the family laptop -- until a year later on vacation. Its true the support folks at LastPass can't help you if you forgot the master password.

I had to wait until I got home, and used my home desktop (automatically logged in) to update the master password, then sync the new password with all the others. Warning! Do not forget your master password.

I can install Lastpass on any computer. I can also configure for different password profiles and identities. One profile for work, another for home another for casual browsing etc.

LastPass is free for computer based browsers. You need to upgrade to the premium model to use it on mobile devices, game systems or smart TVs.

If I save my passwords in a program on my computer then what do I do for backup? If my computer crashes, then what?

I too use LastPass, and have used it for years now.
What I don't like is, that when "sites" are not written in the same way as LastPass want, then it don't work. If I.e. I have to write in my credit card information, and the publisher hasn't written it in the same "language" as LastPass think, then it don't work.
I observe this a lot of times.

To find the best password manager / manageress, look in a mirror.
All my passwords are strong and varied, stored separately in notepad, including the email address used on that particular site. Once all my passwords are done, I use 7Zip to compress the folder with a very strong password that is easy for me to remember.

What about LastPass? In my opinion, it's the most secure and advanced pastword protection system, and it's cloud-based (with encryption)--preventing others from gathering passwords stored on your PC. (Yes, KeePass stores passwords on your PC.)

I use Robo Form been using it for years. Haven't had any problems with it yet.

What about just type the password in a word or excel document and protect it with AxCrypt or a similar encryption software? Will that work?

It will work, it called storing your passwords locally. There are two issues. 1) If you go to another machine, you cannot log on. 2) What happens if you lose your machine? What I used to do which you may consider store my passwords in gmail in an obscure and hidden way in an email. So someone who wanted to break in would have to go through thousands of emails to find that one, and it was not noticeable that the passwords were on that one anyway.

Open source is actually much safer than closed source when it comes to encryption software. It assures that the program has no backdoors and having a lot of eyes on the source code that any vulnerabilities are exposed and eliminated.

When the program is first written everyone will jump all over it looking for issues, however as the program holds more value and it gets tougher to find you will find fewer people coming forward.

Another excellent password manager is Dashlane (www.Dashlane.com). It's not as famous as the others, having been around for only a couple of years. But it does all the basic password storage and form filling that LastPass and RoboForm do, plus more. (KeePass, by the way, doesn't automatically fill forms, so I don't use it.)

I tried Dashlane briefly, didn't like it. It also leaves a heap of junk behind in the registry when you try to delete it.

If you're using the KeePasss and the Firefox browser, the Keefox add-on autofills your log-in details for you (works about 80% of the time.)

???? Keepass has a strong random password generator, all you need to do is activate it. You do not need any of the stuff you mentioned yesterday. If you want to test how good it is go to this site http://howsecureismypassword.net/

>> Keepass has a strong random password generator
>> You do not need any of the stuff you mentioned yesterday.
So true

>> If you want to test how good it is go to this site
>> http://howsecureismypassword.net/
Another illustration/confirmation of the fact that "long = strong"

Length has a strength of its own for example it claims that aaaaaaaaaaaaaaaa takes 345 thousand years to solve I recommend all passwords be at least 16 digits now.

What about LastPass? It used to be highly rated - is it no longer?

It certainly is! (It's just a matter of taste; every editor has its preferences ;)

I use lastpass because I have been using it for ages and am used to it. What I do not like about it is its free version has no support for mobile devices! I am worried about using KeePass as it is Open Source which means any hacker can study how it works in detail. What I do suggest is you take a look at this review too http://dottech.org/84605/windows-best-free-password-manager-program-last...

>>What I do not like about it is its free version has no support for mobile devices!
That's how they try to make you pay for it.

>> I am worried about using KeePass as it is Open Source which means any hacker can study how it works in detail.
That's exactly why others prefer to use it: everybody can check if it doesn't do suspicious things with your passwords. (like eg. sending it to ???)
A hacker can see how the passwords are encrypted with AES265. So what? As long as he hasn't your (long and secure) master password you're safe.

>>What I do not like about it is its free version has no support for mobile devices! > That's how they try to make you pay for it. It is why I am thinking of using Dashlane >> I am worried about using KeePass as it is Open Source which means any hacker can study how it works in detail. That's exactly why others prefer to use it: everybody can check if it doesn't do suspicious things with your passwords. (like eg. sending it to ???) >A hacker can see how the passwords are encrypted with AES265. So what? As long as he hasn't your (long and secure) master password you're safe. You maybe quite stunned what a good programmer can find if he is let loose with the code. A few years ago, I discovered looking at some code a work around where some of the security of a rather expensive financial system could be bypassed.

>> It is why I am thinking of using Dashlane
Same: only the premium version gives you "The full power of Dashlane everywhere!"

>> You maybe quite stunned what a good programmer can find if he is let loose with the code.
I know. I am a (good?) programmer myself.
But that's imo exactly the strength of open source: millions of brains/eyes can have a look at it and if there is a security hole to be found, it will be found and patched.

I'm using Dashlane and I can use it everywhere. And I'm not premium user. Compare versions: https://www.dashlane.com/app/en/#premiumComparison