
How To Keep Your Passwords Safe

Yesterday, at http://www.techsupportalert.com/content/how-choose-strong-password.htm, I talked about how to choose an uncrackable password.  Today, as promised, I'll cover the thorny problem of how to keep all your passwords safe and secure.

The problem is an obvious one.  If you're like me, you probably have dozens of passwords for all the different web sites you use.  Taking into account all the systems I look after as part of my day job too, I probably have over 100.

But how best to manage them all, without choosing simple passwords or writing them down?

Here's how I do it, and how I advise others to do it.  

To start with, choose a simple password and use it for all the sites where it really wouldn't matter if someone found out your password: for example, sites where you have to register in order to download a free program, to enter a competition, and so on.  This takes care of a lot of the passwords you would otherwise need to remember.

Now for the other passwords: those for all the non-trivial systems where it would be bad news for someone to know your password.  This includes every site and system that gives access to personal information about you, or that handles online payments.

The first rule is that you must always use a different password for each such system.  Otherwise, if someone discovers your password on one site, they can use it on the others.  The second rule is that there should be no link between your passwords; otherwise, once someone knows one of them, it's easy to work out the rest.  If your password on Amazon is Othello, don't use another Shakespeare play for any of your other passwords, unless you don't care about keeping them secure.

The third rule is that your passwords need to be strong.  See yesterday's article (link above) for details on how to do this.

But how do you remember all those strong passwords without writing them down?  The answer is to write them down, but in an encrypted database on your PC.  Now the only password you need to remember is the one for the encrypted database, which in turn gives you access to all the others.

The simplest way to do this is to use a password manager which was designed for the job.  Two of the best known, and most widely trusted, are KeePass and Password Safe.  They're both free, and I'd recommend that you try each of them.  

KeePass is at http://keepass.info/ and Password Safe is at http://passwordsafe.sourceforge.net/.  

By the way, don't be tempted to use the password-protection feature built into your favourite word processor or spreadsheet to store your passwords in a protected document.  Such features will keep out casual intruders, but they are not secure enough for something like a list of passwords.  The page at http://www.elcomsoft.com/aopr.html will show you why.


Comments

by fred64 on 8. January 2014 - 22:08  (113492)

I am also a LastPass user -- for more than 2 years. It's got some great features: like the other good products, it can fill forms, provide user IDs and passwords, generate super complex passwords and organize my sites.

All sensitive data is encrypted and decrypted locally before syncing with the LastPass cloud server. Your decrypted data never leaves your device and is never shared with LastPass. Your data stays accessible only to you. Downside of this is you better not forget your master password.

Don't laugh, it's easy. My main computer at home is set to automatically log on to LastPass -- I don't need to enter the master password. After I retired, I no longer signed in from work and seldom used the family laptop -- until a year later on vacation. It's true the support folks at LastPass can't help you if you forgot the master password.

I had to wait until I got home, and used my home desktop (automatically logged in) to update the master password, then sync the new password with all the others. Warning! Do not forget your master password.

I can install LastPass on any computer. I can also configure it for different password profiles and identities. One profile for work, another for home, another for casual browsing, etc.

LastPass is free for computer based browsers. You need to upgrade to the premium model to use it on mobile devices, game systems or smart TVs.

by rr on 13. May 2013 - 6:07  (107708)

If I save my passwords in a program on my computer then what do I do for backup? If my computer crashes, then what?

by glofp on 9. May 2013 - 6:30  (107580)

I too use LastPass, and have used it for years now.
What I don't like is that when "sites" are not written in the same way as LastPass wants, then it doesn't work. If, e.g., I have to write in my credit card information, and the publisher hasn't written it in the same "language" as LastPass thinks, then it doesn't work.
I observe this a lot of times.

by Roderunner on 8. May 2013 - 14:59  (107565)

To find the best password manager / manageress, look in a mirror.
All my passwords are strong and varied, stored separately in notepad, including the email address used on that particular site. Once all my passwords are done, I use 7Zip to compress the folder with a very strong password that is easy for me to remember.

by RogerC on 8. May 2013 - 13:39  (107563)

What about LastPass? In my opinion, it's the most secure and advanced password protection system, and it's cloud-based (with encryption)--preventing others from gathering passwords stored on your PC. (Yes, KeePass stores passwords on your PC.)

by daelmore1952 on 8. May 2013 - 13:13  (107562)

I use RoboForm; I've been using it for years. Haven't had any problems with it yet.

by Goliath on 8. May 2013 - 12:47  (107561)

What about just type the password in a word or excel document and protect it with AxCrypt or a similar encryption software? Will that work?

by bernardz on 9. May 2013 - 1:50  (107575)

It will work; it's called storing your passwords locally. There are two issues.

1) If you go to another machine, you cannot log on.
2) What happens if you lose your machine?

What I used to do, which you may consider, is store my passwords in Gmail in an obscure and hidden way in an email. So someone who wanted to break in would have to go through thousands of emails to find that one, and it was not noticeable that the passwords were in that one anyway.

by DrBongo on 8. May 2013 - 12:24  (107560)

Open source is actually much safer than closed source when it comes to encryption software. It assures that the program has no backdoors, and having a lot of eyes on the source code means that any vulnerabilities are exposed and eliminated.

by bernardz on 9. May 2013 - 1:54  (107576)

When the program is first written, everyone will jump all over it looking for issues; however, as the program holds more value and it gets tougher to find, you will find fewer people coming forward.

by Bruce_Fraser on 8. May 2013 - 12:17  (107558)

Another excellent password manager is Dashlane (www.Dashlane.com). It's not as famous as the others, having been around for only a couple of years. But it does all the basic password storage and form filling that LastPass and RoboForm do, plus more. (KeePass, by the way, doesn't automatically fill forms, so I don't use it.)

by godel on 8. May 2013 - 23:23  (107573)

I tried Dashlane briefly, didn't like it. It also leaves a heap of junk behind in the registry when you try to delete it.

If you're using KeePass and the Firefox browser, the KeeFox add-on autofills your log-in details for you (works about 80% of the time).

by bernardz on 7. May 2013 - 12:56  (107520)

????

KeePass has a strong random password generator; all you need to do is activate it. You do not need any of the stuff you mentioned yesterday.

If you want to test how good it is go to this site
http://howsecureismypassword.net/

by Geert on 8. May 2013 - 8:58  (107546)

>> Keepass has a strong random password generator
>> You do not need any of the stuff you mentioned yesterday.
So true

>> If you want to test how good it is go to this site
>> http://howsecureismypassword.net/
Another illustration/confirmation of the fact that "long = strong"

by bernardz on 8. May 2013 - 10:59  (107553)

Length has a strength of its own. For example, it claims that aaaaaaaaaaaaaaaa takes 345 thousand years to solve.

I recommend all passwords be at least 16 digits now.

by jnewmarch on 7. May 2013 - 12:10  (107519)

What about LastPass? It used to be highly rated - is it no longer?

by Geert on 8. May 2013 - 9:00  (107547)

It certainly is! (It's just a matter of taste; every editor has its preferences ;)

by bernardz on 7. May 2013 - 13:11  (107521)

I use LastPass because I have been using it for ages and am used to it. What I do not like about it is that its free version has no support for mobile devices!

I am worried about using KeePass as it is Open Source which means any hacker can study how it works in detail.

What I do suggest is you take a look at this review too

http://dottech.org/84605/windows-best-free-password-manager-program-last...

by Geert on 8. May 2013 - 9:07  (107548)

>>What I do not like about it is its free version has no support for mobile devices!
That's how they try to make you pay for it.

>> I am worried about using KeePass as it is Open Source which means any hacker can study how it works in detail.
That's exactly why others prefer to use it: everybody can check that it doesn't do suspicious things with your passwords (like, e.g., sending them to ???).
A hacker can see how the passwords are encrypted with AES265. So what? As long as he doesn't have your (long and secure) master password, you're safe.

by bernardz on 8. May 2013 - 11:03  (107554)

>>What I do not like about it is its free version has no support for mobile devices!
> That's how they try to make you pay for it.

It is why I am thinking of using Dashlane

>> I am worried about using KeePass as it is Open Source which means any hacker can study how it works in detail.
> That's exactly why others prefer to use it: everybody can check that it doesn't do suspicious things with your passwords (like, e.g., sending them to ???).
> A hacker can see how the passwords are encrypted with AES265. So what? As long as he doesn't have your (long and secure) master password, you're safe.

You may be quite stunned at what a good programmer can find if he is let loose with the code. A few years ago, while looking at some code, I discovered a workaround by which some of the security of a rather expensive financial system could be bypassed.

by Geert on 8. May 2013 - 11:46  (107556)

>> It is why I am thinking of using Dashlane
Same: only the premium version gives you "The full power of Dashlane everywhere!"

>> You maybe quite stunned what a good programmer can find if he is let loose with the code.
I know. I am a (good?) programmer myself.
But that's imo exactly the strength of open source: millions of brains/eyes can have a look at it and if there is a security hole to be found, it will be found and patched.

by mirtma65 on 8. May 2013 - 12:14  (107557)

I'm using Dashlane and I can use it everywhere. And I'm not a premium user. Compare versions: https://www.dashlane.com/app/en/#premiumComparison