Password security is a favorite topic of mine, and one I’ve written numerous posts on. Today I thought I’d deal with the topic of password management. If you’re active on the web you’ll likely have a lot of accounts all over the place from things like facebook and twitter, to your bank and paypal, as well as memberships with other social networks and websites. Hopefully by now you’ve recognized the importance of using a different password for each of these sites. (If you haven’s and your banking password is the same as your facebook password than do yourself a favor, stop reading this article right now and go make some changes. Once you’ve done that come on back and finish off this article for some tips on managing your now myriad of different passwords.)
There’s a lot of different ways to manage passwords, and you’ve got to find something you are comfortable with and assured of its security. Perhaps you’re still the type that keeps scraps of paper and sticky notes by your computer, this may be okay for you since it’s unlikely you’ll have any hackers visiting you at home, and as long as you trust the people who are there, but it’s not the most organized, efficient and secure system available.
Browsers like Firefox, Internet Explorer etc, have stored password features which will store both your usernames and passwords and then fill in the appropriate fields for you when logging in to a site. Bev Robb from Tekblog suggests “not saving passwords in the browser due to the potential for cross-site scripting malware drive bys.” rather Bev advises “if you must save passwords (in your browser) than use third party [plugins] such as LastPass“
For myself I’ve struggled to find password management software that is secure, and easy to use. I’ve tried numerous password management programs over the years, and the one I’ve continued to come back to time and time again is KeePass Password Safe. KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish).
Now before you go gung-ho on managing all your passwords, it is important to make sure you are creating strong passwords. That is passwords that are not guessable or easily hackable by brute force. Microsoft offers some helpful advice on creating strong passwords here.
I asked Brian Krebs his opinion on browser-based password managers. “I think browser-based password managers are fine for some things. I use Firefox’s password manager to store passwords for things like Twitter, and random forums that I visit a lot. For laptops and physical security, one should always make sure the stored passwords are assigned a master password. [Firefox does include this feature, but you need to set it up manually]. But one should never store passwords to sensitive sites (bank, credit-related). Keyloggers, form-grabbers and password stealers are embedded in almost all malware these days, and the first thing malware does is rip out your stored passwords.”
Brian recommends, “A better solution is to use a password manager that encrypts the data on your hard drive and allows the browser to interact with it when needed. This sure beats having a lot of passwords written on random scraps of paper, which described my password system up until a few years ago. I use Roboform2go, but there are free alternatives (I think Bruce’s Schneier’s PasswordSafe is still available and is a great program).”
And with that our attention is drawn back to KeePass which does a masterful job at storing your password and is also able to interact with a third party plugin for your browser.
So how are you managing passwords?