Password security is a favorite topic of mine, and one I’ve written numerous posts on. Today I thought I’d deal with the topic of password management. If you’re active on the web you’ll likely have a lot of accounts all over the place, from Facebook and Twitter, to your bank and PayPal, to memberships at other social networks and websites. Hopefully by now you’ve recognized the importance of using a different password for each of these sites. (If you haven’t, and your banking password is the same as your Facebook password, then do yourself a favor: stop reading this article right now and go make some changes. Once you’ve done that, come on back and finish the article for some tips on managing your now myriad different passwords.)
There are a lot of different ways to manage passwords, and you’ve got to find one you are comfortable with and confident is secure. Perhaps you’re still the type who keeps scraps of paper and sticky notes by your computer. That may be okay for you, since hackers are unlikely to visit you at home and you trust the people who do, but it’s not the most organized, efficient or secure system available.
Browsers like Firefox, Internet Explorer, etc., have stored-password features which store both your usernames and passwords and then fill in the appropriate fields for you when you log in to a site. Bev Robb from Tekblog suggests “not saving passwords in the browser due to the potential for cross-site scripting malware drive-bys”; rather, Bev advises, “if you must save passwords (in your browser) then use third party [plugins] such as LastPass”.
I myself have struggled to find password management software that is both secure and easy to use. I’ve tried numerous password management programs over the years, and the one I keep coming back to is KeePass Password Safe. KeePass is a free, open-source password manager which helps you manage your passwords securely. You put all your passwords in one database, which is locked with one master password or a key file, so you only have to remember a single master password, or select the key file, to unlock the whole database. The database is encrypted with strong, widely reviewed algorithms (AES and Twofish).
Now, before you go gung-ho on managing all your passwords, it is important to make sure you are creating strong passwords: that is, passwords that cannot be guessed or cracked by brute force. Microsoft offers some helpful advice on creating strong passwords here.
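To make the mechanism behind the last two paragraphs concrete (one master password, an optional key file, and a work factor that makes brute-force guessing expensive), here is an added illustration in Python. It is not KeePass’s code or file format; it goes slightly beyond the text by combining the password and key file into one composite secret, and the iteration count, salt length, verifier label and sample key file are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed work factor: every unlock attempt, legitimate or brute-force,
# pays this many PBKDF2 rounds, which is what makes guessing expensive.
ITERATIONS = 200_000

def composite_key(master_password: str, key_file: Optional[bytes]) -> bytes:
    """Fold the master password and an optional key file into one secret.
    Illustrative only (mirrors the idea, not KeePass's exact format): without
    the key file bytes, no password guess can reproduce the same secret."""
    material = hashlib.sha256(master_password.encode("utf-8")).digest()
    if key_file is not None:
        material += hashlib.sha256(key_file).digest()
    return hashlib.sha256(material).digest()

def derive_unlock_key(master_password: str, key_file: Optional[bytes],
                      salt: bytes, iterations: int) -> bytes:
    """Stretch the composite secret with a per-database salt (PBKDF2-HMAC-SHA256)."""
    secret = composite_key(master_password, key_file)
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, dklen=32)

def create_vault_header(master_password: str, key_file: Optional[bytes] = None) -> dict:
    """Build the plaintext header stored next to the encrypted database: salt,
    iteration count and a keyed verifier. The derived key itself is never stored."""
    salt = os.urandom(16)
    key = derive_unlock_key(master_password, key_file, salt, ITERATIONS)
    verifier = hmac.new(key, b"vault-key-check", hashlib.sha256).digest()
    return {"salt": salt, "iterations": ITERATIONS, "verifier": verifier}

def unlock(header: dict, master_password: str, key_file: Optional[bytes] = None) -> bool:
    """Re-derive the key from the supplied credentials and check it against the verifier."""
    key = derive_unlock_key(master_password, key_file, header["salt"], header["iterations"])
    candidate = hmac.new(key, b"vault-key-check", hashlib.sha256).digest()
    # Constant-time comparison so a failed attempt leaks nothing about the expected value.
    return hmac.compare_digest(candidate, header["verifier"])

if __name__ == "__main__":
    key_file = os.urandom(32)  # constructed key file, the kind kept on a USB stick
    header = create_vault_header("correct horse battery staple", key_file)
    print(unlock(header, "correct horse battery staple", key_file))   # True
    print(unlock(header, "correct horse battery staple", None))       # False: key file missing
    print(unlock(header, "correct horse battery stapler", key_file))  # False: wrong password
```

The real database contents would be encrypted under the derived key; the header alone lets the program tell a correct unlock from a wrong one without ever storing that key.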
I asked Brian Krebs his opinion on browser-based password managers. “I think browser-based password managers are fine for some things. I use Firefox’s password manager to store passwords for things like Twitter, and random forums that I visit a lot. For laptops and physical security, one should always make sure the stored passwords are assigned a master password. [Firefox does include this feature, but you need to set it up manually]. But one should never store passwords to sensitive sites (bank, credit-related). Keyloggers, form-grabbers and password stealers are embedded in almost all malware these days, and the first thing malware does is rip out your stored passwords.”
Brian recommends, “A better solution is to use a password manager that encrypts the data on your hard drive and allows the browser to interact with it when needed. This sure beats having a lot of passwords written on random scraps of paper, which described my password system up until a few years ago. I use Roboform2go, but there are free alternatives (I think Bruce Schneier’s PasswordSafe is still available and is a great program).”
And with that our attention is drawn back to KeePass, which does a masterful job of storing your passwords and can also interact with your browser through a third-party plugin.
So how are you managing passwords?
Recommended Password Management Resources:
LastPass, award-winning password manager.
KeePass, open-source password manager.
RoboForm2Go, portable automated password manager.
PasswordSafe, simple and secure password management.
You should also read these informative and interesting posts on passwords.
Passwords: Brute Force Attacks & You.
Passwords: Dictionary Attacks & You.
Hackers May Already Know Your Password
Passwords are a Pain: Top 7 Password Mistakes
12 comments
Brian says:
Jul 28, 2010
When I select my password it's so advanced that sometimes I cannot use it because there are character limitations. Most of the time, however, it's fine. I use numbers, letters, lower case and upper case. To be honest I don't think anyone could hack my password; it's just too much.
Don't get me wrong, I'm not challenging anyone, please don't hack me, but the fact of the matter is I have a very advanced password compared to any of my online friends.
danielsnyder says:
Jul 29, 2010
I hear you Brian, I use such complex passwords there is no way I could remember them – without a password manager I'd be in serious trouble.
Btor says:
Jul 30, 2010
Hi Brian. Is your Safe Returner giveaway over? If not, can I have a free key? Anyways, great blog man and take care
regards
btor
danielsnyder says:
Jul 30, 2010
Hey, I'm checking with my friends at Safe Returner to see if I'm closed off yet. Will get back to you via email.
Trevor Sullivan says:
Oct 13, 2010
Highly recommend checking out Passpack as well — free online password management. It sounds a bit risky trusting someone else with all your passwords, but …
http://blog.passpack.com/2007/01/online-vs-offline-password-managers/
Daniel Snyder says:
Oct 14, 2010
Thanks for the suggestion Trevor…
Rajesh@Hack Facebook Account says:
Feb 20, 2011
Man, I just checked Brian's about page and it looks very good. Coming to the password storage point, no doubt, Roboform does the best job of securely storing your passwords. And I would like to add one more point: using less famous browsers like Flock or so. I studied the code of some of the stealers available to me and found that they work mostly on the drive path given to them.
And hence, since IE and FF are the most used browsers, most stealers have the paths of FF and IE and lack the paths of less famous browsers like Flock. So, storing passwords in Flock can at times be safe, though not 100%.
Correct me if I'm wrong, just my thought.
Daniel Snyder says:
Feb 21, 2011
Your theory makes sense but it’s not a method I would rely on to stay secure. I wouldn’t want to abandon a browser of choice just so I could avoid the fear of having my password stolen. In addition, things are always changing, so what is popular today may not be tomorrow and vice versa. Still I hear what you’re saying.
Paul Williams says:
Apr 27, 2011
I’m a fan of password safety too. Here’s a link to a site I’ve been helping on: http://safepasswordmanagement.com/online-password-generator/ (in particular, a learning tool to help users generate a long but memorable password)
Daniel Snyder says:
Apr 28, 2011
Thanks Paul.