I’m looking at some hardware and software devices for managing username/password combinations and other authentication secrets. I’m looking at fingerprint readers, smartcard devices, and password storage/encryption utilities.
Anyone out there using these tools? What are your favorites? Any categories I’m missing?
Also, I’m curious about how security-conscious you are when creating and using passwords on websites. Do you use genuinely strong passwords? Do you ever reuse passwords? How often do you use weak passwords at sensitive sites? Do you save passwords in IE7 or Mozilla?
I’ll probably post something similar at ZDNet but I know I’ll get a much higher signal-to-noise ratio here.
I don’t use any hardware devices. I reuse passwords, but they are genuinely strong and decidedly impossible to guess even by people who know me well. I do save these passwords in IE7. I lock my computers (using different “genuinely strong” passwords) when I am away from them. So, I’m pretty much a mixed bag. 🙂
I use KeePass (http://keepass.info), a free open-source password manager. It’s portable — it can be installed and run from a USB drive. It will also generate strong passwords for you. I’ve started using this feature on high-security web sites like bank sites. I put in the maximum password length the site will allow, the full range of characters it will allow, and let KeePass generate a random password. When I need to log in, I can easily copy/paste from the program (and it clears the clipboard after 10 seconds, a nice feature). But because the generated passwords are too long and random for me to remember, I do keep a backup of the database.
Also remember that on web sites that require you to create security questions in case you forget your password, your secure password is irrelevant if the thief can link your username to your real name and gather information about you or if the thief personally knows you and your username. It’s also irrelevant if your security question is something like “What is your favorite color?” and the answer is “blue”. I like creating custom questions if allowed, but if not, I use a standard set of false answers that only I know. That may seem paranoid, but I know that a thief with my username AND my city of birth is not outside the realm of possibility.
Hey Ed,
I’ve written a free, open source, tool that might help.
I’ve been using it for years to store not only my passwords, but any other little bits and pieces I might need in a handy place, like credit card details, bank accounts, etc. It does this by allowing you to create any number of custom item types, kind of like a really simple database.
It sits in the system tray, where you can set up a menu that lists your most common sites, you can then copy your username and password without having to open it in a window.
It can run directly from a USB drive, can save all the information in XML, or it can of course encrypt it using the Windows encryption APIs.
Anyway, I’m biased, but I think it is worth a look.
http://www.niftysoftware.com/Products/Latito/default.aspx
Always keen to get feedback.
Daniel
My personal #1 choice for a software management utility is KeePass: KeePass Password Safe.
Been using it for years and love it. It suggests strong passwords, has a ton of options, flushes copy/pasted items from the clipboard (like those userids and pwds). Oh yes…it’s free.
I’ve heard how complex passwords can be headaches, and passphrases can be hard to remember as well. Some suggestions I heard say to make a “pass-sentence” with punctuation. You can make some pretty long passwords by using a sentence (if the password field supports them).
For web browsers, I don’t keep anything important in the browser’s password keeper…except maybe a throwaway website login. I only use KeePass. For those few (low-security/low-impact) websites I choose to let the browser remember, for Firefox I use the Secure Login extension.
Security guru Bruce Schneier recommends Password Safe
I always use very strong randomly generated pw strings using as many characters as the pw field will accept. My dear wife thinks I’m crazy, but with KeePass, it isn’t a burden at all.
Another important consideration when using a password utility, is to keep a backup somewhere…on a hidden USB stick, a CD/DVD ROM disk, etc.
Nothing more frustrating than having your HDD/system go “belly-up” and not being able to access that secure password file from another “borrowed/backup” system.
A web-based service that was recently brought to my attention was PassPack – Free Online Password Manager. I haven’t had time to fully check it out, but their website has quite a bit of how they report they have their service set up. Not sure how I feel about using a web-based service (hosted by someone else).
Another KeePass user here.
As for passwords, I re-use a standard “insecure” password at places that don’t have any particularly sensitive information about me, but use separate passwords for important sites.
I use a little bookmarklet tool called genpass — http://labs.zarate.org/passwd/ — which has been absolutely fantastic. I don’t need to install anything; it’s simply part of my existing bookmark library. If I’m logging in from, say, a shared terminal, I can dash over there real quick to remind myself what the password is for a given domain, but most of the time I have zero problems with it.
I hate with a passion the new security measures that banks use to try and make it harder to hack your account. I’m not convinced they do anything other than make it harder for me to log in.
Claus,
“Security guru Bruce Schneier recommends Password Safe.”
Didn’t he write it?
I use Password Safe, http://passwordsafe.sourceforge.net/. As with most of the others, it will generate strong passwords. Also, it’s open source and will run on a thumb drive.
I have various strategies:
If it’s a low-security risk site then I use the same password across all sites. Things like forum registration, newsletters, mailing lists, etc.
If it’s medium-security I tend to use a different password, yet the same across all medium-level sites/apps. This one is much longer and is actually a pass-phrase. I’ve found song titles, book names and even favorite quotes to be great passphrases.
If it’s something banking or financially related I have a unique password per site. I keep all of those passwords in Password Agent by moonsoftware.com. The main password file is kept on my home server and I operate under the theory that I really shouldn’t be accessing my highly personal information from other computers anyway.
I use IE7 and Firefox’s remember password only on my main home desktop, not on my laptop.
KeePass for me too.
Long-time RoboForm Pro user here.
I mostly reuse a number of passwords, but I also generate new ones, from time to time, especially for less trustworthy sites. I almost never fill in a form manually; I let RoboForm do it for me. It really is a masterpiece; well worth the money.
I use FlexWallet from WebIS.net: http://webis.net/products_info.php?p_id=wallet
The nice thing about it is that there is a Windows Mobile version for it.
Patrick
“Didn’t he write it?”
Yes, it is my understanding that he did.
Somehow I flubbed adding the intended HTML link at the end of that statement. Had I succeeded, that may have made the context of that brief comment quite a bit more clear.
Password Safe
Since I’m not a cryptography expert, I enjoy and benefit from reading Mr. Schneier’s frequent posts, particularly those regarding computer security, password issues, and the like. Schneier on Security
Gomen
Interesting. I have used a software Password Safe for longer than I can remember. I generate a new strong password for every place where I need a new User ID and password. If I lose the safe I’m a goner. (When I transferred to a new machine, I forgot what the encryption for the safe was, which scared me for a while).
I use an inexpensive commercial one (Vince Sorenson’s Password Max). I don’t let IE remember passwords or do logons for me. The Password software runs out of the system tray and I can have it know how to do the logon sequence for each of as many on-line accounts as I want. In practice, I usually only need to get the password to the clipboard, because most places I have the same user ID. (This works more reliably than keeping up with the different URLs that sites go through for their logon pages.)
Having said all of that, I like the idea of having the safe and the software on a thumb drive when I travel. Maybe the same one used to hold my Bitlocker key when I get that working. This would simplify the synchronization between my laptop and my regular desktop, which is usually the most-current one. I have to think over the single-point-of-loss of too much information factor before I actually do that.
I’m really looking forward to OpenID and CardSpace based systems to cut down on the amount of duplication I have to deal with. In particular, I’m not all that happy about how social network platforms want to provide their own federated ID for all of the networks they operate. I know most of them are doing a terrible job at that.
I use manually created passwords and allow the Windows Live Toolbar to remember them for me. Ed, how do you feel about programs like KeePass and Password Safe? I’ve never used anything like that but am interested. Do you feel they are “safe”?
For several important sites I use a strong password (but the same one). For the rest of the unimportant internet, the same email and password. I don’t care what happens with my login there 🙂
Our company uses the Aladdin eToken USB key for secure access, user authentication, file encryption, and digital signatures, and it also doubles as a detachable hardware password manager. It is more of an enterprise solution, but I highly recommend it.
I primarily use PasswordSafe. Schneier did create this program but hasn’t had anything to do with the program for some time now.
Ed, I keep most of my security type data in a password protected Quattro Pro file.
At work, I keep my username/password combinations in a LockNote file. It gives you, essentially, an encrypted Notepad file. At home, I keep them in an Excel spreadsheet, secured in a Cryptainer LE file, which I mount as a removable drive to access.
Either way, I only have one (very secure) password to remember to gain access to a list of all my “secure” (and harder to remember) passwords.
Now, that’s how I handle the passwords for sensitive stuff. For run-of-the-mill you-have-to-signup-to-use-them Web sites, I have a generic, relatively unsecured password. For sites that are moderately sensitive, I have a second-tier, more secure, less often used password.
I always maintain a unique secure password for my Web e-mail, never having the same password on a site that I am providing my e-mail address to.
My strategy is similar to Shawn Oster’s. I reuse a set of passwords depending on the sensitivity of the site. I generally use long passwords or passphrases that include special characters and numbers and that are not in the dictionary.
* For low security sites like forums or tech support sites, I tend to reuse the same password.
* For medium security sites like my webmail or retail sites, I tend to reuse a set of several different passwords.
* I use yet another password for any site that involves online banking, loans, my SSN, etc.
I store all my passwords in PassKeeper – http://www.passkeeper.com/, which I like because it doesn’t require an install, so the entire password directory is portable.
I think it’s an EXTREMELY bad idea to store any password you want to keep in a browser – especially Internet Explorer. If I were a hacker, I’d be spending quite a bit of my time picking apart the password storage facility of web browsers.
I don’t logon to online banking sites or my company’s web mail from public computers. Every time I go to an IT conference, I watch a bunch of (presumably) domain admins logon to their webmail from the PCs at the conference. If someone puts keyloggers (http://www.keyghost.com/USB-Keylogger.htm) on those machines, those admins just lost the keys to the kingdom.
I use a text file on my home computer, accessible by one user, that my wife and I su to when it is needed.
I do store passwords in Firefox. I don’t know if there are any sites that allow password storing in IE and/or Firefox that I purposely don’t save. So, yeah, I probably should change that, although I think all of my banks have purposely disabled auto-storing by the browser.
I have four levels of passwords. I use the username or the name of the site for the sites I really don’t care about. I have a pattern-ish scheme for the medium level; because I know my system, I can generally guess the one I used given a particular site name, domain name, etc. And then for “secure” sites, utilities, banks, etc. I use pretty hard passwords that I generally don’t remember unless I use the site often enough. And then my logins to machines and servers are the most secure, and I remember them, but they are stored in a root-only accessible file on my home computer.
My home computer is ssh-accessible, so I’ll login from work to check the passwords. To check it requires two passwords.
I use Password Safe at work, and at home I use the Personal page in OneNote (locked by a password) and (for convenience) the Windows Live Toolbar form fill add-on (also protected by a password). I am still considering using a USB key with Password Safe for all of my passwords so they are portable, but I haven’t gotten there yet.
I use TurboPasswords by Chapura. That way, I can sync the passwords to my Treo, so I have my passwords with me if I need them.
It’s the standard wallet style program otherwise. Encrypted, and you need a password to enter. It also has an IE (and Firefox as well) toolbar, so that I can fill in the fields automatically. That usually works for most stuff, except for the financial stuff…
Ed: I use SplashID for password storage (strong encryption and Mac, PC, and Palm clients that all sync). I use the biometric scanner built into the Lenovo X60t Tablet PC to link the strong passwords I generate in SplashID to my fingerprints, and on the Mac I use the Keychain to store and access these same passwords. It’s been working out great.
I use RoboForm to automatically generate strong passwords and enter them into web pages. I am in the process of swapping all my passwords to 60-bit strong passwords that I can’t even remember.
I use ewallet to store any other kind of info.
Ed,
I use Darn! Passwords! first written by EmmaSoft, but sold to Thornsoft Development in 2003. They haven’t upgraded it since 2004, so I’ve been migrating to KeePass recently.
I do let Firefox remember certain passwords to really non-important sites like the WSJ etc. I generate my own passwords with a small random number generator utility that I wrote. The generator gives me a 10-character password of letters, numbers and characters. I change the case where I want to.
I store the password files backed up on a flash drive that sits at home in the back corner of my closet safe in the bedroom.
Ray
Hello, glad to see PassPack mentioned among the comments (thank you Claus). I can understand being worried about passwords stored online, but PassPack does offer many security features, number one on the list the fact that your passwords can’t be read even by PassPack itself.
The big pull towards online password management is usually portability – 24/7 web access. No USB stick to carry around, and fully cross platform.
In the end, you need to weigh your options and decide which password manager to use – offline, or online. That’s a personal decision.
Good luck with it all. Here are a few links:
Compare Online vs. Offline Password Managers
About PassPack’s Security
and of course…
Get a free PassPack account (sorry, couldn’t resist – after all, I’m a co-founder).
Cheers,
Tara
I’ve used Roboform for years. Use their password generator to generate 60 character passwords with 347 bit strength and protect the whole mess with a Master Password. Has never let me down. Use it both with Firefox and IE7. Disappointed that it won’t work in Opera.
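The generation practice described in the KeePass comment above (maximum length the site allows, full range of characters it allows, random choice) and the length/bit-strength figures in the RoboForm comment can be checked with a small generator. This is an added example written for this thread, not code from KeePass, RoboForm or any commenter; the character classes and the site policy values are constructed for illustration.

```python
import math
import secrets
import string

# Constructed character classes; a real site policy would dictate these.
DEFAULT_CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&*+-=?@^_",   # constructed subset of safe symbols
}


def generate_password(length, classes=DEFAULT_CLASSES,
                      required=("lower", "upper", "digit", "symbol")):
    """Return a password of exactly `length` characters drawn uniformly from
    the union of the allowed classes.

    secrets.choice uses the OS CSPRNG and picks without modulo bias, which is
    the property that matters when a manager generates the password for you.
    The loop retries until every required class appears, so the result also
    satisfies the common "must contain a digit and a symbol" site rule.
    """
    if length < len(required):
        raise ValueError("length too short to contain every required class")
    alphabet = "".join(classes[name] for name in classes)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in classes[name] for ch in pw) for name in required):
            return pw


def passes_policy(pw, classes=DEFAULT_CLASSES,
                  required=("lower", "upper", "digit", "symbol")):
    """Check that a password uses only allowed characters and hits every
    required class; useful for validating a manager's output against a site."""
    alphabet = set("".join(classes.values()))
    return (all(ch in alphabet for ch in pw)
            and all(any(ch in classes[name] for ch in pw) for name in required))


def entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random password: length * log2(alphabet_size).
    Requiring specific classes trims this slightly, so treat it as an upper
    bound, which is how "N-bit strength" figures are usually quoted."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(60)
    size = sum(len(v) for v in DEFAULT_CLASSES.values())
    print(pw, passes_policy(pw), round(entropy_bits(size, 60), 1))
```

With the 75-character alphabet above, a 60-character password is worth about 374 bits; the figures quoted in the thread depend on whatever alphabet the manager was configured to use.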
I too use RoboForm. Works great, handles all my passwords and logins, plenty of features and no problems or errors so far.
I’ve got an interest in these tools, especially two-factor authentication and SSO. I’ve looked at solutions by RSA (SecurID) but tbh found the interface clunky and difficult to manage. The other one I’ve seen (albeit only a demo) is ActivIdentity, though I’ve recently heard about a solution from a company called Vasco. Both Vasco and ActivIdentity, or so I believe, do SSO options. The Vasco solution was introduced to me whilst looking at a product called Netilla which offers secure remote access without a VPN – although it uses a fair amount of Java.
Hope this helps, feel free to pop by and say hello at my place:
http://theitmanagersjournal.blogspot.com
Jas.
I use RoboForm and the fingerprint reader that came w/ the Toshiba Satellite I’m using now. It’s really helped w/ the 30 or so passwords I have. The fingerprint reader is used for computer and Windows XP security, and RoboForm for all the different websites… Works great.
I use Free Password Manager Plus; unlike RoboForm it is free. It has a master password that makes my life easier, as I just have to remember one complicated password and Billeo remembers the rest of them. My passwords are encrypted and stored in a Password Vault. I love the additional features such as Auto-fill forms and Save Page. Check out the link: http://www.billeo.com