
Password managers are great tools: they not only keep track of your passwords, they also make it easier to use them securely.

Recently I tried to use RoboForm for an account at a large financial institution, but I couldn't get it to work. In response to my inquiry, this institution said they do not permit log in using credentials that are stored on software because the security of the password could become jeopardized if my computer were hacked, invaded, etc. Is this true? Am I safer not to use RoboForm?

Technically they are mostly correct.

But not-so-technically I believe - strongly - that they are seriously misguided.

Using a password manager like Roboform is significantly safer than the alternatives most people choose.

The real problem is that most people will not do what your bank really wants you to do.

And I'll admit it - I don't do what your bank wants you to do either.

What the Bank Wants

By preventing you from using a password manager, it's pretty clear that your bank wants you to:

  • Have a good, strong password

  • Keep it nowhere but in your head

Yes, that would be ideal.

It's also impractical in my opinion.

As far as I'm concerned those two requirements are mutually exclusive - particularly if you also keep to best practices and never use the same password for more than one (important) site.


Without a Password Manager

Faced with the restriction of not being able to use a password manager, most people will compromise their security in some other way.

  • They'll choose a less secure password that's easy for them to remember.

  • They'll use the same password at multiple sites in addition to their bank.

  • They'll save the password on their computer using some other, less secure technology.

  • They'll write the password on a sticky note kept close to the computer.

As you can see, in my opinion preventing use of technology specifically designed to keep passwords secure doesn't increase security. When you factor in human nature it significantly decreases overall security.

But the Bank is Right, Sort Of

Ultimately the bank is correct in that if your computer is compromised all bets are off. Malware could gain access to whatever it is you have stored on the computer.

For example while I'm logged into LastPass, or while a TrueCrypt volume is mounted, all the information in each is technically available to software running on my machine - good software or bad.

That's a serious concern and not to be taken lightly. Some have suggested avoiding Windows completely for online banking to reduce (though not eliminate [1]) the risk of malware. Some avoid online banking completely (though that, too, is not without its risks).

But from a practical perspective, online banking is simply too convenient for the average person to take such extreme measures. As a result banks should be encouraging best practices, not arbitrarily ruling out classes of software specifically designed to improve overall security.

Particularly when ruling out those tools will, as a practical result, cause people to use even less secure alternatives.

But are Roboform and Lastpass Safe?

Used properly, yes. In fact, I'll go so far as to say that they are safer than almost any practical alternative that you might think of.

Of course there are no absolutes - that, too, is a practical reality. As I said earlier if you fall victim to malware then all bets are off, no matter what technique you use to keep your password information.

In fact, I'll put it this way: password managers are the safest way to keep a record of your online account information, but they are no safer than:

  • the master password you use to access the password manager

  • your own ability to use your computer safely

The last one scares most people, but my claim is that using password managers is, in fact, one way to use your computer more safely.

What Roboform and Lastpass Really Add

Tools like these add several features that are convenient - the ability to use them from multiple computers and mobile devices, the ability to automatically fill in not just passwords but common web forms, and the ability to store arbitrary notes securely are all convenient and handy.

But to me the real value of tools like Roboform and Lastpass [2] is that they make best practices easier. Using a password manager allows you to:

  • easily generate and use secure, completely random, and appropriately long passwords without ever needing to type or remember them

  • easily use different passwords on different sites

These are things that people typically don't do unless they have a tool in place to help them.
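As an added illustration (example code written for this page, not code from the original article or from either product), here is what "completely random, appropriately long" means in practice: draw each character from the operating system's cryptographic random number generator, size the password by its entropy in bits rather than by feel, and generate an independent password per site. The alphabet, the 100-bit target and the site names are assumptions made for the example.

```python
"""Added example: CSPRNG password generation sized by entropy.
Not code from the article, Roboform or Lastpass; alphabet, target
entropy and site names are assumptions for the illustration."""
import math
import secrets
import string

# Assumed alphabet: letters, digits and 25 common symbols (87 symbols total).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{};:,.<>?"


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of `length` symbols drawn
    from `alphabet_size` symbols: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Smallest length whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Each character is chosen independently and uniformly with
    secrets.choice (OS CSPRNG). random.choice is seeded predictably and
    must not be used for this."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_vault(sites, target_bits: float = 100.0, alphabet: str = ALPHABET):
    """One independently generated password per site, so no two sites share
    one: the second best practice in the list above."""
    length = length_for_bits(target_bits, len(alphabet))
    return {site: generate_password(length, alphabet) for site in sites}


def all_unique(vault) -> bool:
    """True when no password in the vault is reused for another site."""
    return len(set(vault.values())) == len(vault)


def expected_years_to_guess(bits: float, guesses_per_second: float) -> float:
    """Expected time to brute-force: on average half the keyspace is searched."""
    return (2 ** bits) / 2 / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Constructed comparison: a memorable 8-char lowercase password versus
    # a generated 16-char one from the 87-symbol alphabet.
    print("8 lowercase chars:", round(entropy_bits(8, 26), 1), "bits")
    print("16 chars, 87 symbols:", round(entropy_bits(16, len(ALPHABET)), 1), "bits")
    vault = generate_vault(["bank", "email", "shop"])
    for site, pw in vault.items():
        print(site, pw)
    print("all unique:", all_unique(vault))
```

An eight-character lowercase password, the kind people can actually remember, carries about 38 bits; sixteen characters from the 87-symbol alphabet above carry over 100 bits, and at a billion guesses per second the first falls in seconds while the second is out of reach. That gap, and the fact that every site gets its own independently drawn password, is what the tool buys you.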

What I Do

Here's what I do.

I keep my machine(s) secure - the traditional stuff that you hear over and over: keep the system and software up to date, run up-to-date scans, avoid malicious websites and downloads [3], don't fall for phishing, and so on. (Internet Safety: How do I keep my computer safe on the internet? is a fine place to start if you're not sure.)

I use Lastpass (I have used Roboform and still recommend it - either will do) to manage my passwords and some additional security information.

I use the Google Authenticator form of two-factor authentication to access my Lastpass vault. (There are several forms of two-factor authentication available in Lastpass.) What two-factor authentication boils down to is that if I'm not logged into my Lastpass account then you can't get in even if you know my master password. To get access to my Lastpass vault you would need both my master password and my cellphone.

Even with two-factor authentication I keep my master password secure and complex.

And yes, I bank online. In Windows. [4]

I'm not going to claim it's impossible for anything to happen - that'd be a foolish claim. I am, however, satisfied with the risks and trade-offs.

Let's face it, even doing business off-line has risks and trade-offs.

References

Online banking has multiple elephants in its room - Michael Horowitz, Computerworld.

Defensive banking - Michael Horowitz, Computerworld.

[1]: Many vulnerabilities are platform-independent, such as browser-based issues or phishing attempts.

[2]: Roboform and Lastpass are the two password managers I am personally familiar with. While I know that there are others - several very popular - I can't personally speak to their relative safety, pro or con.

[3]: Not always easy, given what I do for a living. If I'm ever tempted to open or run something questionable I'll fire up a virtual machine - possibly running Ubuntu Linux instead of Windows - and research the item there first before even thinking about running it directly.

[4]: And Mac. And Linux. And Android. In part, because Lastpass works on all.

Article C5555 - July 6, 2012

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18-year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


31 Comments
PC Resolver
July 7, 2012 12:51 AM

I totally agree! I used Roboform but I find LastPass to be superior in many ways. Not least of which is that it is easily available to me on any platform.
I am so reliant on it that it now contains all the info required In Case of Emergency (ICE). My dependants have half the password each so that should anything happen to me they can gain access to my LastPass account in which they will see not only my passwords but instructions on how to deal with other matters.
I highly recommend this. The free version of LastPass is all you really need but please consider supporting them by upgrading to the Pro version for $1 a month. I do.

Dave Smithson
July 7, 2012 3:31 AM

I have used KeePass for the last few years - free, easy, convenient and safe. I can strongly recommend it.

Rachael Morris
July 7, 2012 6:45 AM

The reason banks don't allow password managers is not technical - they can and do hire top tech brains - but legal - they can and do hire top legal brains too. If they take certain preventive measures they shift the responsibilities to the customer. The customer is supposed to keep the password safe, isn't it?

Basically they want only customer entered inputs at the website (or the app); not any software accessed. Having deep pockets, they can be deemed responsible if they don't have such usage restrictions.

Technology may solve our problems but legal system can and will prevent it from being used. You will be surprised how much of our life is governed by legal system lurking hidden behind us.

Billy Bob
July 7, 2012 7:08 PM

Leo, you sound like a candidate to join my one-man crusade against expiring passwords. No computer security measure could be more irritating. Password expiration policies only reduce security for many of the same reasons as not allowing password managers.

Salvador
July 9, 2012 9:16 AM

I have been watching the debate concerning password managers. I know the idea is nice because it makes it easier to manage 30 different passwords. I also agree somewhat with the bank.
But ultimately the fact is strong passwords do not replace the need for other effective security controls. These banks need to add additional layers of authentication for access and transaction verification without unreasonable complexity, and this will help their customers by implementing some form of 2FA where you can telesign into your account and have the security of knowing you are protected if your password were to be stolen. This should be a prerequisite to any system that wants to promote itself as being secure. With this, if they were to try to use the "stolen" password and don't have your phone nor are on the computer, smartphone or tablet you have designated trusted, they would not be able to enter the account. This is one of the biggest problems with internet security: people are still encouraged to rely on their password as if it were all that is needed.

Mark J
July 9, 2012 9:32 AM

In many, if not all European countries, Banks use a 2 factor authentication system called the PIN and TAN system. A TAN is a Transaction Authorization Number, a one time password to complete a transaction. Under the older PIN/TAN system, the bank would send you a list of 100 TANs and upon entering the information, the website asks for a specific random TAN from the list. In order to do away with a printed list which could be a weak link in the operation, many banks are switching to sending a text to your phone or using a TAN calculator. This calculates your TAN when you insert your bank card and enter a challenge code and your card PIN.

Jeff Niemuth
July 10, 2012 8:42 AM

So if our wonderful "copy-me" litigation avoidance system is behind this "conspiracy" how long will it be before all major web destinations adopt the "no robo login manager" policy? (I wonder if somebody has a patent on the technology to make robo-managers not work...)

But the thing that absolutely infuriates me is when I forget a password and the site (some, not all) helpfully sends it back to me - in plaintext email! Have they not heard of (decades old) one way encryption? This is even worse than robo-managers because the user has no control over security management on the other end of the wire to these sites. How many times have major breaches happened to large companies/websites? I would love to publish a list of these sites and embarrass the heck out of them but then that would be compromising security too. This factor alone makes using the same password at more than one site an absolute no-no. So, Leo, I am all for best security practices by everyone but there are some outfits that are a few brains short of a full kindergarten, tech, legal or otherwise, and there is not much we can do about that.

Tom R.
July 10, 2012 9:01 AM

I happen to use KeePassX as my password manager. I simply copy-and-paste my passphrase into the login form field. My bank is none the wiser.

bob price
July 10, 2012 9:06 AM

I have set my bank [B of A] online banking features to NEVER allow a withdrawal, transfer, or check unless I have previously approved it. So, a hacker could send a check to my previously approved list, like the phone company or PG&E. I doubt they would do that.

If I want to send money elsewhere, a new place, I have to create a new payee or transfer, and then I must use my SafeKey card that generates a new code number via algorithm. I enter that number into the bank info and the money moves.

I keep that SafeKey at home.

I also use a jumbled up set of letters for my user name, a 16 number\symbol\letter password. All my credit cards are set to notify me if used for over $100.

Am I perfectly safe? Of course not, but no key logger could enter my bank info without the SafeKey card that is kept at home.

And passwords are encrypted with TrueCrypt.

Neil Copeland
July 10, 2012 9:09 AM

I am an expert in bank regulations and security. All banks must comply with a significant set of internet banking security regulations. Included in them are mandatory specific multi-factor authentication procedures which are designed to ensure that only a real person sitting at a pre-authorized computer can access customer accounts. These specifications require that the authentication procedure eliminates the possibility of automatic sign-ons to the furthest extent of current technological means. Because of this and other specific Ebanking regulations, the banks have no choice but to inconvenience their customers in order to make the government happy. Can you imagine how much it costs the bank just to have customer service staff available 24/7 to deal with this kind of problem? And if someone does get in and steal your money the bank is usually liable. There is simply no legal way to make it easier for the customers. We bank operations professionals sure wish there was. Investment banks may not be appropriately regulated, but bank operations and security have been and still are. If you don't like it, remember November 6!

Al Kubeluis
July 10, 2012 10:01 AM

A big problem with pw managers is that you have all of your eggs in one basket. If your pw manager pw is compromised, then all of your assets are compromised.

RE Barwick
July 10, 2012 11:39 AM

Another method is to use "Your Password Card". Link is: http://www.passwordcard.org/en

An interesting concept.
Leo
10-Jul-2012

don rees
July 10, 2012 11:40 AM

Re Roboform and the safety issues using it: a couple of years ago I was using Roboform. I had the passwords for 4 bank accounts and maybe 40 online sportsbooks (all with money in them) stored there.
One morning I opened up my inbox and there was a message from a guy named {removed} (@yahoo7.com). He said to me, "I am a security expert, your master password at Roboform is {removed}," and it was.
He claimed it and all of the P/Ws at Roboform were "in the background" and anyone could see them.
I immediately closed my Roboform account. This guy, a very honest man, did not touch one cent of my money nor did he ever try and sell me anything.
Roboform told me "he is a keylogger", apparently either one who is only practicing or an honest one because he did not touch any of my money, so why bother being a keylogger when he had access to everything I had.
No more Roboform for me, thank you. Regards, Don Rees

Siegfried
July 10, 2012 1:22 PM

Don Rees, you got somehow infected with a keylogger; it is not the fault of Roboform. As soon as you typed your password into Roboform he could read it. Run several free anti-malware programs to get rid of it.

Rosie Perera
July 10, 2012 1:35 PM

I use what I think is an even more secure method. I use strong passwords, different ones for each account, and keep cryptic notes to myself that will help me (and me alone) to reconstruct what my passwords are if I forget them, which I do often. Yes, it's a bit of a pain having to go look up my hints to remind myself of what my password is every time I want to log onto a bank account or other online account, but I'd rather have to go through that than have it easily hackable. I *never* write my passwords down in plain text anywhere. Also, I always open a brand new browser window (not just a new tab) whenever I want to log onto a financial account, and I log off immediately and close the window afterwards, so that no other websites I happen to be connected to at the time could know what my bank URL is. I also practice all the safe computing practices Leo mentioned, so I'm pretty much not vulnerable to key loggers. I also reconcile all my financial accounts regularly against my own records (I don't trust downloading the transactions from the bank website) so I'll catch any fraudulent activity (or bank error) and be able to report it.

John Butler
July 10, 2012 1:38 PM

Leo is right that it is better to have a password manager like Roboform than to rely on common sense!
Roboform does not in my environment let me into online banking; it lets me access the entry to the account but I still have to enter the password for my account, which changes every day.
Moreover, a big added facility with Roboform is that you can carry access to your passwords with you on a memory stick, and you have only to remember the master password, which can be sixteen characters long.

Don Bell
July 10, 2012 3:10 PM

I use KeePassX to generate my various passwords. How does KeePassX compare to Roboform and/or LastPass? Should I consider dropping KeePassX and move over to either of the alternatives, or am I in good shape with what I have? Up to the present I've had no problem with KeePassX. Thanks for your anticipated response.

I'm not familiar enough with KeePass to give a compare/contrast evaluation. I've heard good things about it, though. If it's working for you I don't know of a reason to change.
Leo
10-Jul-2012
Charles
July 11, 2012 2:44 AM

AOL has just offered its "Premium" paying members a bunch of free services. One is a password protecting software like Roboform and Lastpass. It is called "AOL OnePoint". AOL has been hacked before, so I don't know if I can be confident about this service. They don't give info as to who is behind the software ... and what experience they have. Help on this?

Lou Maule-Cole
July 11, 2012 2:50 AM

I have been using RoboForm for many years and have never had a problem. RoboForm generates very secure passwords and also enables one-click logging in to all your secure web sites. It's invaluable, especially if you have a memory like mine. I recommend it to all my friends.

Pete Miles
July 11, 2012 3:18 AM

In the UK banks have a variety of methods of logging on. My bank uses a client number as the first part, then a variation on a password, and last, a variation on a really long user invented word.

So every time a user logs on they are asked for entirely different variations of parts 2 and 3.

So using LastPass doesn't work because we have no idea what we will be asked when we log on.

For everything else I use LastPass based on Steve Gibson's recommendations and Leo's suggestions.

donotreadonme
July 11, 2012 4:53 AM

In conjunction with Speed Dial this is a cool way to automate and manage accounts. Speed Dial allows you to set up unlimited webpages listing sites anyway you want to categorize them. You click on the pointer and Last Pass logs you in. Roboform ticked me off after they tried charging me more money to upgrade to their Windows 7 version. I had paid for a lifetime subscription.

bob
July 11, 2012 6:04 AM

Most banks or financial institutions use an electronic key without which you cannot access your bank account.

I'm afraid it's not "most" banks. Those that do offer two-factor authentication are few and far between here in the US.
Leo
11-Jul-2012

Gord Campbell
July 11, 2012 2:11 PM

Horse Puckey! I have a file folder which contains my (more than 50) passwords. I keep it physically secure. When I log on to a site, I type my password. Oh, I also use Linux, so I'm safe these days.

Kenny Driver
July 12, 2012 8:51 AM

Norton now has a password toolbar that works very well: Identity Safe. It's less buggy than Lastpass.

Maraiah MLynn
July 12, 2012 12:46 PM

I've been using Roboform for over 6 years and I feel very safe using it. Especially the new Everywhere service. You can read more on the safety of it here (I found this on their web site): http://www.roboform.com/everywhere/security.

James
July 14, 2012 9:16 AM

Work requires that I have different passwords for the various things that I access (Windows logon, mainframe logon, Compensation website, encryption software, etc.). And work forces you to change your passwords every 90 days and repeating previous passwords does not work, nor does it work if the password is too similar. Passwords must be strong passwords. And writing down your passwords is a no-no.

A couple years ago, I came up with a "formula" that fit the password requirements. Every 90 days I can use the "formula" again to come up with the new set of passwords for the various systems. All I really have to remember is the "formula." I can always figure out my password if I forget what it is.

ThomasGC
July 17, 2012 11:28 AM

I and the rest of my household use LastPass, each with our own YubiKey second-factor security. Works like a dream. Very impressed with the service and there's an Android app too, as well as an add-on for the Dolphin browser.

Tregonsee
July 27, 2012 11:53 AM

Roboform is slowly finding ways around those institutions which try to prevent its use. I only have one problem account, and it works with IE, but not Firefox. No problem, since I only access it once or twice a month.

I have one user name and password which I have been using since 1978 when I had a Department of Energy network account. It exists on literally hundreds of places, but all are in the "Don't Care" category. The simplicity of always knowing what it is far outweighs the possible problems of compromise. The few accounts which matter, such as banks, email accounts, and a few professional sites, are all long, complicated, and different.

Byron
August 1, 2012 8:23 AM

I've used Roboform for years. Main reason I began using it was to protect against KEYLOGGERS. I use Viper Anti-virus. Great combination!

John Butler
August 29, 2012 2:27 AM

I strongly support Leo's recommendation to use Roboform as a password manager. I just add that, as it is so secure, make sure you back up the Roboform data on an external disk in case you have a crash. If you do not do this a crash may cause loss of all password information, which can be a serious problem.

Jerome Bush
August 31, 2012 5:46 PM

I have to agree with Tregonsee . I got the idea from the book, Lord of the Rings. In the fortress, there were "lesser passwords" that were taught to everyone. Then, there were stronger passwords for more important stuff and more important people.
