Helping people with computers... one answer at a time.
Password management utilities are great tools to not only manage your passwords, but be more secure about how you use them.
Recently I tried to use RoboForm for an account at a large financial institution, but I couldn't get it to work. In response to my inquiry, this institution said they do not permit log in using credentials that are stored on software because the security of the password could become jeopardized if my computer were hacked, invaded, etc. Is this true? Am I safer not to use RoboForm?
•
Technically they are mostly correct.
But not-so-technically I believe - strongly - that they are seriously misguided.
Using a password manager like Roboform is significantly safer than the alternatives most people choose.
The real problem is that most people will not do what your bank really wants you to do.
And I'll admit it - I don't do what your bank wants you to do either.
•
What the Bank Wants
By preventing you from using a password manager, it's pretty clear that your bank wants you to:
-
Have a good, strong password
-
Keep it nowhere but in your head
Yes, that would be ideal.
It's also impractical in my opinion.
As far as I'm concerned those two requirements are mutually exclusive - particularly if you also keep to best practices and never use the same password for more than one (important) site.
Without a Password Manager
Faced with the restriction of not being able to use a password manager, most people will compromise their security in some other way.
-
They'll choose a less secure password that's easy for them to remember.
-
They'll use the same password at multiple sites in addition their bank.
-
They'll save the password on their computer using some other, less secure technology.
-
They'll write the password on a sticky note kept close the computer.
As you can see, in my opinion preventing use of technology specifically designed to keep passwords secure doesn't increase security. When you factor in human nature it significantly decreases overall security.
But the Bank is Right, Sort Of
Ultimately the bank is correct in that if your computer is compromised all bets are off. Malware could gain access to whatever it is you have stored on the computer.
For example while I'm logged into LastPass, or while a TrueCrypt volume is mounted, all the information in each is technically available to software running on my machine - good software or bad.
That's a serious concern and not to be taken lightly. Some have suggested avoiding Windows completely for online banking to reduce (though not eliminate1) the risk of malware. Some avoid online banking completely (though that, too, is not without its risks).
But from a practical perspective, online banking is simply too convenient for the average person to take such extreme measures. As a result banks should be encouraging best practices, not arbitrarily ruling out classes of software specifically designed to improve overall security.
Particularly when ruling out those tools will, as a practical result, cause people to use even less secure alternatives.
But are Roboform and Lastpass Safe?
Used properly, yes. In fact, I'll go so far as to say that they are safer than almost any practical alternative that you might think of.
Of course there are no absolutes - that, too, is a practical reality. As I said earlier if you fall victim to malware then all bets are off, no matter what technique you use to keep your password information.
In fact, I'll put it this way: password managers are the safest way to keep a record of your online account information, but they are no safer than:
-
the master password you use to access the password manager
-
your own ability to use your computer safely
The last one scares most people, but my claim is that using password managers is, in fact, one way to use your computer more safely.
What Roboform and Lastpass Really Add
Tools like these add several features that are convenient - the ability to use them from multiple computers and mobile devices, the ability to automatically fill in not just passwords but common web forms, and the ability to store arbitrary notes securely are all convenient and handy.
But to me the real value of tools like Roboform and Lastpass2 are that they make best practices easier. Using a password manager allows you to:
-
easily generate and use secure, completely random, and appropriately long passwords without ever needing to type or remember them
-
easily use different passwords on different sites
These are things that people typically don't do unless they have a tool in place to help them.
What I Do
Here's what I do.
I keep my machine(s) secure - the traditional stuff that you hear over and over: up-to-date, up-to-date scans, avoid malicious websites and downloads3, don't fall for phishing, and so on on and so on. ( Internet Safety: How do I keep my computer safe on the internet? is a fine place to start if you're not sure.)
I use Lastpass (I have used Roboform and still recommend it - either will do) to manage my passwords and some additional security information.
I use the Google Authenticator form of two-factor authentication to access my Lastpass vault. (There are several forms of two-factor authentication available in Lastpass.) What two-factor authentication boils down to is that if I'm not logged into my Lastpass account then you can't get in even if you know my master password. To get access to my Lastpass vault you would need both my master password and my cellphone.
Even with two-factor authentication I keep my master password secure and complex.
And yes, I bank online. In Windows.4
I'm not going to claim it's impossible for anything to happen - that'd be a foolish claim. I am, however, satisfied with the risks and trade-offs.
Let's face it, even doing business off-line has risks and trade-offs.
References
Online banking has multiple elephants in its room - Michael Horowitz, Computerworld.
Defensive banking - Michael Horowitz, Computerworld.
1: Many vulnerabilities are platform-independent, such as browser-based issues, or phishing attempts.
2: Roboform and Lastpass are the two password managers I am personally familiar with. While I know that there are others - several very popular - I can't personally speak to their relative safety, pro or con.
3: Not always easy, given what I do for a living. If I'm ever tempted to open or run something questionable I'll fire up a virtual machine - possibly running Ubuntu Linux instead of Windows - and research the item there first before even thinking about running directly.
4: And Mac. And Linux. And Android. In part, because Lastpass works on all.
Article C5555 - July 6, 2012 « »
Leo A. Notenboom has been playing with computers since he
was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed.
After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers
to common computer and technical questions. More about Leo.
July 17, 2012 11:28 AM
I and the rest of my household use LastPass, each with our ownYubiKey second-factor security. Works like a dream. Very impressed with the service and there's an Android app too, as well as a add-on for the Dolphin browser.
July 27, 2012 11:53 AM
Roboform is slowly finding ways around those institutions which try to prevent its use. I only have one problem account, and it works with IE, but not Firefox. No problem, since I only access it once or twice a month.
I have one user name and password which I have been using since 1978 when I had a Department of Energy network account. It exists on literally hundreds of places, but all are in the "Don't Care" category. The simplicity of always knowing what it is far out weights the possible problems of compromise. The few accounts which matter, such as banks, email accounts, and a few professional sites, are all long, complicated, and different.
August 1, 2012 8:23 AM
I've used Roboform for years. Main reason I began using it was to protect against KEYLOGGERS. I use Viper Anti-virus. Great combination!
August 29, 2012 2:27 AM
I strongly support Leo's recommendation to use Roboform as a password manager. I just add that as it is so secure make sure you backup the Roboform data on an external disk in case you have a crash. If you do not do this a crash may cause loss of all password information which can be a serious problem
August 31, 2012 5:46 PM
I have to agree with Tregonsee . I got the idea from the book, Lord of the Rings. In the fortress, there were "lesser passwords" that were taught to everyone. Then, there were stronger passwords for more important stuff and more important people.
•
Comments on this entry are closed.
If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.
If you don't find your answer, head out to http://askleo.com/ask to ask your question.