Helping people with computers... one answer at a time.
Password management utilities are great tools to not only manage your passwords, but be more secure about how you use them.
Recently I tried to use RoboForm for an account at a large financial institution, but I couldn't get it to work. In response to my inquiry, this institution said they do not permit log in using credentials that are stored on software because the security of the password could become jeopardized if my computer were hacked, invaded, etc. Is this true? Am I safer not to use RoboForm?
Technically they are mostly correct.
But not-so-technically I believe - strongly - that they are seriously misguided.
Using a password manager like Roboform is significantly safer than the alternatives most people choose.
The real problem is that most people will not do what your bank really wants you to do.
And I'll admit it - I don't do what your bank wants you to do either.
By preventing you from using a password manager, it's pretty clear that your bank wants you to:
Have a good, strong password
Keep it nowhere but in your head
Yes, that would be ideal.
It's also impractical in my opinion.
As far as I'm concerned those two requirements are mutually exclusive - particularly if you also keep to best practices and never use the same password for more than one (important) site.
Faced with the restriction of not being able to use a password manager, most people will compromise their security in some other way.
They'll choose a less secure password that's easy for them to remember.
They'll use the same password at multiple sites in addition their bank.
They'll save the password on their computer using some other, less secure technology.
They'll write the password on a sticky note kept close the computer.
As you can see, in my opinion preventing use of technology specifically designed to keep passwords secure doesn't increase security. When you factor in human nature it significantly decreases overall security.
Ultimately the bank is correct in that if your computer is compromised all bets are off. Malware could gain access to whatever it is you have stored on the computer.
For example while I'm logged into LastPass, or while a TrueCrypt volume is mounted, all the information in each is technically available to software running on my machine - good software or bad.
That's a serious concern and not to be taken lightly. Some have suggested avoiding Windows completely for online banking to reduce (though not eliminate1) the risk of malware. Some avoid online banking completely (though that, too, is not without its risks).
But from a practical perspective, online banking is simply too convenient for the average person to take such extreme measures. As a result banks should be encouraging best practices, not arbitrarily ruling out classes of software specifically designed to improve overall security.
Particularly when ruling out those tools will, as a practical result, cause people to use even less secure alternatives.
Used properly, yes. In fact, I'll go so far as to say that they are safer than almost any practical alternative that you might think of.
Of course there are no absolutes - that, too, is a practical reality. As I said earlier if you fall victim to malware then all bets are off, no matter what technique you use to keep your password information.
In fact, I'll put it this way: password managers are the safest way to keep a record of your online account information, but they are no safer than:
the master password you use to access the password manager
your own ability to use your computer safely
The last one scares most people, but my claim is that using password managers is, in fact, one way to use your computer more safely.
Tools like these add several features that are convenient - the ability to use them from multiple computers and mobile devices, the ability to automatically fill in not just passwords but common web forms, and the ability to store arbitrary notes securely are all convenient and handy.
But to me the real value of tools like Roboform and Lastpass2 are that they make best practices easier. Using a password manager allows you to:
easily generate and use secure, completely random, and appropriately long passwords without ever needing to type or remember them
easily use different passwords on different sites
These are things that people typically don't do unless they have a tool in place to help them.
Here's what I do.
I keep my machine(s) secure - the traditional stuff that you hear over and over: up-to-date, up-to-date scans, avoid malicious websites and downloads3, don't fall for phishing, and so on on and so on. ( Internet Safety: How do I keep my computer safe on the internet? is a fine place to start if you're not sure.)
I use Lastpass (I have used Roboform and still recommend it - either will do) to manage my passwords and some additional security information.
I use the Google Authenticator form of two-factor authentication to access my Lastpass vault. (There are several forms of two-factor authentication available in Lastpass.) What two-factor authentication boils down to is that if I'm not logged into my Lastpass account then you can't get in even if you know my master password. To get access to my Lastpass vault you would need both my master password and my cellphone.
Even with two-factor authentication I keep my master password secure and complex.
And yes, I bank online. In Windows.4
I'm not going to claim it's impossible for anything to happen - that'd be a foolish claim. I am, however, satisfied with the risks and trade-offs.
Let's face it, even doing business off-line has risks and trade-offs.
Online banking has multiple elephants in its room - Michael Horowitz, Computerworld.
Defensive banking - Michael Horowitz, Computerworld.
1: Many vulnerabilities are platform-independent, such as browser-based issues, or phishing attempts.
2: Roboform and Lastpass are the two password managers I am personally familiar with. While I know that there are others - several very popular - I can't personally speak to their relative safety, pro or con.
3: Not always easy, given what I do for a living. If I'm ever tempted to open or run something questionable I'll fire up a virtual machine - possibly running Ubuntu Linux instead of Windows - and research the item there first before even thinking about running directly.
4: And Mac. And Linux. And Android. In part, because Lastpass works on all.
Comments on this entry are closed.
If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.
If you don't find your answer, head out to http://askleo.com/ask to ask your question.