Helping people with computers... one answer at a time.

Utilities that remember and enter passwords for you are helpful and convenient, but are they secure? When used properly: absolutely.

Leo, do programs (I'm thinking of browser helpers in particular) which memorize and play back passwords/personal information really provide added security along with the their obvious convenience? Will a key logging program just record mouse clicks if I use the program to input my credit card info? Are there programs that will sniff (the credit card info) as it put into the order form? Does having the stored password personal information on my computer put me at risk (even though I assume it is encrypted)?

There is risk in everything, even getting out of bed in the morning.

The challenge is to choose those tools, techniques and habits that minimize your exposure to risk.

Using a password safe, using it in the right way, and using it in conjunction with habits you should already have to stay safe, is in my opinion much, much more secure than the alternatives.

I happen to use Roboform, but there are several alternatives and variations on the theme.

In general, the single biggest advantage that they bring to the table is that you can safely select and use multiple arbitrarily complex passwords that you simply don't need to remember. This is big. It renders you almost completely immune from people stealing or remembering your password manually, or guessing your password even through automated means.

"With or without a password safe, you must take steps and develop habits to avoid malware."

Like I said, that's big.

It's the difference between common passwords of the form word-digit-word, and "e7J8VHaXe7". It's the difference between having one password you can remember and using it everywhere, and having a different complex password for every site you visit.

Did I mention that I think that's big?

A different, extremely secure password for every site that you visit. That's, by far, the biggest reason I recommend using these tools. Sure, there are other conveniences, and that's fantastic, but being able to use maximally secure passwords all over is what does it for me.

You can still screw it up.

Now, having a password safe doesn't remove the need to continue to act responsibly.

For example, you asked about a key logger. I'll be more general: once you're infected with anything, all bets are off - whether or not you're using a password safe. Of course a key logger could intercept the strings that the password safe is "typing in" on your behalf. A password safe doesn't protect you from this.

But neither is it any riskier. In fact, I'd guess that you're slightly safer:

  • Without a password safe you use the same password (or just a couple) everywhere. A key logger comes in, captures it, and now has the password to several of your accounts.

  • With a password safe, you choose to use a different and complex password for each site. The key logger gets one password for only one account.

But with or without a password safe, malware is something that you need to avoid anyway - simply because once you're infected, all bets are off. You don't know what the malware is doing, capturing and compromising.

With or without a password safe, you must take steps and develop habits to avoid malware.

Finally, as you've pointed out, the password safe will typically keep its data in some kind of encrypted form. That means it's your responsibility to choose and remember one strong password to access that encrypted data. If you choose a simple easy guess password, someone could come along, guess the password to your password safe, and see everything inside.

But one complex password should be much, much easier to remember than a different one for each site.

Article C3692 - April 1, 2009 « »

Share this article with your friends:

Share this article on Facebook Tweet this article Email a link to this article
Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

13 Comments
Dave Hartley
April 1, 2009 3:28 PM

One plug-in for Firefox which I've been playing with is PasswordMaker. This uses a "master password", the web address of the site, your user name, and any other information you want to use to generate passwords on-the-fly using a hash algorithm. I really like the idea of creating passwords like this -- no saved password lists in your browser, it just re-creates the password time after time.

Still haven't gone with it totally yet, though, for one very simple reason -- portability. Even though they have a website that can generate the passwords if you're away from your computer, it just not as easy to use as the plug-in. I'm still trying to work out a "best practice" for using it, but I think there's merit in the idea ...

rammolo
April 1, 2009 5:20 PM

You can check for your password strength here.

http://www.microsoft.com/protect/yourself/password/checker.mspx

Dave
April 7, 2009 9:38 AM

If you don't want to even chance someone hacking your computer for passwords, try cloakpass.com as nothing is stored and you can easily scramble your simple passwords. It's free.

Yoshi
April 7, 2009 10:07 AM

CloakPass.com is interesting because it's a totally different approach. It doesn't store your passwords in a vault that can be stolen or hacked... it doesn't store them online... It stores them in your own brain. It's not a web tool and it allows you to have passwords like %43kjl6^^@#K and not have to even type it in... It's a totally new approach to password management. www.cloakpass.com..... it's not a plugin.... so you can use it for ANYTHING (except logging into windows its self)

Since you didn't say what CloakPass is I went and looked. It's something you install in Windows that, on demand, lets you type in a plain text password that you would remember and converts what you type on the fly to more obscure characters. On the surface, an interesting idea.

It does mean that you must have CloakPass installed to login to anything for which you chose to use it. They make it easy(ish) to "mail yourself" (as they put it) the program, but it requires .NET framework, so you're not going to use it from other platforms like Linux or Mac.

The idea is interesting, but I'm not at all convinced of its practicality for the average user.
- Leo
08-Apr-2009

Richard
April 7, 2009 11:38 AM

Leo,

I've been using KeePass password safe for a few weeks now. But I've always wondered if I am vulnerable to being hacked while KeePass is opened. In other words, is it important for me to keep the password safe locked when not in use, or can I leave it unlocked and on my taskbar? It's kind of a hassle to have to key in my master password every time I want to use the safe. But, my assumption is that while unlocked, I am vulnerable to any sort of online attack. Please advise.

It's as safe as any information on your computer. If your computer is infected with a keylogger, for example, where you store your passwords won't matter - the keylogger will capture your entry. I've not heard of any malware that actively hunts for password safes, though.

Bottom line: a password safe is part of a strategy to stay safe, but it's no replacement for making sure that you don't get infected. Once infected, all bets are off.
- Leo
08-Apr-2009

Gigi
April 7, 2009 1:57 PM

I think the best solution is the Wand facility from Opera browser, it's already integrated in the browser (no aditional problems with another, separate program like Roboform) and the data is very well encripted. Online sites like Gator or CloakPass are the absolute worst solution, it would be safer to put your passwords on a billboard and hope nobody reads them.

Gord Campbell
April 7, 2009 5:30 PM

If you use a password safe, one thing is guaranteed: one day, you will lose all your passwords. My preference is a file folder that is in a stack of file folders near my computer, with all my passwords written on the inside of the folder. And the really essential ones, on a slip of paper in my wallet when I travel, with hints as to what they are the password to, not the actual web site name.

As long as you back up regularly, there's no need to ever lose your password safe or its contents. Paper by the desk is notoriously unsecure.
- Leo
08-Apr-2009

dave
April 7, 2009 8:34 PM

i just tried out LAST PASS and i like it better than roboform. it really is awesome.

Glenn P.
April 8, 2009 5:20 AM

Does anyone know of a password keeper that uses Blowfish? I have just learned -- to my astonished dismay -- after years of contented usage, that the password manager which I *thought* used Blowfish, in fact uses nothing of the kind! Any suggestions for a new one?

Ken Crook
April 11, 2009 10:47 PM

After I had bought the new Norton AntiVirus 2009, I noticed another version of Norton AntiVirus that seemed to have a password vault included. Has anyone seen this? Is the product any good?

Thomas
March 19, 2010 6:03 AM

I use LoginTrap.Itís prog can capture every login events by using iSight.It really good prog.

Vally
June 2, 2010 8:55 AM

I prefer to use LoginTrap. It is for Mac OS.

Hank
July 21, 2010 5:01 AM

Try to use LoginTrap.Itís tool can capture every login events.I use this tool and I know who logs on my Mac. Itís really good program. Try)

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to http://askleo.com/ask to ask your question.