Utilities that remember and enter passwords for you are helpful and convenient, but are they secure? When used properly: absolutely.

Leo, do programs (I'm thinking of browser helpers in particular) which memorize and play back passwords/personal information really provide added security along with their obvious convenience? Will a key logging program just record mouse clicks if I use the program to input my credit card info? Are there programs that will sniff (the credit card info) as it is put into the order form? Does having the stored password personal information on my computer put me at risk (even though I assume it is encrypted)?

There is risk in everything, even getting out of bed in the morning.

The challenge is to choose those tools, techniques and habits that minimize your exposure to risk.

Using a password safe, using it in the right way, and using it in conjunction with habits you should already have to stay safe, is in my opinion much, much more secure than the alternatives.

I happen to use Roboform, but there are several alternatives and variations on the theme.

In general, the single biggest advantage that they bring to the table is that you can safely select and use multiple arbitrarily complex passwords that you simply don't need to remember. This is big. It renders you almost completely immune from people stealing or remembering your password manually, or guessing your password even through automated means.

Like I said, that's big.

It's the difference between common passwords of the form word-digit-word, and "e7J8VHaXe7". It's the difference between having one password you can remember and using it everywhere, and having a different complex password for every site you visit.

Did I mention that I think that's big?

A different, extremely secure password for every site that you visit. That's, by far, the biggest reason I recommend using these tools. Sure, there are other conveniences, and that's fantastic, but being able to use maximally secure passwords all over is what does it for me.

You can still screw it up.

Now, having a password safe doesn't remove the need to continue to act responsibly.

For example, you asked about a key logger. I'll be more general: once you're infected with anything, all bets are off - whether or not you're using a password safe. Of course a key logger could intercept the strings that the password safe is "typing in" on your behalf. A password safe doesn't protect you from this.

But neither is it any riskier. In fact, I'd guess that you're slightly safer:

  • Without a password safe you use the same password (or just a couple) everywhere. A key logger comes in, captures it, and now has the password to several of your accounts.

  • With a password safe, you choose to use a different and complex password for each site. The key logger gets one password for only one account.
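To put rough numbers on the two comparisons above (word-digit-word versus a random password like "e7J8VHaXe7", and one reused password versus one per site when a key logger captures a single login), here is an added example; it is not from the original article or from any password safe. The 10,000-word dictionary and the site names are assumptions made up for illustration.

```python
import math
import secrets
import string

# 62 symbols: the same character classes as "e7J8VHaXe7"
ALPHABET = string.ascii_letters + string.digits


def pattern_bits(dictionary_size: int) -> float:
    """Bits of guessing space for word-digit-word (word * 10 digits * word)."""
    return math.log2(dictionary_size * 10 * dictionary_size)


def random_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of guessing space for a uniformly random password."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 10) -> str:
    """Random password drawn with the OS CSPRNG, as a password safe would."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def build_logins(sites, reused_password=None):
    """Map each site to a password: one reused everywhere, or unique per site."""
    return {
        site: reused_password if reused_password is not None else generate_password()
        for site in sites
    }


def exposed_accounts(logins, captured_site):
    """Accounts opened by the single password a key logger saw at one site."""
    captured = logins[captured_site]
    return sorted(site for site, pw in logins.items() if pw == captured)


# Constructed sample data (assumption): four made-up sites.
SITES = ["bank.example", "mail.example", "shop.example", "forum.example"]

if __name__ == "__main__":
    print(f"word-digit-word: {pattern_bits(10_000):.1f} bits")
    print(f"10 random chars: {random_bits(10):.1f} bits")
    reused = build_logins(SITES, reused_password="horse7apple")
    unique = build_logins(SITES)
    print("reused, exposed:", exposed_accounts(reused, "shop.example"))
    print("unique, exposed:", exposed_accounts(unique, "shop.example"))
```

Each extra bit doubles the number of guesses needed, so the gap of roughly 30 bits between the two schemes is a factor of about a billion.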

But with or without a password safe, malware is something that you need to avoid anyway - simply because once you're infected, all bets are off. You don't know what the malware is doing, capturing and compromising.

With or without a password safe, you must take steps and develop habits to avoid malware.

Finally, as you've pointed out, the password safe will typically keep its data in some kind of encrypted form. That means it's your responsibility to choose and remember one strong password to access that encrypted data. If you choose a simple, easy-to-guess password, someone could come along, guess the password to your password safe, and see everything inside.

But one complex password should be much, much easier to remember than a different one for each site.

Article C3692 - April 1, 2009

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18-year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.

Recent Comments
13 Comments
Glenn P.
April 8, 2009 5:20 AM

Does anyone know of a password keeper that uses Blowfish? I have just learned -- to my astonished dismay -- after years of contented usage, that the password manager which I *thought* used Blowfish, in fact uses nothing of the kind! Any suggestions for a new one?

Ken Crook
April 11, 2009 10:47 PM

After I had bought the new Norton AntiVirus 2009, I noticed another version of Norton AntiVirus that seemed to have a password vault included. Has anyone seen this? Is the product any good?

Thomas
March 19, 2010 6:03 AM

I use LoginTrap. Its prog can capture every login event by using iSight. It’s a really good prog.

Vally
June 2, 2010 8:55 AM

I prefer to use LoginTrap. It is for Mac OS.

Hank
July 21, 2010 5:01 AM

Try to use LoginTrap. Its tool can capture every login event. I use this tool and I know who logs on my Mac. It’s a really good program. Try)