Ask Leo! by Leo A. Notenboom

Are password safes secure?


Summary: Utilities that remember and enter passwords for you are helpful and convenient, but are they secure? When used properly: absolutely.

Leo, do programs (I'm thinking of browser helpers in particular) which memorize and play back passwords/personal information really provide added security along with their obvious convenience? Will a key logging program just record mouse clicks if I use the program to input my credit card info? Are there programs that will sniff (the credit card info) as it is put into the order form? Does having the stored password/personal information on my computer put me at risk (even though I assume it is encrypted)?

There is risk in everything, even getting out of bed in the morning.

The challenge is to choose those tools, techniques and habits that minimize your exposure to risk.

Using a password safe, using it the right way, and using it in conjunction with the habits you should already have to stay safe is, in my opinion, much, much more secure than the alternatives.

I happen to use Roboform, but there are several alternatives and variations on the theme.

In general, the single biggest advantage they bring to the table is that you can safely select and use multiple, arbitrarily complex passwords that you simply don't need to remember. This is big. A long random password can't be memorized by someone looking over your shoulder, can't be found by dictionary or brute-force guessing, automated or not, and, because each site gets its own, a password stolen from one site is useless at every other.

Like I said, that's big.

It's the difference between common passwords of the form word-digit-word, and "e7J8VHaXe7". It's the difference between having one password you can remember and using it everywhere, and having a different complex password for every site you visit.

Did I mention that I think that's big?

A different, extremely secure password for every site that you visit. That's, by far, the biggest reason I recommend using these tools. Sure, there are other conveniences, and that's fantastic, but being able to use maximally secure passwords all over is what does it for me.
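As an added illustration (not code from this article, from Roboform, or from any other product), here is what a password safe's generator is doing when it hands you a different password for every site, and how the guessing space of such a password compares with a word-digit-word password. The dictionary size and the attacker's guess rate are assumptions chosen for the arithmetic.

```python
import math
import secrets
import string

# Symbols a generator can draw from: upper, lower, digits (62 symbols).
ALPHABET = string.ascii_letters + string.digits

SECONDS_PER_YEAR = 365 * 24 * 3600


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Draw `length` symbols uniformly at random from `alphabet`.

    `secrets` reads the OS CSPRNG; the `random` module is not suitable here
    because its output is predictable from a small amount of observed state.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_password_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy (bits) of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def word_digit_word_bits(dictionary_size: int = 20_000) -> float:
    """Entropy (bits) of a 'word-digit-word' password where each word comes
    from a list of `dictionary_size` common words (an assumed size) and the
    digit is 0-9. Search space = dictionary_size * 10 * dictionary_size."""
    return math.log2(dictionary_size * 10 * dictionary_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case years to try every candidate at `guesses_per_second`
    (an assumed rate for an offline attacker with dedicated hardware)."""
    return (2.0 ** bits) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # One distinct password per site, none of which the user has to remember.
    for site in ("bank.example", "mail.example", "shop.example"):
        print(site, generate_password())
    for label, bits in (("word-digit-word", word_digit_word_bits()),
                        ("10 random alphanumerics", random_password_bits(10)),
                        ("16 random alphanumerics", random_password_bits(16))):
        print(f"{label}: {bits:.1f} bits, {years_to_exhaust(bits):.3g} years to exhaust")
```

The point of `years_to_exhaust` is the contrast, not the exact figures: at the assumed rate a word-digit-word space is gone in well under a second, ten random alphanumerics take years, and sixteen take longer than the attacker will live. The generator has no memory of what it produced, which is exactly why a safe has to store the result.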

You can still screw it up.

Now, having a password safe doesn't remove the need to continue to act responsibly.

For example, you asked about a key logger. I'll be more general: once you're infected with anything, all bets are off - whether or not you're using a password safe. A key logger could intercept the strings that the password safe is "typing in" on your behalf; a safe that fills form fields directly rather than simulating keystrokes may sidestep a plain keystroke logger, but malware that hooks the browser, watches the clipboard, or reads process memory will see the password regardless. A password safe doesn't protect you from this.

But neither is it any riskier. In fact, I'd guess that you're slightly safer:

  • Without a password safe you use the same password (or just a couple) everywhere. A key logger comes in, captures it, and now has the password to several of your accounts.

  • With a password safe, you choose to use a different and complex password for each site. The key logger gets one password for only one account.

But with or without a password safe, malware is something that you need to avoid anyway - simply because once you're infected, all bets are off. You don't know what the malware is doing, capturing and compromising.

With or without a password safe, you must take steps and develop habits to avoid malware.

Finally, as you've pointed out, the password safe will typically keep its data in some kind of encrypted form, and the key to that data is derived from a master password. That means it's your responsibility to choose and remember one strong master password. If you choose a simple, easily guessed password, someone who gets a copy of the safe's data file can guess at it offline, at their leisure and with no lockout to stop them, and once they hit it they see everything inside. And since you type the master password yourself, a key logger on an infected machine can capture it too, which is one more reason malware avoidance is non-negotiable.

But one complex password should be much, much easier to remember than a different one for each site.
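As an added example (not Roboform's or any product's code), here is the shape of the problem the master password is guarding against: the vault's key is stretched from the master password with a key derivation function, and whoever copies the vault file can guess at the master password offline, as many times as they like. The cipher here is a toy (a SHA-256 keystream XORed into the data plus an HMAC tag, so a wrong password is detectable) and the iteration count is kept small so the demo runs instantly; a real safe uses a proper authenticated cipher and far more iterations. The wordlist is constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Deliberately low so the demo runs fast; real vaults use hundreds of
# thousands of PBKDF2 iterations (or scrypt/Argon2) to make each guess cost.
ITERATIONS = 1_000


def derive_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into a 32-byte key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def _xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: keystream block i = SHA-256(key || i), XORed into data.
    Symmetric, so the same call encrypts and decrypts. Stand-in for AES-GCM."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream.extend(hashlib.sha256(key + counter.to_bytes(4, "big")).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def create_vault(master_password: str, plaintext: bytes) -> dict:
    """Lock `plaintext` under `master_password`. The HMAC tag lets open_vault
    tell a correct password from a wrong one, which is exactly what an offline
    guesser relies on as well."""
    salt = secrets.token_bytes(16)
    key = derive_key(master_password, salt)
    ciphertext = _xor_stream(key, plaintext)
    tag = hmac.new(key, ciphertext, "sha256").digest()
    return {"salt": salt, "ciphertext": ciphertext, "tag": tag}


def open_vault(vault: dict, master_password: str):
    """Return the plaintext if the password is right, else None."""
    key = derive_key(master_password, vault["salt"])
    expected = hmac.new(key, vault["ciphertext"], "sha256").digest()
    if not hmac.compare_digest(expected, vault["tag"]):
        return None
    return _xor_stream(key, vault["ciphertext"])


def offline_guess(vault: dict, candidates) -> tuple:
    """What someone who copied the vault file does: try candidates until one
    opens it. Returns (password or None, guesses made). No lockout, no rate
    limit; only the KDF cost and the password's strength slow this down."""
    tried = 0
    for guess in candidates:
        tried += 1
        if open_vault(vault, guess) is not None:
            return guess, tried
    return None, tried


# Constructed stand-in for a cracking wordlist.
COMMON_GUESSES = ["password", "123456", "letmein", "qwerty", "password1", "welcome"]

if __name__ == "__main__":
    data = b"bank.example: e7J8VHaXe7"
    print(offline_guess(create_vault("password1", data), COMMON_GUESSES))
    print(offline_guess(create_vault("toast elephant 94 lantern", data), COMMON_GUESSES))
```

The weak vault falls on the fifth guess; the one locked with a long passphrase survives the whole list, and a real list is millions of entries long. The salt stops an attacker from precomputing one table that works against every vault, and the iteration count is what makes each guess expensive; neither helps if the master password is on the list.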

Related:


  • RoboForm Password Manager and more With lots of accounts on the web, good security says their passwords should all be unique. Your computer can remember them for you with RoboForm.

  • What's a good password? Good passwords are hard to crack and hard to remember. As a result, many people don't use really good passwords, even though they should. We'll look at what makes a good password, and some ways to make them easier to remember.

  • TrueCrypt - Free Open Source Industrial Strength Encryption TrueCrypt provides a solution for encrypting sensitive data - everything from portable, mountable volumes to entire hard disks.

Article C3692 - April 1, 2009

Comments (10)

One plug-in for Firefox which I've been playing with is PasswordMaker. This uses a "master password", the web address of the site, your user name, and any other information you want to use to generate passwords on-the-fly using a hash algorithm. I really like the idea of creating passwords like this -- no saved password lists in your browser, it just re-creates the password time after time.

Still haven't gone with it totally yet, though, for one very simple reason -- portability. Even though they have a website that can generate the passwords if you're away from your computer, it's just not as easy to use as the plug-in. I'm still trying to work out a "best practice" for using it, but I think there's merit in the idea ...

Posted by: Dave Hartley at April 1, 2009 3:28 PM
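The stateless scheme the comment above describes, as an added example that is not PasswordMaker's code: the password is recomputed from the master password, the site and the username on every use, so there is no list to store or back up. PBKDF2-HMAC-SHA256 is used here as the "hash algorithm" (an assumption; the comment doesn't name the plug-in's choice), and the hostname normalisation is my own, included because the derivation only works if the same site always produces the same salt.

```python
import base64
import hashlib
from urllib.parse import urlsplit


def canonical_site(url: str) -> str:
    """Reduce a URL or bare host to a stable lowercase hostname, so the same
    password comes out for 'https://WWW.Example.com/login' and 'example.com'.
    If this normalisation ever changes, every derived password changes with it."""
    if "://" not in url:
        url = "https://" + url
    host = (urlsplit(url).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return host


def derive_site_password(master: str, site: str, username: str,
                         length: int = 16, iterations: int = 100_000) -> str:
    """Stateless derivation: nothing is stored; the password is recomputed
    from (master, site, username) every time. The site and username act as
    the salt, and the PBKDF2 iteration count makes offline guessing of the
    master password expensive (assumed algorithm, see lead-in)."""
    if not master:
        raise ValueError("master password required")
    salt = f"{canonical_site(site)}\x00{username}".encode("utf-8")
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                              iterations, dklen=length)
    # Base64 maps bytes to letters, digits, '+' and '/'; trim to the requested length.
    return base64.b64encode(raw).decode("ascii")[:length]


if __name__ == "__main__":
    for site in ("https://www.Example.com/login", "example.com", "mail.example"):
        print(site, derive_site_password("hunter2 is not a good master", site, "leo"))
```

Two consequences follow from the design, whatever tool implements it: rotating one site's password means changing one of the inputs (a counter or version field is the usual addition), and anyone who learns the master password and the scheme can derive every site's password with no vault file needed, so the master must be as strong as it would be for a stored vault.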

You can check for your password strength here.

http://www.microsoft.com/protect/yourself/password/checker.mspx

Posted by: rammolo at April 1, 2009 5:20 PM

If you don't want to even chance someone hacking your computer for passwords, try cloakpass.com as nothing is stored and you can easily scramble your simple passwords. It's free.

Posted by: Dave at April 7, 2009 9:38 AM

CloakPass.com is interesting because it's a totally different approach. It doesn't store your passwords in a vault that can be stolen or hacked... it doesn't store them online... It stores them in your own brain. It's not a web tool and it allows you to have passwords like %43kjl6^^@#K and not have to even type it in... It's a totally new approach to password management. www.cloakpass.com..... it's not a plugin.... so you can use it for ANYTHING (except logging into Windows itself)

Since you didn't say what CloakPass is I went and looked. It's something you install in Windows that, on demand, lets you type in a plain text password that you would remember and converts what you type on the fly to more obscure characters. On the surface, an interesting idea.

It does mean that you must have CloakPass installed to login to anything for which you chose to use it. They make it easy(ish) to "mail yourself" (as they put it) the program, but it requires .NET framework, so you're not going to use it from other platforms like Linux or Mac.

The idea is interesting, but I'm not at all convinced of its practicality for the average user.
- Leo
08-Apr-2009

Posted by: Yoshi at April 7, 2009 10:07 AM

Leo,

I've been using KeePass password safe for a few weeks now. But I've always wondered if I am vulnerable to being hacked while KeePass is opened. In other words, is it important for me to keep the password safe locked when not in use, or can I leave it unlocked and on my taskbar? It's kind of a hassle to have to key in my master password every time I want to use the safe. But, my assumption is that while unlocked, I am vulnerable to any sort of online attack. Please advise.

It's as safe as any information on your computer. If your computer is infected with a keylogger, for example, where you store your passwords won't matter - the keylogger will capture your entry. I've not heard of any malware that actively hunts for password safes, though.

Bottom line: a password safe is part of a strategy to stay safe, but it's no replacement for making sure that you don't get infected. Once infected, all bets are off.
- Leo
08-Apr-2009

Posted by: Richard at April 7, 2009 11:38 AM

I think the best solution is the Wand facility from Opera browser, it's already integrated in the browser (no additional problems with another, separate program like Roboform) and the data is very well encrypted. Online sites like Gator or CloakPass are the absolute worst solution, it would be safer to put your passwords on a billboard and hope nobody reads them.

Posted by: Gigi at April 7, 2009 1:57 PM

If you use a password safe, one thing is guaranteed: one day, you will lose all your passwords. My preference is a file folder that is in a stack of file folders near my computer, with all my passwords written on the inside of the folder. And the really essential ones, on a slip of paper in my wallet when I travel, with hints as to what they are the password to, not the actual web site name.

As long as you back up regularly, there's no need to ever lose your password safe or its contents. Paper by the desk is notoriously insecure.
- Leo
08-Apr-2009

Posted by: Gord Campbell at April 7, 2009 5:30 PM

I just tried out LastPass and I like it better than Roboform. It really is awesome.

Posted by: dave at April 7, 2009 8:34 PM

Does anyone know of a password keeper that uses Blowfish? I have just learned -- to my astonished dismay -- after years of contented usage, that the password manager which I *thought* used Blowfish, in fact uses nothing of the kind! Any suggestions for a new one?

Posted by: Glenn P. at April 8, 2009 5:20 AM

After I had bought the new Norton AntiVirus 2009, I noticed another version of Norton AntiVirus that seemed to have a password vault included. Has anyone seen this? Is the product any good?

Posted by: Ken Crook at April 11, 2009 10:47 PM
