Utilities that remember and enter passwords for you are helpful and convenient, but are they secure? When used properly: absolutely.
Leo, do programs (I'm thinking of browser helpers in particular) which memorize and play back passwords/personal information really provide added security along with their obvious convenience? Will a key logging program just record mouse clicks if I use the program to input my credit card info? Are there programs that will sniff (the credit card info) as it is put into the order form? Does having the stored password personal information on my computer put me at risk (even though I assume it is encrypted)?
There is risk in everything, even getting out of bed in the morning.
The challenge is to choose those tools, techniques and habits that minimize your exposure to risk.
Using a password safe, using it in the right way, and using it in conjunction with habits you should already have to stay safe, is in my opinion much, much more secure than the alternatives.
I happen to use Roboform, but there are several alternatives and variations on the theme.
In general, the single biggest advantage that they bring to the table is that you can safely select and use multiple arbitrarily complex passwords that you simply don't need to remember. This is big. It renders you almost completely immune from people stealing or remembering your password manually, or guessing your password even through automated means.
Like I said, that's big.
It's the difference between common passwords of the form word-digit-word, and "e7J8VHaXe7". It's the difference between having one password you can remember and using it everywhere, and having a different complex password for every site you visit.
Did I mention that I think that's big?
A different, extremely secure password for every site that you visit. That's, by far, the biggest reason I recommend using these tools. Sure, there are other conveniences, and that's fantastic, but being able to use maximally secure passwords all over is what does it for me.
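To put rough numbers on that difference, here is an added example (not code from this article or from Roboform) that generates a separate random password for each site and compares the guess space of a word-digit-word password with a 10-character random one like "e7J8VHaXe7". The 10,000-word list size and the site names are assumptions chosen for illustration.

```python
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols, as in "e7J8VHaXe7"

# Assumption for illustration: a guesser works from a list of 10,000 common words.
ASSUMED_WORDLIST_SIZE = 10_000


def random_password(length=10):
    """Return a password drawn uniformly at random from ALPHABET."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def passwords_for_sites(sites, length=10):
    """Give every site its own password, so one captured password opens one account."""
    vault = {}
    for site in sites:
        password = random_password(length)
        while password in vault.values():  # a repeat is astronomically unlikely
            password = random_password(length)
        vault[site] = password
    return vault


def bits_word_digit_word(wordlist_size=ASSUMED_WORDLIST_SIZE):
    """Guess space, in bits, of word + one digit + word."""
    return math.log2(wordlist_size * 10 * wordlist_size)


def bits_random(length=10, alphabet_size=len(ALPHABET)):
    """Guess space, in bits, of a uniformly random password."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed site names, for illustration only.
    sites = ["bank.example", "mail.example", "shop.example"]
    for site, password in passwords_for_sites(sites).items():
        print(f"{site:14} {password}")
    print(f"word-digit-word: about {bits_word_digit_word():.1f} bits")
    print(f"10 random chars: about {bits_random():.1f} bits")
```

Each extra bit doubles the number of guesses needed, so under these assumptions the random password is roughly a billion times harder to guess than the word-digit-word one.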
You can still screw it up.
Now, having a password safe doesn't remove the need to continue to act responsibly.
For example, you asked about a key logger. I'll be more general: once you're infected with anything, all bets are off - whether or not you're using a password safe. Of course a key logger could intercept the strings that the password safe is "typing in" on your behalf. A password safe doesn't protect you from this.
But neither is it any riskier. In fact, I'd guess that you're slightly safer:
Without a password safe you use the same password (or just a couple) everywhere. A key logger comes in, captures it, and now has the password to several of your accounts.
With a password safe, you choose to use a different and complex password for each site. The key logger gets one password for only one account.
But with or without a password safe, malware is something that you need to avoid anyway - simply because once you're infected, all bets are off. You don't know what the malware is doing, capturing, and compromising.
With or without a password safe, you must take steps and develop habits to avoid malware.
Finally, as you've pointed out, the password safe will typically keep its data in some kind of encrypted form. That means it's your responsibility to choose and remember one strong password to access that encrypted data. If you choose a simple, easy-to-guess password, someone could come along, guess the password to your password safe, and see everything inside.
But one complex password should be much, much easier to remember than a different one for each site.