One plug-in for Firefox which I've been playing with is PasswordMaker. This uses a "master password", the web address of the site, your user name, and any other information you want to use to generate passwords on-the-fly using a hash algorithm. I really like the idea of creating passwords like this -- no saved password lists in your browser, it just re-creates the password time after time.
Still haven't gone with it totally yet, though, for one very simple reason -- portability. Even though they have a website that can generate the passwords if you're away from your computer, it's just not as easy to use as the plug-in. I'm still trying to work out a "best practice" for using it, but I think there's merit in the idea ...
Posted by: Dave Hartley at April 1, 2009 3:28 PM
You can check for your password strength here.
http://www.microsoft.com/protect/yourself/password/checker.mspx
Posted by: rammolo at April 1, 2009 5:20 PM
If you don't want to even chance someone hacking your computer for passwords, try cloakpass.com as nothing is stored and you can easily scramble your simple passwords. It's free.
Posted by: Dave at April 7, 2009 9:38 AM
CloakPass.com is interesting because it's a totally different approach. It doesn't store your passwords in a vault that can be stolen or hacked... it doesn't store them online... It stores them in your own brain. It's not a web tool and it allows you to have passwords like %43kjl6^^@#K and not have to even type it in... It's a totally new approach to password management. www.cloakpass.com..... it's not a plugin.... so you can use it for ANYTHING (except logging into Windows itself).
Since you didn't say what CloakPass is I went and looked. It's something you install in Windows that, on demand, lets you type in a plain text password that you would remember and converts what you type on the fly to more obscure characters. On the surface, an interesting idea.
It does mean that you must have CloakPass installed to log in to anything for which you chose to use it. They make it easy(ish) to "mail yourself" (as they put it) the program, but it requires .NET framework, so you're not going to use it from other platforms like Linux or Mac.
The idea is interesting, but I'm not at all convinced of its practicality for the average user.
- Leo 08-Apr-2009
Posted by: Yoshi at April 7, 2009 10:07 AM
Leo,
I've been using KeePass password safe for a few weeks now. But I've always wondered if I am vulnerable to being hacked while KeePass is opened. In other words, is it important for me to keep the password safe locked when not in use, or can I leave it unlocked and on my taskbar? It's kind of a hassle to have to key in my master password every time I want to use the safe. But, my assumption is that while unlocked, I am vulnerable to any sort of online attack. Please advise.
It's as safe as any information on your computer. If your computer is infected with a keylogger, for example, where you store your passwords won't matter - the keylogger will capture your entry. I've not heard of any malware that actively hunts for password safes, though.
Bottom line: a password safe is part of a strategy to stay safe, but it's no replacement for making sure that you don't get infected. Once infected, all bets are off.
- Leo 08-Apr-2009
Posted by: Richard at April 7, 2009 11:38 AM
I think the best solution is the Wand facility from Opera browser, it's already integrated in the browser (no additional problems with another, separate program like Roboform) and the data is very well encrypted. Online sites like Gator or CloakPass are the absolute worst solution, it would be safer to put your passwords on a billboard and hope nobody reads them.
Posted by: Gigi at April 7, 2009 1:57 PM
If you use a password safe, one thing is guaranteed: one day, you will lose all your passwords. My preference is a file folder that is in a stack of file folders near my computer, with all my passwords written on the inside of the folder. And the really essential ones, on a slip of paper in my wallet when I travel, with hints as to what they are the password to, not the actual web site name.
As long as you back up regularly, there's no need to ever lose your password safe or its contents. Paper by the desk is notoriously unsecure.
- Leo 08-Apr-2009
Posted by: Gord Campbell at April 7, 2009 5:30 PM
I just tried out LAST PASS and I like it better than Roboform. It really is awesome.
Posted by: dave at April 7, 2009 8:34 PM
Does anyone know of a password keeper that uses Blowfish? I have just learned -- to my astonished dismay -- after years of contented usage, that the password manager which I *thought* used Blowfish, in fact uses nothing of the kind! Any suggestions for a new one?
Posted by: Glenn P. at April 8, 2009 5:20 AM
After I had bought the new Norton AntiVirus 2009, I noticed another version of Norton AntiVirus that seemed to have a password vault included. Has anyone seen this? Is the product any good?
Posted by: Ken Crook at April 11, 2009 10:47 PM
To post a comment on "Are password safes secure?", please return to that article's main page.