Helping people with computers... one answer at a time.
With lots of accounts on the web, good security says their passwords should all be unique. Your computer can remember them for you with RoboForm.
I think that I have about 80 - 100 passwords that I use on a regular or somewhat regular basis. I always remember my network and computer logon passwords, but beyond that I often have to check my a) Outlook notes on my PC at work, or b) when at home on my Mac, my little black notebook stuffed in the bottom of drawer.
Is storing my passwords on Outlook notes safe for my bank and tax filing accounts? Are online password managers or 'safes' secure? Do you have any suggestions for how best to manage the proliferation of passwords for online accounts?
•
I don't really have a good cross-platform solution for you, though I do have a couple of odd ideas.
However, I have developed a very strong recommendation over the past couple of months for a product called RoboForm - which happily includes a free version!
Let me touch on your first two questions first...
•
Keeping your passwords in Outlook notes scares me somewhat. Yes, your PST can be encrypted (make sure that it is if you continue to do this), and theoretically it should only be accessible when you're logged in. Hence, it's "safe" behind your login password. But ultimately Outlook wasn't designed for this, and I'd be concerned that if the PST ever fell into the wrong hands, it wouldn't be that hard to open it up and have access to whatever you have inside. So, theoretically it's an "ok" solution, but not particularly secure.
Online password vaults make me nervous as well. There are two issues: trust and connectivity. I'll admit, I'm a control freak, and the thought of handing over my passwords to some online service over which I have little to no control scares me. I'm sure that there are trustworthy ones out there, but I'm also sure there are some that are less than reputable. I don't want to be the one to find out the hard way. Online vaults also assume you can connect to the Internet and that you can connect to them. If the service goes down for some random reason, would you be blocked out of everything? If the answer is yes ... well, that's a deal breaker for me right there.
•
What I have been doing so far is keeping all this information (and more) in an Excel spreadsheet. (You could, of course, use a plain text file and Notepad, or whatever else you might like.) That, in and of itself, is incredibly insecure and dangerous. That is, until I place that spreadsheet - and a number of other sensitive files - onto a virtual drive using TrueCrypt. When the virtual drive is not loaded, the contents are securely encrypted and inaccessible to others. When it is loaded, the contents are simple visible as unencrypted files.
Now, I worked that way for accounts and passwords for perhaps a couple of years. It's secure and relatively convenient, except for the part about having to fire up Excel and copy/paste account names and passwords into the web pages that required them.
Then a colleague suggested RoboForm.
•
It's easy to think of RoboForm as simply "yet another password database", but it's much more. That thinking actually kept me from trying it long ago - I had a password database solution as I just outlined.
What makes RoboForm so much more than that includes:
-
RoboForm will capture passwords as you visit sites. That means creating the password database is not an extra maintenance step but rather a somewhat innocuous side effect of simply using the web. As you enter a username/password on a site, RoboForm doesn't already know about, it simply prompts you to save it:
(A side effect to this side effect, by the way, is that RoboForm can be used to recover passwords you've forgotten but that your browser's auto-fill feature continues to enter for you.)
-
Once RoboForm has the password for a particular site, you can use the RoboForm tool bar to go directly to that site, enter the login information and submit it, all with only two mouse clicks. On the toolbar is a dropdown menu:
Click on the site RoboForm knows about, and it automatically takes you there and logs you in with your credentials.
-
The RoboForm database is, of course, encrypted by default. RoboForm also handles the appearance and disappearance of the database gracefully. That means if you have RoboForm configured to look for its database on, say, a USB thumbdrive, simply inserting the thumbdrive will activate all of RoboForm's features; remove the drive, and RoboForm quietly notices.
-
While RoboForm is not truly cross-platform, it does include a viewer that can be installed on your Pocket PC or your Palm device. Your RoboForm database is automatically synchronized when you synchronize your device, and you can securely view your passwords on your hand-held device.
-
Since with RoboForm you actually don't need to remember passwords, you can actually switch to using significantly better and harder (even impossible) to remember passwords. And, naturally, RoboForm includes a random password generator for just this purpose.
-
RoboForm works with IE, including IE 7, and Firefox, including FireFox 2.
There's more, so I'll simply encourage you to check out RoboForm. The free version, naturally, has some limitations, specifically in the number of "passcards" that you can keep. But the Pro version does not and, in my mind, is worth every penny.
•
•
One addendum on how I use RoboForm today.
You'll note that I said RoboForm's database is encrypted by default. That means the first time you use RoboForm after logging into Windows, you'll need to supply the password to unlock the database. I actually skip that step and keep my RoboForm database unencrypted - because I still keep it on my encrypted TrueCrypt drive. RoboForm doesn't do everything - it's a solution for websites that require login, and it does that very, very well. However, I naturally continue to have other sensitive information that I keep on that encrypted drive - and even in my Excel spreadsheet. But since that drive is encrypted, and since I have to specify a password to mount it, there's no reason for me to place an additional layer of encryption with RoboForm, so I simply skip that.
And as I pointed out above, RoboForm gracefully notices when drives appear and disappear - meaning that as I mount, or unmount, my encrypted TrueCrypt drive, RoboForm "just works".
•
The one bugaboo that I haven't addressed is the cross-platform issue. As I said, I don't have a graceful solution for that just yet. RoboForm is Windows only, aside from the PDA readers I mentioned above. TrueCrypt is promising a Mac OSX version in the future and already has a Linux implementation, but even when that does arrive, it doesn't give you the features that RoboForm does.
I'm certain that there are good Mac solutions out there (I hear good things about 1passwd), but I'm not aware of one that interoperates with Windows.
So you're left with two solutions, IMO:
-
Use the RoboForm PDA solution to keep your password list with you and use that to manually read and type in your passwords on your Mac.
-
Use a Mac-based solution in addition to RoboForm on Windows. Yes, that means keeping two databases - one on the Mac, and one Windows. But building that database is really just a one-time thing on each platform. (And 1passwd indicates it can import from RoboForm, so perhaps there's a migration or synchronization path there.)
Article C2827 - November 2, 2006
Leo A. Notenboom has been playing with computers since he
was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed.
After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers
to common computer and technical questions. More about Leo.
I have used RoboForm for a couple of years. I have it installed on one desktop, one notebook and on a USB drive which I use for my netbook and on other computers.
RoboForm is simply great and I also use GoodSync PRO (also by SiberSystems) to synchronize my computers and the passwords between them.
One component of RoboForm that was not mentioned in this article is the "Safe Notes" which is also useful.
I completely enjoy reading the articles on Ask Leo. Keep up the good work!
Posted by: Anthony B. Barreto at March 17, 2010 8:07 AMRoboform is the best! I have the program on both my Desktop and my Laptop for over 2 years and rely on it completely. At age 72, I am very active on both my computers for business, research, shopping, as well as friends/family communication. It's a good buy, for what it does!
Posted by: PD Barlow at March 17, 2010 4:00 PMRoboForm also has a portable version which can be installed on a USB thumbdrive. I find it very useful for traveling.
Posted by: James at March 18, 2010 4:38 AMThe big thing that separates RoboForm from other password safes is it doesn't just remember the passwords, it installs as a browser toolbar and takes you directly to the website and logs you in with a single click--opening the site and filling in both user name and password. The portable version does this on any computer you stick the thumbdrive in.
As a bonus, it also generates secure passwords up to 511 characters long.
While Firefox 3.6 says it doesn't work with that version, I've had no problems.
What about password i use LoginTrap.It’s prog can capture every login events by using iSight.It really good prog.
Posted by: Benjamin at April 9, 2010 2:39 AMJust tried LoginTrap, thank you. Really good!!!
Posted by: Baby at June 3, 2010 7:28 AM