Tips for password management on a PC
This post is the 6th in an ongoing series about passwords. You may want to check out the other parts by clicking on tag: passwords.
[Photo by Vagamundos via Flicker]
In my last post on passwords, I made the argument that the absolute best way to balance password security and practicality is to use a password manager program.
As I discussed in the last post, you’re much better off using different passwords for all of your sites and keeping them in one secure location (the password manager program). If someone gets any one of your passwords, they can only access the one site it unlocks. On the other hand, if you use the same password for all (or most) of your sites, and that one password falls into the wrong hands, you’ve got a big problem.
A good password manager makes your life simpler.
Rather than having to spend time coming up with a creative, unguessable passwords, you can simply let the password manager program generate random passwords. And you don’t even have to remember them either! If you need a password, you simply go to your password manager, get it, and move on.
An added benefit of a password manager is that all of your passwords are organized in one location. In most households, one person does most of the bill paying. Spouses or other family members likely don’t know passwords to every important site. If something happens to the primary password “keeper,” then it can be very difficult for others to get access to important sites–like banks, medical records, and even email, where important information often resides.
Again, with a password manager, only one password is needed to access your “vault.” That password should be very strong and also written down in a secure location. Spouses and/or other family members should know where it is. I keep mine in a safe with some simple instructions on how to use it.
Recommendations
There are many options for password managers. In this post, I’m going to focus on those that work with PCs (Windows). Since I personally like the Mac way of doing things, I’ll cover Mac options in the next post (and end with a review of my favorite password manager).
KeePass
If you use Windows, one highly-rated choice is KeePass, a free program that actually works on other operating systems too, like Mac OS X and Linux. An additional app called Mono is needed to make it work on non-Windows systems, however, so I think KeePass is best suited for Windows users only.
KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish).
In other words, it’s safe.
My good buddy, Andy (AKA The Digitante), recently wrote a nice review of KeePass at his blog. Andy walks you through the basics of setting up KeePass and provides clear illustrations.
In addition to the general benefits of any good password manager that I mentioned earlier, pros of KeePass are:
- It’s free
- It comes with built-in strong password generator that also indicates the strength of passwords
- It’s portable and can be carried on a USB stick and used on any other PC
- Password lists can be exported to various file formats (good if you wanted to print a master list to store in a safe)
- Files can be “attached” and stored in the KeePass database
- KeePass lets you copy passwords to your clipboard so that you can paste them into password fields in your browser. It also clears the clipboard immediately after you paste a password or after 10 seconds (if sooner) to increase security.
- A search field lets you quickly find passwords
- Plugins are available that extend KeePass’s functionality even more
The biggest downside to KeePass is that it doesn’t have the level of web browser integration that other password manager applications have. If you’re at a website that requires a password, you must open KeePass, copy your password, then paste it into the browser. It’s not a big deal, and it’s probably quicker and easier than manually typing out a long password. It’s definitely a small price to pay for the security you’re gaining.
LastPass
Another well-respected and lauded password manager is LastPass, which has received acclaim from PC Magazine and other reputable online tech sources.
LastPass comes in free and “pro” (paid) flavors. The free version’s feature set is plenty for most people, in my opinion. It has pretty much all of the benefits of KeePass that I outlined above.
I recently downloaded and experimented with LastPass myself in Windows. Overall I was pleased with the setup process and its ease of use. The biggest selling point for LastPass is that you can access it anywhere you have an Internet connection. To make this possible, LastPass stores your passwords on its servers. They take great lengths to assure you this is safe on their FAQ page. LastPass uses a very strong encryption process to lock up your data:
AES utilizing 256-bit keys.AES-256 is accepted by the US Government for protecting TOP SECRET data. AES is implemented in JavaScript for the LastPass.com website, and in C++ for speed in the Internet Explorer and Firefox plug-ins. This is important because your sensitive data is always encrypted and decrypted locally on your computer before being synchronized. Your master password never leaves your computer and your key never leaves your computer. No one at LastPass (or anywhere else) can decrypt your data without you giving up your password (we will never ask you for it). Your key is created by taking a SHA-256 hash of your password. When you login, we make a hash of your username concatenated with your password, and that hash is what’s sent to verify if you can download your encrypted data.
The part in bold is the kicker. I personally like this approach. Let me attempt to put it in plain English. Just before LastPass synchronizes the password file on your computer with the info on LastPass’s servers, it makes a special “key” that it sends encrypted to lastpass.com. This key is not actually your master password, but rather a special key created from your master password.
Even if someone captured this special key in transit, it wouldn’t be of value to them.
On receiving this special key, the LastPass servers send your encrypted password file back to your computer, where it is unlocked and synchronized with the other password data stored on your computer.
The other benefit of this approach is that even if someone got a hold of LastPass’s servers and found your data file, they wouldn’t be able to do anything with it until they figured out your master password.
The only burden placed on you is to create a single, very strong master password (perhaps using one of the techniques I outlined in earlier posts in my password series.
As long as your master password is strong, you’re A-OK.
In my opinion, the biggest advantage LastPast can boast is its web browser integration. Unlike KeePass, which requires you to manually fetch your password when you want to log into a site, LastPass can auto-fill web forms. This means that once you log into LastPass on your computer, you can simply visit a site, and if you’ve told LastPass to remember that password, it fills it in automatically. I personally tested the form fill with LastPass in Firefox in Windows. I was pleased overall. LastPass also supports other popular browsers including Internet Explorer, Chrome, and Safari.
I’m a big fan of password managers that auto-fill passwords. For one thing, it’s really convenient. More importantly, it encourages you to create really strong, long, unguessable passwords by removing the burden to type them out each time you visit a site. Like KeePass, LastPass has a built-in strong password generator that tells you how weak or strong the password is.
If you use LastPass, feel free to let it create passwords as long as the web form will allow. I mean, who really cares how long a password is if you never have to type it in yourself?
LastPass also offers some nice options for accessing your passwords on-the-go with apps for iPhone, Blackberry, and Android devices. However, use of the mobile apps requires you to step up to the the paid version of LastPass. The pro version is only $1 per month, which is really not a lot to pay for the extra convenience offered by the mobile apps (if you use them).
So, the difference between LastPass and KeePass boils down to convenience. LastPass allows you easy access to your passwords anywhere you have an Internet connection, and it provides easy options for auto-filling web forms. In exchange for this convenience, you have to agree to store your data on LastPass’s servers.
Other options
KeePass and LastPass are certainly not the only choices for password management on Windows. Two other noteworthy options are Roboform and eWallet. Both of these come in paid-only flavors. They both have a fairly big online presence and have gotten good reviews online, but I have not personally used either.
Some people choose to let their browser remember passwords for sites. Many browsers, including Internet Explorer and Firefox, prompt you for this unless you turn it off. I would caution against letter your browser remember passwords because it makes it too easy for someone to access your sites if they ever got your computer. There is nothing locking down your passwords unless you secure them with a master password, but I just don’t think it’s worth the trouble or security risk to let a browser manage your passwords.
Next up
In the next post, I will write a full review of the password manager that I use and outline the features I like most about it.
Please let me know if you’re using a password manager in the comments or if you have any questions/comments on anything in my password series so far. I hope I’m helping you increase the security around your personal data a bit. But if I’m not, let me have it!