Password Management

Friday, September 25th, 2009 | 0 comments

I guess it was about two to three years ago that I simply gave up trying to remember every password I had. I just couldn’t keep up, and the passwords kept right on coming.

It was around that time that I stumbled across a program called RoboForm, and I’ve been an avid user of it ever since. It’s an efficient little program that runs in the system tray and does exactly what it advertises. It generates, stores, encrypts and auto-fills passwords. It works incredibly well, except for two small downsides. One is it’s price – you have to license each computer you’d like to use it on, and you could easily end up spending about sixty bucks on it for two desktops and a laptop (btw, this has been worth the price to me so far). The other Achilles heel of RoboForm is portability… it’s not an easy task taking your passwords everywhere with you. It can be done – there are ways to transfer/copy passwords from one machine to another – but none of the methods I’ve seen are totally ideal. I have yet to try RoboForm2go, but in light of current events, I may not have to…

A few weeks ago, good ‘ol Stan-tastic (a co-worker at KneeDraggers) approached me and said he was having the same problem remembering passwords. After initially suggesting RoboForm to him, I did some poking around online to see if there was anything else out there, and by the gods of Google – there was.

LastPass.com – is totally free, totally portable, and totally easy. The difference between LastPass and RoboForm is that LastPass is an online service. You have to have an internet connection to actively use it. There’s a mode to store your passwords locally or on a USB drive in case you’re offline, but I’ve yet to explore this option fully so I can’t really comment on it yet. That being said… after a few weeks of use by Stan and some other co-workers, I can safely say that the LastPass service has gotten rave reviews from everyone. It pretty much does everything that RoboForm does, and is dead-nuts easy. I’ve actually been very tempted over the last week or so to start using it myself. I’m not sure why I’m having so much difficulty giving RoboForm the boot – probably because I paid good money for it and it’s just what I’m used to. I keep telling myself, "Maybe I’ll switch…maybe."

For the goons out there who are concerned about security, password strength, and tin-foil hats – I’m one of you. I don’t trust a soul without doing my homework first. I don’t like the idea of storing my passwords somewhere either. But understand that both programs encrypt your passwords locally using AES-256, meaning that the data is damn near impossible to get at (unless someone knows your master password, or has access to your machine for several decades of brute force cracking). If you don’t believe me, do you own homework and read up on each program’s security. Make your own call. Relatively speaking, your shit is safe.

I’ve found that using these programs has the kill-two-birds-with-one-stone effect. They end up saving you a ton of time and aggravation while making your login data more secure. How? The programs can generate some seriously crazy, totally random, 64-character passwords that you simply don’t have to remember. Ever. You won’t even have to type them into form fields. That’s done for you, which removes the possibility of a keylogger or malware picking them up. These long, randomly generated passwords are also much more secure than 90% of those weak-ass passwords I’ll bet you’re using right now. You know the ones. The ones made of your birthday, a nickname or something easy to remember with a number slapped on the end. Right? You need to change those. The complex passwords generated by these programs that get stored on your drive are all encrypted as well, making them just about as bulletproof as it’s going to get. All you have to remember is your master password that unlocks everything. It’ll be one of the last passwords you’ll ever have to commit to memory. Just remember rule number one: Always, always, always make a decent backup of the encrypted password files somewhere safe in case things shit the bed on you, as they always will. After you’ve done that, feel free to lock the door and throw away the key – because being able to flush your memory of all your memorized passwords is quite a liberating feeling.

Anyway, I thought I’d pass word along to anyone out there that was having the same dilemma.