Password management methods: what do you use?
Last night I received a general question from jkOTR reader Steve about security and password management. Good timing, because I was actually reading WebWorkerDaily’s "7 Ways to Manage Passwords" article when Steve’s note came in. First and foremost, I think security and password management approaches will vary by individual: we all have different risk factors and likely prefer different methods. As I’ve said before, I’m willing to provide some personal data in order to gain from more personalized services; of course, I expect my personal data to be handled professionally and securely. Others may not want to share personal data of any type, and that’s fine too.
In terms of password management, I’m still working my way towards the best solution for me. I have high hopes for Mozilla’s Weave project, a prototype we’ve covered here before. Essentially, I’d store all of my passwords right in Firefox and Weave would sync them, as well as bookmarks, cookies and more, to the other mobile devices I use Firefox on. James is a huge fan of Roboform on the PC side and I swear by 1Password for Macs. Since I use an iPhone, I appreciate that 1Password now has a free client for my handset; it even syncs the passwords from my Mac, which reduces the amount of redundant data entry. From a Windows Mobile standpoint, I’ve used eWallet in the past: it’s great for keeping important account numbers safe and handy, but works fine for remembering passwords as well.
These days I’m generally using a single computing device for my web-only challenge, so I’m still considering what strategy is best. A single-device owner can probably get by with the basic password management included in a browser (at least for web passwords) and/or a simple text file. I’d password-protect that file, though.
Multiple device owners face more of a challenge however, and if your devices run on different platforms, things can get complicated. Since the web is pretty ubiquitous across platforms, I’d again gravitate towards a web-based method. I haven’t yet seen an application that will offer password management across Mac, PC and all of the various mobile platforms like Windows Mobile, iPhone and S60, but that would be ideal.
How about it: what are you using for password management and why?

I use KeePass, since it has apps for Mac, Windows and WinMo. I haven’t tried the Linux, J2ME, BlackBerry or Palm versions, but I do think I’ll be installing the Linux one tonight.
I use my personal predictability. I just try to remember what mindset I was in, and the data to go with it, when I made the password. So basically I don’t remember passwords, I regenerate them.
I use the same password for all accounts because it is easy to remember.
I have been using KeePass. Recently, though, I started to change back to using one strong password for most of the sites I use (Twitter, FriendFeed). I still use 20+ character passwords from KeePass for really secure sites (mint, home banking). I changed from using these long passwords for everything to make accessing the sites on my Blackberry (and LG Chocolate) easier.
The wand feature of Opera has always served me well.
I use Password Safe – http://passwordsafe.sourceforge.net/
It is open source and works very well.
I used it when I was system admin for a medium sized company – I would use the password generator feature to create very complex passwords for root and admin access then I would create users with slightly easier passwords. It was very effective.
For cloud computing you may want to try Clipperz: http://www.clipperz.com/
I use Password Manager XP. Passwords are encrypted. Same license can legally be used on multiple devices and memory cards by the same user. Syncs and installs on memory cards. Can generate passwords for you. Will even remind you to change passwords if you want, at regular intervals. Works well on both XP and Vista. I highly recommend it.
I use Password Manager Deluxe from Kristanix Software. I used Password Corral for a long time but PWD works very nicely and even includes Drag and Drop for putting usernames and passwords into websites.
I have eWallet to track my cards, numbers and accounts.
..wiley
NW Harris County
SplashID on my PC and Palm TX.
TrueCrypt
http://www.truecrypt.org/
All my machines are WDE (Whole Disk Encrypted), as well as my external data HDDs, so all I have to do now is use a simple text file.
I would never trust an encryption program that isn’t open source. Too many possibilities of backdoors, improper coding security risks, or improper algorithm implementation.
But there are still many other open-source encryption programs that are useless if they do not support on-the-fly encryption (meaning they create temp files on the disk) and/or, if they don’t encrypt the entire system, will also page out the key to the swapfile.
I noticed two free apps for the iphone, iPassword and Lockbox. Does anyone recommend one over the other? Reasons?
SplashID on my phone. Always been with them since I used a palm many many years ago.
What keeps me with them is the fact that they support every known mobile OS out there pretty much so I can just email the db file to any other new device I get and be back up running quickly.
I never had any use for a desktop password manager. One on the phone is enough.
I am using Cryptocard, which is freeware: http://www.pmmax.com.ar/
First for the Pocket PC world, a solution was built for Windows which allows syncing thanks to ActiveSync …
What I appreciate with this solution is that you are able to create templates and then master your passwords as you want.
Unfortunately, as development is over, there won’t be a version for S60 or Mac OS.. and I need one to sync between all those platforms.
I had to look up my password in eWallet to log in here to post my reply.
I have used eWallet for a while; I have the PC and PPC versions. This is great since I can use the PPC on my Axim, which is with me most places I need it.
The PC is used while at home, and as the baseline backup for the database.
My wife does not like using the PC for passwords and account number and stuff, so eWallet has the feature to output a text file that I printed for her. We keep that in a secure location at home, but it has come in handy for her a few times.
I have a Garmin Palm OS based GPS, perhaps I should get a version of eWallet on that and teach my wife to use that (since it is usually at home).
This is a good discussion, good seeing what everyone else is using and doing.
eWallet has a websync feature now (beta) and a version for the iPhone.
Easy to use and customize, the auto fill feature on a PC is handy, even if it seems to force you to use IE.
Up until last week I happily used SplashID on multiple PCs (syncing across machines via Foldershare). Now have it on the iPhone, with a new Desktop version for the PC that will sync with the iPhone across any common network (wired or wireless).
PC: Identity Safe. Comes free with Norton. OK, I guess I have to answer “Why Norton?” A 3-PC license and all sorts of rebates makes all my household PC security costs < $20/yr. Plus it comes with Identity Safe.
PDA: SplashID. I use Palm OS (all such devices come with Infrared), so simply beam between devices.
Question: Is there any Password Management offering that doesn’t lock you in to their software? Any that export to some common format?
eWallet is now available for the iPhone, check the Apple App Store.
http://blog.iliumsoft.com/?p=423
+1 for Roboform. An excellent piece of software that not only remembers passwords, but also saves time by automagically completing forms.
I’m also using keepass.
http://keepass.info/
It supports a wide range of OSes and it is possible to use your file over WebDAV. So I keep my KeePass repo in my SharePoint My Site, which syncs with Outlook 2007. That’s the way I have an offline copy, but most of the time I’m online using a UMTS device.
Maybe you’ll give it a try… it’s free.
Ciao Marco
I have eWallet on my Q9 phone, but I really love the way that 1Password works on Safari, Firefox and Camino on the Mac – it feels more integrated than eWallet ever did on Windows. And I have a my.1password account now, too, so I can look them up online when I need to borrow another machine.
Where I live we don’t even have to lock our doors or close the windows, why would I need a password if my PC is here?
Seriously though, I have an SD card hidden behind a picture frame which has a Word file that’s password protected! I’ve also started using an encrypted folder on my OQO. The problem is remembering to keep them synchronised. Think I’ll take a look at this Keepass thingy.
roboform & 1password here, with weave doing the across platform syncing of bookmarks etc.
RSPM (really simple password management):
Use the same password for everything. Make sure it is genuinely random, contains both letters and numerals, and has at least 8 characters (you’ll remember it because you use it for everything). Don’t write it down anywhere and don’t tell it to anyone. Change it at least once per year; twice is more secure (but harder to do). That’s it.
I actually love the RoboForm software myself. I use it all of the time and it takes all of the menial everyday tasks that I have to perform on my computer daily and shortens them extremely! What once took me fifteen minutes to complete now takes me only one second because RoboForm does the same task with just one click. In fact I wrote a Report about a lot of RoboForm’s capabilities for use that aren’t even touched on in the User’s Manual for RoboForm. You can get that Report here:
http://www.booksbonkers.com/TheRoboFormReport!1.html
Sometimes this link gets broken and puts you on a 404 error page. If that happens, then just copy and paste the above link in a new web browser page.
Encrypted Excel file containing passwords. All important passwords are salted, so they’re all different. By remembering the salting algorithm, I don’t have to look them up very often.
My passwords come in 2 parts: a “root” password that remains the same combined with a pre- or postfix that depends on the site/application of interest.
I spent quite a bit of time generating a secure “root” password as follows:
- think of a good passphrase
- make it into a password by taking the initials of each word
- obfuscate it with l33t and gut-feeling.
This approach has served me extremely well. I only need to remember my original passphrase and the simple algorithm I use to append a pre- and postfix! Even if someone found out one of my passwords it would be useless since no 2 passwords are the same, even though they are built from the same root!
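The two comments above (a “salted” password per site in the Excel comment, and a memorised root plus a site-dependent prefix or postfix here) both derive every password from a single secret. The following Python is an added example, not code from either commenter: it turns the passphrase-initials-plus-leet recipe into a root and then derives each site’s password with PBKDF2-HMAC-SHA256 keyed with that root, so the site-specific part is not a visible affix; one derived password does not expose the root, the pattern, or any other site’s password, and the iteration count slows down guessing a short root from a leaked password. The sample passphrase, the leet table, the output alphabet, the length and the iteration count are all assumptions chosen for the example.

```python
import hashlib
import string

# Constructed sample passphrase; neither commenter's real phrase is on the page.
SAMPLE_PASSPHRASE = "correct horse battery staple"

SYMBOLS = "!@#$%^&*"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS  # 70 characters (assumption)
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)

# A fixed leet table stands in for the commenter's "l33t and gut-feeling" step.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"})


def passphrase_initials(passphrase):
    """Keep the first letter of each word of the passphrase."""
    return "".join(word[0] for word in passphrase.split())


def root_from_passphrase(passphrase):
    """Initials, then leet substitution: the memorised 'root'."""
    return passphrase_initials(passphrase).translate(LEET)


def derive_site_password(root, site, length=20, counter=1, iterations=200_000):
    """Deterministic per-site password derived from the root.

    The site name enters only through PBKDF2-HMAC-SHA256 keyed with the root, so
    the result carries no visible prefix or suffix that links it to the root or
    to another site's password. Bumping `counter` rotates one site's password
    without touching the others.
    """
    if length < len(CLASSES):
        raise ValueError("length must leave room for one character of each class")
    salt = f"{site.lower()}\x00{counter}".encode()
    raw = hashlib.pbkdf2_hmac("sha256", root.encode(), salt, iterations, dklen=64)
    n = int.from_bytes(raw, "big")
    chars = []
    for _ in range(length):  # big-integer divmod avoids byte-modulo bias
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    # Force one character from each class at secret-derived, distinct positions
    # so the password passes typical site complexity rules.
    n, base = divmod(n, length)
    for i, cls in enumerate(CLASSES):
        n, r = divmod(n, len(cls))
        chars[(base + i) % length] = cls[r]
    return "".join(chars)


def has_all_classes(password):
    """True when the password contains a lowercase, uppercase, digit and symbol."""
    return all(any(c in cls for c in password) for cls in CLASSES)


if __name__ == "__main__":
    root = root_from_passphrase(SAMPLE_PASSPHRASE)  # "chb5"
    for site in ("example.com", "bank.example"):  # constructed site names
        print(site, derive_site_password(root, site))
```

The scheme is stateless, so there is nothing to sync between devices, which is the appeal of the root-plus-affix approach; the cost is that rotating a single site’s password means remembering that site’s counter, which is exactly the kind of per-site state a synced database such as KeePass keeps for you.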
I cast another vote for KeePass! It has been my “catch all” for passwords, URLs, personal info, etc. I have it shared via Foldershare between my work laptop and home based PC. A copy also stays on my USB drive.
My HP 2710P has a fingerprint reader but I’m not sure it is much of a time-saver. Why doesn’t James Bond have to swipe his finger multiple times to enter those secret labs?
I use SPB Wallet on my PPC. Works well and ensures that I always have my passwords with me since I’m never without my phone.
I use Phatnotes on both PC and Pocket PC and protect notes which contain sensitive data including passwords with the same master password. Pretty rare to be looking for more than one set of details at a time. Works well for me.
When a lightning surge took out my PC several weeks ago I decided to jump over to an iMac (and I’m very happy with that decision). Being a user of Roboform and ewallet on the PC, I needed similar apps for the Mac. After looking around I decided on 1Password. It was able to import both my eWallet and Roboform data. It also was able to export all this information into iPhone as Safari bookmarks (encrypted and secure). Soon they will be releasing an iPhone native app.
It’s a great solution for Mac OS X users. A great purchase.
You may take a look at ManageEngine Password Manager Pro. It is an Enterprise Password Management solution and offers clear segregation between enterprise passwords and personal passwords.
Enterprise passwords can be shared by the owners with others. Personal passwords remain purely personal – the way you want.
The product offers free edition too. For more info: http://www.passwordmanagerpro.com
Bala
For the workplace, Passpro is a handy solution. If employees forget their password, they just reset it themselves securely. No need for a helpdesk call that might cost $35 to $70 to reset the password. Check it out at
http://www.boonbox.net/passpro.htm
There’s also a great post on how pattern recognition might be the key to secure and easy-to-remember passwords at
http://www.pcis.com/web/vvblog.nsf/dx/would-you-give-me-your-password-for-a-candy?opendocument&comments#anc1
I travel a lot and often worry both about password security on my work/personal PC and when using public PCs. Want to be able to securely share passwords across my machines as well as have a way to log in on public machines without running the risk of keyloggers and other potential problems. Recently found out about a service that combines the strength and control of local encryption – so the service doesn’t have access to my passwords – using a hash – and the ease of use of a web-based application – Lastpass.com. I think they are in beta but early comments I’ve read have been positive – so I think they may be onto something at lastpass, anyone else heard of them/used them – http://www.lastpass.com
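The split this commenter describes, with encryption done locally and the service only ever seeing a hash, as an added example in Python that is not LastPass’s code and assumes nothing about its real parameters or formats: the client derives a vault key and a separate login key from the master password, uploads the vault encrypted under the vault key, and authenticates with the login key only; the service stores a salted hash of that login key plus an opaque blob it cannot decrypt, so a compromise of the service yields neither passwords nor the vault key. The encrypt-then-MAC construction built from HMAC-SHA256 is a standard-library stand-in for a real AEAD such as AES-GCM; the e-mail address, master password, iteration count and vault entries are constructed sample data.

```python
import hashlib
import hmac
import json
import secrets

ITERATIONS = 100_000  # assumption: PBKDF2 work factor for the example, not a vendor's setting


def client_keys(email, master_password):
    """Derive two keys on the client. Only auth_key ever leaves the machine."""
    vault_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                                    email.lower().encode(), ITERATIONS, dklen=32)
    # One extra one-way step separates the login credential from the encryption
    # key: the service can check auth_key but cannot walk back to vault_key.
    auth_key = hashlib.sha256(b"auth-key:" + vault_key).digest()
    return vault_key, auth_key


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode as a PRF keystream (stand-in for a real cipher)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _subkeys(vault_key):
    """Independent encryption and MAC keys derived from the vault key."""
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def encrypt_vault(vault_key, entries):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(vault_key)
    plaintext = json.dumps(entries, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def vault_authentic(vault_key, blob):
    """Constant-time check of the tag over nonce and ciphertext."""
    _, mac_key = _subkeys(vault_key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def decrypt_vault(vault_key, blob):
    """Verify before decrypting; any modification of the blob raises."""
    if not vault_authentic(vault_key, blob):
        raise ValueError("vault blob failed authentication")
    enc_key, _ = _subkeys(vault_key)
    nonce, ciphertext = blob[:16], blob[16:-32]
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, stream)).decode())


class Service:
    """Server side: a salted hash of auth_key and an opaque blob, nothing else."""

    def __init__(self):
        self.accounts = {}

    def register(self, email, auth_key, blob):
        salt = secrets.token_bytes(16)
        self.accounts[email] = {
            "salt": salt,
            "auth_hash": hashlib.pbkdf2_hmac("sha256", auth_key, salt, ITERATIONS),
            "blob": blob,
        }

    def login(self, email, auth_key):
        """Return the stored blob on a correct auth_key, otherwise None."""
        acct = self.accounts.get(email)
        if acct is None:
            return None
        check = hashlib.pbkdf2_hmac("sha256", auth_key, acct["salt"], ITERATIONS)
        if not hmac.compare_digest(check, acct["auth_hash"]):
            return None
        return acct["blob"]


def round_trip(email, master_password, entries):
    """Register from one machine, then fetch and decrypt from a 'second' one."""
    service = Service()
    vault_key, auth_key = client_keys(email, master_password)
    service.register(email, auth_key, encrypt_vault(vault_key, entries))
    # On the other machine only the master password is typed; both keys are re-derived.
    vault_key2, auth_key2 = client_keys(email, master_password)
    return decrypt_vault(vault_key2, service.login(email, auth_key2))


if __name__ == "__main__":
    sample = {"example.com": {"user": "steve", "password": "hunter2"}}  # constructed
    print(round_trip("steve@example.com", "correct horse battery staple", sample))
```

Note what this design does and does not protect against: the service learns nothing usable from its database, but it does nothing for the public-PC case the commenter also raises, since the master password is still typed into, and the vault decrypted on, whatever machine is in front of you.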