
A little while ago, a friend sent me a link to Sean P. Aune’s list of 16 of the Best Password Management Tools for Firefox 3 on Mashable, and it made me realize that I really needed a better password management system. Like most things, once you start looking, you find a whole world of ideas, issues and opinions that you had never thought about before.

I’ve always had lots of accounts. Why? I like to try new things on the web, and I like to use amasur as my public persona wherever possible. So I have about 200 accounts at various places, and I’m creating new ones all the time. I also try to keep work and personal things separate–nothing work-related on my home PC and nothing personal on my work PC–but web accounts need to be accessed from both. Obviously, this is way too many to keep straight in my head, so I had to find an electronic solution.

My first solution was to keep a list of all my passwords in a notepad file, which is about the most unsecure (or is it insecure?) thing you can do. But after about two days, it got too big to actually find anything. Then, I tried the IE and Firefox features to manage passwords, but they don’t sync across browsers, let alone PCs. So, I decided to just use an Excel file that I kept on a USB drive. It was practical, and a little better on the security side, because the file was password protected. For a long while, I carried my trusty little file around on my USB drive, and it was a decent solution.

Like most people, with so many accounts, I found myself using the same (or very similar) passwords for many sites, and I was bad about changing them frequently. Then, I saw an article (can’t find the specific URL, but there are several stories out there) about identity thieves that buy computers from bankrupt companies, and that the security at those companies can be very loose–passwords and account information not always encrypted. Hmmm…since I create new accounts at the rate of several a week, and many of the sites I check out aren’t around a year later, I should change the way I manage passwords, right?

Where to start? What should you look for in a password manager? Here’s my list of password best practices:

  1. You SHOULD have a unique password for every site.
  2. You SHOULD have to remember only a single master password (or a few at most), and it (they) should be very secure.
  3. You SHOULD NOT store your passwords on a server or a website.
  4. You SHOULD be able to synchronize your passwords for use at multiple computers.
  5. You SHOULD have a way to get your passwords when you are using a public or friend’s computer.
  6. You SHOULD NOT create passwords that people who know you would guess.
  7. You SHOULD NOT answer “security questions” honestly. See Wired’s story on hacking Sarah Palin’s email account. If she had chosen to tell Yahoo! that she met her husband “at the summit of Mt. Everest,” she could have saved herself a bunch of headaches.

Now, back to that list on Mashable. Which one to use? It’s a tough call, and the criteria are often at odds with each other. For example, if you want to have a unique password for every site, you won’t be able to remember them all. So if you want to use them across multiple computers, they have to be stored somewhere that all your computers have access to, right? Well, storing them centrally does make it possible for a really seamless user experience across multiple computers, but it also forces you to put a lot of trust in whoever wrote the tool to keep your passwords safe. I’m not that trusting, and you shouldn’t be either.

With most of the tools on Mashable’s list eliminated, I found that some tools don’t actually store your passwords anywhere, and decided this is the way to go. These tools rely on hash algorithms to recreate your password each time you need to log in to a particular site. Basically, they take a master password that you create (and only you know), and combine it mathematically with information about the site you are creating an account for (usually the domain name) to come up with a unique password for that site on the fly. Here’s a picture to explain how this works:

[Image: passwordhash]
This way, your passwords are not actually stored anywhere, and you only need to remember one master password that you keep “super secret”. Aside from the obvious advantage of not having to worry about your password file getting into the wrong hands, the other benefit is that it’s a snap to keep multiple computers synchronized, because there’s nothing to really synchronize. You simply use the same hash algorithm and same master password on each computer, and you’re done. The theory is that even if you told someone what site you were logging in to, and what hash algorithm you were using (there are many), they wouldn’t be able to determine your password unless you gave them your “super secret” master password.
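As an added example (my own code, not PasswordMaker’s algorithm and not from the original post), here is the idea in a few lines of Python: the master password and the normalized domain name go through a password-based key derivation function, and the output bytes are mapped onto a fixed alphabet, so the same master password and site always yield the same password on any computer with nothing stored. The function names, alphabet and iteration count are my own choices; the slow KDF is there so that someone who learns one site password still faces an expensive guessing job against the master password.

```python
import hashlib

# 64 characters, so "byte & 63" maps each KDF byte to one symbol with no bias.
ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789!@"
)
assert len(ALPHABET) == 64


def normalize_site(domain: str) -> str:
    """Make 'www.Example.com' and 'example.com' derive the same password."""
    site = domain.strip().lower()
    if site.startswith("www."):
        site = site[4:]
    return site


def site_password(master: str, domain: str, length: int = 16,
                  iterations: int = 100_000) -> str:
    """Derive a per-site password from the master password and the site.

    Nothing is stored: the same (master, domain) pair always produces the
    same password, and a different domain produces an unrelated one.
    The iteration count is an assumed value; it slows offline guessing of
    the master password by anyone who has captured one site password.
    """
    site = normalize_site(domain)
    key = hashlib.pbkdf2_hmac(
        "sha256", master.encode("utf-8"), site.encode("utf-8"),
        iterations, dklen=length,
    )
    return "".join(ALPHABET[b & 63] for b in key)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    master = "correct horse battery staple"
    for site in ("example.com", "www.Example.com", "mashable.com"):
        print(f"{site:20} -> {site_password(master, site)}")
```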

There were a couple on the Mashable list that worked this way, but the one I ultimately chose is PasswordMaker (www.passwordmaker.org). This post is getting long, so I’ll dive into more detail about Password Maker later. Besides, the details of doing this are only for truly paranoid nerds. If you’re looking for something your grandparents can use, stick with what IE and Firefox do “out of the box.” It’s simple, and it works pretty well.

Let me know what works for you,

-Adam