GCN LAB REVIEW

Password apps vs. Post-it notes: Showdown in the lab

What works best?

Face it. It's difficult, if not impossible, for you to keep track of all your passwords. You probably have to change the passwords you use to access your work computer every three months, or even more often. Add to that your personal computer and all the various Web sites through which you conduct transactions and business, and it's easy to accumulate dozens of different passwords.

The experts tell you to make them hard to guess, with a mix of upper-case and lower-case letters, numerals and symbols. Make them long, don't use any words that someone who knows you could guess, such as the name of a pet or your spouse, use a different one for each log-in and never, ever write them down.

What? So how are you supposed to remember what your lengthy, random, impossible-to-guess passwords are, let alone which one goes with which system or site?

Security has started to fail us because its job is twofold. It has to keep out people who aren’t authorized. But it also has to let in those who are. The most secure building in the world would be one without any doors or windows. But it would be pretty hard to go to work there. And that’s what managing multiple secure passwords feels like these days.

To compensate, people have begun using weak passwords, as was evident in the GCN article about ten bad passwords people use. Or, people use one password for multiple sites, which is bad because if one gets compromised, they all could fall.




But there is help available. Password management tools, a couple of which our readers mentioned when we asked for password tips, can help keep track of it all. What they all basically do is let you create one very strong password. Then you log into them and they handle everything else for you, logging into all your other systems as needed and perhaps even generating random passwords on your behalf. We took a look at several of these.

KeePass is a free, open-source program for password management. It was created by people who had the very same problem that many over-authenticated feds experience: too many passwords for one person to realistically remember.

We downloaded a copy of KeePass in the lab and put it through its paces. We were impressed with its ease of use and also the security functionality. For security, it supports the use of physical keys. Instead of a master password, you can create a master key from a USB drive, or even a burnable CD. That key would be required to log into a system, whereupon the program would log you into other places and programs as needed. If you use that method, you can set the master key to change fairly often, which would make guessing it even more difficult.

It uses the 32-bit SHA-256 as the password hash, and all fields are encrypted, not just the password field. We don’t know of any programs that can break an SHA-256 hash at this time -- or we should say, in any amount of time. It would probably take several supercomputers thousands of years to brute-force it.

We were very surprised to find a free, open-source tool for password management, and were very pleased with how KeePass worked in terms of performance and ease-of-use. We would highly recommend it.

RoboForm is a password manager and auto-form filler rolled up into one easy-to-use program. You can download a free trial of the software, or purchase it for $30. If you want it to run on a key drive, you have to buy a special RoboForm2Go license, which costs an additional $20.

The RoboForm program works like most password management tools in that you create a single password and then use the program to handle everything else. Everything is encrypted and you can have the program randomly generate passwords for you for every site you have access to. So you don’t even have to know what your password actually is, other than the main one.

RoboForm also adds in-form completing. You can put all your personal information into the program, and use it to complete forms for you online. One major advantage to this is that if you use the RoboForm program, you won’t be in any danger of keyloggers. Data will be coming from the program, not typed out, so keyloggers won’t be able to capture any data.

RoboForm works great and is especially helpful if you fill out a lot of forms online. It’s a bit expensive, but you do get tech support if something goes wrong, which most freeware programs won’t offer.

For those of you using Macs, 1Password is a program to give you the security offered by many of the PC password managers. It requires Mac OS X 10.5.8 (Leopard) or Mac OS X 10.6 (Snow Leopard). However, mobile versions are available that work with the iPhone OS and the Palm OS. You can try it for free, or buy a copy for $40.

It works very much like the PC-based programs, encrypting all your passwords and making it so you only have to memorize a single one. We really liked the clean interface of 1Password, which of course is designed to look like and act like most Mac programs.

If you use a Mac as your primary means of accessing a network or series of sites, 1Password should keep you safe.

LastPass is a password manager that is particularly well-attuned to Web browsing. It sits on your main PC and lets you automatically generate passwords for all the Web sites you visit.

This is really the program to have if you do any amount of online shopping, or just visit outside sites that require passwords. You can configure how you would like your passwords to look quite easily with check boxes, selecting “Require Every Character Type” for a really strong password or “Avoid Ambiguous Characters” if you don’t want percent symbols and stuff like that in there, say, if the Web site does not allow them.
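To show what generator options like these do to a password, here is an added example (not LastPass code and not from the original review) of a generator with a "require every character type" switch and an "avoid ambiguous characters" switch, plus the entropy cost of shrinking the alphabet. The `AMBIGUOUS` set, the `exclude` parameter and all function names are assumptions made for illustration.

```python
import math
import secrets
import string

# Assumed look-alike set; the review does not list which characters the option drops.
AMBIGUOUS = set("Il1O0o|`'\"")

def build_classes(avoid_ambiguous=False, exclude=""):
    """Return the four character classes after removing unwanted characters."""
    drop = set(exclude) | (AMBIGUOUS if avoid_ambiguous else set())
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    return ["".join(c for c in cls if c not in drop) for cls in classes]

def generate(length=16, require_every_type=True, avoid_ambiguous=False, exclude=""):
    """Generate a password from the OS CSPRNG under the chosen policy."""
    classes = [c for c in build_classes(avoid_ambiguous, exclude) if c]
    if require_every_type and length < len(classes):
        raise ValueError("length too short to include every character type")
    alphabet = "".join(classes)
    while True:
        # Rejection sampling: draw uniformly, retry until the policy is met.
        # This avoids the bias of forcing one class into a fixed position.
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not require_every_type or all(
                any(ch in cls for ch in pw) for cls in classes):
            return pw

def entropy_bits(length, avoid_ambiguous=False, exclude=""):
    """Upper bound on entropy: length * log2(alphabet size)."""
    size = sum(len(c) for c in build_classes(avoid_ambiguous, exclude))
    return length * math.log2(size)

if __name__ == "__main__":
    # Constructed scenario: a site that rejects '%' in passwords.
    print(generate(20, avoid_ambiguous=True, exclude="%"))
    print(round(entropy_bits(20, avoid_ambiguous=True, exclude="%"), 1))
```

Each removed character costs a little entropy per position, which a longer password recovers.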

When you visit a site that has been logged into LastPass, you will be automatically logged in as yourself without having to really do much of anything. And you can easily change your passwords as much as you like or need to.

You can also put secure notes into LastPass, for things such as physical security. So you could tell it where you hid a key, or the combination to a door, and it will keep it safe.

There is a free version of the software that works well and provides basic functionality. Or you can buy the Premium version, which costs the very reasonable sum of $1 per month, billed annually. With Premium, you can make LastPass work with your Android, BlackBerry, Windows Mobile or iPhone.

Post-it notes are not really an electronic password management tool, but many people use them as one. I actually don’t discourage fellow labbies from using this method to keep track of passwords. Pen and paper can work, and actually be more secure than anything else, in some circumstances.

Given that hackers won’t be breaking into your office to rifle for your password, except in a remake of the “Sneakers” movie, a piece of paper is pretty secure. No program of any type is going to let a hacker in China read a piece of paper locked in your desk drawer.

I still wouldn’t frame a password on your wall or anything, but writing it down and putting it in a secure location, or simply hiding it in plain sight on a sheet with other seemingly non-essential notes, works for the most part. I know it’s against policy for most people to do that, but, ironically, this may be the most secure method of keeping passwords safe while making sure you can still use them when needed.

Reader Comments

Wed, Feb 9, 2011 Lisa

RoboForm is definitely top of the line here. It isn't an extra 20$ with Roboform to go on the USB (Siber has a discount). RoboForm also works with Mac now!!! Clearly the best.

Tue, Jun 8, 2010 Helen

I think you have missed the Sticky Password manager.

Mon, May 24, 2010 Concerned

I hope I read this right, did you really just suggest that people should write down their passwords? How did this article provide an alternative discussion, if you ended it with condoning the exact problem that these other tools solve? That would be like giving advice on how to get a job and ending it with how to rob a bank. Trust me, every info sec professional who read this rolled their eyes with that last suggestion. People don't need to "rifle through your office", especially if they are the cleaning staff, or if - what a shock - you don't have an office. Honestly, I can't believe you would even suggest this. You could have said "if all of these tools don't work, then the heck with it and keep doing what you are doing"... Wow.

Sun, May 23, 2010 RikkyTikky VA

I've been using Password Coral for several years. It's free, it works, it's simple.

Sun, May 23, 2010 Zar Los Angeles

These are some nice tools, but one more you should consider is Mitto (http://mitto.com), an online password manager. It's a lot less invasive than Last Pass, which reminded me of that annoying paperclip in Microsoft Office.
