Password Managers

By Wayne Maruna

 

An article in the November 2011 issue of The Atlantic Magazine by James Fallows detailed the travails that befell him and his wife when his wife’s Gmail account got ‘hacked’.  It’s a long article but a worthy read.  Here is the link: http://www.theatlantic.com/magazine/archive/2011/11/hacked/8673/

A staff member at Google, which provides the Gmail service, indicates that hacking attempts number in ‘probably the low thousands’. That’s per day, folks! The problem is not specific to Gmail. The same problem exists with Yahoo, Hotmail, or any ISP-specific email account.  Hackers are equal opportunity employers of malicious activity.  They go after easy passwords thousands of times per day.  It’s a criminal business.

The Atlantic article makes plain that every password you use should be unique.  Why?  Because not all websites are equally secure.  If a miscreant can steal your password from a less secure site, and you use that same password for your banking, you are exposed despite the fact that your bank’s website is more secure. The author says that if you use the same password for two places, it should no longer be considered secure.

Password taboos include using personal info like birthdates, anniversaries, grandchildren’s names, or any bit of data that might be available from public records.  Any dictionary word should be avoided, because hacking software works through lengthy lists of such words in an attempt to break in quickly and easily.  The same holds true for common misspellings, words spelled backwards, or common number sequences (e.g. 12345678, 12121212). Even foreign dictionary words should be avoided.  Consider that much criminal hacking emanates from Eastern European countries where English is a foreign language.

Best practice is to use a different password for every website or need, to use at least 8 characters, and to employ a mix of numbers and letters while mixing upper and lower case letters.  If the website allows, ideally you would include punctuation and symbols. This sounds very wise, but just how practical is it?  No one wants to try to remember a long list of nonsensical passwords.

The New Bern Computer User Group dedicated its April 2012 meeting to the subject of Password Manager Programs.  These are applications that can generate unique passwords and store them for you in an encrypted fashion.  Best of all, they make it easy for you to access those passwords for use when you need them.  Five group members presented demonstrations using their favorite password manager program. The five programs were KeePass, PasswordSafe, LastPass, Roboform, and Ascendo DataVault.  The first three listed programs are free.  Roboform and Ascendo are paid programs.
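The password taboos and best-practice rules listed above, together with the kind of random generation a password manager performs, can be written as a short checker.  This is an added example, not code from the article or from any of the programs named; the word list, the personal details and the function names are constructed for illustration.

```python
import secrets
import string

# Constructed sample data: a real checker would load full dictionaries
# (foreign ones included) and the user's own personal details.
DICTIONARY = {"password", "dragon", "sunshine", "monkey", "passwort"}
PERSONAL = {"ashley", "0614"}  # hypothetical grandchild's name and birthdate


def is_sequence(pw):
    """True for repeated units (12121212) or straight runs (12345678)."""
    for unit in (1, 2, 3):
        if len(pw) > unit and pw == (pw[:unit] * len(pw))[:len(pw)]:
            return True
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return len(pw) > 1 and steps in ({1}, {-1})


def problems(pw, used_elsewhere=()):
    """Return the rules from the article that this password breaks."""
    found = []
    low = pw.lower()
    # Drop digits and symbols tacked onto either end of a word.
    core = low.strip(string.digits + string.punctuation)
    if pw in used_elsewhere:
        found.append("reused")
    if len(pw) < 8:
        found.append("short")
    if core in DICTIONARY or core[::-1] in DICTIONARY:  # also backwards
        found.append("dictionary")
    if any(item in low for item in PERSONAL):
        found.append("personal")
    if is_sequence(low):
        found.append("sequence")
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits)
    if not all(any(c in cls for c in pw) for cls in classes):
        found.append("mix")
    return found


def generate(length=16, symbols=True, used_elsewhere=()):
    """Draw random passwords, as a manager would, until one breaks no rule."""
    alphabet = string.ascii_letters + string.digits
    if symbols:  # only if the website allows punctuation
        alphabet += string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not problems(pw, used_elsewhere):
            return pw
```

The generator draws from Python's `secrets` module rather than `random`, because passwords need an unpredictable source of randomness.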

 

You can check out each program by going to its respective website:

http://passwordsafe.sourceforge.net/
http://keepass.info/
https://lastpass.com/
http://www.roboform.com/
http://www.ascendo-inc.com/DataVault.html

I presented on Roboform, which I have been using for many years. Despite the fact that there is a cost associated with it, I find it so easy to use that I would not think of switching unless I could find an identical product.  I first wrote about Roboform for the Tribune back in July of 2006 (http://pages.suddenlink.net/wamaruna/passwords.html).  Since then the product has continued to improve.  There are multiple versions of it, but my favorite is Roboform Everywhere.  For an annual fee of $20 (the first year is discounted to $10), you have access to your stored passwords on every computer you own. The passwords are stored in bank-level encrypted form on Roboform’s website.  Conversion to usable form takes place only on your computer, so the threat of having passwords stolen off the Roboform site is minimal.  Any additions or changes you make on any one machine are reflected in your password file stored ‘in the cloud’ as the saying goes, and then get pushed down to your other computers automagically.  Usage could not be simpler.  As an example, to log into one of my credit card sites, I go to the credit card website and Roboform automatically displays, within a web browser toolbar, a button I can press to automatically enter the appropriate user ID and password with one click.  I can choose to further protect myself by requiring the use of a master password to open the Roboform password file.  I can do this for all my passwords or only for select passwords.

With Roboform, I have stored over 200 unique passwords which I do not have to keep track of.  It’s kind of like having Dustin Hoffman’s savant character in Rain Man sitting right next to you.  “It’s ‘5$Jf)9weF’.  The password is definitely ‘5$Jf)9weF’.  Time for Jeopardy.”  OK, thanks Raymond.

Roboform has a free trial version which only allows for ten passwords, but that’s enough to get a taste of the product.  Their website has great training tools including how-to videos to help you learn to use the program. Give it a try, or check out one of the other programs, and avoid getting your password(s) hacked.  You’ll be glad you did.

You can download a copy of the PowerPoint presentation I used at the meeting by going to: http://pages.suddenlink.net/wamaruna/ . Find the entry for Password Manager Programs, right-click it, choose “Save Target As” and download it to your desktop.  You will need Microsoft PowerPoint, PowerPoint Viewer, or OpenOffice Impress to open and view the file.