Six Clicks: How do you keep track of all your passwords?

If you have just one password for everything it's easy to remember, but we all know that isn't safe. So how do you keep track of a large number of them - and not have to worry about it?
Topic: Security
1 of 6 Larry Seltzer/ZDNet

Worst: Your own internal memory

Passwords are the great curse of the modern Internet user. The more you use the Internet, the more you rely on passwords, and the harder it gets to use them properly.

To use passwords properly you need to make them complex, not reuse them on different sites and change them periodically. Not many people really follow through on all this, but some password management methods make it easier than others.

The first one, the one everyone uses at first, is to remember them. This has the benefit of simplicity, but it's not really sustainable. If you have 50 different sites with passwords, can you really remember 50 different complex passwords?

So people come up with tricks to remember them. One is to use one password and attach a site-specific prefix or suffix, e.g. fl00rb0ard.FB and fl00rb0ard.Twitter. This helps a little, but if one of your passwords is compromised, all of them are.

There are more complex ciphers that some people use to make the specific password less obvious, but the more you obscure the result the more you give yourself to remember.

The image nearby, a well-known XKCD cartoon, illustrates some of the issues with password ciphers, but the cartoonist misses one point: It's just one password. What about the other 49?

And if you need a strong and unique password, you can generate one at correcthorsebatterystaple.net.
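The two points above, that a shared stem with a site suffix gives every site effectively the same secret while a randomly generated password or passphrase gives each site an independent one, can be made concrete with a small generator. This is an added example, not code from the article or from correcthorsebatterystaple.net; the word list is a constructed stand-in for a real list of several thousand words, and the entropy figures come from the size of the pool and the number of picks.

```python
import math
import secrets
import string

# Constructed stand-in word list. A real passphrase generator loads a list of
# a few thousand words; the pool size is what drives the entropy figure.
WORDS = [
    "correct", "horse", "battery", "staple", "floor", "board", "river",
    "candle", "orbit", "pencil", "marble", "thunder", "velvet", "cactus",
    "lantern", "saddle",
]

# Printable ASCII minus whitespace: 94 symbols.
CHARSET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(pool_size: int, picks: int) -> float:
    """Entropy of `picks` independent, uniform choices from `pool_size` symbols."""
    return picks * math.log2(pool_size)


def passphrase(words=WORDS, count: int = 4, sep: str = " ") -> str:
    """XKCD-style passphrase: `count` words drawn with the CSPRNG in `secrets`."""
    return sep.join(secrets.choice(words) for _ in range(count))


def random_password(length: int = 16, alphabet: str = CHARSET) -> str:
    """Random character password; never use random.choice for this."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def stem_plus_suffix(stem: str, site: str) -> str:
    """The scheme the article warns about: one stem, a site-specific suffix."""
    return f"{stem}.{site}"


def per_site_passwords(sites, length: int = 16) -> dict:
    """One independent random password per site, so a breach at one site
    reveals nothing about the others."""
    return {site: random_password(length) for site in sites}


def secret_bits_after_breach(scheme: str, pool_size: int, picks: int) -> float:
    """Bits an attacker still has to guess for a *second* site once one site's
    password has leaked. For the stem+suffix scheme the stem is now known and
    the suffix is the site name, so nothing secret remains; for independent
    random passwords the full entropy remains."""
    if scheme == "stem+suffix":
        return 0.0
    if scheme == "independent":
        return entropy_bits(pool_size, picks)
    raise ValueError(f"unknown scheme {scheme!r}")


if __name__ == "__main__":
    sites = ["FB", "Twitter", "bank"]
    print("weak scheme :", [stem_plus_suffix("fl00rb0ard", s) for s in sites])
    print("independent :", per_site_passwords(sites))
    print("passphrase  :", passphrase())
    print(f"4 words from {len(WORDS)}: {entropy_bits(len(WORDS), 4):.1f} bits")
    print(f"4 words from 7776      : {entropy_bits(7776, 4):.1f} bits")
    print(f"16 chars from {len(CHARSET)}     : {entropy_bits(len(CHARSET), 16):.1f} bits")
```

With the 16-word stand-in list a four-word passphrase is only 16 bits, which is the reason real generators use lists in the thousands of words: four words from a 7776-word list give about 51.7 bits, comparable to a random 8-character password from the full printable set.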


Barely there: A piece of paper tacked up next to your desk

This one depends on your physical surroundings. If you use your passwords from one private location, this could be a good solution for you.

The fact is that the threats to most users' passwords are online threats, not physical threats. Another advantage of this technique is that normal people can relate to the risks more clearly than they can to the risks of using passwords online.

On the other hand — obviously — anyone who can see your list can read it, take a picture of it, etc.

Image courtesy Dan at TheDailyPrep.com


Old school: An encrypted document (Word, Excel, etc.)

Many applications provide strong encryption support for their files, and it may be a good option to store passwords in those files. Microsoft Office has long had such support, but prior to Office 2007 the encryption was crackable with reasonable effort. With current versions attackers have to use brute force or at least know something about the password.

There are also plenty of data formats with password support where the encryption is trivial to break. ZIP files are a good example. One way to research this is to look at the feature set for Passware, a set of professional password cracking tools. (Note that Passware can recover or remove passwords in encrypted Office documents instantly if run on a system with the document open.)

There are also some dedicated offline programs with local, secure password storage. One good example is Bruce Schneier's Password Safe.

Combined with cloud storage, like Dropbox, you can make your document-stored passwords accessible anywhere. You also have the option of storing the passwords on a USB drive, potentially a hardware-encrypted one.

You have one password to access the password store. You really want to be careful about this password. It should be strong and you should use it nowhere else. On the other hand, you may need to enter it a lot, so consider all your devices and whether the password will, for instance, be unbearable on an iPhone.
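What makes the "attackers have to use brute force" statement above hold for a locally stored password file is the key derivation that sits between the master password and the encryption key. The example below is an added illustration, not the file format of Password Safe or Microsoft Office: it derives a key with PBKDF2-HMAC-SHA256 from a master password and a random salt, keeps only a salt, an iteration count and a verifier on disk, checks a candidate password in constant time, and shows how the iteration count and the password's entropy together set the cost of guessing. The iteration count and the guess-rate arithmetic are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time

# Assumed work factor for the example; the point is that it is large and
# tunable, so each guess costs the attacker as much as it costs the user.
ITERATIONS = 600_000
VERIFY_LABEL = b"password-store-verifier"


def make_record(master_password: str, iterations: int = ITERATIONS) -> dict:
    """Derive a key from the master password and return only what a store
    would keep on disk: the random salt, the iteration count and a verifier.
    The derived key itself is never stored."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                              salt, iterations, dklen=32)
    # The verifier is an HMAC over a fixed label under the derived key, so a
    # candidate password can be checked without keeping the key around.
    verifier = hmac.new(key, VERIFY_LABEL, "sha256").digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def derive_key(record: dict, candidate: str) -> bytes:
    """Re-derive the key for a candidate password using the stored parameters."""
    return hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                               record["salt"], record["iterations"], dklen=32)


def check_master_password(record: dict, candidate: str) -> bool:
    """Constant-time comparison so the check leaks nothing through timing."""
    tag = hmac.new(derive_key(record, candidate), VERIFY_LABEL, "sha256").digest()
    return hmac.compare_digest(tag, record["verifier"])


def seconds_per_guess(record: dict) -> float:
    """Measure one failed guess on this machine; an attacker doing an offline
    brute-force attack pays roughly this much per candidate, per core."""
    t0 = time.perf_counter()
    check_master_password(record, "definitely not the password")
    return time.perf_counter() - t0


def expected_brute_force_seconds(entropy_bits: float, sec_per_guess: float) -> float:
    """On average an attacker finds the password after half the key space."""
    return (2 ** entropy_bits) / 2 * sec_per_guess


if __name__ == "__main__":
    record = make_record("correct horse battery staple")
    assert check_master_password(record, "correct horse battery staple")
    assert not check_master_password(record, "correct horse battery stapler")
    cost = seconds_per_guess(record)
    years = expected_brute_force_seconds(52, cost) / (365 * 24 * 3600)
    print(f"one guess: {cost:.3f}s; 52-bit password at that rate: {years:.0f} years on one core")
```

The two dials a store owner controls are visible in the arithmetic: a higher iteration count raises the per-guess cost for everyone, and a stronger master password raises the number of guesses; the weak-format warning above about ZIP files is the case where the first dial is effectively zero.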

Passwords in image courtesy Random.org Random Password Generator.


Could be a lot worse: Secure web site

There are many services which provide secure storage online, and many of these provide specific support for passwords. They are not complete password managers because they don't fill fields; you have to copy the password and paste it into whatever program it is used for. Most will have a built-in strong password generator. Typically, password managers include these capabilities as well.

Examples include Masterlock Vault, which has a free version and a series of paid services. SecureSafe has a free version and iOS and Android apps. KeePass lets you drag passwords from it to other programs. Clipperz is open source and only accepts Bitcoin for payment.


We didn't find any that supported two-factor authentication, but it's a possibility with such services.


Good, but limited: Saved by the browser

Since remembering passwords is a pain, browsers have offered to remember them, and other form fields, for many years.

In HTML this is called autocomplete. A site used to be able to disable this feature by putting autocomplete="off" on the field, but for passwords this isn't really an option anymore. Johannes Ullrich of the SANS Technology Institute reports that Chrome and Safari no longer honor the setting for passwords, and Microsoft has documented that Internet Explorer no longer supports it for passwords as of IE 11.

There was a time when this was a sloppy feature and, in fact, a good way to lose your password, because you had no way to view it in the browser. Browser password storage has come a long way in the last few years. It's not as sophisticated as a good password manager and it's limited to use in the browser itself. But all the major browsers now allow you to gate access to the password store through a separate login: your Microsoft account, your Google account or your Mozilla master password. All of them sync the usernames and passwords to all your devices and at least attempt to keep that data strongly encrypted.

They're not full password managers but, within their own domains, they are most of the way there.

One other thing to think about with respect to browsers is that they are among the most-attacked programs. Talented researchers the world over put considerable effort into taking control of web browsers. An attack that gains "remote code execution" capability within the browser may have access to your usernames and passwords. A separate password manager is a much more difficult target for an attacker.


State of the art: Password manager

The gold standard for password management is a password manager built for the purpose. They have many of the features of the other techniques discussed here: For instance they provide secure cloud storage of your passwords and they can auto-generate passwords. But they go further, filling in the passwords where possible and automating the login. They detect changes to logins for the site you're on and they offer to create or save the login for new sites.

The best ones have the widest device support, plus support for USB storage, two-factor authentication and other features that allow a user to be as careful (or paranoid) as they want to be.

Some platforms create problems for these programs. Apple iOS is the most famous, but other mobile platforms and Windows 8.x Modern UI programs are also an issue. The password manager has to be able to plug into the application in order to fill username and password fields and, for legitimate security reasons, these mobile platforms don't allow it. (LastPass recently figured out a hack to get these techniques to work, usually, on Android.)

Apple began adding password management, synced through iCloud Keychain, in recent versions of iOS and OS X. It has almost all the key features of the major password managers. Its use is limited to the Apple ecosystem. iOS and Mac developers can build support for it into their programs.


There are many good products in this category. Here are some of the better-known ones:
