Six Clicks: How do you keep track of all your passwords?

  • Worst: Your own internal memory

    Passwords are the great curse of the modern Internet user. The more you use the Internet, the more you rely on passwords, and the harder it gets to use them properly.

    To use passwords properly you need to make them complex, not reuse them on different sites and change them periodically. Not many people really follow through on all this, but some password management methods make it easier than others.

    The first one, the one everyone uses at first, is to remember them. This has the benefit of simplicity, but it's not really sustainable. If you have 50 different sites with passwords, can you really remember 50 different complex passwords?

    So people come up with tricks to remember them. One is to use one password and attach a site-specific prefix or suffix, e.g. fl00rb0ard.FB and fl00rb0ard.Twitter. This helps a little, but if one of your passwords is compromised, all of them are.

    There are more complex ciphers that some people use to make the specific password less obvious, but the more you obscure the result the more you give yourself to remember.

    The image nearby, a well-known XKCD cartoon, illustrates some of the issues with password ciphers, but the cartoonist misses one point: It's just one password. What about the other 49?

    And if you need a strong and unique password, you can generate one at correcthorsebatterystaple.net.
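    As an added example (not part of the article), here is a small Python vault audit that finds passwords built on the fl00rb0ard.FB / fl00rb0ard.Twitter pattern described above and reports which other sites need a new password once one of them leaks. The vault contents are constructed for the example.

```python
from collections import defaultdict
from difflib import SequenceMatcher
from functools import reduce

# Constructed sample vault (site -> password), not real credentials. The first
# three follow the fl00rb0ard.FB / fl00rb0ard.Twitter scheme described above.
VAULT = {
    "facebook.com": "fl00rb0ard.FB",
    "twitter.com": "fl00rb0ard.Twitter",
    "bank.example": "fl00rb0ardBank",
    "mail.example": "Tr0ub4dor&3",
    "forum.example": "correct horse battery staple",
}

def shared_stem(p1, p2):
    """Longest substring common to both passwords, compared case-insensitively."""
    a, b = p1.lower(), p2.lower()
    m = SequenceMatcher(None, a, b).find_longest_match(0, len(a), 0, len(b))
    return a[m.a:m.a + m.size]

def find_derived_groups(vault, min_stem=8):
    """Return [(stem, [sites])] for sites whose passwords share a stem of at
    least min_stem characters and are therefore almost certainly derived from
    one base password. Links are transitive (a small union-find)."""
    items = sorted(vault.items())
    parent = {site: site for site, _ in items}

    def find(site):
        while parent[site] != site:
            site = parent[site]
        return site

    for i, (s1, p1) in enumerate(items):
        for s2, p2 in items[i + 1:]:
            if len(shared_stem(p1, p2)) >= min_stem:
                parent[find(s1)] = find(s2)

    groups = defaultdict(list)
    for site, _ in items:
        groups[find(site)].append(site)
    return [(reduce(shared_stem, [vault[s] for s in sites]), sites)
            for sites in groups.values() if len(sites) > 1]

def blast_radius(vault, leaked_site, min_stem=8):
    """Sites whose password must also be rotated if leaked_site's password leaks."""
    for _, sites in find_derived_groups(vault, min_stem):
        if leaked_site in sites:
            return [s for s in sites if s != leaked_site]
    return []
```

    Running find_derived_groups on the sample vault groups the three fl00rb0ard passwords under the stem "fl00rb0ard", while the two unrelated passwords are left alone.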


    Published: May 9, 2014 -- 12:00 GMT (05:00 PDT)

    Caption by: Larry Seltzer

  • Barely there: A piece of paper tacked up next to your desk

    This one depends on your physical surroundings. If you use your passwords from one private location, this could be a good solution for you.

    The fact is that the threats to most users' passwords are online threats, not physical threats. Another advantage of this technique is that normal people can relate to the risks more clearly than they can to the risks of using passwords online.

    On the other hand — obviously — anyone who can see your list can read it, take a picture of it, etc.

    Image courtesy Dan at TheDailyPrep.com

  • Old school: An encrypted document (Word, Excel, etc.)

    Many applications provide strong encryption support for their files, and storing passwords in one of those files can be a reasonable option. Microsoft Office has long had such support, but prior to Office 2007 the encryption was crackable with reasonable effort. With current versions, attackers have to resort to brute force, or at least know something about the password.

    There are also plenty of data formats with password support where the encryption is trivial to break; ZIP files are a good example. One way to research this is to look at the feature set of Passware, a suite of professional password-cracking tools. (Note that Passware can recover or remove passwords from encrypted Office documents instantly if run on a system with the document open.)

    There are also some dedicated offline programs with local, secure password storage. One good example is Bruce Schneier's Password Safe.

    Combined with cloud storage, like Dropbox, you can make your document-stored passwords accessible anywhere. You also have the option of storing the passwords on a USB drive, potentially a hardware-encrypted one.

    You have one password to access the password store itself. You really want to be careful about this password. It should be strong and you should use it nowhere else. On the other hand, you may need to enter it a lot, so consider all your devices and whether the password will, for instance, be unbearable on an iPhone.

    Passwords in image courtesy Random.org Random Password Generator.

  • Could be a lot worse: Secure web site

    There are many services which provide secure storage online, and many of these provide specific support for passwords. They are not complete password managers because they don't fill fields; you have to copy the password and paste it into whatever program it is used for. Most will have a built-in strong password generator. Typically, password managers include these capabilities as well.

    Examples include Masterlock Vault, which has a free version and a series of paid services. SecureSafe has a free version and iOS and Android apps. KeePass lets you drag passwords from it to other programs. Clipperz is open source and only accepts Bitcoin for payment.

    You have one password to access the password store on the site. You really want to be careful about this password. It should be strong and you should use it nowhere else. On the other hand, you may need to enter it a lot, so consider all your devices and whether the password will, for instance, be unbearable on an iPhone.

    We didn't find any that supported two-factor authentication, but it's a possibility with such services.

  • Good, but limited: Saved by the browser

    Since remembering passwords is a pain, browsers have offered to remember them, and other form fields, for many years.

    In HTML this is called autocomplete. A site used to be able to disable the feature by setting autocomplete="off" on the field, but for passwords this isn't really an option anymore. Johannes Ullrich of the SANS Technology Institute reports that Chrome and Safari no longer honor the setting for password fields, and Microsoft has documented that Internet Explorer no longer supports it for passwords as of IE 11.

    There was a time when this was a sloppy feature and, in fact, a good way to lose your password, because you had no way to view it in the browser. Browser password storage has come a long way in the last few years. It's not as sophisticated as a good password manager and it's limited to use in the browser itself, but all the major browsers now let you gate access to the password store behind a separate login: your Microsoft account, your Google account or your Mozilla master password. All of them sync the usernames and passwords to all your devices and at least attempt to keep that data strongly encrypted.

    They're not full password managers but, within their own domains, they are most of the way there.

    One other thing to think about with respect to browsers is that they are among the most-attacked programs. Talented researchers the world over put considerable effort into taking control of web browsers. An attack that gains "remote code execution" capability within the browser may have access to your usernames and passwords. A separate password manager is a much more difficult target for an attacker.

  • State of the art: Password manager

    The gold standard for password management is a password manager built for the purpose. They have many of the features of the other techniques discussed here: for instance, they provide secure cloud storage of your passwords and they can auto-generate passwords. But they go further, filling in the passwords where possible and automating the login. They detect changes to logins for the site you're on, and they offer to create or save the login for new sites.

    The best ones have the widest device support, plus support for USB storage, two-factor authentication and other features that let a user be as careful (or paranoid) as they want to be.

    Some platforms create problems for these programs. Apple iOS is the most famous, but other mobile platforms and Windows 8.x Modern UI programs are also an issue. The password manager has to be able to plug into the application in order to fill username and password fields and, for legitimate security reasons, these mobile platforms don't allow it. (LastPass recently figured out a hack to get these techniques to work, usually, on Android.)

    Apple began adding password management and syncing via iCloud Keychain in recent versions of iOS and OS X. It has almost all the key features of the major password managers, but its use is limited to the Apple ecosystem. iOS and Mac developers can build support for it into their programs.

    You have one password to access the password store on the site. You really want to be careful about this password. It should be strong and you should use it nowhere else. On the other hand, you may need to enter it a lot, so consider all your devices and whether the password will, for instance, be unbearable on an iPhone.

    There are many good products in this category. Here are some of the better-known ones:

    • LastPass
    • RoboForm
    • 1Password
    • Norton IdentitySafe
    • Dashlane
    • PasswordBox


By Larry Seltzer for Zero Day | May 9, 2014 -- 12:00 GMT (05:00 PDT) | Topic: Security

If you have just one password for everything it's easy to remember, but we all know that isn't safe. So how do you keep track of a large number of them - and not have to worry about it?
