2/24/06 Questions about storing and managing passwords

by Marc Bennett CNET staff/forum admin / February 23, 2006 4:05 AM PST
Question:

When logging in to a secure Web page, the browser will often have an option to save my password. Or the Web site will ask if I want to store my password. Are these the same? Where and how are these passwords saved? How secure is it to do this? Are the passwords stored in an encrypted format, and if so, can they be hacked? As a precaution, I never store passwords anywhere in electronic form. I don't trust password managers because there is no way to know what they are doing with the information. What is the safe way to manage passwords?

Submitted by: Gary H.

*******************************************************

Answer:


Well, Gary H., your question starts out simple, but goes quite a bit deeper into online security. Let's start with the difference between the browser's "remember my password" vs. a Web site's "keep me logged in" option.

Your browser actually saves your login name and password info, encrypted, on your hard drive, and fills the fields when you pull up that certain Web page again. However, how it saves it depends on the browser's actual implementation.

By contrast, the "remember my password" option on a website actually saves a special cookie (think of it as a marker) that's unique to you, so that when you come back to the website, it shows that you're user so-and-so and logs you in. That cookie likely will NOT actually contain any password info for anyone to unscramble, but rather is just something the website itself understands, but, again, it depends on actual implementation. It's probably similar to your local supermarket handing you a membership card. By loading that number, they know it was you using the card, since no one else has that number. The website's "remember my login" would probably work along similar lines.

Neither is technically "secure" since anyone who can physically access your computer (i.e. sit down at your table) can get into those websites, either way. Assuming your home is reasonably safe from intruders, that leaves external hack attempts.

The best defense against external hack attempts is a hardware firewall, and regular security updates for your operating system, probably WinXP.
Windows is already set up to warn you and/or to apply the updates automatically, so all that remains is a hardware firewall, esp. if you are on a broadband connection to the Internet. If the hackers can't reach your PC, they can't hack it. You can, of course, not connect the PC to the outside at all, but that would be rather drastic.

On the other hand, is there anything on those websites that you really need to protect from hackers? Or, if you are more worried about the stuff on your PC, why? Hacking individual people's PCs consumes time, with very little chance of payback for the hackers. Think of it this way... let's say they are after... Credit card numbers. How many credit cards is one likely to own? Maybe 2 or 5. Would their numbers be stored on the PC? If so where? It's impossible to say. It could be in Word documents, Excel spreadsheets, Quicken, MS Money... etc. Choices are endless, and searching through it all would be time consuming. Hackers would be far more likely to get lucky with Phishing or Pharming scams, most of that can be automated and takes almost no time at all on the part of the scammer. It's easier to ask you for the password than to dig it out of you (or your PC), so to speak.

As for trustworthiness of password managers... I personally use one. I have no qualms about using one. Your firewall should automatically block traffic from unauthorized programs, which is how you know which program is not doing what it's supposed to. However, it is quite difficult to "prove" security. In a way, it's like defending against terrorists. We have to be 100% effective, they just have to be 0.0001% effective...

If you are so worried, get a cheap PDA and put your passwords on those, and keep the PDA with you at all times. But then you have to worry about the PDA getting lost and all that...

The entire idea of security is balancing risk vs. convenience. Password managers increase convenience, but also increase risk by offering a central location to lose ALL of the passwords at once. Firewalls decrease the risk of external hacks, but also decrease convenience by requiring various config of port forwarding and such. It is all about trade-offs, and what is acceptable to me may not be acceptable to you. Ultimately, you will have to decide if the risk of using a password manager outweighs the convenience of having one and having it remember stuff for you.

Submitted by: Kasey C. of San Francisco, CA
Honorable mentions
by Marc Bennett CNET staff/forum admin / February 23, 2006 4:09 AM PST
Answer:

Gary:

Passwords and the way people use them are as different as the people themselves. Thus you will get varied answers. My usage of passwords is what I would consider to be fairly secure, others might not, so let me just put forth a few simple things to do to keep yourself as safe as possible.

The difference between saving your password and storing it is often confused by even web sites themselves. Saving your password is supposed to be basically a site cookie that is kept in your cookie(s) file, and every time that site asks for a password the cookie gives it, usually before you even see any popup appear.

Storing a password is where a web site actually saves your password in their site. I can remember a few older sites that did this, but most sites do not (or ones that I'm aware of). The sites that do this are usually secure, but like everything else, anything is only as secure as the person/people that maintain the site.

If by some chance you might be referring to storing something like a credit card number, then my recommendation is "Only if you feel for sure this site can be trusted". I have only two sites I allow to keep my credit card information (one being Amazon.com) and only after doing business with them for several years.

Password software is ok I guess, but like anything else there is no definitive answer. Yes most IS encrypted, but then again which program do you trust? Basically a program allows you to enter a site, when the login & password comes up, you enter it into your PW (password) program where it is encrypted and stored. When you come to the site from then on the program will do one of two things.
1. Automatically log you on.
2. Ask you for the program's password, which in turn will log you on.

I've tried them both and finally decided to just keep a "rolodex" near my PC with all the logon, email addresses, passwords, etc. I've found most PW programs lacking as I like to keep notes and use various email addresses depending upon how safe I feel the site is and/or how often I feel I may do business with them.

As you sound like you are security conscious, let me offer one more bit of advice (assuming you haven't thought of it already). I've used this little trick for years and haven't had any problems as of yet. Think about getting a credit card for use on the internet! I have one I use exclusively on the web with a limit of $300.00. This takes care of all the smaller transactions with sites I'm not sure of, or have never done business with before. Why? Well, I've found in the past, some sites tend to store your credit card info, just like they do other info like passwords and transactions.

The safest way to store passwords? Keep them off your computer or at least keep the program you store them in backed up.

Why do I keep mine on a Rolodex? I have over 125! I change the passwords about twice a year to about 3 or 4 months (depending on the site and how secure I feel it is) and it's much easier to shred a Rolodex card and jot down the new info rather than search through a database.

Submitted by: Hawk

***********************************************************************

Answer:


I quote:
"I don't trust password managers because there is no way to know what they are doing with the information."

That is true of closed-source software, such as Internet Explorer. I use open source software exclusively (Linux operating system, Firefox web browser, Thunderbird mail client, etc...) so I _do_ know exactly what my software does with the information. And I can therefore decide whether or not to trust it.

The first step in managing passwords starts with the password itself. My passwords always meet these requirements:
1) no less than 8 characters
2) numbers, lowercase letters, and uppercase letters. At least one of each!
3) no dictionary words.
4) no more than 6 months without changing

This is easy to do if you just remember some catch phrases. I recommend thinking of a big news story and devising a password from it- that way you can easily change them every six months. For instance, you could devise a password from the headline: "Killer hurricane kills 20, leaving thousands homeless". My password would then be "Khk20ltH", or "khk20LTH", or "KHK20lth", or countless other variations.

Now, as for an answer as to the 'safe way' to have software manage your passwords for you, I use KDE wallet. This open source utility has been subject to enough peer review that although I do not personally understand its methods, the best computer security experts the world over have approved it. That is enough for me! And if a flaw _is_ discovered, it will most likely be patched by the thousands of KDE volunteers who develop the software much faster than the hackers will be able to get to me. I trust KDE that flaws are openly disclosed immediately, thus shortening the flaw-to-patch time and raising awareness. I do not trust that closed-source software companies will openly discuss flaws in their software openly, especially before a patch is available. Track record proves this.

Remember: passwords are like underwear. You don't share them, you don't leave them in places where they are easily found, and you change them often.

Submitted by: Dotan C.

***********************************************************************

Answer:


Like everything, there are pros and cons.

I like to use Autocomplete to store my passwords. Since few people have access to my computer at my end, there is very little risk. Visitors using my computer, could become a risk, I suppose, since they would be able to go to certain websites I access where username and passwords are saved. That's the obvious downside to using Autocomplete.

The upside is, if spyware, including keyloggers, have invaded my system, the criminals are unable to detect the password and username. (I'm sure there are other means they have to try and steal our info). But, I find the Autocomplete (or saved passwords, in other browsers) to be safer than keying this info. (While more painstaking, copying/pasting from an app like Word may be a useful substitute for the unlikely more-paranoid-than-me crowd).

Websites offering "Remember me" use cookies to remember your info. Some sites I do this with. Typically, not, however. I tend to keep 5-10 typical cookies stored on my computer. While most websites are of no concern, I am extra paranoid with my info, and prefer limited access to info, so, I typically block cookies, and enable them for session use only. And then, only 1st party cookies. 3rd party cookies are ALWAYS disabled.

Cookies are helpful, but, I have never believed them to be privacy-safe.

Submitted by: Batman

***********************************************************************

Answer:


Web sites to my knowledge store passwords in encrypted fashion. Like anything, even this is not 100% secure as T-mobile just recently had a huge fiasco dealing with loss of member passwords and information from their database. Storing them on your computer carries the same risks as storing them anywhere else. Others may beg to differ, but in my opinion the only safe place to store passwords is by writing them down and keeping them in a secure location such as on your person at all times or in a safe.

Alternatively you can store your passwords simply in a text file located on your desktop or elsewhere and use a 3rd party application to encrypt the file that stores your passwords. I personally use Blowfish Advanced CS which uses the Blowfish encryption algorithm and is very difficult to crack. Even better keep the encrypted file on a USB/Keychain flash memory drive for even added security.

Submitted by: mustangmanfivoh

***********************************************************************

Answer:


They are NOT the same. Windows saves the passwords in a file, or the site can ask Windows to save your password, or the site can save your password and match it to your computer via a cookie. Windows does encrypt its file, but since it fills the password any time you revisit the site, as does the site when it finds its cookie, THEY ARE NOT SECURE.

If you want security, use a password program (I use RoboForm) and secure it with a password. Another way is to put your passwords in a word document and secure it with FolderLock.

Submitted by: maddog

***********************************************************************

Answer:


The two forms are totally different.

In the condition where the browser asks for the password, it is actually getting stored on your machine, either in the registry or maybe in a file, in encrypted form. This password will be present only on your machine. If you have saved any password in the browser, the next time you log in to the same account from a different machine, you need to resubmit your password. The security issues related to this are those of storing a password on your computer: it is completely safe as long as only you are using the computer and no spyware is installed on it.

Now as you asked for the site, these passwords are kept safe by the site servers. Well, now even if you change the machine from where you are accessing the account, your password won't have to be submitted. The security issues along with this depend upon the site you are logging into. Like if you save your password on to a Yahoo account, it depends on how much you trust Yahoo mail.

Submitted by: Subodh K.
RoboForm
by Richard36 / February 23, 2006 10:01 PM PST
In reply to: Honorable mentions

Highly recommend RoboForm as a password manager. To submit this reply I had to enter a master password to enter RoboForm and then just clicked on a saved login entry that was encrypted by RoboForm when I first saved the CNET login email and password entries.

Convenience versus Memory
by MattSC / February 24, 2006 12:18 AM PST
In reply to: RoboForm

I guess it all boils down to the convenience of a program like Roboform versus using your memory to remember usernames and/or passwords.

The advantage of Roboform is that it saves both along with the URL in what they call passcards. All you have to do is click "Login", find the name of the site you want to go to, click on that and you're in. This information is all saved on your PC. Even if you have more than one user on the same computer in your house, they can't get to this stored information because it is password protected.

The disadvantage is how the technical world of today has made us all a bit lazy. For example, when someone can't find the remote control to the television they will spend 15 minutes looking around and trying to find it. When the most simple resolution would be to remember that there are buttons on the front of the television itself to change channels also.

The same applies to a program like Roboform. It's great as long as you're using the PC you have the software on. The problem is, what if you lose that information or you're at a friend's house and can't log into a site you have access to because you don't remember the username and password. Roboform has been doing the work for you all this time.

Again, technically the brain isn't a muscle. Theoretically, it is. If you don't exercise it, it's not going to become strong. Just like going to that fast food place that has nothing but computerized cash registers and most of the employees have used nothing but that type. So if my total is $6 and I hand them $10, and then pull out another $1 and hand that to them so they can save some one dollar bills and simply hand me back a five dollar bill, they will look at me all confused and say, "I'm sorry sir, I already entered the amount you gave me." Makes me chuckle sarcastically every time.

Another advantage of Roboform is that it's encrypted. Computer encryption is based on the science of cryptography, which has been used throughout history. Before the digital age, the biggest users of cryptography were governments, particularly for military purposes. The existence of coded messages has been verified as far back as the Roman Empire. But most forms of cryptography in use these days rely on computers, simply because a human-based code is too easy for a computer to crack. Anyway, that can be saved for another discussion.

The choice is yours. Use Roboform if you're going to be using the same PC all the time. It will do the work for you. In my opinion, you should learn to remember them yourself. Write them down on a piece of paper that no one can find but you. Soon you will know all the information by memory. The only disadvantage to that might be good for another discussion. "Keylogger viruses."

Portable roboform
by ThinkerT / February 24, 2006 4:04 AM PST

Good post, MikeSC. Another option is to use Roboform's Pass2Go (I think it's called). It's a version of Roboform you can install on any USB portable drive - then you have your passwords with you anywhere you go, although it won't help with your memory.

Sorry, MattSC
by ThinkerT / February 24, 2006 4:06 AM PST
In reply to: Portable roboform

I guess if I'm going to compliment someone, I should get their name right...

Portable password manager
by Riss333 / July 28, 2009 3:31 PM PDT
In reply to: Portable roboform

Handy Password is not bad, especially installed to a USB key, and I can login from any PC without Administrator's rights
Site: http://www.handypassword.com/

Makes sense
by Liz7188 / February 24, 2006 6:22 AM PST

I agree completely about the non-portability of password management software. In fact, I do have my most frequently used log-in info memorized - both personal and work-related.

It's just all those PWs I don't use very much (or just don't need to add to my already taxed brain) that I list hints for on 3X5 cards.

The cards also serve as places to add other info as well including the page links at the site to get to where I usually want to go. There's no end to the site-specific navigation variations. One big help is the phone number with the exact voice mail options to get to the exact dept I need.

Possibly some of the PW apps mentioned in this thread allow for those things as well. But I bet I could beat most people in a card versus program use challenge.

Simple Secure Way to Never Lose or Forget Passwords.
by MikeG55 / February 26, 2006 3:21 PM PST

Use a system to generate the password from the website name.
A simple example might be - type the name of the website backwards and add your date of birth on the end.
The system is very easy to remember and gives you a unique password every time, but no need to remember the password.
For security.... never tell anyone your system.

Useful idea IMO
by Liz7188 / February 27, 2006 6:02 AM PST

'Nough said.

storing pass words
by rugbug1 / February 27, 2006 11:31 AM PST
In reply to: Useful idea IMO

I am getting messages from you. I fixed the above. Please do not send me any more messages about the above

I object
by stephenschwake / February 25, 2006 10:35 AM PST

Your statement about looking for the remote shouldn't say that people are too lazy to use the buttons on the front of the tv. They are getting much needed exercise while looking for the remote and let's face it, if they are that worried about the remote, they need the exercise anyway.

Roboform - Hiding passwords
by MARTINCAM / February 24, 2006 12:31 AM PST
In reply to: RoboForm

I use Roboform as well. I realize you can password protect your entries, that is, make Roboform ask you for a master password before filling in a password field, but how do you keep the password from displaying when editing a passcard in Roboform?

I've tried the option to display the password as stars, but someone could easily toggle that option to redisplay the password.

Hiding passwords on Roboform
by fpc99 / February 24, 2006 9:04 AM PST

I had the same problem with Roboform... I loved it overall until I left the browser window open for a few minutes. My 14 year old memorized my master password from Roboform and went back later to see what he could find. Fortunately he thought it funny to report to me that he knew all my passwords, rather than clean out my PayPal account or go to town on Ebay.
I wonder if the portable version mentioned on these boards that I could keep on my zip drive would address the lapse in security by leaving my desk for a minute... At least I rarely leave my zip drive sticking out!

Passwords: Guess I'm not getting it
by katiebug57 / February 23, 2006 10:19 PM PST
In reply to: Honorable mentions

When I access my bank, the first window that pops up doesn't have the little padlock on the bottom. They require you to put your social security number in and then (the bank?) saves it somehow.

The spot where you put your SS# says "use saved online ID."

I'm assuming from the answers I've read so far, this is saved somewhere on my bank's site and NOT accessible to others?

The real problem I have is the possibility of identity theft.

The question is: when I first enter that social security number (and subsequently as well, I suppose), can someone else access it not just the first time, but other times as well, since it was entered on a non-secure web page?

Thanks,
Katiebug

Guess I'm not getting it
by jevenew / February 23, 2006 10:53 PM PST

I'm really having trouble with this one. Your bank should probably have a different way to login other than your SSN.
I have been using Online banking from the beginning, and have never been asked for SSN online.
As for the padlock, I believe you have to enter sites into the Trusted Zone in Internet Options for that to show.

Secure the website.
by jesusleon / February 24, 2006 12:57 AM PST

What I do when I enter my info into my bank account is add an "S" right after http and hit go, and then I get the padlock, and then I enter my information. Try it, it works for me. I do this with I.E.

It's a 2-part answer
by kschang / February 24, 2006 2:25 AM PST

1) The padlock in the status bar means your browser is talking with the bank server in SSL, which encrypts the traffic in between, so even if somebody was able to intercept the traffic, they won't be able to understand it.

2) "Use saved ID", as I've explained, likely uses a special cookie with a number that is only assigned to you, and the bank will read that number back and figure out that it's you. Only the bank would know what that number/marker actually means. I seriously doubt they actually save your SSN as the marker. It's not that hard to check, actually.

If you use Internet Explorer on WinXP, the cookies are stored in

C:\Documents and Settings\(your username)\cookies

Substitute (your username) with your actual username.

See if you see your bank's cookie there, and open it in Notepad... You'll get some gobbledygook (basically a VERY long number).
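The "special cookie" described in the answers above, sketched as an added example (not code from any poster or from a real bank): the server gives the browser a random token and keeps only a hash of it next to the username, so the cookie itself holds no password or SSN. `RememberMeStore`, the cookie name `remember_me`, the 30-day lifetime and the username are assumptions made for illustration.

```python
import hashlib
import secrets
import time

COOKIE_NAME = "remember_me"  # hypothetical cookie name


class RememberMeStore:
    """Server-side table that maps remember-me tokens to users (illustrative)."""

    def __init__(self, lifetime_seconds=30 * 24 * 3600, clock=time.time):
        self.lifetime_seconds = lifetime_seconds
        self.clock = clock
        # sha256(token) -> (username, expires_at). Only the digest is kept, so
        # a leaked copy of this table cannot be replayed as a cookie.
        self.records = {}

    @staticmethod
    def digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, username):
        """Create a fresh random token for username and return the cookie value."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expires_at = self.clock() + self.lifetime_seconds
        self.records[self.digest(token)] = (username, expires_at)
        return token

    def lookup(self, token):
        """Return the username the cookie value belongs to, or None."""
        key = self.digest(token)
        record = self.records.get(key)
        if record is None:
            return None  # unknown or tampered value: means nothing to the server
        username, expires_at = record
        if self.clock() >= expires_at:
            del self.records[key]  # expired markers are forgotten
            return None
        return username

    def revoke(self, token):
        """Forget one browser (the 'log out' button)."""
        return self.records.pop(self.digest(token), None) is not None

    def revoke_user(self, username):
        """Forget every remembered browser, e.g. after a password change."""
        stale = [k for k, (user, _) in self.records.items() if user == username]
        for key in stale:
            del self.records[key]
        return len(stale)


def set_cookie_header(token, max_age):
    """Set-Cookie value: sent over HTTPS only and hidden from page scripts."""
    return (f"{COOKIE_NAME}={token}; Max-Age={max_age}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")


if __name__ == "__main__":
    store = RememberMeStore()
    cookie = store.issue("alice")  # constructed username
    print(set_cookie_header(cookie, store.lifetime_seconds))
    print("server resolves the cookie to:", store.lookup(cookie))
    print("a made-up value resolves to:", store.lookup("123456789"))
```

Anyone who copies the cookie value can still use it until it expires or is revoked, which is why the physical-access caveat in the first answer applies to this design as well.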

It is on the bank's system
by Themisive / February 24, 2006 3:25 AM PST

But try to remember the numbers they give you, it's by far the best way of combatting identity theft.

Stop the Madness
by Big_Owl55 / February 24, 2006 7:17 AM PST

I have two concerns with the online banking that you have described. First, the lack of a padlock indicates that you are not secure. One respondent mentioned adding an s to http which would manually take you to an SSL secured site (if available), but that should not be required. Second, the use of a social security number as an identifier is an unacceptable risk, whether online, over the phone or in person.

I strongly recommend exchanging sensitive information only via SSL secured sites as indicated by the https instead of http and the padlock in the lower left. I also recommend questioning every request for your social security number. Many businesses are getting the message and providing an alternative to using your full social security number.

Regarding both concerns, you should not blindly trust the technology you use everyday. The same people that you entrust with your sensitive information brought you Y2K.

Even without the padlock the password may be sent encrypted
by rlively / February 24, 2006 9:40 AM PST
In reply to: Stop the Madness

There is one other thing to be aware of about the issue of not seeing the secure padlock icon on the login page. It is generally true that if you don't see the icon then it is an indication that the site is not secure and your userid and password are sent in cleartext across the internet.

However, it is also possible to make the target of the login form on the web page point to a secure page from an insecure page. In that case, the originating page was not secured, but when you click the "Login" button the form is submitted to "https://..." (notice the "s" for secure) which would make the browser first request a secured connection BEFORE submitting your userid and password.

The problem comes in not knowing if this is the case or not for any given site. Browsers do not currently have any indication that a form on an insecure page will be submitted to a secure page. The only way to tell that I know of is to look at the HTML source of the site and find the "Login" form. If the ACTION is set to "https://...", then the form will post to a secure site and your userid and password should be safe to submit. e.g. on Bank of America's website home page, which is http://www.bankofamerica.com - not secured, the form is:

<form name="frmSignIn" action="https://onlineid.bankofamerica.com/cgi-bin/sso.login.controller?noscript=true"

The action of the SignIn form points to a secured page, so even though the current page is not secure (meaning that the contents of the home page were sent without encryption - not a big deal since there's no personally identifying information on the home page - the form's contents will be sent encrypted back to the Bank's website).

Hope this helps clear it up.
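The manual "view source and find the ACTION" check from the post above, automated as an added example (not code from the post or from any bank's site): it finds every form that contains a password field, resolves its action against the page URL, and reports where the credentials would go. The sample pages and host names are constructed; the middle verdict is reported separately because a page that arrived unencrypted could have been altered on the way to the browser, so its markup is a weaker guarantee than the padlock.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormFinder(HTMLParser):
    """Collect each <form> together with whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.finish_form()  # tolerate a missing </form>
            self.current = {
                "name": attrs.get("name") or "",
                "action": attrs.get("action") or "",
                "has_password": False,
            }
        elif tag == "input" and self.current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self.current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self.finish_form()

    def finish_form(self):
        if self.current is not None:
            self.forms.append(self.current)
            self.current = None


def audit_login_forms(page_url, html):
    """Return one finding per password-bearing form found in html."""
    finder = LoginFormFinder()
    finder.feed(html)
    finder.close()
    finder.finish_form()
    page_encrypted = urlsplit(page_url).scheme == "https"
    findings = []
    for form in finder.forms:
        if not form["has_password"]:
            continue  # search boxes and the like carry no credentials
        # An empty or relative action inherits the scheme of the page itself.
        target = urljoin(page_url, form["action"].strip())
        if urlsplit(target).scheme != "https":
            verdict = "cleartext"
        elif not page_encrypted:
            # Encrypted submission, but the form markup arrived unencrypted.
            verdict = "encrypted-post-from-unencrypted-page"
        else:
            verdict = "encrypted"
        findings.append({"form": form["name"], "target": target, "verdict": verdict})
    return findings


# Constructed sample pages (hypothetical hosts under the reserved .example TLD).
HOME_PAGE = """
<form name="search" action="/search"><input type="text" name="q"></form>
<form name="frmSignIn" action="https://onlineid.bank.example/login" method="post">
  <input type="text" name="id"><input type="PASSWORD" name="pw">
</form>
"""
ACCOUNT_PAGE = """
<form name="login" action="login.cgi" method="post">
  <input name="user"><input type=password name="pw">
</form>
"""

if __name__ == "__main__":
    for url, html in [("http://www.bank.example/", HOME_PAGE),
                      ("http://www.shop.example/account/", ACCOUNT_PAGE),
                      ("https://www.shop.example/account/", ACCOUNT_PAGE)]:
        for finding in audit_login_forms(url, html):
            print(url, "->", finding["target"], ":", finding["verdict"])
```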

interesting problem
by tantitha / February 24, 2006 9:37 AM PST

This must be a problem in the US. I live in Canada, where it became illegal for any company to use an SIN (our equivalent to the SSN) as a record key. We are also strongly advised never to give out our SIN to anyone except a government request such as for tax or passport reasons.

What I do
by BinaryLove / February 27, 2006 10:24 PM PST
In reply to: Honorable mentions

I found every single post here interesting. So I'll leave my suggestion too. Better than saving or storing a password is to consider how you create it. I share Dotan C.'s idea; in fact I usually use two words and 4 or 5 numbers to create my password. One more thing: I try to do so in a foreign but yet comprehensible language. I.e., I'm a Spanish speaker, but I can speak and understand English, too. So I always think about something in English, then add another object to that something and a number I can remember, so my password could be a "bird", then I think of "ice", and then the 4 last numbers of my mother's ID number; with that I create sort of a subject and an adjective: frozenbird1200. It's just an example, so hackers, don't think of it as a REAL password =p! Now that I have my password, I save it in my mobile phone's wallet, far away from my computer. That way I can have a safe, easy to remember password, and I can carry it always with me =D. Of course, as Gary said, the risk is now of getting my phone lost or something. So I always back my passwords up in a little notepad back home. And that's what I do =D.

Collapse -
Other suggestions from our members
by Marc Bennett CNET staff/forum admin / February 23, 2006 4:09 AM PST
Answer:

Most web sites are using cookies to store your passwords on the system you are using. There are other ways, but cookies are typically used on a lot of web sites. To test this, just store a password someplace, go back to the web site and see if the password is stored. Next delete your cookies and go to the site again. Chances are you will be prompted for your username and password. Cookies are commonly used to store information about a user's preferences at a web site.

If you are curious as to what the information looks like, you can find most cookie files under \Documents and Settings\%username%\Cookies. You will find a number of text files that are cookies for the various web sites you have visited. If you open one of the files, you will more than likely find some readable information, such as espn.com, and a lot of a series of numbers separated by some type of delimiter. It is conceivable that this information could be used to determine username and password for a site.

A way to store passwords that is very safe is to use a Smart Card and a Smart Card Reader. You can use a free program called SmartCache found at http://www.smartcache.net. With this software you can read and write username and password information on smart cards. You just need to find a supported smart card reader, which SmartCache has listed on their web site, and a blank smart card, which can be purchased on many web sites. You can easily find supported readers on eBay for under $10 and the Smart Cards themselves can cost as little as $2 if you know where to look.

If you ever had one of those credit cards with the smart card chips on them and the credit card company provided you with a reader, you now have a reason to use the reader again. If you still have the old credit card, you can use the SmartCache software to read and store your passwords on the credit card, even if it is expired.

When you need to get a password, you just open the software and place the card in the reader connected to your PC via USB, Serial, or PCMCIA connection. The software will prompt for a password to retrieve the card information. The card will be read and your username and passwords will be revealed. You can even store the associated web URL to which the username and password is related to.

In addition, you can back up the usernames and passwords to an encrypted file that you can store on a floppy. You can place the floppy, or any removable media for that matter, in a safe place. So if the card is damaged or lost you can still get to your passwords using the backup file and the SmartCache software.

Now you never have to worry about your passwords being stored on your system. The only password you have to remember now is the one used to unlock your card.

Submitted by: Ralph D.

***********************************************************************

Answer:


Hey Gary,

When your computer system asks you to save your passwords in chat accounts and hotmail, it saves it to a temporary file known as TEMP. These passwords can be erased with a simple click. To erase them you open an Internet Explorer page and click on TOOLS, CONTENT tab and then click AUTO COMPLETE under Personal Information. Then you have to click on CLEAR PASSWORDS under Clear Autocomplete History. If you want to stop Windows from asking you to save your password, you click on the box next to USER NAMES AND PASSWORD FORMS so that the green tick is not visible.

Storing and Saving a password is the same thing and I find it not needed to save passwords. It is not very secure to be saving passwords on a family computer/laptop as they can access it. But if it is your own laptop/computer you can save passwords as secure as possible. I agree, password managers actually send your passwords to other people as well so that is not good. The easiest way to save your passwords is to write them down on a piece of paper or in a diary/note pad.

I hope this helps.

Submitted by: Joshua W.

***********************************************************************

Answer:


Storing or Saving Passwords:

In my opinion, the only "safe" place to store passwords is in your head. Never write them down. Never share them with anyone. Never use one that a friend or colleague can guess.

Create a password or passwords that mean something to you personally. Like something from your childhood. Never use pet names, family member names, license plate numbers or anything that someone can figure out. Make it cryptic by alternating between upper and lower case, or add numbers after a personal phrase.

After that, remember it! Then change it frequently and remember it. This is the best password protection policy on the planet. I would have to be tortured before I would reveal my password. You can't find it under my keyboard, in my desk, taped to my printer or anywhere in sight, and I won't reveal it to anyone. Even my mother who is 1,500 miles away. It is as valuable as your bank PIN number. Create it then remember it!

Submitted by: Bennie C.

***********************************************************************

Answer:


Unfortunately in my "young" computering days, I used a password manager - Gator - which ended up dumping all sorts of unsavory stuff in my computer, which took forever to get rid of. I have found the best way to store my passwords is an Excel spreadsheet, password protected (with a password I won't forget). I use the internet for paying bills, personal and business, business taxes etc. I feel fairly secure using the spreadsheet because no one can get to it but those on my computer and then it's password protected. This works great for me.

Submitted by: Bea

***********************************************************************

Answer:


My name is Elie and I am from Israel. I am using a very simple technique to keep my passwords. I use an Excel file which you can open only if you know the password for it. In this file I manage columns according to the name of the application for which I need the password, the user name for this application and the date when I changed the password. In the cell where I put the date I add a note (By clicking shift+F2) and I write there the password. I like it because you can see the password only if you stay with the pointer of the mouse on the cell, and you choose the one with the latest date. I use one row for each application.

Submitted by: Elie F. of Israel

***********************************************************************

Answer:


If you never store passwords anywhere, then you are pretty safe. However, asking the question does suggest you would like to. I think you should not worry about the technology and should follow basic rules:

- Use different passwords for trivial, moderately interesting and important sites like financial accounts.
- Allow Windows, or the site, to store passwords to trivial sites which you really wouldn't mind if someone else used your id. Lots of sites insist you register but really have no security implications.
- Only store access details to moderately interesting sites on a computer which is totally under your control and then only if you wouldn't suffer serious loss by impersonation. (Thefts do happen.)
- Never store or record passwords to financial or any other sites where crooks could make off with your identity or your money.
- Even "trivial" sites may contain name and address details and other clues to your identity in your "account details" so be careful even with these.

Submitted by: Paul S.

***********************************************************************

Answer:


Gary,

I am a computer technician that goes to people's homes and small businesses. My advice is NEVER store passwords on your local machine. I have a little utility that will tell me all the passwords that are kept on your local machine in less than 30 seconds. Any hacker that gains access to your machine can do the same.

Antispyware and antivirus programs rely on "signature files" to detect malware. A lot of spyware made today is simply out to get passwords and user names to empty out bank accounts, and sell shares that don't belong to them, and is sponsored by criminal organizations.

Unfortunately when a new bit of nasty ware comes out the companies must get the nasty ware and analyze it, then figure out a signature for it, incorporate it in their definition files, and then the end user has to update those files. This can sometimes take a few weeks for this whole process to be completed; during that time the end user is vulnerable.

As for passwords stored on the web page's server, that is no less secure. All anyone needs to do is find your user name for that web page and they have access to whatever you have stored there. User names are usually not encrypted.

Submitted by: Jim F.

***********************************************************************

Answer:


Gary,

It has been said that the easiest way to hide something is to leave it in plain sight. I don't trust password managers or "wallets" either. My method is to carry a small Excel file in my PDA called "Logs". This file contains three columns, Site, Log-In, and Password. The Site is self explanatory. The Log-in uses code phrases like "home email" or "work email" etc. The password column also uses code phrases, and while it does require the ability to memorize, your actual passwords are never written down anywhere except in your memory.

I have five passwords, with the code phrases, alpha, alpha-numeric, numeric, old phone, and first email. One of these passwords will fit the requirements of almost any site I have ever visited in terms of syntax. They are all completely random combinations of letters and/or numbers, therefore very difficult to guess, no family names, pet names, or birthdays, etc. Using my file I don't have to guess what I used for the log in or password to that site I visited a year ago. Hope this helps.

Submitted by: Dave M.

***********************************************************************

Answer:


That, I believe, is the wisest way to go - I don't trust password managers either. I write down on paper all the passwords I use, and never use any other form of storage for this type of data. I also have Auto complete facilities disabled. As a user of internet banking services I never store banking login pages in the Bookmarks facility of the Browser - just use Google to locate these pages every time I need to login.

All the best.

Submitted by: Frank M.

***********************************************************************

Answer:


Re password option

I NEVER let the web site save my password. If you do, you give away whatever modicum of protection against a fraud that you have. They get your e mail and your password at the same time if they snoop the web site.

Submitted by: Robert K.

***********************************************************************

Answer:


The way I understand it, passwords are stored by your browser in a special database. Are they safe? As safe as your browser!

For instance: I will not store any passwords on Internet Explorer. Rather, I use RoboForm on my PC, and store the data on a removable disk. At home however, I do store passwords on my iBook, running Safari. Somehow, I trust Apple more than I trust Microsoft.

When in doubt, keep your passwords elsewhere.

Submitted by: Hans W.

***********************************************************************

Answer:


Hi Gary,

I'm with you, I allow some sites to remember passwords, only those that have no further information about me usually. I know some web sites try to keep your info secure, but nothing is infallible.

You could keep a small book, or if you prefer, save them as an Archive on your mobile phone.

Hope that helps.

Submitted by: Deb of Australia
Collapse -
Use Keychain
by marquesalan / February 23, 2006 7:27 PM PST

I have used Keychain to store all of my passwords for about 15 years with no trouble from hackers. I back up the file to a remote server so I have them all if I need to reinstall any of them or I forget what my login info was.
For more info about how cool and easy this interface is:
http://www.apple.com/macosx/features/security/

Collapse -
I use pass2go for PC's
by robertjvan / February 23, 2006 10:31 PM PST
In reply to: Use Keychain
Collapse -
Passwords don't work
by johns123 / February 24, 2006 2:44 AM PST

I have software that can crack or delete any
passwd. I do it all the time for users who
move to different computers, or users who have
simply forgotten their passwds. The original
intent of passwds was personal privacy. That is
long gone in the workplace, or on the net. Every
company is now snooping its employees, using
excuses like, "We own these computers." Passwds
are an old Unix hack, and suggesting that they
provide any level of protection from a determined
criminal .. or boss .. is just naive. There are
much better ways, and they will gather "evidence"
that will warn you .. and that is real protection.
Here's a brief list:
Disk Imaging .. keep that computer plain vanilla.
Hibernate .. turn it off after 30 minutes.
Levels of filtering and firewalls .. on everything.
Proxy on Browser .. supported by remote company.
Personal Laptop .. with data transfer USB cable
.. that shares in and shuts down.
Thumb drives, USB drives .. keep your personal stuff.
Remote accounts .. have a valid remote account, and
enable it locally. Run Postini
on the remote account.
Passwds .. will keep your mother off Happy

Collapse -
I use a Winzip-encrypted text file
by charodon / February 24, 2006 5:20 AM PST

I've tried dedicated password storage tools, but frankly I've found a simple solution to be the best: I keep my sensitive passwords in a plain vanilla text file, then I zip and encrypt it using Winzip. Whenever I can't remember a password I just open the file and look it up. Other password programs eat up memory, slow down startup, or interfere with browsing by popping up at annoying times.

Collapse -
Smart...
by firerant / February 25, 2006 12:16 AM PST

I also use a zipped/passworded text file, it's about the easiest way. You already have the text editor in Notepad, and most people will have Winzip or some other archiving tool capable of creating a passworded archive (or should).

In the text file I sometimes group similar usernames & passwords, such as discussion forum logins, but I mostly just pile 'em in there. I format a line:
|domain/forum name|<tab>|user name|<tab>|password|<return>

That way they line up nicely. Since they aren't in any particular order I usually do a Find <ctrl-F> and search on the domain or forum name to find the right entry. Simple.

I also have a shortcut to the zipped file in my tooltray, this is the fastest way to access it. One click on the shortcut, doubleclick on the text file name in Winzip, enter archive password, and Notepad appears with the password file displayed. No headaches. And a paper copy is just a couple clicks away if I want one.

Of course if you have Excel or some other spreadsheet you could use that instead of a text file, but Notepad is about the fastest application with the smallest footprint you could use.

Collapse -
Nice
by charodon / February 25, 2006 2:15 AM PST
In reply to: Smart...

The link in the QuickLaunch tray is a nice idea. I put my passwords in alphabetical order in the file by website, that way I can find them easily.
