2/24/06 Questions about storing and managing passwords

I use a freebie program called Whisper 32 which produces an encrypted file that can be stored on a floppy disk. I have used it for years and find it useful because you can store the answers to the multiple questions (quite reasonably) asked nowadays to get onto secure websites. Where you store the floppy is your personal choice.

I am terrible with numbers and passwords so I use a Timex Data Link. That way the information is always on me and it is also password protected in case it is lost or stolen. The Timex also syc's with my computer using Outlook and enters my contacts in the watch. Love it.

I use Mozilla FireFox to store my passwords as you can have them all stored and encrypted but they are only accessible using a master password. When you set up the master password, FireFox even gives you a scale to show how secure your chosen password will be. Even viewing the saved passwords requires you to enter the master password, so as long as I remember to either log off of my computer, or close FireFox, after having entered my master password, nobody else can use my saved passwords! That is unless somebody finds a way to hack into the FireFox password management system!!

I have over 135 passworded logins. I save the website name, username, and passwords in an excel workbook with 31 day sheet for bills and alphabetical sheets for all the rest. I save the workbook to a removeable disk and print copies after each update and shred the old ones. I don't want any password information saved on my computers or on the network.

Now for me I keep passwords to mathematical simplicity - I have only one!.

Why! well if your 68 y.o. it's likely you're down to two working brain cells, which probably means that what you found out at 8 o'clock you've forgotten at 5 mins. past (more than one password!! I'd need a brain transplant.

What I do as a consequence of this memory deficiency is to use virus and anti-spyware overkill. I have as my main security Symantec/Norton 2005 and 4 # purchased antiSpyware downloaded programs and one on-line scanner.

Additionally I only go to trusted and large Company URL's thus, I believe, strickly limiting Internet intrusion.

I know I'm tempting fate here, but I seem to be avoiding problems - so long as I regularly update my protection features.

I have different passwords for different groups of sites. Depending on the sensitivity of the information I enter at the site, I may use a lame password (to get to some free info site that requires you register and login) or up to a very complex, mixed case, alphanumeric password with more than 8 characters. There is no way I can remember them all. I used to keep a cheat sheet in my wallet (right along with my credit cards, drivers license and other written info that shouldn't be lost.)

Now, I use Password Safe, which is a free utility that is available from Bruce Schneier. http://www.schneier.com/passsafe.html

This program provides a secure place to store all my passwords, it has a function to generate a random password for me to use when I register at a new site, and it has a function to copy the password to the Windows clipboard so I can paste it into a login field. The whole thing is protected with a pass phrase, and the data is encrypted. Since Mr. Schneier is a noted authority on cryptography, I trust that the crypto is implemented correctly.

The two risk areas with using this application are: the passphrase used to open the application and database might be guessed (is someone gets my computer), so I use a 15 character, mixed case alpha-numeric phrase; a trojan or other malware on my computer could capture either my keystrokes opening the application or capture one of my passwords while it is in memory in the clipboard (so I keep my A/V software updated regularly.) Overall I am satisfied with this level of risk.

I don't store the passwords either on my computer or via the website for websites where money can be spent. Mostly because I have teenagers in the house and because in the past a not-so-tech-savvy visitor bid on some auction items online mistakenly assuming they were using their own account. Doh. I use the internet a lot for research and news, so those passwords I will store.

The passwords range from passwords I don't care about which would be six characters and easy to remember to maximum security passwords of 14 or more characters. Also, depending on my opinion of the security needed for the account, when I'm recording the password info I may list the whole password or I may use hints/reminders instead of actually recording the password. So the hint may look something like this:

give favorite tv evenly divided integer sequence aunt's maiden exponetial alphabet

In the hints, some of the words actually refer to numbers and some of the words that seem to be referring to numbers refer to alphas, etc.

I store the passwords on flash media. This media doesn't travel - stays in the same place always until needed. When I need a password, I pop the media in a slot and copy/paste. Of course I also keep a hard copy printout and another external digital backup of the data. I also use the same media system for licenses/activations of software I've downloaded and related emails.

When travelling, I used to rely on the password retrieval systems from the websites when I couldn't remember a password. But I think it's time to invest in some security enabled flash media.

PS. The above example of a password hint is completely fabricated and has nothing to do with passwords I actually use.

Another great tool with a nice interface for protecting all your passwords with one master password is a shareware program called Access Manager.

http://www.accessmanager.co.uk

I believe using Roboform is a great advantage for people who have alot of passwords and have memory lapse as I seem to have

I have used Roboform for many years which encrypts your passwords. You only have to remember one password to get into Roboform. Sure your passwords are all in one place, on the pc but you can back up Roboform's contents to a floppy or usb key etc. incase of computer failure and you just need to restore from your floppy etc. Just remember to back up regularly.

I use a biometrics authentication card (a fingerprint reader) from APC. It uses a OmniPass to remember all my passwords. You can use it at different levels of security as your needs desire. It allows you a couple of options: 1. Once you log onto your pc you can have unlimited access to your passwords. You can also set it to automatically hit "enter" or "login" or whatever and it inputs your passwords, and logs in you, no human intereference needed. Option 2. You can require fingerprint authentication for every password it inputs. This means every time you come to a site you would swipe your finger and it then would input your password. This is somewhat more secure as it requires you to physically swipe your finger at each website login, not just at the computer logon.

3. You can also take more darastic measures like "force authentication" by requiring a finger print read on all windows logons and or website logins. This is an option, because if not enabled (which it's not by default) you can still manually enter a password and gain access. If you set this on it requires you to swipe your finger to gain access. You cannot type in a password. The caveat to this is if the device would be stolen or otherwise malfunction you wouldn't be able to gain access to your stuff.

The program also has a section to encrypt your hard drive.

The device is avaliable in a USB pod, a usb mouse with the device built-in, or a much pricier card for a PCMCIA slot on a laptop (which is what I use).

It works pretty well with most sites. I have found a few that because of the ambiguities of the site design it doesn't work well with, but very very few, maybe 2 out of the 50 or so sites I have accounts on. Also when I boot my computer I have to remove and reinsert the card for it to work. I don't know if this is just my pc or if its the card or drivers. I have the latest versions. This is not a major problem with me because I rarely reboot my system. It works fine coming out of standby and hibernation, which is what I mostly use.

It does support multiple users. The right account is pulled up based on logon authentication.

I'm sure there are several other similiar products from simliar companies, I just chose this device because I needed something slick I could use with my laptop because I'm on the go.

http://www.apc.com/resource/include/techspec_index.cfm?base_sku=BIOCB40 - pc card retail $150

http://www.apc.com/resource/include/techspec_index.cfm?base_sku=BIOM34 - mouse retail $60

http://www.apc.com/resource/include/techspec_index.cfm?base_sku=BIOPOD - usb pod retail $50

I need to be able to take my passwords with me when I travel so I keep my printed on index cards, which I update by pencilling in changes. I update the file and reprint the cards periodically (maybe once or twice a year. On the card, if possible I don't list the actual password but something to remind me what it is.

Of course I keep the cards secure when at home and in my purse when travelling.

I have a terrible memory and do not like to use the same passwords for different sites. Most of my passwords are variations on one or two "themes" that I use.

I use Norton's Password Manager mainly because it came with Systemworks a few years back (now it is a stand alone). It works fine with me here at home. It has a separate profile for every desktop so you have to first get onto my desktop (which is pw protected), then get administrative priledges through a time management program I use for limiting my children's time online called Enuff, then they have to sign into Password Manager. If they can do that (then God bless em' I won't have to worry about paying for college), then they can get access to my passwords.

I think that I am fairly well protected but I still change the passwords every 3 months or so and agree with the person who said to use at least 8 characters and mix them with numbers, symbols, upper and lowercase letters, and no real words (at least English words).

Password manager also stores my credit card information and the one thing that I like about it is that is allows you to drag and drop the numbers into the boxes online. This way, if anyone has enough time on their hands to be tracking my keystrokes without me knowing about it, they don't get the card numbers. As another person said, on websites that I trust and have a lot of business with, I will let them store my credit card numbers.....but only a few (Amazon is one for me too).

I have had a card hacked 2 times in the 10 years or so I have been doing all my banking and a lot of my shopping over the net. I check every card EVERY day and make sure all the charges are legit. When I see something that I (or my wife) don't recognize, I call the credit card company and they take care of thing. I remember one time about 5 years ago, the card company cancelled my card because someone had gotten ahold of it and was charging to all kinds of porno sites. Their security department (then Bank One, now Chase....need to give them a thumbs up!)tracks your purchases (and let's not get into a discussion about big brother and all that...I have nothing to hide!) and when they say all these charges (I think they cancelled after 5) they cancelled the card and called me. Another time I was making a lot of purchases from the same website and they called me that day and asked me if they were legit charges. I told them they were and that was that. The last time a card number was stolen was about 3 months ago. This guy/gal was sneaky, making small, infrequent, charges but by checking every day, I caught it immediately and had to change account numbers.

I think that my instances of theft were done by small companies that I may have ordered something from. I have no clue as to whether they were caught or not.

This is long so finally, I have a word processing file where I keep some important passwords (like how to log onto my desktop and the one for password manager) but I use my own code. I can get to them from my wife's desktop if I forget mine and hers is easy and there is nothing stored in password manager under her account. She would have no clue how to buy something over the net anyway.

I do have Norton Internet Security also so I have a good (IMO) firewall up and running all the time and I need it for parental controls (the computer is in our family room where we all spend out time but you never know with a 15 and a 9 year old!!!). I noticed that Norton must be changing the way they monitor because the other day I got a warning while working online (I have cable so I am always online) about a possible threat. Now I know they warn when there are other computers trying to access yours but this was a virus warning (and I get definitions sent to me sometimes 4 times a day) which never occurred before. It wanted to scan immediately and I let it. It found what it was looking for and destroyed it. I see a lot of bad mouthing about Norton products but they have been good to me for many, many years but that is another story.

I didn't plan on writing this much but I hope it helps some of you. I am disabled and on a lot of pain meds so my memory is effected and I need my own system to remember all those passwords and such. One last thing, remember, if you are using a site like Yahoo for forums or whatever, you don't need to be as worried about your passwors and usernames and with a site such as Vanguard (although the great thing about them is that even if someone gets my passwords and cleans out my account, they will only transfer money to my bank account or send a check only to my address).

Take care and again, I hope some of this helps,
Mike

I have a terrible memory and do not like to use the same passwords for different sites. Most of my passwords are variations on one or two "themes" that I use.

I use Norton's Password Manager mainly because it came with Systemworks a few years back (now it is a stand alone). It works fine with me here at home. It has a separate profile for every desktop so you have to first get onto my desktop (which is pw protected), then get administrative priledges through a time management program I use for limiting my children's time online called Enuff, then they have to sign into Password Manager. If they can do that (then God bless em' I won't have to worry about paying for college), then they can get access to my passwords.

I think that I am fairly well protected but I still change the passwords every 3 months or so and agree with the person who said to use at least 8 characters and mix them with numbers, symbols, upper and lowercase letters, and no real words (at least English words).

Password manager also stores my credit card information and the one thing that I like about it is that is allows you to drag and drop the numbers into the boxes online. This way, if anyone has enough time on their hands to be tracking my keystrokes without me knowing about it, they don't get the card numbers. As another person said, on websites that I trust and have a lot of business with, I will let them store my credit card numbers.....but only a few (Amazon is one for me too).

I have had a card hacked 2 times in the 10 years or so I have been doing all my banking and a lot of my shopping over the net. I check every card EVERY day and make sure all the charges are legit. When I see something that I (or my wife) don't recognize, I call the credit card company and they take care of thing. I remember one time about 5 years ago, the card company cancelled my card because someone had gotten ahold of it and was charging to all kinds of porno sites. Their security department (then Bank One, now Chase....need to give them a thumbs up!)tracks your purchases (and let's not get into a discussion about big brother and all that...I have nothing to hide!) and when they say all these charges (I think they cancelled after 5) they cancelled the card and called me. Another time I was making a lot of purchases from the same website and they called me that day and asked me if they were legit charges. I told them they were and that was that. The last time a card number was stolen was about 3 months ago. This guy/gal was sneaky, making small, infrequent, charges but by checking every day, I caught it immediately and had to change account numbers.

I think that my instances of theft were done by small companies that I may have ordered something from. I have no clue as to whether they were caught or not.

This is long so finally, I have a word processing file where I keep some important passwords (like how to log onto my desktop and the one for password manager) but I use my own code. I can get to them from my wife's desktop if I forget mine and hers is easy and there is nothing stored in password manager under her account. She would have no clue how to buy something over the net anyway.

I do have Norton Internet Security also so I have a good (IMO) firewall up and running all the time and I need it for parental controls (the computer is in our family room where we all spend out time but you never know with a 15 and a 9 year old!!!). I noticed that Norton must be changing the way they monitor because the other day I got a warning while working online (I have cable so I am always online) about a possible threat. Now I know they warn when there are other computers trying to access yours but this was a virus warning (and I get definitions sent to me sometimes 4 times a day) which never occurred before. It wanted to scan immediately and I let it. It found what it was looking for and destroyed it. I see a lot of bad mouthing about Norton products but they have been good to me for many, many years but that is another story.

I didn't plan on writing this much but I hope it helps some of you. I am disabled and on a lot of pain meds so my memory is effected and I need my own system to remember all those passwords and such. One last thing, remember, if you are using a site like Yahoo for forums or whatever, you don't need to be as worried about your passwors and usernames and with a site such as Vanguard (although the great thing about them is that even if someone gets my passwords and cleans out my account, they will only transfer money to my bank account or send a check only to my address).

Take care and again, I hope some of this helps,
Mike

I use Winzip which I have password protected for all my important passwords, banking etc...
For most Web sites I let my Browser(Firefox)remember them and also keep a copy on my hard drive.