
2/24/06 Questions about storing and managing passwords

Feb 23, 2006 4:05AM PST
Question:

When logging in to a secure Web page, the browser will often have an option to save my password. Or the Web site will ask if I want to store my password. Are these the same? Where and how are these passwords saved? How secure is it to do this? Are the passwords stored in an encrypted format, and if so, can they be hacked? As a precaution, I never store passwords anywhere in electronic form. I don't trust password managers because there is no way to know what they are doing with the information. What is the safe way to manage passwords?

Submitted by: Gary H.

*******************************************************

Answer:


Well, Gary H., your question starts out simple, but goes quite a bit deeper into online security. Let's start with the difference between the browser's "remember my password" vs. a Web site's "keep me logged in" option.

Your browser actually saves your login name and password info, encrypted, on your hard drive, and fills the fields when you pull up that certain Web page again. However, how it saves it depends on the browser's actual implementation.

By contrast, the "remember my password" option on a website actually saves a special cookie (think of it as a marker) that's unique to you, so that when you come back to the website, it shows that you're user so-and-so and logs you in. That cookie likely will NOT actually contain any password info for anyone to unscramble, but rather is just something the website itself understands, but, again, it depends on the actual implementation. It's probably similar to your local supermarket handing you a membership card. By loading that number, they know it was you using the card, since no one else has that number. The website's "remember my login" would probably work along similar lines.

Neither is technically "secure" since anyone who can physically access your computer (i.e. sit down at your table) can get into those websites, either way. Assuming your home is reasonably safe from intruders, that leaves external hack attempts.

The best defense against external hack attempts is a hardware firewall, and regular security updates for your operating system, probably WinXP.
Windows is already set up to warn you and/or to apply the updates automatically, so all that remains is a hardware firewall, esp. if you are on a broadband connection to the Internet. If the hackers can't reach your PC, they can't hack it. You can, of course, not connect the PC to the outside at all, but that would be rather drastic.

On the other hand, is there anything on those websites that you really need to protect from hackers? Or, if you are more worried about the stuff on your PC, why? Hacking individual people's PC's consumes time, with very little chance of payback for the hackers. Think of it this way... let's say they are after... Credit card numbers. How many credit cards is one likely to own? Maybe 2 or 5. Would their numbers be stored on the PC? If so where? It's impossible to say. It could be in Word documents, Excel spreadsheets, Quicken, MS Money... etc. Choices are endless, and searching through it all would be time consuming. Hackers would be far more likely to get lucky with Phishing or Pharming scams, most of that can be automated and takes almost no time at all on the part of the scammer. It's easier to ask you for the password than to dig it out of you (or your PC), so to speak.

As for trustworthiness of password managers... I personally use one. I have no qualms about using one. Your firewall should automatically block traffic from unauthorized programs, which is how you know which program is not doing what it's supposed to. However, it is quite difficult to "prove" security. In a way, it's like defending against terrorists. We have to be 100% effective, they just have to be 0.0001% effective...

If you are so worried, get a cheap PDA and put your passwords on those, and keep the PDA with you at all times. But then you have to worry about the PDA getting lost and all that...

The entire idea of security is balancing risk vs. convenience. Password managers increase convenience, but also increase risk by offering a central location to lose ALL of the passwords at once. Firewalls decrease the risk of external hacks, but also decrease convenience by requiring various config of port forwarding and such. It is all about trade-offs, and what is acceptable to me may not be acceptable to you. Ultimately, you will have to decide if the risk of using a password manager outweighs the convenience of having one and having it remember stuff for you.

Submitted by: Kasey C. of San Francisco, CA
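The "keep me logged in" cookie described in the answer above, as an added example that is not from the answer or any product it mentions: a server-side table where the cookie carries a random lookup key plus a random secret, and only the secret's hash is stored, so neither the cookie nor a leaked table can be "unscrambled" into a password. Class and method names are my own.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class RememberMeRecord:
    username: str
    validator_hash: bytes  # only a hash is kept: a leaked table cannot be replayed as a cookie
    expires_at: float


class RememberMeStore:
    """Server-side table behind a 'keep me logged in' cookie (hypothetical helper).

    The cookie value is 'selector:validator'. The selector is a lookup key, the
    validator is the secret. Both are random; the user's password is never
    involved, which is the 'membership card number' idea from the answer.
    """

    def __init__(self, lifetime_seconds: int = 30 * 24 * 3600):
        self.lifetime = lifetime_seconds
        self._records: Dict[str, RememberMeRecord] = {}

    @staticmethod
    def _hash(validator: str) -> bytes:
        return hashlib.sha256(validator.encode()).digest()

    def issue(self, username: str, now: Optional[float] = None) -> str:
        """Create a new remember-me series after a normal password login."""
        now = time.time() if now is None else now
        selector = secrets.token_urlsafe(12)   # public lookup key
        validator = secrets.token_urlsafe(32)  # the secret; stored only as a hash
        self._records[selector] = RememberMeRecord(
            username, self._hash(validator), now + self.lifetime)
        return f"{selector}:{validator}"

    def lookup(self, cookie: str, now: Optional[float] = None) -> Optional[str]:
        """Return the username the cookie identifies, or None if it is not valid."""
        now = time.time() if now is None else now
        selector, sep, validator = cookie.partition(":")
        record = self._records.get(selector) if sep else None
        if record is None:
            return None
        if now >= record.expires_at:
            del self._records[selector]
            return None
        if not hmac.compare_digest(self._hash(validator), record.validator_hash):
            # Right selector, wrong secret: a guessed, altered or replayed cookie.
            # Revoke the series so the real user must log in with the password again.
            del self._records[selector]
            return None
        return record.username

    def revoke(self, cookie: str) -> None:
        """Explicit logout: forget the series."""
        self._records.pop(cookie.partition(":")[0], None)

    def stored_record(self, cookie: str) -> Optional[RememberMeRecord]:
        """What the server actually keeps for this cookie (for inspection)."""
        return self._records.get(cookie.partition(":")[0])
```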


Old fashioned method
Feb 23, 2006 11:52PM PST

I do use a Palm handheld with SplashID software for storing my personal log on info. It's password protected. However, I have found that for day to day use at home and work, a card file was the best solution for me.

I have hundreds of registrations at publisher web sites for work and dozens for various online news, shopping and entertainment sites at home.

There are so many variations on what sites require for access. In addition, since I've been doing this, all the experts warned to use lots of different passwords, never the same one. Lately I have been happy to take advantage of Firefox's password manager whenever I can.

I do use a free Yahoo email account for registering at sites that may generate spam. This, in addition to changes in my work email address have resulted in additional complications with registration information.

I've found it just easier to use a plain old 3X5 index card file.

I keep the boxes right out on my desk!

However, there's no danger of anyone stealing either my name or passwords. I use mnemonics to let me know which name and password I've chosen for a site. Thus a card may say: ID:''Old work email'' and PW: ''Mom +SS'' which is my mother's maiden name plus the last four digits of my SS #.

When I set up a registration I want to use at home as well, I make out two cards.

I freely admit this might be cumbersome to many. I am still trying to reduce the variations in passwords or log-in IDs where possible, but it will take time. Meanwhile, I have a quick flip-file to aid my aging memory.

Rolodex!
Feb 24, 2006 2:05AM PST

Since the only place I use my computer is at home and since security isn't a risk for me there, I use an old-fashioned Rolodex. It's small, not at all conspicuous if my home should ever get broken into (who's going to steal an address box?) and is easily accessible to me.

I tried one of the on-line services but it was more of a pain than it was worth. My friend came up with this idea, and I love it!

Great Idea!
Feb 24, 2006 5:25AM PST

Hi! I think this is a great idea.

I considered getting a Rolodex for work, but they are expensive. Besides I kept thinking we'd get some kind of vendor software to manage the information in a rational way. Duh! Our System's staff don't want to buy third party software they might have to end up supporting.

As of now, I'm on my third ''upgrade'' to a larger wood box (10'''') for my cards and it's almost full.

Believe me, I am not about to transfer all that info over to Rolodex cards now. You were very smart, Mary, and don't let any of the paranoids tell you different.

password managers
Feb 23, 2006 11:59PM PST

What password manager do you recommend? And thank you for the information on passwords.

Palcott's Natural Login Pro gets my vote for securing data
Feb 24, 2006 2:14AM PST

I've tried many different solutions, but the software solution from Palcott (Natural Login Pro) gets my vote for easiest to use.

Rather than try and do it justice, I just cut and pasted their description:

Natural Login Pro can secure the computer when a user steps away, while even allowing the user to avoid having to enter a password to gain access. Natural Login Pro does this by linking a user's authorization to physical devices a user carries every day, such as USB or MP3 flash storage drives. When a user leaves the computer, taking the personal storage device secures the computer against intruders. Version 1.10 now supports most removable storage devices, such as USB drives, MP3 players, memory cards and digital cameras.

They have a free trial at http://www.palcott.com/trynbuy/try-natural-login.php?idl=n

Password Managers: Which Backup & Xfer To Another Machine?
Feb 24, 2006 2:27AM PST

Hi,

I presently stick with using a very small address book one can buy at a grocery store for storing passwords. I may be using one of several machines with several types of OSs. Are there any password managers that are that flexible and inherently able to back up or transfer their info base to another machine's copy?

Sincerely,

Gregory D. MELLOTT

There's another way
Feb 24, 2006 3:23AM PST

Use a Flash drive - basically it's a removable hard drive with no moving parts - and keep ANY sensitive info on there, including passwords, bank details, PIN numbers and the like.

What happens is that you can access this drive via your own computer's system, but whatever you do, DO NOT connect it whilst the internet connection is on. At least this way you can keep your security to the maximum.

I have a personal finance programme; all the backup details are on this drive, as are encrypted bank card details. In addition, I have a large number of passwords, that consist of all types of characters; these are also stored there, along with the files they relate to.

In short, though it will cost some money - mine's about 512Mb - this varies according to the type of drive, you can keep sensitive detail this way and not leave it open to attack from the 'net.

Which Password Manager
Feb 24, 2006 3:33AM PST

I am directing this query to Kasey C. Which password manager are you using to store your passwords? I use Password Plus by DataViz. Do you know of any password managers that once on a certain web site will input your username & password automatically when asked to do so? Thanks.

Which Password Manager
Feb 26, 2006 4:54PM PST

I am using PC MAC PasswordVault.
It is encrypted and to be on the safe side I put it within a folder which is encrypted by Cypherix software.
This software has a master password that can be a phrase up to 100 characters!

Private Data Protection
Feb 24, 2006 4:01AM PST

I used to keep notes on the back of punch cards. When passwords came along I ''Kept the tradition.'' Now I feel the insecurity of historical pressure - like when the caveman moved out and left his writing on the wall!

Who would have predicted that the caveman's personal data would be secure for centuries or that archeologists would re-record these rock paintings, plus a password, on silicon(sand)! PROGRESS? Rock - Paper - Password! That is the question.

Trend Micro Internet Security 2005 has a security feature I like called Private Data Protection. It shuts down my internet connection when it detects private information in an outgoing data stream.

Store any four sequential characters of a login, password, phone number, credit card, bank account, email address... into a password protected area of the program and relax. Just checked, Google desktop didn't find it.

Trend Micro Log shows fifteen blocks during the past month. Most are when I forward or return an email and forget to erase my email address link in the text of the message. The rest are for a few sites where Trend Micro detects something unusual in what appears to be a normal login procedure to me. I won't use those sites till the problem is resolved.

Good explanation
Feb 24, 2006 4:03AM PST

Thanks for a good answer. I never understood this before. I feel a lot safer on my PC now. I use a firewall, Spybot and Adaware but I never knew if "they" could get to me anyhow or not! Jan in FL

Write it down on paper - it's simple and secure!!!
Feb 24, 2006 4:15AM PST

I have found that the easiest way to store passwords is simply by writing them down on a piece of paper. I don't write the entire password, just a hint that only I would understand so that if someone finds the list, they won't be able to figure out what the passwords actually are. I keep my list near my computer because it is convenient, but if you wanted to really be sure that no one sees it, a more secure way would be to keep the list locked in a safe or in a really good hiding place. I don't like to store passwords on my computer because I sometimes let other people use it.

Good point
Feb 24, 2006 5:55AM PST

It's also a good point to only write or store part of it, and always tack on a word on the front that you will never forget. For example, if you wrote down 572443 as your password, your real password might be hawkeyesrule572443 (this way, even if your stored list is found, they would still need the word that you add on to every password you have stored).

Keeping it simple
Feb 24, 2006 6:03AM PST

This is pretty much what I do too, only on 3x5 cards. But I imagine I have a lot more registrations to keep track of.

I think the hints are the best way to go in these situations. I don't have the best memory, but I've never had a problem using the hints if I am careful with things such as case sensitive situations and so forth.

The best thing is how convenient the list is! No pulling up/logging into a password app, no handheld to consult, no real security risk (despite how easily those movie hackers figure out passwords).

Simple is best.

I prefer storing passwords off pc
Feb 24, 2006 5:52AM PST

I don't really want to store passwords in the browser, in case my PC is ever stolen or compromised. I have stored my passwords for years using Password Maintenance because it stores pwd data outside of the PC (diskette or USB). I like the security, but I guess I'm picky on that stuff. I originally downloaded my password program here: http://www.softdd.com/password-manager/index.htm

PassCrypt
Feb 24, 2006 6:11AM PST

Hello, I do agree with Kasey on many key areas. The hacker will not feel motivated to waste their time hacking into your hard drive to get what they want, providing that you have the following security in place:

1) software firewall (i.e. ZoneAlarm is a good one)
2) hardware firewall (i.e. router - any is fine.)
3) adware/malware/spyware/virus protection (this is more complicated because you need to install multiple pieces of software and learn how to use them)

For more info re #3 above, there's a good article at:
http://reviews.cnet.com/5208-10149-0.html?forumID=7&threadID=157574&messageID=1749181&tag=nl.e497

Hackers will rather prey on someone who is an easier target. Or they'll rely on social engineering tricks to try and steal the info from you.

In general, you should not trust the Internet except for several legitimate sites that you can reasonably trust (i.e. banks). You need to make sure that they have their own security policy in place and that you can see the lock symbol BEFORE you trust them enough to send your login info to their website.

Personally, I use a password management utility called ''PassCrypt'' (www.seamistsoftware.com). It is excellent software to use because of its compact size, ease of use, and security (448-bit). I have been using it for a long time now and I've not had any problem with it. And best of all, you can communicate directly with the person who designed the software.

Some words to those people who use an Excel spreadsheet to manage their passwords: I strongly recommend that you do NOT USE this method!! It is _very_ easy to hack into Excel even with the password protection in place! I have conducted some tests myself by hacking into my own Excel file and I succeeded within minutes. Obviously, a better solution is needed.

What is the main reason that software developers use to market their password management utility software? It's because their password management utility software uses "encryption" to protect the data (contained in a file), which Excel does not do!

Perhaps this is one area that people need to be educated on.. simple password protection and file encryption are not the same thing! IOW, what you really want is.. you want to find a utility that offers _file encryption_ protection for your password management needs.

HTH

Cheers,

Devin

I use Password Safe
Feb 24, 2006 9:38AM PST

I've found Password Safe (https://sourceforge.net/projects/passwordsafe/) to be a really easy to use and safe way of storing my many passwords on my PC. I read about it on the LangaList, which is a trusted source of tech. info for me (www.langal.com). Password Safe stores your passwords in encrypted format on your PC in a location you specify, and is protected by a master password (which should be a very strong password and changed often). I also use a hardware and software firewall and am careful about the sites I buy from. I do extensive e-commerce and have never had a problem with theft of my information in over five years of online shopping.

g*g

managing passwords
Feb 24, 2006 10:15AM PST

Okay...so call me low-tech, but my password management system consists of a file box and file cards arranged alphabetically by company name. Works great.

Storing Passwords
Feb 24, 2006 11:11AM PST

I store my passwords on a Disc. I do it alphabetically, according to site, and that makes it easy to add new ones.

I also thought about storing them on my PDA, which I keep locked and which can only be accessed by using a password. The only trouble with that is if the PDA is lost, you're stuck. My name and cell phone number are visible before signing on, so hopefully, if I were to lose it, it would be returned.

Pass2go
Feb 24, 2006 1:11PM PST

I like this program and a 64mb USB drive. With it I can use anybody's PC (key loggers do not work; the only thing I type is the master password). When I pull my USB drive out of a computer, all traces are gone.

Anyone Use Keywallet?
Feb 24, 2006 1:19PM PST

Hi, I have been using a program called "keywallet" for some time and it stores all my passwords. The only problem I have had is that when I installed and ran a program called "hijack this", my Windows XP machine crashed!!! for the first time when I tried to open keywallet. When I uninstalled hijack this, the problem went away.

I use a floppy disk to store passwords
Feb 24, 2006 4:03PM PST

I can't remember all my passwords, so I put them on an Excel spreadsheet and save them on a 3.5 inch floppy disk, which I can hide easily in my office, AND carry easily if I'm traveling. They are NOT copied to my hard drive.

Password storage
Feb 24, 2006 7:41PM PST

I enjoyed the reply to this question as it is a concern for just about everyone using the internet today. The author of the reply gave a detailed response, and also admitted using a password manager, but does not say which one. I would be VERY interested to know which one he trusts (I use one as well - Roboform - and I do sometimes worry about the security of this method, as would many readers, I guess) and what he thinks of the embedded Microsoft Wallet with XP?

Use a Flash, aka "Jump", Drive
Feb 25, 2006 4:07AM PST

I am founder of a nonprofit Native American advocacy organization, SENAA International. As such, my computer is and has been the target of several "special interest" hackers who have attempted to nuke and otherwise hack this machine, both directly and via e-mail, as well as denial of service applications and other tactics. One particular "special interest" group, which I call the DP (Donut People), has gone so far as to reroute my Internet access to a bogus IP.

It was only through the use of firewalls (hardware and software) and the encryption of sensitive data that I have foiled attempts to gather information from my system.

Make no mistake about it. Although it may seem time consuming for a hacker to go through all the possible hiding places for credit card and usable personal info, any hacker worth his salt who has this as his or her goal will know the most likely places to find such information and will also look for text, Word, Excel, Access, and other files with names that suggest the presence of personal or financial information. Knowing the likely locations of such data and common tricks used by people to try to conceal such data, a good hacker will know exactly where to look and will be able to locate such information quickly. Passwords are important targets because they provide access to encrypted or password protected information that could be the victim's undoing.

Needless to say, I do not trust any application for storing passwords that resides on the hard drive. If there is reason to believe that someone might gain access to your home and your computer, it is very important to store passwords--and any sensitive data, for that matter--on removable storage devices, either on CD, DVD, floppy disk, or a jump, or "flash", drive.

I personally opt for flash drives. They plug into your PC's USB port, require no drivers for Windows 2000 and above, and can be slipped into one's pocket, purse, or in the case of Corsair's Flash Voyager, put on one's key ring or on a cord or chain and worn as a necklace underneath one's shirt or blouse. Flash drives come in memory sizes from 128 MB to 4 GB. Their size is approximately 3/4" wide, 1/4"-1/2" thick, and 3" long, and weigh approximately 1/4-1/2 ounce. Most flash drives come with a 10 year warranty. If you have a USB port, you can use a flash drive--and virtually every computer that is still functional has a USB port.

The flash drive is superior to, and is fast replacing the floppy drive. In fact, some of the newer computers do not have floppy drives.

I have had problems with floppy disks becoming corrupted. The reason is that the stylus that reads the floppy disk actually comes into contact with the disk, which is a mylar base with magnetic dust attached to it. It is the magnetic material that stores the information. Since the stylus is in contact with the disk, wear is constantly occurring, and in the case of a floppy disk, flaking will occur over time, degrading and eventually rendering unusable the floppy disk. Even with infrequent use, floppy disks will degrade over time. Magnetic materials are also subject to corrosion--rust--and to the moisture content of the air. Some of my older disks have some files that are unrecoverable, even though I have stored the disks well away from any magnetic fields, such as speakers and other electronic devices. Floppy disks are just not a good idea any more. Flash drives do not depend upon magnetic film for storage, so they are not as susceptible to damage as floppy disks. In the case of Corsair's Flash Voyager, the case and the protective cap are covered with rubber, so they are moisture resistant, which further protects the data it contains. Prices for flash drives range from $24 to right around $100, depending on manufacturer, retailer, and storage capacity, with the 1-4 GB drives being the most expensive. However, given their versatility, warranty, and portability, they are worth every cent.

I also use PGP (Pretty Good Privacy) to encrypt all data related to SENAA International, including the names and addresses of members and supporters. I keep both the public and private key, along with other sensitive data, stored on a flash drive on my key ring. The pass phrase for those keys, which is as hard to crack as I could possibly make it, is not stored on any electronic device or paper. It is committed to memory. Whenever I am away from my computer, all access to any SENAA related information--and much of the information itself--is also away from my computer. The only way for anyone to access those documents that are on the hard drive is to get my keys out of my pants pocket and somehow extract the pass phrase from my brain--and that won't happen.

What if I lose my key ring and the flash drive? I won't. In the impossible event that I did lose my key ring and the drive, anyone who found it and tried to access the information it contains would have to know my pass phrase, because the folder containing the information is encrypted as a self-extracting PGP file.

Whenever I have to modify or create documents containing hacker-usable information, I wipe the file from the hard drive using PGP after I have saved the file to the flash drive or to CD or DVD.

By using CDs, DVDs, and a flash drive, no hacker usable files are left on the hard drive.

I am not a representative of the company, but I recommend Corsair's Flash Voyager, which can be seen at http://www.corsairmemory.com. They are, in my book, one of the top-end flash drives.

A word of warning: when I last tried them, the PNY brand flash drives would not work on USB ports located on the front of the computer case. Most newer computers have USB, firewire, and sometimes digital camera memory card ports on the front of the case for easy access. PNY, for whatever reason, did not work well on front ports. Corsair and SanDisk flash drives work very well on front ports. In fact, they were built with the front port in mind for convenience's sake.

For those who do not have front USB ports, Corsair's Flash Voyager comes with a shielded (to keep signals inside the cable) 25" cable that is long enough to connect to the rear USB port and provide access from the front. Corsair also provides a mini CD containing a utility that can be used to encrypt the flash drive so its data can only be accessed from the user's computer using the user's access key.


So, the bottom line is that the absolutely safest method of storing and protecting your passwords so they are easily accessible is to use a flash drive and keep the drive with you.

The low-tech alternative is to buy a paper memo pad, write all your passwords in it, and keep that memo pad with you or in a different location from your computer until you need it.

That's my two-cents worth.

Al

embarrassingly naive question about passwording
Feb 25, 2006 6:03AM PST

If I have 1) a home computer with access I control and 2) I've never uttered my password to another living being and 3) it's not a dictionary word, isn't that one password enough? Can my keystrokes be read from another computer? If so, how likely is that? Thanks AE

removable flashdrive
Feb 27, 2006 2:43AM PST

Hi Al, thanks for sharing your insight with us.

I like the idea of storing the passwords on a mobile device such as a flash stick and having them automatically encrypted.

In an ACTUAL case where you do LOSE your flash stick, what will you do? Do you keep a backup copy, and if so, how often do you synchronize it to the master file on your flash stick?

Thanks,

Devin

Depends on software
Mar 13, 2006 6:15PM PST

Hi Devin,

It depends on the software. Some of them allow you to create backups. Some do it automatically.

I'm using a USB stick only to access and lock my Windows account. There are some options to prevent losing the password:
http://www.rohos.com/prevent_forgotten_password.htm

Wow! I agree that this is a winning answer.
Feb 25, 2006 6:10AM PST

The writing talent seen in this young person's post is most evident. Can we see an evolving communication ability developing before our very eyes as chatting and emailing are replacing piano lessons? One draws the user, while in the other situation, the user is drawn sometimes kicking and screaming against being drawn. (I personally, love to type while playing CD piano music; it feels like I am playing the music.) This is all meant to say, great answer!

Passwords
Feb 26, 2006 3:33PM PST

What's all the fuss about!
Create an Excel spreadsheet with 3 main fields:
1. Site or software 2. Username 3. Password
Protect the whole thing with a password and you're home and dry.

I'll try to draw a bottom line
Feb 26, 2006 5:03PM PST

I have read all the posts here. It's very interesting how different people deal with the passwords problem.

It's clear that if you want security you need to follow three simple rules:
- Create secure passwords (> 8 chars, capital letters and numbers, etc.)
- Use different passwords for each Web site.
- Don't save passwords in the browser.

However, if you observe all of them, you will face the usability problem. It is almost impossible to remember that large number of secure passwords. So, we are back to the main topic - what is the safe way to manage passwords? Keep in mind that you need a solution that is not only secure but also convenient.

Reading this thread, I figured out three ways to achieve this:
- Store passwords on your PC - encrypted and locked;
- Store passwords on an external device - mobile device, SmartCard or USB drive;
- Don't store passwords on any electronic device - write them down somewhere on paper.

The third way is the least acceptable to me. It's not secure, not durable and not really convenient.

If I had my login information on a flash or mobile device, that would be great. However, I could lose the device or damage it, so I need a backup device. That leads me to more security questions - for example, where to keep it? Moreover, I need to synchronize it every time I add a new account or make any changes.

It's obvious that stored encrypted passwords could be a solution at some point. But what if some young hacker from Zimbabwe steals them? He definitely will break the encryption.

So, what is the solution?
For me that would be a tool that does not store my passwords anywhere! It generates them on the fly every time I log in. Roboform isn't the case, however.
A tool should support auto-login so I won't have to type my login details every time. Also it has to be mobile so that I could use it from any PC without any external devices.
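The "generate them on the fly" idea in the post above, together with its three rules, as an added example that is not part of the thread or of any product named in it: a deterministic generator derives a per-site password from one memorised master secret and the site name, so nothing is stored anywhere, every site gets an unrelated password, and each result satisfies the length and character rules. Function names, the 64-symbol alphabet and the PBKDF2 round count are my own choices.

```python
import hashlib
import string

# Exactly 64 symbols so a 6-bit index maps onto the alphabet with no modulo bias.
ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "!#"
assert len(ALPHABET) == 64

MIN_LENGTH = 12           # the post asks for more than 8 characters; 12 leaves margin
PBKDF2_ROUNDS = 200_000   # slows offline guessing if one derived password ever leaks


def meets_rules(password: str) -> bool:
    """The rules from the post that can be checked on a single string:
    longer than 8 characters, at least one capital letter, at least one digit."""
    return (len(password) > 8
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password))


def normalize_site(site: str) -> str:
    """'Example.com ' and 'example.com' must yield the same password."""
    return site.strip().lower()


def derive_password(master: str, site: str, counter: int = 0,
                    length: int = MIN_LENGTH) -> str:
    """Derive the password for one site from the master secret.

    The site name and a per-site counter are mixed into the PBKDF2 salt, so
    sites get unrelated passwords and bumping the counter rotates one site's
    password (e.g. after that site is breached) without touching the others.
    Caveat this scheme cannot avoid: whoever learns the master secret can
    re-derive every password, and the counter values must be remembered.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    site = normalize_site(site)
    # A candidate that happens to lack a capital or a digit is rejected and the
    # next attempt index is tried; the search is deterministic, so the same
    # master/site/counter always lands on the same password.
    for attempt in range(256):
        salt = f"site={site}|counter={counter}|attempt={attempt}".encode()
        raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt,
                                  PBKDF2_ROUNDS, dklen=length)
        candidate = "".join(ALPHABET[b & 0x3F] for b in raw)
        if meets_rules(candidate):
            return candidate
    raise RuntimeError("no rule-conforming candidate found")  # practically unreachable


def master_fingerprint(master: str) -> str:
    """Short check value for the master secret, safe to write on a card:
    a mistyped master would otherwise silently produce wrong passwords."""
    digest = hashlib.pbkdf2_hmac("sha256", master.encode(), b"fingerprint",
                                 PBKDF2_ROUNDS, dklen=2)
    return digest.hex()
```

The fingerprint reveals 16 bits of a PBKDF2 output, not the master secret, but it is only worth writing down if the master is long enough that those bits do not narrow guessing meaningfully.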