

2/24/06 Questions about storing and managing passwords

Feb 23, 2006 4:05AM PST
Question:

When logging in to a secure Web page, the browser will often have an option to save my password. Or the Web site will ask if I want to store my password. Are these the same? Where and how are these passwords saved? How secure is it to do this? Are the passwords stored in an encrypted format, and if so, can they be hacked? As a precaution, I never store passwords anywhere in electronic form. I don't trust password managers because there is no way to know what they are doing with the information. What is the safe way to manage passwords?

Submitted by: Gary H.

*******************************************************

Answer:


Well, Gary H., your question starts out simple, but goes quite a bit deeper into online security. Let's start with the difference between the browser's "remember my password" vs. a Web site's "keep me logged in" option.

Your browser actually saves your login name and password info, encrypted, on your hard drive, and fills the fields when you pull up that certain Web page again. However, how it saves it depends on the browser's actual implementation.

By contrast, the "remember my password" option on a website actually saves a special cookie (think of it as a marker) that's unique to you, so that when you come back to the website, it shows that you're user so-and-so and logs you in. That cookie likely will NOT actually contain any password info for anyone to unscramble, but rather is just something the website itself understands, but, again, it depends on the actual implementation. It's probably similar to your local supermarket handing you a membership card. By loading that number, they know it was you using the card, since no one else has that number. The website's "remember my login" would probably work along similar lines.

Neither is technically "secure" since anyone who can physically access your computer (i.e. sit down at your table) can get into those websites, either way. Assuming your home is reasonably safe from intruders, that leaves external hack attempts.

The best defense against external hack attempts is a hardware firewall, and regular security updates for your operating system, probably WinXP. Windows is already set up to warn you and/or to apply the updates automatically, so all that remains is a hardware firewall, esp. if you are on a broadband connection to the Internet. If the hackers can't reach your PC, they can't hack it. You can, of course, not connect the PC to the outside at all, but that would be rather drastic.

On the other hand, is there anything on those websites that you really need to protect from hackers? Or, if you are more worried about the stuff on your PC, why? Hacking individual people's PCs consumes time, with very little chance of payback for the hackers. Think of it this way... let's say they are after... credit card numbers. How many credit cards is one likely to own? Maybe 2 or 5. Would their numbers be stored on the PC? If so, where? It's impossible to say. It could be in Word documents, Excel spreadsheets, Quicken, MS Money... etc. Choices are endless, and searching through it all would be time consuming. Hackers would be far more likely to get lucky with phishing or pharming scams; most of that can be automated and takes almost no time at all on the part of the scammer. It's easier to ask you for the password than to dig it out of you (or your PC), so to speak.

As for the trustworthiness of password managers... I personally use one. I have no qualms about using one. Your firewall should automatically block traffic from unauthorized programs, which is how you know which program is not doing what it's supposed to. However, it is quite difficult to "prove" security. In a way, it's like defending against terrorists. We have to be 100% effective, they just have to be 0.0001% effective...

If you are so worried, get a cheap PDA and put your passwords on it, and keep the PDA with you at all times. But then you have to worry about the PDA getting lost and all that...

The entire idea of security is balancing risk vs. convenience. Password managers increase convenience, but also increase risk by offering a central location to lose ALL of the passwords at once. Firewalls decrease the risk of external hacks, but also decrease convenience by requiring various config of port forwarding and such. It is all about trade-offs, and what is acceptable to me may not be acceptable to you. Ultimately, you will have to decide if the risk of using a password manager outweighs the convenience of having one and having it remember stuff for you.

Submitted by: Kasey C. of San Francisco, CA


Password Security
Feb 26, 2006 6:38PM PST

Hi,

One way to protect is to buy a cheap (low capacity) USB memory stick and to store all your sensitive data (and maybe other useful data such as software keys etc.) on that. You simply plug it in when you need the information and remove it at other times. It's small and very portable too, which can be an added convenience.
To protect against losing it, you should ensure that you do not store any information on it which can provide anyone with your name, address, etc., so that the information they can access on it is useless to anyone finding it. If worried about the inconvenience of losing it and your passwords, then use a second backup one which you never carry around but leave in a secure place at home (something so small is easy to hide well away from burglars etc.).
Vic

Password protecting your USB flash drive
Mar 5, 2006 11:05AM PST

I like this idea and have used it for a while, but I wonder if there is a way to password protect the flash drive. If so, loss or theft would not be as bothersome. While I am at it, I would love to password protect my older version of my Maxtor for the same reasons.
Any suggestions?
RC

I keep mine in an MS Word protected document - is this safe
Feb 26, 2006 9:04PM PST

Probably not I guess

Which is why I tend not to record the full password but use an abbreviation which only I (hopefully) will understand!

I keep mine in an Accessories>Paint bitmap
Feb 26, 2006 11:00PM PST

I've read that the government has trouble detecting hidden communications when they were in a graphic form. I think I will upgrade my simple method by moving my bitmap to Adobe Photoshop and hiding my passwords under layers of other images.
I only use this at home, but if needed I'm also going to try to encrypt the file. Or would this add attention to it?

I keep it too, using free and simple solution
Mar 13, 2006 6:23PM PST

Hi,

I also keep the list of my passwords in Excel.

Here's free software for keeping Word documents, Excel tables and PowerPoint presentations encrypted, accessed by password entry via special Save/Open buttons in the Office toolbar.

Encryption Pack for MS Office 2000/XP 1.3
http://www.download.com/3000-2092-10418553.html

Reasons for greater secrecy
Feb 27, 2006 12:21AM PST

I'm one of those who keeps a paper card file per registered site with log-in and PW hints on them as my password ref tool. It seemed a perfectly secure way to do it, and I was puzzled why this didn't seem to fit the bill for most of the posters here.

DOH! Belatedly it occurred to me that there are probably a lot of people who wish to keep secret some of the sites they are registered at. (I'm not making any judgement calls there, honest!) These days just being an activist in certain political circles might be a job threat, and certainly could result in government monitoring.

That does impact where someone would store info about more [ahem] personal registrations.

There aren't going to be any absolutely secure methods. In fact (thinking of the purloined letter), I wonder if using the most elaborate online tools might serve to create a more tempting target for hacking?

In any case, the few possibly "sensitive" registrations I have can include mnemonics in the URL also.

Secrecy plus Caution Utility
Feb 27, 2006 4:29AM PST

In addition to hiding your card file from prying eyes, a person must be careful on web pages that say "click here" and enter your password. Karen's URL Discombobulator can code (not encrypt) web sites for your card file and decode (discombobulate) those "click here" links that may be phishing schemes.

Here is an abbreviated example showing that the 'original' URL for the message I am responding to is 'real,' that there are no 'redirections,' plus one 'equivalent' URL to use in your card file.
---------------------------------------------------
Karen's URL Discombobulator v1.8.2
http://www.karenware.com/

Original URL: http://reviews.cnet.com/5208-6142-0.html?forumID=7&threadID=159167&messageID=1766867
Real URL: http://reviews.cnet.com/5208-6142-0.html?forumID=7&threadID=159167&messageID=1766867
....
Redirections: none

URLs equivalent to the original (some shrouded or obfuscated):
http://reviews.cnet.com%2F%35%32%30%38%2D%36%31%34%32%2D%30%2E%68%74%6D%6C%3F%66%6F%72%75%6D%49%44%3D%37%26%74%68%72%65%61%64%49%44%3D%31%35%39%31%36%37%26%6D%65%73%73%61%67%65%49%44%3D%31%37%36%36%38%36%37
-----------------------------------------------------
This can keep the casual observer from speed reading your URLs (barcodes can too).

I admit, this is a pretty long substitute URL for card file use, but this utility saved me from a bank phishing scheme and may have helped track the culprits.
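
The decoding the utility performs on a "shrouded" link can be reproduced in a few lines. The following is an added example, not part of this post and not Karen's code: it percent-decodes a link until the text stops changing, then compares the real host with the one a reader believes they are clicking. The shrouded URL is the one quoted above; the `example.net` lookalike is a constructed input.

```python
import urllib.parse as up

# Shrouded URL quoted in the post: everything after the host is percent-encoded,
# so a naive parser sees the whole tail as part of the host name.
SHROUDED = ("http://reviews.cnet.com%2F%35%32%30%38%2D%36%31%34%32%2D%30%2E%68"
            "%74%6D%6C%3F%66%6F%72%75%6D%49%44%3D%37%26%74%68%72%65%61%64%49"
            "%44%3D%31%35%39%31%36%37%26%6D%65%73%73%61%67%65%49%44%3D%31%37"
            "%36%36%38%36%37")
PLAIN = ("http://reviews.cnet.com/5208-6142-0.html"
         "?forumID=7&threadID=159167&messageID=1766867")

# Constructed lookalike (not from the page): the host itself is percent-encoded
# and decodes to example.net, although a reader may be told it is example.com.
LOOKALIKE = "http://%65%78%61%6D%70%6C%65%2E%6E%65%74/login"


def unshroud(url: str, max_rounds: int = 5) -> str:
    """Percent-decode until stable, so double-encoded links are unwrapped too."""
    for _ in range(max_rounds):
        decoded = up.unquote(url)
        if decoded == url:
            return url
        url = decoded
    return url


def naive_host(url: str) -> str:
    """Host as a careless parse of the undecoded text would report it."""
    return (up.urlsplit(url).hostname or "").lower()


def destination(url: str) -> tuple:
    """(scheme, host, path) of the real target, normalised for comparison."""
    parts = up.urlsplit(unshroud(url))
    return parts.scheme.lower(), (parts.hostname or "").lower(), parts.path or "/"


def same_destination(displayed: str, actual: str) -> bool:
    """True when the link really goes to the site the reader was shown."""
    return destination(displayed)[:2] == destination(actual)[:2]


if __name__ == "__main__":
    print("naive host :", naive_host(SHROUDED)[:40], "...")
    print("real host  :", destination(SHROUDED)[1])
    print("matches    :", same_destination(SHROUDED, PLAIN))
    print("lookalike  :", same_destination("http://example.com/login", LOOKALIKE))
```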

My $.02 worth...reliable protection
Feb 27, 2006 3:38AM PST

As mentioned by others, I would have to think anti-virus and firewall protection and operating system security updates are the primary rule of thumb for protecting against malicious access to our home computer, or any other personal information in that case, as Kasey C. of San Francisco, CA advised. However, when typing in passwords or accessing accounts or websites online, any program designed to invade and steal such information only needs a second or two at the right time to hijack said information. All too often, you're a bit late on finding out that such a situation has occurred, and have to suffer a system clean and virus check. Most sites have encryption for protecting your password as far as storage at their end, but if stored in a cookie on your end, it leaves it open to malicious programs other than what your own security walls and protection programs try to protect and defend. More often than not, identity theft of passwords is due to your own home computer being invaded, unless a company has a major hack break-in, which you have seen rarely or, on a more uncommon note, on the news. Storing your passwords on your home computer, then selecting "do not remember me" or NOT choosing "remember my password" on each specific web site is 'probably' the best thing one can do for not allowing a password the ability to 'float around' online.

I merely keep my information in a file in a notepad format, creating said file in SAFE MODE, then I use a program such as 'PDL Hider' (a file and folder privacy converter) to alter my files over to a slightly more secure format. A home user can then simply place them in a better location on their computer, "off station" of the normal operating system hard drive (I use two hard drives on my home computer), or one can store them on a partitioned area of your drive (even using an external 'ThumbDrive' can be practical). This way I can feel a bit more secure in not having important files on the main operating system hard drive which may get viewed, monitored or 'violated'.

Further, in that I'm not going to try and make this sound as if I'm promoting certain products or brand names, I take a couple of extra steps to feel a bit more safe, and simply put to use additional security programs. So just for an example, and using my own personal experience here at home, I've found that a program such as "Security Task Manager" in my own case helps a lot. It's a system process analyzer, but here for our main point, it includes a sub-program called "Spy Protector" which allows the user to select modes where you can prevent keyboard monitoring and other program monitoring such as macros (user activities), mouse activities, starting and ending or use of personal programs, and keyboard inputs (internal messages). This prevents other users, if the case, or malicious programs, from accidentally or otherwise malevolently accessing your private info. Activating blocks at these points of access will disable any monitoring of your input to sites from your end. When you need that information to use on a site, simply unlock your concealed password and information file with the .pdl type converter, then as a further safety measure, never 'type in' your information; simply copy and paste the required field in to complete any information. This is saved to your clipboard at the time of course, but is blocked from being monitored at the time. For later, an easy to use cleaner program such as 'WindowWasher' in my case, and its frequent use, is 'always' a smart recommendation for normal system cleanup, and washes any and all information from that end, including storage cookies.

I may have a loophole or two on that process line and way of thinking, so feel free to correct me if you wish, as I can take polite corrective criticism most of the time *smiles*. Hope some of this helps. Drew

Protection from File Recovery
Feb 27, 2006 9:40AM PST

Another thing is the problem of deleted file recovery. Any saved password file can be deleted and recovered until it is overwritten. With a lot of empty disk space, files can be recoverable for years. I just checked my 256MB USB Cruzer and found 32 recoverable files. The oldest one was two years old. I routinely analyze my hard disk free space for recoverable files and write over all free space whether there are recoverable files or not. I had forgotten about my USB drive!

There are utilities to "securely delete" or "incinerate" or "overwrite" files. These are somewhat useful; however, you have to tell the utility which file to delete. If you simply delete instead of incinerating a password file you wrote in Word or Notepad or Excel, you have a problem: it is recoverable. I let System Mechanic http://www.iolo.com/ overwrite all free space. Problem solved.

Doesn't it bug you when
Mar 16, 2006 6:15PM PST

Doesn't it bug you when websites force you to change your passwords too regularly?

I reckon this is more likely to force some people (i.e. the millions who have not read these forum posts) to back up their passwords in a manner that is unsafe, thus degrading security!

Password Manager
Mar 16, 2006 8:10PM PST

My suggestion requires no outlay of cash for password management, as opposed to purchasing a PDA (which for many is essential but for others another electronic toy). I use RoboForm and I love it. I have been using it for years and it is free if you are only storing a few passwords. Over 10 and it is a lot less costly (I believe the license is somewhere about $30) than a PDA. It is well worth the money and I never have to remember a password; it signs you on to the website and also has an autofill feature so you don't have to fill out online forms ad nauseam. I would recommend that you back up your passcards to a floppy, CD or Zip drive, however.

The Little Book of Passwords
Mar 19, 2006 6:29AM PST

How refreshing it was to read some inside information regarding password management and your system. I too have often wondered about the same issues as Gary H. I do the pencil and book route. I keep my hard-to-remember "silly" passwords and the most important ones marked down in "several" small books (similar to a personal pocket address book). I do, however, allow my own system to record the most frequently used sites that require a password. Banking passes are kept in a special place... my head. You learn to condition yourself to remember pass combinations like these. We as humans learn the "how to's" and prefer to depend on ourselves over technology (at times). Something as delicate as a password should be treated like a newborn baby, so in a sense, so should your own personal pass-words. IF you back up or "burn" your most important ones onto disc (multi-session), including your important documents, then kudos. As for the hackers aspect, a good firewall would help that works in tandem with a virus program; plus help from CNET. News boards like this one will catch the attention of people like myself and subjects like this. My suggestion and personal experiences have taught me the "how to's", and brain food never tasted so good!