Password apps vs. Post-it notes: Showdown in the lab

 


The GCN Lab tries out four password management applications -- and one old-school method -- to see how well, and how securely, they keep track of all those passwords people have to use.

Face it. It's difficult, if not impossible, for you to keep track of all your passwords. You probably have to change the passwords you use to access your work computer every three months, or even more often. Add to that your personal computer and all the various Web sites through which you conduct transactions and business, and it's easy to accumulate dozens of different passwords.

The experts tell you to make them hard to guess, with a mix of upper-case and lower-case letters, numerals and symbols. Make them long, don't use any words that someone who knows you could guess, such as the name of a pet or your spouse, use a different one for each log-in and never, ever write them down.

What? So how are you supposed to remember what your lengthy, random, impossible-to-guess passwords are, let alone which one goes with which system or site?

Security has started to fail us because its job is twofold. It has to keep out people who aren’t authorized. But it also has to let in those who are. The most secure building in the world would be one without any doors or windows. But it would be pretty hard to go to work there. And that’s what managing multiple secure passwords feels like these days.

To compensate, people have begun using weak passwords, as was evident in the GCN article about ten bad passwords people use. Or, people use one password for multiple sites, which is bad because if one gets compromised, they all could fall.




But there is help available. Password management tools, a couple of which our readers mentioned when we asked for password tips, can help keep track of it all. What they all basically do is let you create one very strong password. Then you log into them and they handle everything else for you, logging into all your other systems as needed and perhaps even generating random passwords on your behalf. We took a look at several of these.

KeePass is a free, open-source program for password management. It was created by people who had the very same problem that many over-authenticated feds experience: too many passwords for one person to realistically remember.

We downloaded a copy of KeePass in the lab and put it through its paces. We were impressed with its ease of use and also the security functionality. For security, it supports the use of physical keys. Instead of a master password, you can create a master key from a USB drive, or even a burnable CD. That key would be required to log into a system, whereupon the program would log you into other places and programs as needed. If you use that method, you can set the master key to change fairly often, which would make guessing it even more difficult.

It uses the 32-bit SHA-256 as the password hash, and all fields are encrypted, not just the password field. We don’t know of any programs that can break an SHA-256 hash at this time -- or we should say, in any amount of time. It would probably take several supercomputers thousands of years to brute-force it.

We were very surprised to find a free, open-source tool for password management, and were very pleased with how KeePass worked in terms of performance and ease-of-use. We would highly recommend it.

RoboForm is a password manager and auto-form filler rolled up into one easy-to-use program. You can download a free trial of the software, or purchase it for $30. If you want it to run on a key drive, you have to buy a special RoboForm2Go license, which costs an additional $20.

The RoboForm program works like most password management tools in that you create a single password and then use the program to handle everything else. Everything is encrypted and you can have the program randomly generate passwords for you for every site you have access to. So you don’t even have to know what your password actually is, other than the main one.

RoboForm also adds in-form completing. You can put all your personal information into the program, and use it to complete forms for you online. One major advantage to this is that if you use the RoboForm program, you won’t be in any danger of keyloggers. Data will be coming from the program, not typed out, so keyloggers won’t be able to capture any data.

RoboForm works great and is especially helpful if you fill out a lot of forms online. It’s a bit expensive, but you do get tech support if something goes wrong, which most freeware programs won’t offer.

For those of you using Macs, 1Password is a program to give you the security offered by many of the PC password managers. It requires Mac OS X 10.5.8 (Leopard) or Mac OS X 10.6 (Snow Leopard). However, mobile versions are available that work with the iPhone OS and the Palm OS. You can try it for free, or buy a copy for $40.

It works very much like the PC-based programs, encrypting all your passwords and making it so you only have to memorize a single one. We really liked the clean interface of 1Password, which of course is designed to look like and act like most Mac programs.

If you use a Mac as your primary means of accessing a network or series of sites, 1Password should keep you safe.

LastPass is a password manager that is particularly well-attuned to Web browsing. It sits on your main PC and lets you automatically generate passwords for all the Web sites you visit.

This is really the program to have if you do any amount of online shopping, or just visit outside sites that require passwords. You can configure how you would like your passwords to look quite easily with check boxes, selecting “Require Every Character Type” for a really strong password or “Avoid Ambiguous Characters” if you don’t want percent symbols and stuff like that in there, say, if the Web site does not allow them.
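The two generator options named above can be modelled as follows. This is an added example, not LastPass's code and not part of the original article; the function names, the `AMBIGUOUS` set of look-alike glyphs and the `symbols` parameter (for sites that reject certain symbols) are assumptions made for illustration.

```python
import math
import secrets
import string

# Assumption: look-alike glyphs treated as "ambiguous"; not LastPass's actual list.
AMBIGUOUS = set("0O1lI|`'\"")


def build_classes(avoid_ambiguous=False, symbols=string.punctuation):
    """Return the non-empty character classes after optional filtering."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, symbols]
    if avoid_ambiguous:
        classes = ["".join(c for c in cls if c not in AMBIGUOUS)
                   for cls in classes]
    return [cls for cls in classes if cls]


def generate_password(length=16, require_every_type=True,
                      avoid_ambiguous=False, symbols=string.punctuation):
    """Draw a password from the OS CSPRNG (secrets), never from random."""
    classes = build_classes(avoid_ambiguous, symbols)
    if require_every_type and length < len(classes):
        raise ValueError("length too short to include every character type")
    alphabet = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Rejection sampling: redraw until every class appears. Forcing one
        # character per class into fixed slots would bias the distribution.
        if not require_every_type or all(
                any(ch in cls for ch in candidate) for cls in classes):
            return candidate


def entropy_bits(length, avoid_ambiguous=False, symbols=string.punctuation):
    """Upper bound on entropy in bits: length * log2(alphabet size)."""
    alphabet = "".join(build_classes(avoid_ambiguous, symbols))
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    print(generate_password(20, avoid_ambiguous=True))
    print(round(entropy_bits(20, avoid_ambiguous=True), 1), "bits (upper bound)")
```

Shrinking the alphabet costs a little entropy per character, which a few extra characters of length more than recover.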

When you visit a site that has been logged into LastPass, you will be automatically logged in as yourself without having to really do much of anything. And you can easily change your passwords as much as you like or need to.

You can also put secure notes into LastPass, for things such as physical security. So you could tell it where you hid a key, or the combination to a door, and it will keep it safe.

There is a free version of the software that works well and provides basic functionality. Or you can buy the Premium version, which costs the very reasonable sum of $1 per month, billed annually. With Premium, you can make LastPass work with your Android, BlackBerry, Windows Mobile or iPhone.

Post-it notes are not really an electronic password management tool, but many people use them as one. I actually don’t discourage fellow labbies from using this method to keep track of passwords. Pen and paper can work, and actually be more secure than anything else, in some circumstances.

Given that hackers won’t be breaking into your office to rifle for your password, except in a remake of the “Sneakers” movie, a piece of paper is pretty secure. No program of any type is going to let a hacker in China read a piece of paper locked in your desk drawer.

I still wouldn’t frame a password on your wall or anything, but writing it down and putting it in a secure location, or simply hiding it in plain sight on a sheet with other seemingly non-essential notes, works for the most part. I know it’s against policy for most people to do that, but, ironically, this may be the most secure method of keeping passwords safe while making sure you can still use them when needed.
