A problem with online security is that there are no standards for passwords. You may come up with one silly, simple password that you use for every site. This works well until you encounter a site that wants one that is, say, 2 characters longer than the one you use. What then? Or maybe you’re a bit better and use a scheme where you “encrypt” the domain name into your password. Again, this works fine until a site forces you to break the scheme, and then you’re shit out of luck. The net result is that you either A) have extremely simple passwords, B) forget your passwords often, or C) write them down next to your computer.
In case you didn’t think so, options A, B and C suck. Don’t do it. Be smart and be safe.
Doing this involves some pain-in-the-ass security, and as I’ve said before, different levels of pain are acceptable for different things. I feel that protecting your passwords is critical, so I’m willing to accept a somewhat higher PITA level. My PITA of choice for passwords is KeePass. Being an open source project (W00T!), some of the execution of the user interface is left to the developer, so you may find some ports are better than others. However, the vanilla OS X and Windows flavors I use at work and home respectively simply rock. The Android port I use is the icing on the cake: I can download a copy of my password file and have all my passwords on the go.
KeePass, much like TrueCrypt, has really thought about how to store passwords. Here’s a list of some of the great features:
- generate a secure password based on a given site’s rules (8+ letters, 1+ number, etc.)
- hot keys to quickly copy username and password
- the Android version puts the username in an alert menu so you can easily copy and paste it into a web form
- encrypt notes for extra info, like the security question you also won’t remember and wrote down next to your password
- ported to just about every platform, including iPhone and Android
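The first feature in that list, generating a password that satisfies a given site’s rules, as an added example that is not KeePass’s own code; the `SitePolicy` rule set and the function names are my own stand-ins for whatever a site actually demands:

```python
import secrets
import string
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SitePolicy:
    """Constructed stand-in for one site's password rules (hypothetical format)."""
    min_length: int = 8
    max_length: int = 64
    min_digits: int = 1
    min_upper: int = 1
    min_lower: int = 1
    min_symbols: int = 0
    allowed_symbols: str = "!@#$%^&*()-_=+"


def meets_policy(password: str, policy: SitePolicy) -> bool:
    """Check a candidate against every rule; also used to validate generator output."""
    if not policy.min_length <= len(password) <= policy.max_length:
        return False
    alphabet = string.ascii_letters + string.digits + policy.allowed_symbols
    if any(c not in alphabet for c in password):
        return False  # a character the site would reject
    return (sum(c.isdigit() for c in password) >= policy.min_digits
            and sum(c.isupper() for c in password) >= policy.min_upper
            and sum(c.islower() for c in password) >= policy.min_lower
            and sum(c in policy.allowed_symbols for c in password) >= policy.min_symbols)


def generate_password(policy: SitePolicy, length: Optional[int] = None) -> str:
    """Draw uniformly from the CSPRNG (secrets) and reject candidates that miss a rule.
    Rejection sampling keeps every allowed string equally likely; 'pick one digit,
    one upper, then fill the rest' schemes skew the distribution instead."""
    if length is None:  # default: as long as the site allows, capped at 20
        length = min(policy.max_length, max(policy.min_length, 20))
    if not policy.min_length <= length <= policy.max_length:
        raise ValueError("requested length is outside the site's limits")
    required = policy.min_digits + policy.min_upper + policy.min_lower + policy.min_symbols
    if required > length or (policy.min_symbols > 0 and not policy.allowed_symbols):
        raise ValueError("policy is unsatisfiable; the loop below would never finish")
    alphabet = string.ascii_letters + string.digits + policy.allowed_symbols
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate, policy):
            return candidate
```

The unsatisfiable-policy check matters: without it a site whose rules can never be met turns the generator into an infinite loop.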
The net result of this is that you never forget a password, you use secure passwords, and no one can get at your passwords. This is secure, and this is how you should do it! For the forward thinking, store your password file on a USB key you carry with you or, if you’re like me, put it in your Dropbox account, and then you can seamlessly use it on all your computers. Doubly handy!
Is Dropbox the weak link here? Dropbox does not seem very secure to me. What would stop someone from hacking Dropbox and then having your password file?
Mike – Thanks for the comment! Dropbox is a known quantity, not specifically a weak link. Let’s assume they’re a so-so company and their security is only so-so (I think they’re great, though!). This “so-so” security is totally OK because KeePass implements real encryption way above and beyond what Dropbox will ever provide. For us, Dropbox is less secure storage and more a rich man’s rsync between our work computer, home computer and smartphone. It even has a web interface, so we can use it on a friend’s computer without installing anything. A very rich man’s rsync, indeed!