Password Management

[dthomsen8]

Any advice about password management? Lots of free and commercial management packages out there. Too many for me to choose right now.

[terrie]

I know there are some out there and there's one that is touted as being quite good but, of course, I can't remember the name. I'll post back when/if it comes to me...'-}}

Ahhh...google is your friend...it's LastPass and also KeePass...not used either myself...

Terrie

[Steve Rindsberg]

I just started playing with KeePass again. Awful name but impressive software. Easy enough to use on the surface but with features to a depth that'd keep any hardcore geek happy.

And it requires no install; just unzip it to any convenient folder (even on a thumb drive) and use it.

And free.

[annc]

Quote:

Originally Posted by dthomsen8

Any advice about password management? Lots of free and commercial management packages out there. Too many for me to choose right now.

I've used ForgotIt for many years and find it very good. They even require a very secure level of password to open the data file itself when you log in. Price is good and I've only ever had to pay for one upgrade, which was a major one.

It has four different data files, all kept in the one database: Passwords, Credit Cards, Serial Numbers and Notes.

Currently USD14.95 which is pretty reasonable.

[Howard Allen]

I've been using 1Password for a couple years. $US50. Very highly rated and no complaints from me. There is a mobile version that syncs with the desktop version, making it very convenient to have your passwords wherever you may need them.

[LoisWakeman]

I have an obscurely named notepad file hidden in a system folder. It hasn't let me down yet!

[terrie]

Quote:

lois: I have an obscurely named notepad file hidden in a system folder.

I use a hidden WordPerfect file (backed up by a .rtf and a pdf and then also backed up to a portable drive)...'-}}

Terrie

[Steve Rindsberg]

Hmm. What's that they say in the security biz? Security through Obscurity is no Security at all? Something like that.

I'm guessing that it wouldn't take too long for even a free search tool like Agent Ransack, or even Windows' own search feature, to unearth a file with email addresses, urls and passwords.

That assumes that the bad guy has some sort of access to your computer that'd allow running a search tool, of course. But if you can assume that that'll never happen, there's no real need to hide the passwords in an obscure place to begin with. Just use a passworded login and set the screensaver to kick in (and force a new login) after a reasonable period of inactivity so that houseguests/visitors can't get at the password file.

Which is more or less what I've been doing all this time. Which is why I decided to give KeePass a serious try. ;-)

[terrie]

Quote:

steve: Hmm. What's that they say in the security biz? Security through Obscurity is no Security at all? Something like that.

Yeah...I know...living on borrowed time...'-}}

Terrie

[Franca]

I had a pretty darned good "system" that I used before I got LastPass. I had a non-dictionary "word" made up of letters (caps and lc) and numbers to which I would append something to do with the site itself. Then I had a file that did not contain the actual passwords but simply a pre-determined reminder code for each site. So a double layer of obscurity. A simple search would not turn up any actual passwords. Someone would have to figure out the "word" for starters.

However, my concern with that system was not that someone might find my passwords on my computer but that a hacker online who collected a bunch of passwords might somehow be able to see my actual password on one site, figure out from that what my "system" was and perhaps be able to get onto multiple sites using it. But on the theory that the burglar will choose the house without the Rottweiler and the alarm system first, I figured it was a reasonably secure method for awhile, given how many utterly ridiculous passwords people still use on every single site they visit. A password manager is simpler than my old system, though, and far more secure so I finally saw the light. I just have to finish going through and purging the remaining passwords created under the old system.

Man, I hate sites that don't provide an easy and secure way to change your password. Some don't have the option at all on site. You have to "forget" your password and wait endlessly for a link sent to your email (crossing fingers that email address isn't the old compuserve one) and some don't even have that option; you have to contact them by form, email or phone and say, "What the heck - why can't I change my password??" Some have the option but make you jump through endless death-defying hoops, and some make you go through all the hoops only to barf up the new password without explaining why. (Frequently this is because the site failed to tell you what the password creation limitations are.) Which is why I always make sure I hang onto the old password until I've successfully logged out and back in with the new one. LastPass keeps track of the password history if it's a site you've already got in your vault, but if it isn't .... There are still a lot of very poorly designed web sites out there.