Offline/Online Password Management

For someone who’s been using the internet almost since its inception, I’ve collected quite a large assortment of usernames and passwords over the years. I think something on the order of 150+ of them, not including the ones that have gone defunct, or actual local network passwords.

How does a professional geek handle hundreds of passwords? Here’s a quick primer on how I do it, with a few suggestions on general password security, too. I’ve used two programs in the last year to get a handle on my password/username combos: LastPass and KeePass. One is a web-run business; the other is a free, open-source program. I’ll explain a bit about each one, and how I decided to use them.

LastPass

This is actually a cloud-based web service, much like Dropbox or Evernote. You install the LastPass plugin in your web browser, create a master password, and then start collecting and storing passwords to the cloud. It’s very easy to set up, it’s free (for basic functionality), and has lots of tools for collecting passwords, especially for “difficult to capture” websites. I’ve used it now close to a year and I have to admit I’m pretty impressed with it. It’s not perfect, and I’ll get to that in a minute, but overall it’s much better than using nothing at all.

Some of the features I like about LastPass:

  • Security Check – it will scan your passwords and give you a “Security Score” based on how complex your passwords are, and if you have any duplicates.
  • Save All Entered Data – it allows you to store credentials for websites that don’t use blanks named “username” or “password” or have other blanks (some banking sites do this). All you have to do is fill out the form once, click “Save All Entered Data” and it makes a new record with everything saved.
  • Password Generator – a very easy to use generator, with plenty of options. The default settings are a little weak, but it’s easy enough to change.
  • Password expiration – you can schedule passwords to expire, and it will remind you to change them.
  • Multi-factor Authentication – Makes it more difficult to hack your account.
  • Has a “Secure Document” feature (which I’ve never used)
  • Email Alerts if any of your entries are changed
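
A duplicate-and-complexity check of the kind the Security Check bullet describes can also be run locally over an exported list of entries. The following is an added example, not LastPass's scoring and not code from this post; the CSV column names, the sample entries and the 60-bit threshold are assumptions made for the illustration.

```python
import csv
import io
import math
import string
from collections import defaultdict

# Constructed sample export; the column names are an assumption,
# not the export format of LastPass or KeePass.
SAMPLE_EXPORT = """title,username,password
Forum,alice,summer2014
Webmail,alice@example.com,summer2014
Bank,alice,T7#qvLz9!mRw2xKp
Shop,alice,correct horse battery staple
"""


def estimate_bits(password):
    """Rough upper bound: length * log2(size of the character classes used)."""
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c not in string.ascii_letters + string.digits for c in password):
        pool += 33  # printable ASCII symbols plus space
    return len(password) * math.log2(pool) if pool else 0.0


def audit(csv_text, min_bits=60):
    """Return entry titles that share a password and titles below min_bits.

    The report lists titles only, so it never echoes a password.
    """
    by_password = defaultdict(list)
    weak = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        by_password[row["password"]].append(row["title"])
        if estimate_bits(row["password"]) < min_bits:
            weak.append(row["title"])
    reused = sorted(sorted(t) for t in by_password.values() if len(t) > 1)
    return {"reused": reused, "weak": sorted(weak)}


if __name__ == "__main__":
    print(audit(SAMPLE_EXPORT))
```

The character-pool estimate is an upper bound and overrates passwords built from common words and years, so treat the duplicate list as the more reliable half of the report.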

Some things I *don’t* like about LastPass:

  • The mobile app version isn’t free
  • The desktop standalone version doesn’t do much more than the website
  • The desktop version requires an internet connection for initial setup
  • Some multi-factor options and features are only available for paying users (but to be fair, Premium is only $12/year)

[Screenshot: the LastPass “Pocket” desktop app]

KeePass

This is a free and open source program, not a service. It runs locally on your machine, and is extremely secure as well. You can use it as a standalone password vault, but the real fun comes when you use plugins to extend its flexibility. It imports several password vault formats, so switching to it is very easy. If you use a third-party cloud storage solution (like Dropbox or Google Drive) or a portable version on a thumb drive, it becomes cross-platform as well. I eventually switched to KeePass for the simple reason that I wanted to be able to use it on all my devices, and I didn’t want to tie too much information into LastPass in case they had a server breach or something like that. Really, I just wanted to be able to do it myself.

My KeePass setup looks like this:

  • KeePass Portable installed on my computers (Linux and Windows)
  • Database synced with Dropbox
  • ChromeIPass plugin installed in Chrome browser
  • KeePassHTTP plugin installed in KeePass, to talk between the two
  • KeePass2Android on my tablet (also synced with Dropbox)

With this setup, I can manage and use all of my passwords on any device, and if at some point I want to use two-factor authentication like a physical key, or a QR code, or something, it supports that. It did take some playing with it to get everything set up, but it works perfectly.

Things I like about KeePass:

  • 100% Free (and OSI certified)
  • Cross-Platform
  • Password generator – several options through plugins (I use a readable passphrase generator plugin)
  • Works with cloud sync and/or physical keys
  • NSA-proof encryption
  • Multi-factor authentication
  • Database is multi-user capable
  • Passwords can be scheduled to expire
  • Once you get it working, pretty easy to use
  • Mobile app has some cool features like sharing password entries via QR code, and secure keyboard for copy/paste

Things I don’t like about KeePass:

  • It takes add-ons to really realize its potential, and third-party providers may or may not be trusted.
  • For the web plugin to work, the database has to be running in the background.
  • Since it’s not a web service, per se, you are responsible for managing your password system. No tech support.
  • Takes some work to get everything working together, including finding and installing plugins.

[Screenshot: the KeePass desktop app]

[Screenshot: the KeePassDroid app]

Conclusion:

None of these solutions are perfect. We live in a time where information is worth more than anything, and so for us to protect ourselves, we have to take measures to keep our information private. Using a good password management system is the next best thing to a photographic memory.

Still, even a good password management system needs to be used correctly for it to be effective. The whole point of using one is that it allows you to create long and difficult passwords without having to remember each one. Using two-factor authentication gives you an extra layer of security, and if you use a cloud sync system that also uses 2-factor, then you’ve effectively got four layers of security to get through before someone can access your passwords.

Primarily, I’d just like to encourage you: if you haven’t started thinking about online security, now is the time to do it. (You can read my thoughts on securing email and files here.)

Which system you use is not as important as the fact that you use one.

Happy hacking!