Tuesday, September 22, 2009

Password Managers: Your Key to Safe Surfing


Take all of the antivirus, anti-spyware, and anti-phishing software in the world. None of it can protect you if you surf the Internet with weak or weakly protected passwords.
Just imagine the consequences if hackers were able to obtain one or more of your passwords. Would they be able to access your bank accounts, online shopping accounts, credit cards, and more? Even one compromised password could be big trouble.

Most people know this. Yet many, recent reports suggest, continue to use the same password for most if not all of their online accounts.

A recent study by U.S.-based communications firm @www found that over 60 percent of Internet users employ the same password for all of their online accounts. Other recent studies resulted in similar findings. So what's the solution?

Password Managers

Password managers can be a great solution to the problem of trying to create and remember passwords. There are dozens on the market, but two stand out on most people's lists as best-of-breed: RoboForm and Lastpass.

RoboForm (http://www.roboform.com) has been around for many years. It has evolved from a first-class form filling application -- with a free version as well as a commercial "pro" version -- into a combination password-form filler that integrates into your browser by means of a toolbar. It's fast, easy to use, and contains no annoying pop-ups or adware.

The main knock against RoboForm has been that the process of synchronizing your passwords on one machine with those on another is less than elegant. An add-on product, RoboForm2GO, is required to take your password and form filling data with you to another machine. And yet another associated product, GoodSync, can help to keep passwords, form data, and other common application data in sync automatically, assuming the computers are connected or that you carry around a flash drive with the latest updates.

What's really missing, though, is the ease of use that would come with being able to synchronize passwords, form data, and other data over the Internet. Such a system uses the Internet as an intermediate storage location. That way, when you log on with your second or third computer, you can quickly and easily synchronize your passwords by accessing the synchronization file online.

The programmers at SiberSystems, makers of RoboForm, are addressing this shortcoming with the introduction of RoboForm Online (https://online.roboform.com), currently in beta. RoboForm Online works its magic by allowing you to store your passwords and data on servers supplied by SiberSystems. That way, no matter where you are or which computer you're using, RoboForm Online will automatically keep your passwords up to date by fetching the latest passwords and other data from the server online.

RoboForm Online is no doubt a welcome enhancement for veteran RoboForm users. But RoboForm Online is actually playing catch-up to relative newcomer Lastpass (https://lastpass.com), also available for free.

Lastpass was built from the ground up with easy synchronization in mind. Essentially a Web-based application, Lastpass stores an encrypted copy of your passwords and other Internet data in your online Lastpass account. Go to a new computer, and all you have to do is log in to your Lastpass account to get your passwords installed on the new machine.

Lastpass, like RoboForm, attempts to do much more than just store passwords. It's also a form filler, allowing you to create multiple identities for different types of form filling activity. RoboForm's form filling capabilities are a bit more robust than those of Lastpass. RoboForm allows the creation of unlimited custom fields that the program should automatically recognize and fill, for example. But Lastpass's form-filling features are enough for most, and the program's ease of use and elegant synchronization method stand out.

Security Issues

While online password synchronization is clearly an important feature -- and the direction in which password managers are going -- many might justifiably be concerned about how safe their password data is on someone else's server.

Both Lastpass and RoboForm state that no unencrypted password or personal information is ever sent over the Internet through their applications or stored on their computers. The only way for a third party to be able to see your data is to have a decryption key, which is something you create and is never transmitted along with your encrypted data. Now, if you don't want to be one of those who tests the veracity of one of these companies' claims, then you may want to stick with the less portable RoboForm -- or even create your own passwords.

Do It Yourself

If the idea of a password manager doesn't appeal to you, you can create secure passwords that are tough to crack. But you need to follow some guidelines.

First, avoid creating passwords that are common names, years (as in year of birth), or words that can be found in the dictionary. Also avoid names -- especially the name of your spouse, your kids, or your pet.

Passwords that are at least eight characters long and are a combination of letters, numerals, and symbols are the best. One common tip these days for creating secure passwords is to think of a sentence you're unlikely to forget -- such as "I was born in 1945" -- and then create a password consisting of the first letter of each word, and include any numbers. So for the example above, your password would be "iwbi1945." Experts suggest mixing numbers or symbols in between letters for extra security.

Once you have a secure password, use it for one site -- and one site only. Remember that if you tend to use the same password for everything, a skillful hacker could get into all of your online accounts by guessing just one password. You'll want to avoid that at all costs.

Finally, don't write your passwords down. You'd be surprised at just how many people live with passwords written on sticky notes that are close to their computer -- there for anyone to uncover.

But if creating and remembering multiple, secure passwords seems to you to be a daunting task, that's because it is. These days, a password management add-on is really a necessity.