Why I've started using a password manager
Posted on 9 Nov 2012 at 13:20
Jon Honeyball is impressed by encryption software that generates hardened passwords and manages them in one secure location
Ladies and gentlemen, it’s time to face facts – your internet use isn’t safe. I’m not talking about malware, viruses or nasty drive-by websites here (although they might well be a factor in this affair). No, I’m referring to that most humble of things: the password.
Back in the good old days, we had but two passwords to worry about – the first of which logged us into our ISP when we instructed our modem to dial the service. This username and password wasn’t any big deal because it was used only when dialling out. The second username and password was for our account at CIX – a UK version of COSY, which also underpinned The Well in California and Byte’s BIX bulletin board. CIX was (and still is) a great social medium that predated the World Wide Web by several years, let alone lesser upstarts such as Facebook. But I digress.
Usernames and passwords used to be simple, but today this is no longer the case. In the modern internet era, where you go e-shopping at a wide range of sites, from Amazon to your local specialist butcher, it seems to be necessary to log in separately to almost every website. This drives me nuts. When I want to purchase something from an e-shop, the only information I should need to hand over is the shopping basket contents, a delivery address, and my relevant credit card information. It’s taking a liberty to force me into registering on a website to which I often have absolutely no desire to return – I went there for one specific purchase and that’s it. I really don’t believe that doing business in this way gives anyone the right to demand that my information be placed on their marketing database.
The same thing happens in real life, too, of course. Go into PC World, make any purchase and ask for a VAT receipt. This immediately makes you a “worth capturing” target, and the sales assistant will start demanding all kinds of information, such as your address, postcode, inside leg measurement and preference in vintage champagne. Their excuse if queried is that this is required for the warranty, but it would be hard to imagine a more blatant misuse of the Sale of Goods Act. It’s tempting to give the company’s own headquarters as your postal address, and the email address of its managing director as the contact mailbox.
Anyway, back to the virtual world. Each website demands its own username and password; often the username is an email address, but it doesn’t have to be. It isn’t too surprising that many of us use the same password for these sites: “Who’s going to know?” goes the thinking. Maybe we’ve been clever and use a few different passwords, but it’s genuinely rare to find anyone using a truly hardened password. There are many reasons for this: first, they’re difficult to remember; second, they can be complicated to type, especially when you’ve included punctuation marks and you find yourself using a non-UK keyboard. Worse still, the passwords that are easiest to remember are also often the easiest to crack: dictionary attacks apply the logic of real words to help guide the crack effort in the right direction.
After scouring a dictionary, the cracker will turn to the more obvious social-engineering attacks: name of parent, name of house, name of first-born, first names of first and second children, date of birth coupled to name of dog, and so on. A great deal of this information can be discovered out there on the web, especially if you’re an enthusiastic user of sites such as Facebook. I’ll confess that I’m rarely surprised nowadays at the amount of personal information that some people quite happily scatter across their Facebook pages, then allow it to be visible not only to friends but to friends of friends, thus increasing the browsing population by an almost geometric factor.
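The cracking order the column lays out (dictionary words first, then guesses built from personal details) turned into a strength check, alongside the kind of random generation a password manager does instead. This is an added example, not the author's code; the word list, the personal facts and the 60-bit threshold are constructed assumptions.

```python
import math
import re
import secrets
import string

# Constructed stand-in for a cracking dictionary; real lists hold millions.
DICTIONARY = {"password", "letmein", "welcome", "dragon", "sunshine", "monkey"}
LEET = str.maketrans("@$013", "asole")  # substitutions crackers already try

def normalize(pw: str) -> str:
    """Undo what a dictionary attack undoes: bolted-on digits/punctuation,
    case and leetspeak ('Dr@gon99!' collapses to 'dragon')."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return core.translate(LEET)

def is_personal_guess(pw: str, facts: dict) -> bool:
    """Catches the column's 'name of dog coupled to date of birth' pattern:
    the password is one personal fact plus digits, or two facts joined."""
    core = pw.lower()
    values = [v.lower() for v in facts.values() if v]
    for v in values:
        if v in core:
            rest = core.replace(v, "", 1)
            if rest == "" or rest.isdigit() or rest in values:
                return True
    return False

def entropy_bits(pw: str) -> float:
    """Brute-force upper bound from length and the character classes used."""
    pools = [string.ascii_lowercase, string.ascii_uppercase,
             string.digits, string.punctuation]
    size = sum(len(p) for p in pools if any(c in p for c in pw))
    return len(pw) * math.log2(size) if size else 0.0

def assess(pw: str, facts: dict) -> str:
    """Apply the checks in the order the column says a cracker tries them."""
    if normalize(pw) in DICTIONARY:
        return "weak: dictionary word"
    if is_personal_guess(pw, facts):
        return "weak: built from personal details"
    return "weak: too little entropy" if entropy_bits(pw) < 60 else "hardened"

def generate_hardened(length: int = 20) -> str:
    """What a password manager does instead: CSPRNG over the full alphabet."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))
```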
I've been using LastPass for the past few months and I think it's great.
By KryptosSol on 9 Nov 2012
Yep, I've been using it for a couple of years. Excellent service.
Security Now's Steve Gibson did an in-depth look at the encryption they use and described how the system works. I'm very comfortable using it.
By big_D on 9 Nov 2012
+1 for LastPass
I've been a happy user for a couple of years. It just gets better - now incorporating two-factor authentication using the Google Authenticator app, which can also be used to secure your Google account. I'd be lost without it.
By milboro on 9 Nov 2012
Question for those using password managers
I read this article with interest and have a genuine question, given this has been on my mind for a while and have been thinking about taking up such a service.
Are you worried that you will be storing your passwords with a company that you don't really know anything about?
Isn't this a case of all your eggs in one basket?
Like I say - it's a genuine question. I'm on the verge of doing it myself. I just worry that we are at the mercy of the security of the company/people who write the software.
By metalmonkey on 9 Nov 2012
+1 for LastPass
I've just started using Last Pass in the last few days and although the smartphone apps are rudimentary, to have access to passwords from so many potential devices is great. And the ability to share passwords with other users, with sync, is also very useful.
By PsYcHoTicTac on 9 Nov 2012
Password Protection in the cloud but not of the cloud
I've been using KeePass for quite a while now, in conjunction with Dropbox. Not only is it free, it has corresponding apps on Windows 7, Android and iOS 6.
It means that the password file is both securely encrypted with a passkey that only I know, synchronised across all my machines (since it uses Dropbox), backed up to the cloud, yet Dropbox have no ability to open the file.
So for @metalmonkey, there are other solutions out there that allow you to have similar functionality but without giving up supposed control to a third party.
By MCunliffe on 9 Nov 2012
+1 for KeePass
I also like the way only I know the master password. A slight worry is that a keylogger user might be able to get hold of the file and passwords, so I will look into Last Pass.
big_D, thanks for the reference; I will take a look.
By tirons1 on 9 Nov 2012
The passwords are encrypted on your local machine, before being sent to LastPass (Pre-Internet Encryption) and LastPass cannot decrypt your passwords.
You need a strong master password, which is your key to encrypting / decrypting your passwords.
Steve Gibson was given access to the technology behind LastPass and gave it a clean bill of health for integrity and strength of the encryption they use.
By big_D on 10 Nov 2012
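The "pre-internet encryption" big_D describes, and the KeePass-file-in-Dropbox arrangement MCunliffe uses, rest on the same design: the key is derived from the master password on the client, and the sync provider only ever holds ciphertext it cannot open. The following is an added illustration of that design, not LastPass's or KeePass's code; it uses HMAC-SHA256 in counter mode in place of AES because Python's standard library has no AES, and the PBKDF2 round count is an assumed value.

```python
import hashlib
import hmac
import json
import os
import struct

PBKDF2_ROUNDS = 200_000  # slows offline guessing of the master password


def derive_keys(master_password: str, salt: bytes) -> tuple:
    """PBKDF2-HMAC-SHA256 stretches the master password into an encryption
    key and a separate authentication key; neither is ever stored."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                             PBKDF2_ROUNDS, dklen=64)
    return km[:32], km[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode stands in for AES (not in Python's stdlib);
    # the point is local key derivation plus encrypt-then-MAC.
    out, counter = b"", 0
    while len(out) < length:
        block = nonce + struct.pack(">Q", counter)
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_vault(master_password: str, entries: dict) -> bytes:
    """Runs on the client; only the returned blob goes to the sync provider."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode()
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt_vault(master_password: str, blob: bytes) -> dict:
    """Verify the tag first: a wrong master password or a tampered blob
    is rejected instead of decrypting to garbage."""
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or tampered vault")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, ks)))
```

Whatever stores the blob, a vendor's server or a Dropbox folder, sees neither the site passwords nor the keys, and a stolen blob still has to be attacked through the stretched master password.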
Do any of these apps integrate with a Fingerprint scanner?
I was using Protector Suite which worked great, but I don't want my passwords stored on the internet. Held locally is just fine, I can do my own backups.
By kingct on 10 Nov 2012
The question about "why should I trust this software?" is a very valid one.
You have to consider this as a shades of grey problem. Software like LastPass (which I have heard good things about and would consider) or 1Password are from companies who only do this. It's not some corner-of-the-office team at a bigger company.
I think it's less likely to have my master password broken than it is for me to set up an insecure password on a site, or to reuse one too often. I would be happier still if 1Password had two-factor authentication -- maybe SMS based, or some other factor. That would make it even more secure.
As it stands, I am happy with the *balance* of risks that I am taking using 1Password.
By JonH_ on 10 Nov 2012
Been using for a while and it is great, bit expensive if you want it on different devices to sync. I use it under crossover or wine in Ubuntu and it runs perfectly!!
By monotok on 10 Nov 2012
After much recent criticism from many (including me), about PCPro losing its way (e.g. articles about cycling), I wanted to compliment this particular piece of work. I've now started using LastPass. Thanks all.
By mppreece on 10 Nov 2012
Given that the fingerprint readers have just been shown to have a very bad security hole, I wouldn't want to link them anyway!
They store the master Windows password in an open area of the registry and use 64-bit encryption (2048-bit is the recommended minimum at the moment).
By big_D on 11 Nov 2012
Splash ID Safe
Aside from user convenience and easy sync features, it has a more flexible or customizable record keeping system for securing even non-password data that are frequently needed on the go for personal or business use.
By Deandre on 11 Nov 2012
Hi, I've used Roboform for years. It can generate random passwords, stores them in the cloud and can fill in web forms/passwords for you. I've also got it on my Android smart phone.
By jgordon on 12 Nov 2012
I got an ebook on Amazon that describes using a password manager. Cheap and right to the point. Just search for "practical security passwords" and you'll find it.
By JamesT1865 on 12 Nov 2012
+1 for Lastpass ( but what about Win RT)
I have used Lastpass for several years, with the google chrome addin and the IE addin it is an excellent solution. I pay the notional fees to get access from my smartphone for when I am out and about. Just waiting for a Windows 8 RT solution though....
By Tallfish1 on 13 Nov 2012
+1 for LastPass and OneLastPass
The only problem I've had with Lastpass is that they were apparently hacked last year (June 2011). Since they store all your passwords in the cloud, a breach like this can lead to big security implications. After that, I moved to OneLastPass (
By sergvolkov00 on 9 Dec 2012
+1 for SplashID Safe
SplashData's SplashID Safe is great. I enjoy the new pattern-lock master key feature. More convenient than the usual character key input requirement.
By Aaron1 on 27 Jan 2013
Local Machine Failure.
If the master password is stored locally on your machine, what happens if the local machine breaks (happens from time to time). You then lose access to all your passwords?
I wouldn't trust anything to the "cloud".
By smartermind on 22 Aug 2013
I can't believe it's just me!
I have tried using 1Password before and gave up. On seeing Jon Honeyball still praising it in his recent article I thought I'd give it another go. What a mistake. I installed the Mac version and also the iOS version on my phone and iPad. I initially tried it on a few non-critical sites (thank god). It is hopeless. Try changing your password on your eBay account for example. The site requires that after you request a password change you re-log in, in order to complete the process. But 1Password doesn't pick up on this form and automatically fill in the password, and since you don't know the password it has generated you are stuck. Quite useless. I can imagine people who are not technically savvy getting in a right mess with this program. I have uninstalled it and will not be retrying it.
By hellsfish on 12 Jan 2014