Why I've started using a password manager
Posted on 9 Nov 2012 at 13:20
Jon Honeyball is impressed by encryption software that generates hardened passwords and manages them in one secure location
Ladies and gentlemen, it’s time to face facts – your internet use isn’t safe. I’m not talking about malware, viruses or nasty drive-by websites here (although they might well be a factor in this affair). No, I’m referring to that most humble of things: the password.
Back in the good old days, we had but two passwords to worry about – the first of which logged us into our ISP when we instructed our modem to dial the service. This username and password wasn’t any big deal because it was used only when dialling out. The second username and password was for our account at CIX – a UK version of COSY, which also underpinned The Well in California and Byte’s BIX bulletin board. CIX was (and still is) a great social medium that predated the World Wide Web by several years, let alone lesser upstarts such as Facebook. But I digress.
Usernames and passwords used to be simple, but today this is no longer the case. In the modern internet era, where you go e-shopping at a wide range of sites, from Amazon to your local specialist butcher, it seems to be necessary to log in separately to almost every website. This drives me nuts. When I want to purchase something from an e-shop, the only information I should need to hand over is the shopping basket contents, a delivery address and my credit card details. It’s taking a liberty to force me to register on a website I often have absolutely no desire to return to: I went there for one specific purchase and that’s it. I really don’t believe that doing business in this way gives anyone the right to demand that my information be placed on their marketing database.
The same thing happens in real life, too, of course. Go into PC World, make any purchase and ask for a VAT receipt. This immediately makes you a “worth capturing” target, and the sales assistant will start demanding all kinds of information, such as your address, postcode, inside leg measurement and preference in vintage champagne. Their excuse, if queried, is that this is required for the warranty, but it would be hard to imagine a more blatant misuse of the Sale of Goods Act. It’s tempting to give the company’s own headquarters as your postal address, and the email address of its managing director as the contact mailbox.
Anyway, back to the virtual world. Each website demands its own username and password (the username is often an email address, but it doesn’t have to be). It isn’t too surprising that many of us use the same password for all these sites: “Who’s going to know?” goes the thinking. The answer is whoever obtains that password from the one site that stored it badly, because they can then try it everywhere else. Maybe we’ve been clever and use a few different passwords, but it’s genuinely rare to find anyone using a truly hardened password. There are good reasons for this: first, they’re difficult to remember; second, they can be awkward to type, especially when you’ve included punctuation marks and find yourself on a non-UK keyboard. Worse still, the passwords that are easiest to remember are also the easiest to crack: a dictionary attack tries real words and their common variations first (capitalised, a digit or two appended, a year on the end), so a memorable password turns up within the first few million guesses rather than being hidden somewhere in the full space of possible character strings.
After scouring a dictionary, the cracker will turn to guesses built from personal information: name of parent, name of house, name of first-born, first names of first and second children, date of birth coupled to name of dog, and so on. A great deal of this information can be discovered out there on the web, especially if you’re an enthusiastic user of sites such as Facebook. I’ll confess that I’m rarely surprised nowadays at the amount of personal information that some people quite happily scatter across their Facebook pages, then make visible not only to friends but to friends of friends, increasing the audience by an almost geometric factor.
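To make the two paragraphs above concrete, here is an added example written for this page (it is not code from the column or from any product it mentions). It runs a small mangled-dictionary guess list, extended with constructed "personal facts" of the kind described, against constructed unsalted SHA-256 hashes, then contrasts that with a 20-character password drawn from a CSPRNG, which is what a password manager generates. The wordlist, the personal facts, the sample passwords and the choice of SHA-256 as the stored hash are all assumptions for illustration.

```python
"""
Added example for this page (not code from Jon Honeyball's column): a toy
dictionary attack with simple "mangling" rules, plus guesses built from
constructed personal facts, run against constructed unsalted SHA-256 hashes.
It then contrasts the result with a 20-character password drawn from a CSPRNG,
as a password manager would generate. Wordlist, personal facts, sample
passwords and the choice of hash are all assumptions for illustration.
"""
import hashlib
import itertools
import math
import secrets
import string

# Constructed mini-wordlist; a real cracker uses millions of entries.
WORDLIST = ["password", "sunshine", "football", "dragon", "welcome"]
# Constructed "scraped" facts: dog, children, birth year, house name.
PERSONAL = ["rover", "emily", "jack", "1978", "rosecottage"]
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def mangle(word):
    """Yield the variations people actually apply to a base word."""
    yield word
    yield word.capitalize()
    yield word + "1"
    yield word + "123"
    yield word + "!"
    yield word.capitalize() + "1"
    yield word.replace("a", "@").replace("o", "0")
    for year in ("1978", "2012"):
        yield word + year


def candidates(words=WORDLIST, personal=PERSONAL):
    """Dictionary words first, then personal facts, then pairs of facts
    ("name of dog coupled to date of birth")."""
    for w in words:
        yield from mangle(w)
    for p in personal:
        yield from mangle(p)
    for a, b in itertools.permutations(personal, 2):
        yield a + b
        yield a.capitalize() + b


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def crack(target_hashes, words=WORDLIST, personal=PERSONAL):
    """Return ({hash: plaintext} for every target recovered, guesses made)."""
    remaining = set(target_hashes)
    found = {}
    guesses = 0
    for cand in candidates(words, personal):
        if not remaining:
            break
        guesses += 1
        digest = sha256_hex(cand)
        if digest in remaining:
            found[digest] = cand
            remaining.discard(digest)
    return found, guesses


def candidate_count(words=WORDLIST, personal=PERSONAL):
    """Size of the whole guess list above (the attacker's entire effort)."""
    return sum(1 for _ in candidates(words, personal))


def generate_password(length=20, alphabet=PRINTABLE):
    """What a manager does instead: uniform random choice from a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Bits an attacker must search when no dictionary or personal-fact
    shortcut applies: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    weak = [sha256_hex("Sunshine1"), sha256_hex("Rover1978")]
    found, guesses = crack(weak)
    print(f"recovered {len(found)} of {len(weak)} weak passwords in {guesses} guesses")
    strong = generate_password()
    print(f"generated {strong!r}: {entropy_bits(len(strong), len(PRINTABLE)):.0f} bits,"
          f" not in a guess list of {candidate_count()} entries")
```

The whole guess list here is 130 entries and still recovers both "memorable" passwords; a real wordlist with real mangling rules is millions of entries deep and recovers a large fraction of any leaked set. The generated password is not weaker because it is longer as such, but because nothing in it is a word or a fact about you, so the attacker has no shortcut and is left with roughly 2^131 possibilities.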
I've been using LastPass for the past few months and I think it's great.
By KryptosSol on 9 Nov 2012
Yep, I've been using it for a couple of years. Excellent service.
Security Now's Steve Gibson did an in-depth look at the encryption they use and described how the system works. I'm very comfortable using it.
By big_D on 9 Nov 2012
+1 for LastPass
I've been a happy user for a couple of years. It just gets better - now incorporating two-factor authentication using the Google Authenticator app, which can also be used to secure your Google account. I'd be lost without it.
By milboro on 9 Nov 2012
Question for those using password managers
I read this article with interest and have a genuine question, given this has been on my mind for a while and have been thinking about taking up such a service.
Are you worried that you will be storing your passwords with a company that you don't really know anything about?
Isn't this a case of all your eggs in one basket?
Like I say - it's a genuine question. I'm on the verge of doing it myself. I just worry that we are at the mercy of the security of the company/people who write the software.
By metalmonkey on 9 Nov 2012
+1 for LastPass
I've just started using LastPass in the last few days and, although the smartphone apps are rudimentary, having access to passwords from so many potential devices is great. The ability to share passwords with other users, with sync, is also very useful.
By PsYcHoTicTac on 9 Nov 2012
Password Protection in the cloud but not of the cloud
I've been using KeePass for quite a while now, in conjunction with Dropbox. Not only is it free, it has corresponding apps on Windows 7, Android and iOS 6.
It means that the password file is both securely encrypted with a passkey that only I know, synchronised across all my machines (since it uses Dropbox), backed up to the cloud, yet Dropbox have no ability to open the file.
So for @metalmonkey, there are other solutions out there that allow you to have similar functionality but without giving up supposed control to a third party.
By MCunliffe on 9 Nov 2012
+1 for KeePass
I also like the way only I know the master password. A slight worry is that a keylogger user might be able to get hold of the file and passwords, so I will look into LastPass.
big_D, thanks for the reference; I will take a look.
By tirons1 on 9 Nov 2012
The passwords are encrypted on your local machine, before being sent to LastPass (Pre-Internet Encryption) and LastPass cannot decrypt your passwords.
You need a strong master password, which is your key to encrypting / decrypting your passwords.
Steve Gibson was given access to the technology behind LastPass and gave it a clean bill of health for integrity and strength of the encryption they use.
By big_D on 10 Nov 2012
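As an added illustration of the client-side pattern big_D describes (this is example code written for this page, not LastPass's implementation and not the commenter's), the following Python stretches the master password into a vault key on the client and sends the service only a one-way verifier computed from that key. The iteration count, the use of the account name as salt, the second derivation step and the attacker's assumed hash rate are all assumptions, not any vendor's real parameters.

```python
"""
Added example for this page (not LastPass's code, nor any commenter's): the
client-side key-derivation pattern big_D describes. The master password is
stretched locally into the vault key; the service only ever receives a
one-way verifier computed from that key, which it can compare but cannot
invert. The iteration count, the use of the account name as salt, the
second derivation step and the attacker's hash rate are all assumptions.
"""
import hashlib
import hmac

ITERATIONS = 100_000   # assumption; the cost every guess must pay
KEY_LEN = 32           # 256-bit vault key


def derive_vault_key(master_password, salt, iterations=ITERATIONS):
    """PBKDF2-HMAC-SHA256: the key that encrypts the vault on this machine.
    It is never transmitted."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def server_verifier(vault_key, master_password):
    """One further one-way step over the vault key. This is what the
    client sends to authenticate; knowing it does not yield the key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key,
                               master_password.encode("utf-8"), 1, dklen=KEY_LEN)


def client_login_material(master_password, account_salt, iterations=ITERATIONS):
    """Everything the client computes at login: (local key, value to send)."""
    key = derive_vault_key(master_password, account_salt, iterations)
    return key, server_verifier(key, master_password)


def service_checks_login(stored_verifier, presented_verifier):
    """Server side: constant-time comparison of verifiers, nothing else."""
    return hmac.compare_digest(stored_verifier, presented_verifier)


def offline_guess_rate(attacker_hashes_per_second, iterations=ITERATIONS):
    """Rough guesses per second against a stolen verifier: each guess costs
    about iterations + 1 PBKDF2 rounds, so raising iterations slows the
    attacker proportionally. The hash rate is an assumed attacker figure."""
    return attacker_hashes_per_second / (iterations + 1)


if __name__ == "__main__":
    salt = b"alice@example.com"   # constructed account identifier used as salt
    password = "correct horse battery staple"
    key, verifier = client_login_material(password, salt)
    print("vault key stays local:", key.hex())
    print("service stores only:  ", verifier.hex())
    again = client_login_material(password, salt)[1]
    print("service accepts correct login:", service_checks_login(verifier, again))
    print("guesses/s against a stolen verifier at 1e9 hashes/s:",
          round(offline_guess_rate(1e9)))
```

The point for the "all your eggs in one basket" question raised earlier in the thread: under this design a compromise of the service hands the attacker ciphertext plus verifiers, and the cost of turning either into your passwords is the strength of your master password multiplied by the iteration count. A weak master password is the one thing the architecture cannot compensate for.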
Do any of these apps integrate with a Fingerprint scanner?
I was using Protector Suite, which worked great, but I don't want my passwords stored on the internet. Held locally is just fine; I can do my own backups.
By kingct on 10 Nov 2012
The question about "why should I trust this software?" is a very valid one.
You have to consider this as a shades-of-grey problem. Software like LastPass (which I have heard good things about and would consider) or 1Password is from companies who only do this. It's not some corner-of-the-office team at a bigger company.
I think it's less likely to have my master password broken than it is for me to set up an insecure password on a site, or to reuse one too often. I would be happier still if 1Password had two-factor authentication, maybe SMS-based, or some other factor. That would make it even more secure.
As it stands, I am happy with the *balance* of risks that I am taking using 1Password.
By JonH_ on 10 Nov 2012
I've been using it for a while and it is great, though a bit expensive if you want it to sync across different devices. I use it under CrossOver or Wine in Ubuntu and it runs perfectly!!
By monotok on 10 Nov 2012
After much recent criticism from many (including me), about PCPro losing its way (e.g. articles about cycling), I wanted to compliment this particular piece of work. I've now started using LastPass. Thanks all.
By mppreece on 10 Nov 2012
Given that the fingerprint readers have just been shown to have a very bad security hole, I wouldn't want to link them anyway!
They store the master Windows password in an open area of the registry and use 64-bit encryption (2048-bit is the recommended minimum at the moment).
By big_D on 11 Nov 2012
Splash ID Safe
Aside from user convenience and easy sync features, it has a more flexible, customisable record-keeping system for securing even non-password data that is frequently needed on the go for personal or business use.
By Deandre on 11 Nov 2012
Hi, I've used Roboform for years. It can generate random passwords, stores them in the cloud and can fill in web forms/passwords for you. I've also got it on my Android smartphone.
By jgordon on 12 Nov 2012
I got an ebook on Amazon that describes using a password manager. Cheap and right to the point. Just search for "practical security passwords" and you'll find it.
By JamesT1865 on 12 Nov 2012
+1 for LastPass (but what about Win RT?)
I have used LastPass for several years; with the Google Chrome add-in and the IE add-in it is an excellent solution. I pay the notional fees to get access from my smartphone for when I am out and about. Just waiting for a Windows 8 RT solution though....
By Tallfish1 on 13 Nov 2012
+1 for LastPass and OneLastPass
The only problem I've had with LastPass is that they were apparently hacked last year (June 2011). Since they store all your passwords in the cloud, a breach like this can lead to big security implications. After that, I moved to OneLastPass (
By sergvolkov00 on 9 Dec 2012
+1 for SplashID Safe
SplashData's SplashID Safe is great. I enjoy the new pattern-lock master key feature. More convenient than the usual character key input requirement.
By Aaron1 on 27 Jan 2013
Local Machine Failure.
If the master password is stored locally on your machine, what happens if the local machine breaks (it happens from time to time)? You then lose access to all your passwords?
I wouldn't trust anything to the "cloud".
By smartermind on 22 Aug 2013