Keep Passwords Under Lock and Key

Passwords are the gateway to our online lives.  The revelations – which were not really that surprising, to be honest – that the NSA has cracked or created backdoors into many online security mechanisms only serves to underscore the fragility of online privacy and confidentiality.  Passwords are something within our control, though, and we can at least make a bit of effort to make them as strong and difficult to access as possible.  It’s one reason I’m wary of using sites like LinkedIn, who have exhibited poor care of users passwords.

Another recent discussion made me change my own password activities.  I have long used passphrases and typically use a handful of passwords that are about 20 characters long.  But I also use Google’s Chrome Web browser and it received a lot of negative press at the beginning of August about how potentially easy it was to view passwords saved within the browser.  My hand would be up if someone asked, “Do you save your passwords in your browser?”  It makes working on multiple secure sites easier if I don’t have to recall my passwords each time.  The cost-benefit seemed in favor of saving them, although I was well aware anyone gaining access to my computer profile could then use the browser to access secure content.

Online Password Managers

One alternative is to put all of your passwords into a password manager.  These are proliferating online, with popular names like Lastpass and Roboform but many others biting at their ankles.  These have the benefit of placing all of your passwords off your computer or tablet and wrapping them in encryption.  Techrepublic recently posed the question as to whether cloud-based password sites were really safe.  Answer from the password managers:  yes.

Password managers are not only stores of your own passwords.  They can help to generate them as well, so that you can (a) auto-generate a random password and (b) have it recorded so you don’t have to remember it.  This makes it easy to have a different, strong password on every site you use.

Offline Password Managers

I used Lastpass, an online password manager for awhile and mostly liked it.  The two drawbacks it had for me were that it sometimes filled the wrong password, for example when I had multiple accounts on sub-sites of the same domain.  Also, I wasn’t really interested in paying for an Android app for my tablet to keep my passwords.

Beyond that, cloud password managers are proprietary and prone to occasional lapses.  Lastpass has recently owned up to creating a bug in its browser plugin that allows for a password dump.  They had had another security problem in 2011.  I don’t mean to pick on them; they’re just the manager I was using so I would rather think of them as emblematic of some of the challenges.

In the end, I’ve closed my Lastpass account and gone to KeePass Password Safe.  It runs on your local device – which works great for me on Linux as well as Windows – and relieves me of my concern in using the cloud for my password store.  Don’t misunderstand – I use the cloud heavily and consider the security enough, in most cases.  Even though my password manager is no longer in the cloud, I backup my encrypted password store to an online storage site to make it easier to sync or recover from a disaster.

If you decide to move from a site like Lastpass or from your Web browser as your password store, you can export your passwords into a file.  You can then import the password file into KeePass, making it easy to get up and running.  Make sure you delete the exported – plain text? – file of your passwords, or secure it for your backup.

Offline Password Gotchas

Now all of my passwords are in an encrypted file on my PC.  They don’t reside in my Web browser nor do they live on a remote password manager server.  You can turn off your Web browser’s penchant for remembering your passwords, to avoid them being stored in your browser.  To achieve a similar result, I use the ChromeIPass plugin for KeePass to allow my browser to access my password store.

This led to a weird result.  Although I’d clicked on the Google Chrome setting to stop managing passwords, I use Chrome on more than one device.  You need to have it stop managing on all sites.  What happened was that Chrome on my Android tablet was still trying to remember passwords, and so I clicked yes to its request once to see what would happen.  Although my desktop was set to not remember passwords, because the browsers are synchronized, the password showed up there.  It means that I need to be conscientious about clicking never when Chrome prompts me for a password.

All in all, I’m much more satisfied with my password management now than I was before.  I can create what are essentially disposable passwords on new Web sites I’m testing or using and move beyond the handful of complex passphrases I’d been relying on.  There is no longer a potential hole –  through my Web browser, and since I often use Internet Explorer, Firefox, and Chrome, perhaps 3 holes – where someone walking up to my desktop could access my passwords.  I’m toying with the idea of moving to a USB drive with my password file, rather than using online storage for backup, but for now I’ll see how this arrangement works.

David Whelan

I improve information access and lead information teams. My books on finding information and managing it and practicing law using cloud computing reflect my interest in information management, technology, law practice, and legal research. I've been a library director in Canada and the US, as well as directing the American Bar Association's Legal Technology Resource Center. I speak and write frequently on information, technology, law library, and law practice issues.