I think that I have about 80 – 100 passwords that I use on a regular or
somewhat regular basis. I always remember my network and computer logon
passwords, but beyond that I often have to check my a) Outlook notes on my PC
at work, or b) when at home on my Mac, my little black notebook stuffed in the
bottom of a drawer.
Is storing my passwords on Outlook notes safe for my bank and tax filing
accounts? Are online password managers or ‘safes’ secure? Do you have any
suggestions for how best to manage the proliferation of passwords for online
I don’t really have a good cross-platform solution for you, though I do have
a couple of odd ideas.
However, I have developed a very strong recommendation over the past couple
of months for a product called RoboForm – which happily includes a free version!
Let me touch on your first two questions first…
Keeping your passwords in Outlook notes scares me somewhat. Yes, your PST can
be encrypted (make sure that it is if you continue to do this), and
theoretically it should only be accessible when you’re logged in. Hence, it’s
“safe” behind your login password. But ultimately Outlook wasn’t designed for
this, and I’d be concerned that if the PST ever fell into the wrong hands, it
wouldn’t be that hard to open it up and have access to whatever you
have inside. So, theoretically it’s an “ok” solution, but not particularly
Online password vaults make me nervous as well. There are two issues: trust
and connectivity. I’ll admit, I’m a control freak, and the thought of handing
over my passwords to some online service over which I have little to no control
scares me. I’m sure that there are trustworthy ones out there, but I’m also
sure there are some that are less than reputable. I don’t want to be the
one to find out the hard way. Online vaults also assume you can connect to
the Internet and that you can connect to them. If the service goes down for some
random reason, would you be blocked out of everything? If the answer is yes …
well, that’s a deal breaker for me right there.
What I have been doing so far is keeping all this information (and more) in
an Excel spreadsheet. (You could, of course, use a plain text file and Notepad,
or whatever else you might like.) That, in and of itself, is
incredibly insecure and dangerous. That is, until I place that
spreadsheet – and a number of other sensitive files – onto a virtual drive
using TrueCrypt. When the virtual
drive is not loaded, the contents are securely encrypted and inaccessible to
others. When it is loaded, the contents are simply visible as unencrypted
Now, I worked that way for accounts and passwords for perhaps a couple of
years. It’s secure and relatively convenient, except for the part about having
to fire up Excel and copy/paste account names and passwords into the web pages
that required them.
Then a colleague suggested RoboForm.
It’s easy to think of RoboForm as simply “yet another password database”,
but it’s much more. That thinking actually kept me from trying it long ago – I
had a password database solution as I just outlined.
What makes RoboForm so much more than that includes:
RoboForm will capture passwords as you visit sites. That means creating the
password database is not an extra maintenance step but rather a somewhat
innocuous side effect of simply using the web. As you enter a username/password
on a site RoboForm doesn’t already know about, it simply prompts you to save
(A side effect to this side effect, by the way, is that RoboForm can be used
to recover passwords you’ve forgotten but that your browser’s auto-fill feature
continues to enter for you.)
Once RoboForm has the password for a particular site, you can use the
RoboForm tool bar to go directly to that site, enter the login information and
submit it, all with only two mouse clicks. On the toolbar is a dropdown
Click on the site RoboForm knows about, and it automatically takes you there
and logs you in with your credentials.
The RoboForm database is, of course, encrypted by default. RoboForm also
handles the appearance and disappearance of the database gracefully. That means
if you have RoboForm configured to look for its database on, say, a USB
thumbdrive, simply inserting the thumbdrive will activate all of RoboForm’s
features; remove the drive, and RoboForm quietly notices.
While RoboForm is not truly cross-platform, it does include a viewer that
can be installed on your Pocket PC or your Palm device. Your RoboForm database
is automatically synchronized when you synchronize your device, and you can
securely view your passwords on your hand-held device.
Since with RoboForm you don’t need to remember passwords, you can switch to
using significantly better passwords that are harder (even impossible) to
remember. And, naturally, RoboForm includes a random password generator for
just this purpose.
RoboForm works with IE, including IE 7, and Firefox, including FireFox
There’s more, so I’ll simply encourage you to check out RoboForm. The free version, naturally, has some
limitations, specifically in the number of “passcards” that you can keep. But
the Pro version does not and, in my mind, is worth every penny.
One addendum on how I use RoboForm today.
You’ll note that I said RoboForm’s database is encrypted by default.
That means the first time you use RoboForm after logging into Windows, you’ll
need to supply the password to unlock the database. I actually skip that step
and keep my RoboForm database unencrypted – because I still keep it on
my encrypted TrueCrypt drive. RoboForm doesn’t do everything – it’s a
solution for websites that require login, and it does that very, very well.
However, I naturally continue to have other sensitive information that I keep on
that encrypted drive – and even in my Excel spreadsheet. But since that drive
is encrypted, and since I have to specify a password to mount it, there’s no
reason for me to place an additional layer of encryption with RoboForm, so I
simply skip that.
And as I pointed out above, RoboForm gracefully notices when drives appear
and disappear – meaning that as I mount, or unmount, my encrypted TrueCrypt
drive, RoboForm “just works”.
The one bugaboo that I haven’t addressed is the cross-platform issue. As I
said, I don’t have a graceful solution for that just yet. RoboForm is Windows
only, aside from the PDA readers I mentioned above. TrueCrypt is promising a
Mac OSX version in the future and already has a Linux implementation, but even
when that does arrive, it doesn’t give you the features that RoboForm does.
I’m certain that there are good Mac solutions out there (I hear good things
about 1passwd), but I’m not aware of
one that interoperates with Windows.
So you’re left with two solutions, IMO:
Use the RoboForm PDA solution to keep your password list with you and use
that to manually read and type in your passwords on your Mac.
Use a Mac-based solution in addition to RoboForm on Windows. Yes, that means
keeping two databases – one on the Mac, and one on Windows. But building that
database is really just a one-time thing on each platform. (And 1passwd
indicates it can import from RoboForm, so perhaps there’s a migration or
synchronization path there.)