I think that I have about 80 – 100 passwords that I use on a regular or somewhat regular basis. I always remember my network and computer logon passwords, but beyond that I often have to check my a) Outlook notes on my PC at work, or b) when at home on my Mac, my little black notebook stuffed in the bottom of drawer.
Is storing my passwords on Outlook notes safe for my bank and tax filing accounts? Are online password managers or ‘safes’ secure? Do you have any suggestions for how best to manage the proliferation of passwords for online accounts?
I don’t really have a good cross-platform solution for you, though I do have a couple of odd ideas.
However, I have developed a very strong recommendation over the past couple of months for a product called RoboForm – which happily includes a free version!
Let me touch on your first two questions first…
Become a Patron of Ask Leo! and go ad-free!
Keeping your passwords in Outlook notes scares me somewhat. Yes, your PST can be encrypted (make sure that it is if you continue to do this), and theoretically it should only be accessible when you’re logged in. Hence, it’s “safe” behind your login password. But ultimately Outlook wasn’t designed for this, and I’d be concerned that if the PST ever fell into the wrong hands, it wouldn’t be that hard to open it up and have access to whatever you have inside. So, theoretically it’s an “ok” solution, but not particularly secure.
Online password vaults make me nervous as well. There are two issues: trust and connectivity. I’ll admit, I’m a control freak, and the thought of handing over my passwords to some online service over which I have little to no control scares me. I’m sure that there are trustworthy ones out there, but I’m also sure there are some that are less than reputable. I don’t want to be the one to find out the hard way. Online vaults also assume you can connect to the Internet and that you can connect to them. If the service goes down for some random reason, would you be blocked out of everything? If the answer is yes … well, that’s a deal breaker for me right there.
What I have been doing so far is keeping all this information (and more) in an Excel spreadsheet. (You could, of course, use a plain text file and Notepad, or whatever else you might like.) That, in and of itself, is incredibly insecure and dangerous. That is, until I place that spreadsheet – and a number of other sensitive files – onto a virtual drive using TrueCrypt. When the virtual drive is not loaded, the contents are securely encrypted and inaccessible to others. When it is loaded, the contents are simple visible as unencrypted files.
Now, I worked that way for accounts and passwords for perhaps a couple of years. It’s secure and relatively convenient, except for the part about having to fire up Excel and copy/paste account names and passwords into the web pages that required them.
Then a colleague suggested RoboForm.
It’s easy to think of RoboForm as simply “yet another password database”, but it’s much more. That thinking actually kept me from trying it long ago – I had a password database solution as I just outlined.
What makes RoboForm so much more than that includes:
- RoboForm will capture passwords as you visit sites. That means creating the password database is not an extra maintenance step but rather a somewhat innocuous side effect of simply using the web. As you enter a username/password on a site, RoboForm doesn’t already know about, it simply prompts you to save it:
(A side effect to this side effect, by the way, is that RoboForm can be used to recover passwords you’ve forgotten but that your browser’s auto-fill feature continues to enter for you.)
- Once RoboForm has the password for a particular site, you can use the RoboForm tool bar to go directly to that site, enter the login information and submit it, all with only two mouse clicks. On the toolbar is a dropdown menu:
Click on the site RoboForm knows about, and it automatically takes you there and logs you in with your credentials.
- The RoboForm database is, of course, encrypted by default. RoboForm also handles the appearance and disappearance of the database gracefully. That means if you have RoboForm configured to look for its database on, say, a USB thumbdrive, simply inserting the thumbdrive will activate all of RoboForm’s features; remove the drive, and RoboForm quietly notices.
- While RoboForm is not truly cross-platform, it does include a viewer that can be installed on your Pocket PC or your Palm device. Your RoboForm database is automatically synchronized when you synchronize your device, and you can securely view your passwords on your hand-held device.
- Since with RoboForm you actually don’t need to remember passwords, you can actually switch to using significantly better and harder (even impossible) to remember passwords. And, naturally, RoboForm includes a random password generator for just this purpose.
- RoboForm works with IE, including IE 7, and Firefox, including FireFox 2.
There’s more, so I’ll simply encourage you to check out RoboForm. The free version, naturally, has some limitations, specifically in the number of “passcards” that you can keep. But the Pro version does not and, in my mind, is worth every penny.
One addendum on how I use RoboForm today.
You’ll note that I said RoboForm’s database is encrypted by default. That means the first time you use RoboForm after logging into Windows, you’ll need to supply the password to unlock the database. I actually skip that step and keep my RoboForm database unencrypted – because I still keep it on my encrypted TrueCrypt drive. RoboForm doesn’t do everything – it’s a solution for websites that require login, and it does that very, very well. However, I naturally continue to have other sensitive information that I keep on that encrypted drive – and even in my Excel spreadsheet. But since that drive is encrypted, and since I have to specify a password to mount it, there’s no reason for me to place an additional layer of encryption with RoboForm, so I simply skip that.
And as I pointed out above, RoboForm gracefully notices when drives appear and disappear – meaning that as I mount, or unmount, my encrypted TrueCrypt drive, RoboForm “just works”.
The one bugaboo that I haven’t addressed is the cross-platform issue. As I said, I don’t have a graceful solution for that just yet. RoboForm is Windows only, aside from the PDA readers I mentioned above. TrueCrypt is promising a Mac OSX version in the future and already has a Linux implementation, but even when that does arrive, it doesn’t give you the features that RoboForm does.
I’m certain that there are good Mac solutions out there (I hear good things about 1passwd), but I’m not aware of one that interoperates with Windows.
So you’re left with two solutions, IMO:
- Use the RoboForm PDA solution to keep your password list with you and use that to manually read and type in your passwords on your Mac.
- Use a Mac-based solution in addition to RoboForm on Windows. Yes, that means keeping two databases – one on the Mac, and one Windows. But building that database is really just a one-time thing on each platform. (And 1passwd indicates it can import from RoboForm, so perhaps there’s a migration or synchronization path there.)