Data security has been in the news again lately with new stories about stolen laptops (Anheuser Busch) and credit card break-ins. It's easy to slip into the mindset that nothing is safe, so why bother. One point of vulnerability that has been on my mind lately is passwords. I have a lot of them to manage, so I think about it, and clients often ask me how I do it when they see me working on their web sites and data systems.
Bad habits that really need to go: using the same password over and over again. If someone breaks into a system and finds user names and passwords, and yours is the same everywhere, they now have your login to many other systems as well. Easy passwords need to go too. At work, if you step away from your computer for a minute and a screen saver login comes up, or you are otherwise in a situation where someone can see your login screen, someone on the prowl can run through those familiar names we have all used.
Not having a tool encouraged my lazy side to use the same, easy passwords all the time. I admit it.
For the last few years, I have used Roboform from Siber Systems. Roboform manages several hundred passwords and identities for me. All are encrypted in a database that unlocks with a good password I use only for Roboform. I have a shortcut on my browser toolbar that will fill in username, password, and optionally other information for my sites. Firefox and Safari have pretty good built-in password managers as well, but Roboform offers important advantages. I can have multiple profiles for the same site. For example, all our development web sites start off as clients.dbdes.net/something. With Roboform, I get an automatic drop-down with all the ones listed there.
Because it’s cross-browser, I can have the same lists in Firefox and Internet Explorer. That’s handy too.
And Roboform is great at serving up the login information on multiple pages and variations of the login form, much more so than built-in browser password managers.
Roboform also has a “strong” password generator: it will provide a seemingly random series of letters and numbers to use for new identities, and since it will then manage it, who cares if you can’t remember it.
It’s not freeware, but at $29.95 with periodic promotional discounts, it’s not that much either. Since purchasing it, I have gotten numerous upgrades at no additional charge.
For Mac users, I hear that a comparable product is 1Password from agilewebsystems.com. I haven’t used it but it seems well regarded as the Roboform for the Mac.
A good open source alternative for Windows is Password Safe. You can download it for free for Windows from SourceForge. Aaron from our team, who probably has as many critical passwords as I do, uses this. It doesn’t have all the fine-tuned user screens, but it is just as powerful.
Already happy with your browser password manager? Then at least take these steps:
- Make sure you have secured it with a good password that you only use to protect your identities.
- Make a commitment to getting rid of old, easily guessed passwords.
- Back up your encrypted password file somewhere.
- Generate new secure passwords, at least for important sites. Aaron has placed a link to a password generator on our web site which you can use anytime to make up new, strong passwords: http://dbdes.com/resources/passgen. Here’s another web-based one he suggests: http://supergenpass.com/
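To show what the "strong" password generator mentioned above and the checks in the steps just listed actually do, here is an added example in Python. It is my own illustration, not code from Roboform, Password Safe or the dbdes.com generator, and it assumes only the standard-library `secrets`, `string` and `math` modules. The character set, the list of "familiar" words and the sample account list are constructed for the example.

```python
import math
import secrets
import string

# Character classes for the generator. The alphabet is my own choice for this
# example; the page does not document which characters Roboform draws from.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!#$%&*+-=?@^_~"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)


def entropy_bits(length, alphabet_size):
    """Entropy of a password of `length` characters drawn uniformly and
    independently from `alphabet_size` symbols: length * log2(alphabet_size).
    This is what makes a generated password 'strong': 16 chars from 76
    symbols is about 100 bits, far beyond any guessing budget."""
    return length * math.log2(alphabet_size)


def generate_password(length=16):
    """Generate a password with the OS CSPRNG (secrets, never random.choice).
    Candidates missing any character class are rejected and redrawn, so the
    result always mixes lower, upper, digits and symbols."""
    if length < len(CLASSES):
        raise ValueError("length must be at least %d" % len(CLASSES))
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in CLASSES):
            return candidate


# Constructed list of the "familiar names" kind of password the post warns
# about; a real check would use a much larger wordlist.
FAMILIAR = {"password", "letmein", "welcome", "admin", "qwerty", "summer"}


def is_guessable(password, familiar=FAMILIAR):
    """True if the password is a familiar word, optionally dressed up with
    capitalisation or trailing digits/punctuation (Password1, welcome!)."""
    core = password.lower().rstrip(string.digits + string.punctuation)
    return core in familiar or password.lower() in familiar


# Constructed sample of what a password store might hold. Plaintext here only
# because this is an in-memory illustration; a real manager keeps it encrypted.
SAMPLE_ACCOUNTS = {
    "webmail": "Welcome1",
    "bank": "Welcome1",
    "forum": "Welcome1",
    "vpn": "x7#Qp2!mLr9&Zt4w",
}


def find_reused(accounts):
    """Group site names that share a password. Each group of two or more is
    the reuse problem from the post: one break-in unlocks every site listed."""
    by_password = {}
    for site, password in accounts.items():
        by_password.setdefault(password, []).append(site)
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)


if __name__ == "__main__":
    pw = generate_password()
    print("generated:", pw, "(%.1f bits)" % entropy_bits(len(pw), len(ALPHABET)))
    for site, password in SAMPLE_ACCOUNTS.items():
        if is_guessable(password):
            print("guessable password on:", site)
    print("same password reused across:", find_reused(SAMPLE_ACCOUNTS))
```

The point of `secrets` over `random` is that the generator must be unpredictable to anyone who has seen other outputs; `random` is seeded predictably and is not designed for that. The reuse check is the one most password managers now do for you, but the logic is simple enough to run over an exported list if yours does not.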
Other things are coming soon to secure your identity online.
Some folks swear by OpenID, which promises the ability to have a single, secure login to many sites. Drupal supports it, and I use it on some other sites.
Identity cards, thumb readers and the like promise the ability for your machine to automatically exchange secure login information with whatever is at the other end.
Until you have these things and they catch on, please work on your password habits.
