I am not going to do a review of password managers. They have been done to death. If you want someone’s opinion of which is better, go read them. What I want to discuss is features and do you need them.
First we need to define a good password. A good password is a combination of characters with no pattern that you use in combination with a username (or similar string) to gain access to your user account, or to allow you to access a site to do whatever you are allowed. Now in a perfect world you should be able to use whatever character you like in the password. In all reality you will be able to use numbers and the characters contained in the language each site is written in. For our purposes here, we will use English, as that is the only language I have even a passing familiarity in. If you’re lucky you may be able to use numerical characters and possibly punctuation and that is pretty much it. If you are very lucky you will be able to use other symbols.
To create the password, you will randomly pick from these characters to come up with a password. I know that many people want to use as few characters as possible, to make it easier to get into the site. However in reality you need to be using many more characters. 20 is a good number, and most sites allow you to go that high. I have seen one site that will allow 500. In my opinion that is more than just a bit excessive.
Now why did I go through what makes a good password? Your manager needs to be able to handle those characters, and allow you to say which ones you want to use. If your manager will not allow that, just get rid of it and find another one. Why do you want a password manager that you can configure to use different groups of characters? The reason is because if you can’t, it will make changing passwords a pain, soon you will go back to your old ways.
OK, now that you know that your manager will allow you to designate which character groups you can use, what’s next? They have to be randomly selected, and if at all possible there needs to be a method that you can randomize the characters even more. It may be typing random characters, scrolling your mouse around, coming up with an algorithm, or by using a defined pattern. This would not be a pattern in what letters to use where, but a pattern in which the first character is alpha numeric, second is lower case alphanumeric, third character is punctuation etc….. This will be handy with some sites that have a requirement on what you have to have in your passwords.
It is possible for a 20 character random password to have numbers, but some sites will require at least one of each set of characters. Some managers will even allow you to create passwords according to a set of rules. For instance there must be at least one lower case, one upper case and one number. Then the password generated will be totally random, but it will make sure that those three rules are followed someplace in the password.
If you are still with me to this point you will realize there is a small problem that can develop with these passwords depending on the font you are using. In some fonts two or more characters will look similar enough to cause a problem. For instance a 0 and an O in some fonts are indistinguishable. A good manager will allow you not to use characters that can be confused. That way when if you have to manually input your password, it will not have confusing characters.
Great, now that we have a password, the username will generally be set by you and will be your username or address. So what else do you need? Well it would be nice if it would keep it in a list that is sortable or can be manually arranged. If you have a different password for everything (You are not recycling passwords are you?) you will soon have a hundred passwords, possibly more. Being able to group them into categories will be handy. That way you can put all your social networking passwords together, and all your shopping passwords together, and you get the idea. It makes it easier to go thru the list.
Now you have your Usernames and passwords and they are sorted into your lists. What else do you need? What is really nice is if your manager will autotype your username and password into the boxes on the webpage. It can be done in so many ways that it is impossible to even come up with a list. No matter how the manager types your username and password into the form, there needs to be a secondary way. Copy and paste, dragging, something that will put the username and password into the textbox. If not, you will spend a lot of time typing your beautifully crafted passwords into the textbox. It would be nice if there are even more ways than just two to get your passwords entered. The more the better.
There are always programmers out there that are even more paranoid than you are, and they will not allow you to autotype your passwords, paste them in, or even drag and drop them. The fewer methods you have of entering them in, the more time you will spend typing them in by hand.
Speaking of paranoia, notice how these sites are starting to get hacked and someone’s personal information is being collected? Sites are starting to put up a second layer of verification. They are asking you what your first pet’s name was. Before too long everyone on the dark side will know that you had a pet snuffaluffagus named Harold as your first pet. Once that gets out there, you will have to use something else for your security verification. Instead of that, why not use another random string? Those sites do not care what you put in as an answer, they only care that there is something entered in so they have one more thing to ask you.
If you want to use random characters for these answers, chances are you will not be able to do them right there, you will have to create this kind of answer just as you would create a new password, or you can come up with one on your own. The actual answer does not matter just so long as it is not the real answer. Now that you have all of these second layer questions and answers, it would be nice if these can be typed into the provided textbox. Chances are you will have to do a copy and paste.
Outstanding. You have a password / username combination as well as your second layer of protection, usually called a 2-step verification, and they are all sorted into a nice list with groups. Think you are done? Nope. Now here comes the part that is a pain (as if it has not been a pain getting this far). Are you going to use the same username and password combination for the next 30 years? This would be almost as bad as using the same password for everything (I hope you still are not doing that). You need your password manager to remind you to change your password. I would also change your answers to all those questions as well. If you have a username that is not a display name in a forum or something similar, you may want to consider changing that as well. That may be a bit more paranoid than you really need to be.
I have met people that come up with a system that may be even better. They change a certain number of passwords every week or so. You could do one a day. This is a personal thing. Do you want to change possibly hundreds of passwords every 6 months, or do you want to do 5 every Sunday? If you have 300 username / password combinations you need to change 12 once a week to get new passwords on all 300 in 6 months. Of course depending on the user, you may have more or less passwords, so you can adjust it. This is also a good time to thin out your passwords. If you have not used that combination in the last 6 months, you really need to look at it and decide if you can’t just delete the account. The fewer accounts you have on the internet, the easier all this becomes.
Now if you have been keeping score, there is one big issue I have not touched on. Do you use a password manager that is online, or one that is run locally? There are pros and cons to each. First, online password managers:
- Online password managers are convenient.
- Online password managers are very light on local resources.
- Online password managers are portable across any operating system.
- Some of the online password managers have additional options like form fill.
- In July of 2014 many of the online password managers were compromised due to security flaws in various facets of their operation allowing hackers to get customers information. I suspect there may be a weakness in the fact that the username and password are stored in their servers, and have to be displayed on your computer for them to be any use. This doubles the chance that a hack can get the information.
Now there are password managers that are local. This means the database is local and the program is local. It is up to you on how secure this is. If these get hacked, the hackers have to go to each individual’s database to get their information. Now this is not a good thing if you are the person that has just hacked off a dozen hackers. But if you are just the average user, you will have enough warning that you can do something to secure your passwords. The downside to these types of managers is that most people think their computers are secure so they don’t crank up the security to get into the passwords.
Now we get down to cases: Which password manager should I use? I will give you the same advice I give to people when they ask about antivirus software. Try them all. Everyone has his own preferences and tastes when it comes to software. One piece of software may work great for me, but when you use it, you can’t even figure out how to work it. Yet the one that you like does not do all I need. If you test them all out, and give them a good test, one of them will stand out for you. Make sure to do some research on each one as well. You do not want to use the one that some criminal just bought. I will tell you which one I use and why.
I use KeePass Professional. Why? Simply put it has almost all the features I want.
- KeePass runs locally.
- I can synchronize KeePass on several machines, or run it off the network (won’t say which way I do it).
- KeePass can be set to lock after so much inactive time (of using it, not of computer inactivity).
- KeePass can be set to use a password and a key combination.
The key is 256 characters long and my password is long enough and nonsensical enough that if you can hack into it, you probably have a gun to my head. I have also built in some more measures that a hacker will not like. I have several bogus databases and keys that sit in the same location as the legitimate one. Not the same folder but just the same general location. I also change the date and time of the files so some look to have been accessed before or after the legit ones. Keepass also has a portable version that allows me to save the whole kit and kaboodle to a thumbdrive and take it on the road with me.
So you have some choices to make and some research to do. But there are a few things you need to stop doing right now. Get rid of the notebook next to the computer that you have written all the Usernames and passwords in, stop recycling passwords, and do not save them as a text file on your computer. There is one thing you need to do right now, start deciding which password manager you are going to go to.
There is not an all-encompassing list of password managers, but here is a start. 1Password, Dashlane, iVault, KeePass, Keychain, LastPass, Mitro, Mitto, Pleasant Password Server, RoboForm. There are probably others, some pay some free. If they don’t have at least a free trial then they are too risky to even try. If you have a questions, there are several sites around the internet that will answer the questions you have. If you go to http://uniteagainstmalware.com/ there is a list of sites there. Any one of them will help you with information. If they do not know they will either investigate for you, or point you to someone or another forum where you can find your answers. They all charge you the same high rate of FREE.