Work Smart Video: Easily and Securely Save Passwords

September 15, 2010

When it comes to storing passwords, I've been a KeePass fan and user for years now, but when Leo Laporte told me he uses LastPass, I had to check it out. I don't love the idea of syncing my password file to a third-party web site--I'm that paranoid--but it is a total pain to cart around my KeePass database file. Now that I've tried LastPass, I'm sold--well, for my lower-security logins, anyway. This week's Work Smart video covers the security vs. convenience tug-of-war you have to put up with when deciding on any password system, and why LastPass is a solid choice.

Keepass + Dropbox is the bomb. I have the same Keepass file on my work PC, home PC, home laptop, MotoDroid and the iPad. Simply cannot live without it!

James Enloe
Sep 15 10 at 2:55 pm

Listen to the Security Now episode about LastPass to put your mind at rest. LastPass is as secure as KeePass. LastPass never has your password, only a hash of the password.

I personally use SuperGenPass:
SuperGenPass is a different kind of password manager. Instead of storing your passwords on your hard disk or online—where they are vulnerable to theft and data loss—SuperGenPass uses a hash algorithm to transform a master password into unique, complex passwords for the Web sites you visit. There’s no software to install: SuperGenPass is a bookmarklet and runs right in your Web browser. And since it never stores or transmits your passwords, it’s ideal for use on multiple and public computers. It’s also completely free.

What I like about it:
- I have completely different passwords on all websites.
- It works everywhere, without having to install or carry around anything.
- It generates 24 characters long passwords (using the customize option; default is 10)

What I don’t like:
- When I have to enter my password in an app (not a browser), it’s a pain.

I’ve been using LastPass since I saw Leo and Steve Gibson dissect it on Security Now. If it passes muster with those two, it’s GTG. Now I don’t know how I did without it.

extremus
Sep 15 10 at 9:28 pm

I’ve been using a password formula for years now and it has some strong advantages in comparison to software like LastPass. You have a unique password for every single site or App, you can easily remember them, no one else has it, it’s easy to leave to your next of kin in case something happens to you (you can store it in your bank’s digital safe to be released the moment you leave this planet).

A fomula is personal, but here is an example:
“I Love The Way Gina’s Mind Works 2010 X Better, Except 4 The [Google] Password Thing” this becomes:
“Iltwgmw2010Xb,e4tGpt” (without the quotes). It has special characters, it’s lengthy (absurdly so in this case, make the sentence shorter for practical use) and it has a capitals amongst normal type. The second capital letter is unique to whatever I log in to. In this case Google. It would have been an ‘E’ if I logged in to eBay. The Year (or week+month number, or something else) has you change your password once every X. This is to accommodate systems that demand that for you.

I’ve tried to keep it short, hope my point comes across. It’s a lot safer that any system that saves password for you.

Verdi
Sep 15 10 at 11:35 pm

Ahhh, Guillaume, thank you for introducing SuperGenPass! It is awesome!!!

dummydecoy
Sep 16 10 at 1:36 am

Isn’t it time to reconsider using fingerprint readers instead of passwords? With everything else engineers have managed to cram ino small spaces, it probably wouldn’t be too hard to add fingerprint scanners into all of our computing devices, mobile or otherwise.

DanielK
Sep 16 10 at 5:48 am

You don’t want to have your passwords in the cloud… forget LastPass or whatever thing following the same lines. It could be hardly encrypted but also a tasty target for hackers. Keep it local, use 1Password or something like this, which syncs locally with your iPhone and can generate random secure passwords for all your websites and everytime you want to access it you will be asked a master password, so if you loose your laptop, they won’t be able to use your passwords and you can have a copy in your iPhone.
Mind the cloud ;-) is good, but not for everything!

LastPass looks interesting, but I’m not sure what’s the problem with saving passwords in your browser. Firefox encrypts the passwords. Just make sure you use a strong master password.

hezy
Sep 17 10 at 4:24 am

Hi Gina

I wished you would add subscribe by email/Gmail to your Feedburner RSS subscription options.

I really like receiving my favorite RSS feed subscriptions my email.

Love your This week in Google Podcast <3

Thanks,

Byron

Byron Friday
Sep 18 10 at 5:37 pm

I use KeePass’s autotype feature. You just hit a key combo and it auto types the username and password; no need to actually open the program like you say in the video. So this makes it very convenient. You can setup rules for key sequences and browser title bars. So for example, if you login into one site with several accounts, it will give you a popup where you can select which username you want to log in with.

I tried LastPass, but still am uncomfortable with giving my passwords to one company online.

I also like KeePass cause I can store software serial numbers, credit cards numbers or whatever information I want to keep secure and easily accessible.

I can use dropbox to keep the database synced across multiple PC’s as well.

petebocken [+1]
Sep 19 10 at 6:42 am

Yeah Gina, I’m a huge KeePass fan also. By using a really small USB drive such as Super Talent’s Pico-C (http://benmoore.blogspot.com/2008/11/bye-bye-u3.html) I just keep it on my house key chain. PStart makes U3 unnecessary although Windows 7′s killing of AutoRun complicates things somewhat.

I did worry about losing the key chain and with it all my passwords so I devised a method to back them up to the cloud (http://benmoore.blogspot.com/2006/10/how-to-safely-store-and-manage.html).

An earlier commenter’s mention of Dropbox may be the ultimate solution but my technique doesn’t require Dropbox being installed.

I’ve also incorporated my names & addresses into KeePass as well (http://benmoore.blogspot.com/2006/08/inspiration.html).

I love TWiG!

fastoy [+1]
Sep 19 10 at 1:52 pm

Its funny how people comment but clearly don’t know what last pass is or can.

Your data is encrypted and its the encrypted data which is stored in the cloud. You save a local version any time you like (also decrypted). You click one button to generate new passwords of up to 100 characters.
There are programs for PC,Macintosh and Linux, and plugins for IE, Opera, Firefox, Chrome – that means any of those browsers you use anywhere on any of the three platforms can fetch the passwords – it can automatically log into any site without you having to enter anything.
You can browse to the password vault using any web browser, and there are native mobile apps for Iphone, Blackberry, Windows Mobile, Android, Symbian S60, Palm Webos.
There is a portable USB key version. If you are in hostile places you can log into your account with a virtual keyboard (ie click with a mouse to fool keyloggers), you can pregenerate a list of one time passwords for your account. You can use a USB drive as multifactor authentication. It supports the YubiKey USB autheticator.
It can be used to fill any form on any page, and you can save notes (all encrypted on your system and stored encrypted on their system).

Lastpass can’t be beat *IF* you can trust the people who run it.

But in the end you have to trust someone – how do you know your ISP isn’t snooping on you ;)

Sterlingwit [+10]
Sep 20 10 at 9:07 am

I used to use Keepass, and I used to use Roboform. But LastPass blows them all away, IMO.

Last Pass doesn’t keep your passwords, only the encrypted hashes of the login data. It can’t be decrypted without the master password that you supply locally. I have no qualms about saving any of my data there. It’s state of the art crypto.

And having my password data available to me on any browser that I use on any platform, and even on my mobile phone, is just awesome. The browser extensions integrate the functionality and makes it dead simple. It’s just plain awesome.

Jeff [+2]
Sep 20 10 at 12:22 pm


Comments are closed. Thanks for reading!