Langa Letter: How To Safely Store And Manage Passwords
We all struggle with keeping and securing passwords for the various accounts and systems we access. Here are 17 reader-recommended free and low-cost password-storage solutions, plus two more from Fred Langa.
Every so often, a topic emerges that hits an unexpected hot button among readers and generates a flood of responses.
One such hot button was the seemingly innocuous "Safe Storage For Passwords" discussed in a recent newsletter. A huge number of readers responded to that item. Apparently, we're all juggling so many passwords at work and at home that safe and secure password storage has become a real issue.
For example, look at the reader note below--the one that started the discussion. The writer travels for business and must access numerous password-protected accounts from various PCs at his main office, at remote locations, and at home:
"Hi Fred, I have a question about password security. As you know, most people (at least the ones I know) have several locations at work and at home that require you to logon. I happen to have 142 places that require my login ID/password. These range from the company ERP database, to my online banking account, to the Pizza Hut online order. Most of my coworkers try to use the same password for everything. This way they can remember it. That is a security disaster. They use things like birthdays or their pet's names as passwords, which is also a security risk.
"I have been using a Login ID and Password storage/retrieval software for about 3-4 years. It was previously called Passwords Plus and is now called Passwords Max (shareware; $20).
"[My employer] has turned its head and not yet given me any problems for installing Passwords Max on my work PC, however the hard-line company policy is that we aren't allowed to install unauthorized software on any company asset.
"Passwords Max is great and stores your password database in encrypted format. It has lots of neat features and works just fine as long as you can work at one PC and do not need portability.
"But my job has recently changed and I now travel. Last week, I had to print out a hard copy of my passwords to carry in my briefcase while working at a company site in Mexico. I am guilty of poor security practices, too, and realize this is also extremely poor security because all my passwords were in plain text. Had I lost that 8-page booklet of passwords, anyone could have gotten into my checking or retirement accounts and cleaned me out. I do not yet have a laptop PC so I used a visitor PC while in Mexico.
"Can you or any of the other readers tell me if there is a password storage/retrieval tool that I can install on something like a USB pen drive? I would like to find one that encrypts my password database so no one could access it if I accidentally left it plugged in the USB port. I am looking for something that doesn't require software to be installed on the [PC] so I can stay in good graces with the company. Any ideas? Thanks, Sam"
My initial reply to Sam was brief:
"All the auto-fill-in password tools I know of (I personally prefer RoboForm) require at least some minimal level of installation so the software can watch for places that require a login or password. I suppose you could put the setup files and data files for the form-filler of your choice on a pen drive, install it at the start of the business day, and uninstall it at the end of the day. This would violate the "no installed software" policy, but at least would make no permanent changes to the company's PC, and thus might be granted an exemption.
"A simpler, no-software solution might be to store your passwords in an encrypted text file on a USB pen drive; or even on a plain old floppy disk. You can use 256-bit AES encryption with WinZip, for example, and there are plenty of 100% free encryption tools out there. Cryptomathic's free File2File provides nearly effortless 128-bit AES encryption, for example. An encrypted file wouldn't automatically fill in login/password boxes for you, but would at least serve the same purpose as your paper printout did, but with much less risk and with no software installation required. A floppy version (as opposed to a USB drive version) also has the benefit of being nearly universally supported, as almost all systems have at least a floppy drive."
I thought that was that--but I was dead wrong. Soon, a veritable flood of great suggestions poured in from other readers. Here are the most recommended additional solutions, ranging from ultra simple to the more complex; and from the free to the commercial. No matter what your security needs or your company's restrictions on external software, there's bound to be a solution here you can use: