A look at password-management apps
Published 8:10 am Wednesday, July 22, 2015
By Julio Ojeda-Zapata
St. Paul Pioneer Press
My method for creating passwords used to be clever — to a fault.
Every password was made in the same way with an obscure character and a particular word followed by the site’s name with its vowels replaced by similar-looking numbers.
These weren’t the worst passwords in history (like “123456” and “password”), but they weren’t great, either. Someone clever enough might have cracked one of them in relatively short order. If a no-goodnik had done so and then figured out my system, all of the passwords I used across the Internet would have been vulnerable.
Last year’s Heartbleed, a massive security breach that compromised Internet-user passwords by the millions, was my wake-up call to fortify my password procedures.
I was hardly the only one with weak passwords. It’s a major problem, and fixing it can be a big job.
Thankfully, I was part of the way there because I already used the LastPass password manager. The popular tool helps computer users create strong passwords and keep those passwords safe yet readily accessible.
I had been using LastPass only for storage of my too-weak passwords. After Heartbleed, I began tapping the tool’s terrific password-generating features, as well. I’ve continued doing so to this day.
LastPass isn’t the only such password manager. Many others exist.
1Password has a devoted following, and Dashlane has garnered great reviews.
Other such password products include RoboForm, SplashID, mSecure, Keeper, Norton Identity Safe, DataVault Password Manager, PasswordBox, oneSafe, Passpack, Kaspersky Password Manager and KeePass Password Safe.
I like LastPass because it is affordable (free if used on computers, and $12 a year if also used on mobile gadgetry), is Web-centric and therefore platform-agnostic (it works on Macs as well as PCs, Android devices as well as iOS devices) and is compatible with all major desktop browsers (via plug-ins that turn the browsers into secure password vaults).
Because LastPass takes a Web-based approach, it gives me ready access to my passwords anywhere and on any machine — I just have to log in.
At the same time, LastPass is available in nifty desktop-app form for Macintosh, as a touch-friendly Windows 10 app, and in mobile-app form on all the major mobile-device platforms.
LastPass doesn’t do all my work for me (I wish).
When upgrading my password-security procedures after Heartbleed, I had to visit all of my sites to update each of their passwords, which took hours. But LastPass helped me at the instant of password creation by filling in the new-password field. This meant I had a secure password instead of something vulnerable.
Now, when I return to one of those sites, I don’t have to remember its password. LastPass provides it automatically.
But LastPass isn’t perfect. It has an inelegant design, and its automated controls for helping me create passwords don’t always work flawlessly. I had to make multiple attempts on certain sites during my long password-updating slog. Futzing was sometimes required. I got annoyed at times.
And LastPass itself isn’t impervious to security breaches.
Its publisher, also called LastPass, revealed last month that it had detected “suspicious activity” on its own computer system, which led to the discovery that some users’ email addresses, password reminders and encryption elements had been compromised. The company said it was able to block the attack, and a subsequent investigation found no evidence that individual passwords or user accounts had been breached.
The Fairfax, Va., company advised users to change their LastPass master passwords, which are used to retrieve encrypted individual passwords for the users’ other online services or accounts. But it said they don’t need to change individual passwords for all their accounts.
Despite all this, I’m still using LastPass. But I’m intrigued by the new Password Boss (see my recent article about the app’s launch) and will definitely be giving it a try.
Competing password managers have their ardent adherents.
Mark Fawcett, who owns the St. Paul-based Mac Men tech-repair company, said he has used AgileBits’ 1Password for about six years and puts it on all his Apple Macintosh and iOS devices. The product also is available for Android and Windows devices.
“I also recommend it to my clients due to security, ease of use and the fact that they can have all of their passwords with them at all times but only need to memorize one master password to get access to all of their other ones,” Fawcett said.
Patrick Rhone, a St. Paul-based technology consultant, said he uses 1Password “and recommend it to all my clients and friends.”
Mike Evangelist, a Birchwood, Minn., resident who used to work for Apple, agrees that 1Password is “very useful, rock-solid, well integrated. It’s the second thing I install on any new iPhone, iPad or Mac (right after Dropbox).”
Yet another 1Password fan, Adam Best of Minneapolis-based Code42 Software, said he puts the password manager on all his Mac and iOS devices.
“So no matter what app or site I need to use, on any device, anywhere I am, I can access, create and change complex passwords immediately,” said Best, who manages social media for Code42.
Christopher Hertel, a longtime technology-industry worker based in St. Paul, said he prefers KeePass Password Safe.
He notes that KeePass runs on all the mainstream computing platforms along with a more obscure one, Linux, which he uses heavily in his work.
“I use Dropbox to share the password database, which is encrypted with both a password and a key file,” Hertel said. “Even if someone else gets hold of a copy of the database, they have to crack a combined password of over 2K bytes.”
The Associated Press contributed to this report. Find Julio Ojeda-Zapata at ojezap.com.
Do’s and don’ts of password security
Millions of computer and mobile-device users don’t use strong-enough passwords. We asked experts for tips on beefing up password security and keeping it strong over time.
Do: Make a habit of changing all of your passwords at regular intervals, such as every three to six months. If you have not done so in a while, you should immediately hit accounts that are most critical and sensitive (bank, PayPal account, email accounts, social media accounts). Then do the rest of your accounts and sites. Use the semi-annual time change or the start of a season as a reminder, much like changing the batteries in a smoke alarm.
Do: Use a unique password on each and every site. This limits the damage from a single breach, because reusing one password on multiple sites leaves you exposed everywhere it is used.
Do: Create passwords with combinations of upper and lowercase letters, numbers and special characters. Some sites won’t accept some special characters in passwords.
Do: Create long passwords. The longer, the better. Some sites have limits on the lengths of passwords.
Do: Use a password manager like Dashlane, LastPass, 1Password or RoboForm to automate the creation of good passwords and keep them stored securely. These kinds of tools are available for traditional computers as well as for tablets and smartphones.
Do: Use other password-creation tools such as the Strong Password Generator site (among others) and the iOS-based Wolfram Password Generator Reference App.
Do: Use the “Keystroke” method to create memorable passwords. Think of a word and create a keyboard mapping system. Shifting each letter one key to the left and then one row up, for example, would change the password “tinmen” to “47gh2g.”
Don’t: Use personal information in your password, such as your name, your partner’s name, your child’s name, a pet’s name, your occupation, telephone number, birthdate, etc.
Don’t: Keep a record or list of your passwords in unencrypted files on a computer, mobile device or flash drive, or written down on a physical medium such as paper sheets or sticky notes.
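As an added illustration that is not part of the article or of any product named in it, the following Python script does what the “Do” items above ask of a password manager’s generator: it draws from the operating system’s cryptographic random source, guarantees at least one upper-case letter, lower-case letter, digit and special character, and lets you exclude the special characters a particular site refuses. The special-character set, the `disallowed` parameter and the policy checker are assumptions made for this example.

```python
import math
import secrets
import string

# Character classes the "Do" items call for (special set is an assumption).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": "!@#$%^&*()-_=+[]{};:,.?",
}


def generate_password(length=20, disallowed=""):
    """Return a random password of `length` characters with at least one
    character from every class. Characters in `disallowed` (e.g. specials a
    site rejects) are never used. `secrets` uses the OS CSPRNG, not `random`."""
    pools = []
    for name, chars in CLASSES.items():
        pool = [c for c in chars if c not in disallowed]
        if not pool:
            raise ValueError(f"no usable characters left in class {name!r}")
        pools.append(pool)
    if length < len(pools):
        raise ValueError("length must be at least the number of classes")
    alphabet = [c for pool in pools for c in pool]
    # One guaranteed pick per class, the remainder from the whole alphabet.
    picks = [secrets.choice(pool) for pool in pools]
    picks += [secrets.choice(alphabet) for _ in range(length - len(picks))]
    # Fisher-Yates shuffle driven by the CSPRNG, so the guaranteed picks do
    # not always sit in the first four positions.
    for i in range(len(picks) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        picks[i], picks[j] = picks[j], picks[i]
    return "".join(picks)


def entropy_bits(length, disallowed=""):
    """Upper-bound estimate of the generator's entropy: log2(alphabet size)
    per character. The per-class guarantee removes a negligible fraction."""
    alphabet = {c for chars in CLASSES.values() for c in chars if c not in disallowed}
    return length * math.log2(len(alphabet))


def meets_policy(password, disallowed=""):
    """True if every class is present and no disallowed character appears."""
    if any(c in disallowed for c in password):
        return False
    return all(any(c in chars for c in password) for chars in CLASSES.values())
```

With the default alphabet of 85 characters, a 20-character password carries roughly 128 bits of entropy, which is why "the longer, the better" matters more than any clever mapping scheme.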
—Credits: Dashlane, McAfee, RoboForm, Byte Technology. Distributed by Tribune Content Agency, LLC.