Another day, another password: Thanks
to Web-based apps, we're all
acquiring passwords at quite a clip.
How do you remember them all
while staying secure?
Here are some helpful tools and
strategies -- that don't involve
writing your passwords on sticky notes.
By Bill Snyder
shopper-Bill, flyer-Bill, reader-Bill,
buyer-Bill, potrero-Bill, or this that
and the other Bill on the 30
or more sites that comprise
my online life?
And which of my many passwords
do I need right now?
If you spend much time online,
you probably have the same
problem I do: How to remember
your ever-growing list of
online usernames and
secure at the same time.
You're savvy enough to know that
identity theft and illegal access
to personal and financial data
are real-world problems that
you want to avoid. But what are you
doing about it?
Odds are, not much, says
Andrew Jaquith, a computer
security analyst at Forrester Research.
"There are two classes of people; those
who seem to care about the security
of their accounts, and those who
act as if they don't."
Most people, he says, fall in
the latter category.
If you're one of the majority,
your security strategy may be
nothing more than using
a single password for every site
you need to access. On the one hand,
the chances of it being stolen
aren't terribly high and you
probably won't forget it. But if it
is stolen, the malefactor will have
access to your entire online life,
including bank accounts and
maybe medical records.
Not a pretty thought.
It turns out that there are a number
of strategies that will help you
avoid that ugly scenario. Most of them
are simple, free or quite inexpensive,
and much more secure than
what you're doing now. But some
are just halfway measures that
could let you down in a pinch.
A Password Safe of Sorts
Let's start with my favorite:
a Windows program called RoboForm
($29.95) from Siber Systems.
RoboForm stores your passwords,
usernames, personal information,
and the URLs of sites you visit
on its secure server. Your information
is protected by a master password
that you'll enter before
logging into a site. The program will
then log you in, and automatically
fill out the kinds of forms you need
to do things when shopping online.
If you typically work on two computers,
say one at home and one
in the office, you can synch
the two PCs and have your
passwords on both systems.
Until recently, RoboForm suffered
from the same flaw that most
suffer from: it was useless if you
were on a public computer.
That's a real problem if you're
traveling without your laptop and
suddenly realize you have bills
to pay via your banking site,
or want to make an online trade.
RoboForm Online fixes that.
It is, however, in beta form, and
a bit clunky, requiring a double sign-on
and a few other minor annoyances.
But it does work (based on my tryout)
and the company expects
to have a finished, and presumably
more polished, version out
within a few months.
There's also a version for the iPhone,
and it's possible to load RoboForm
onto a USB drive and take it
with you for use on public computers.
The company says the USB version
leaves no traces behind.
If you use RoboForm, do not
forget your master password—it is
not recoverable. Although password
recovery is a common feature
on many Web sites, Siber Systems
decided that enhanced security
was more important than
Tools for Mac Users
By the company's own admission,
RoboForm doesn't work
very well on a Mac (that's supposed
to change next year) but a similar
program called 1Password ($39.95)
from Agile Web Solutions,
offers many of the same features
for use on Apple hardware.
I haven't tried it out, but it's
earned good reviews and gets
a nod from Forrester's Jaquith.
Users of various versions of
the Mac OS can also take
advantage of a built-in feature
called Keychain that offers
on a single machine.
Another option that's similar
to RoboForm, Callpod's $29.95
Keeper utility, comes in versions
for Mac, Windows, and Linux users.
(The vendor offers a 15-day free trial.)
A separate mobile Keeper version
serves iPhone and iPod touch users.
If you are a smartphone user,
the first step you should take
to stay safe is to password-protect
your whole device: See instructions
from CIO.com's Al Sacco on how to do it.
A Free Trick or Two
Don't want to spend money?
You could simply put your passwords
in a password-protected file.
If you use Microsoft Word, it's easy.
Simply go to Tools, then Options
and click the security tab.
You'll have the option to require
a password to open the file,
or just to modify it.
If you're traveling, you can put
that file on a USB drive.
But don't forget that password.
If there's a backdoor that will let
you recover the file without it,
I haven't heard about it.
Warning: Many security gurus,
such as Bruce Schneier,
don't advocate keeping this type
of file on your PC. (See this useful blog
post from Schneier for some more
advanced advice on crafting
and managing passwords.)
Most browsers, including
Internet Explorer, Firefox and Safari,
can automatically fill in forms
and passwords for you.
That's certainly helpful, and if
you're certain that no one else
has access to your computer,
it's not terribly risky.
However, if your teenager or
someone else does use your computer,
you could be in trouble.
A simple solution is to delete
saved passwords and forms
when you get done. In Firefox,
for example, go to "Tools," "Options"
and then the security tab and look
for the "saved passwords" button.
Click it and a list of saved passwords
and usernames opens up.
Simply delete all or some of them.
Other browsers have similar features.
Also remember that public computers
are often infected with malware, including
keyloggers that copy everything you type.
Password managers defeat them,
since the password is not
actually typed on the page.
Finally, Google and some other
online heavyweights are reviving
an old idea, a secure, single
such as your Google or Yahoo ID,
that you could use for multiple sites.
Sun and other companies have
experimented with similar schemes,
but none ever got off the ground.
Maybe this attempt will be
the charm. But I'm not holding
my breath, and will continue to explore
password management options
that really exist. So should you.
San Francisco journalist Bill Snyder
writes frequently about business