Is Your Password Good Enough?
If you follow any security advice at all, it should be this: use strong passwords, keep them secret, and don't use the same password everywhere. Of course, if you follow that advice you'll need help with password management...
Password Management
Password management software helps you keep track of your passwords while keeping them safe from prying eyes. It can also save a ton of typing by automatically inserting passwords and other personal data where they are needed in forms and log-in screens. There are several types of password management programs:
Desktop password manager software resides on your local hard drive. KeePass is a free, open source desktop password manager. Roboform is a $23.95 product that handles complex form-filling as well as password management. Both will remember pretty much anything you enter in a web form: logins, passwords, name, address, credit card and bank account numbers, etc.
Portable password managers are device independent. Passwords are stored on mobile memory, such as a USB flash drive, for use with all the mobile devices you carry. The MandyLion Password Manager ($49.95) stores up to 50 passwords using military-grade encryption, and it generates hard-to-guess passwords for you.

A Web-based password management system stores your passwords on a service provider's Web server; you need to be connected to the Internet to use this type of password management tool. One advantage of a Web-based password management system is portability; it can usually be used on any device that has a Web browser. Passwords stored in a service provider's data center are better protected against theft or loss than passwords stored in a laptop or cell phone. LastPass is an example of this breed; its Pro version, which supports iPhones and Blackberry PDAs, costs $1/month.
Of course, Web browsers have password management options built into them. Firefox and Internet Explorer will remember your password and enter it when you return to a Web page that requires it. But many banks and other security-conscious sites now use multi-page log-on screens that can defeat the simple password managers in Web browsers. That's when a more sophisticated password manager can come in handy.
A password management application typically stores all of your passwords in an encrypted database. A master password is used to grant access to the database and activate the password management system. But using one password to secure all of the others is one of password management's vulnerabilities. If the master password is compromised all of the others become vulnerable to theft.
There is an inescapable conflict between usability and security when it comes to password management. The more different passwords you use, and the more complex they are, the more secure you are. But you will have trouble remembering and repeatedly typing all of those passwords. If you turn to a password manager protected by a single master password, you're right back to being insecure.
The middle course is to have a small number of complex passwords for your most critical online accounts: Paypal, bank, the company intranet, etc. Then use a single, reasonably strong password for sites that don't really matter all that much.
Do you use a password manager? Tell us your strategy. Post your comment or question below...
Posted by Bob Rankin on 1 Nov 2010
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- Is Your Password Good Enough? (Posted: 1 Nov 2010)
Source: http://askbobrankin.com/is_your_password_good_enough.html
Most recent comments on "Is Your Password Good Enough?"
(See all 21 comments for this article.)
Posted by:
Lee McIntyre
02 Nov 2010
I have used RoboForm for several years. In addition to residing on my computer, there is a RoboForm to Go product which is on my thumb drive, and RoboForm Online, which allows me to access from others' computers. RoboForm Online keeps all my password databases (home computer, office computers, thumb drive, etc.), in perfect sync.
A weakness of RoboForm is that all its capabilities are useful ONLY for Web-based passwords. If you have password-protected Word or Excel documents, for example, or password-protected applications such as Quicken, then RoboForm is useless for those passwords. It's simply not designed for non-Web-based applications.
Posted by:
Jim
02 Nov 2010
I have Roboform but am frustrated by its inability to handle ING Direct's login screen, on which you have to click the individual digits of your password one by one. If anyone has a solution to this, I'd love to hear it.
Posted by:
Mark Sacks
02 Nov 2010
Password requirements differ. Some sites require a combination of letters and numbers, some require only letters, others only numbers, while some require non-alphanumeric characters. Required minimum and maximum lengths differ as well.
I may be paranoid, but I don't really trust any software and service to hold my passwords; how can I be sure they aren't stealing them? I have developed an Excel spreadsheet with all of my frequented sites. It lists the name, user ID and password along with a link to the site. I have also included customer service phone numbers and security questions. The file is password protected with a strong password. I never type my user ID or password, I always copy and paste from the spreadsheet; this adds an additional level of protection from hackers who can see what you type. When I travel I have a copy on a secure encrypted USB flash drive.
A trick I picked up about creating a strong password is to start with a phrase. Then use the first letter of each word. Mixing upper and lower case makes it stronger. Replacing numbers for a letter or word also strengthens the password ('to' becomes '2', 'ate' becomes '8', 'often' becomes 'of10', 'at' becomes '@', 'and' becomes '&' - you get the idea).
Posted by:
steven
02 Nov 2010
One thing you failed to mention is the security questions. Such as what is your mother's maiden name or high school, etc. On my secret questions, I lied on all of them. I keep a cheat sheet in reach somewhere. I know, I am screwed if the cheat sheet is lost, as I will not remember the fake answers. It is the chance I take. It would not be hard to guess a close friend's mother's maiden name, high school, etc. I know of one person who tapes her email passwords to the monitor. Windows remember passwords is turned off here, too.
Posted by:
Jason
02 Nov 2010
I use Keepass which is available for multiple platforms. I have it run from inside a Dropbox folder which makes it easy to run from multiple machines.
I'm not a security expert but I think it's far better to use one strong password management program with a strong access password than to use weak but easy to remember passwords for every service. But it is a trade-off.
The other reason I prefer a password management program is in case my machine gets malware on it. The program won't have access to my passwords unless it can figure out my access password. I'm not sure I trust the web browser for this.
Posted by:
Mary
02 Nov 2010
I don't use passwords anymore. I think a better solution is to use a pass-phrase that's easy to remember but difficult to crack. For example: "A quick brown fox jumped over one lazy dog" could be reduced to @QbFj01Ld. You're using lower case and upper case letters, numbers, and special characters.
That pass-phrase could be used on all websites by adding a prefix or suffix pertaining to the website. Again as an example, if your site required a password I could amend my basic pass-phrase to AbR@QbFj01Ld or @QbFj01LdaBr, etc.
Posted by:
Wayne
02 Nov 2010
I use multiple passwords, which are alphabetically stored on 3 X 5 index cards next to my monitor, for the various requirements. A lot are generic to me only & contain weird combinations of numbers & letters which only make sense to me & since I only have a limited number are reasonably easy for me to remember. I still retain the card system for "lapses" when I don't use one that often. This is a home system so I'm not worried about someone breaking in & stealing them.
Posted by:
Dan
02 Nov 2010
I use Microsoft's Fingerprint Reader with "Digital Persona" password manager. I know that it is not perfect, but I can manage all the passwords for different websites and the hardware makes sure that the person behind the keyboard is really me.
Also, if somebody needs to get my passwords they need to have physical access to my computer.
They need to break in my apartment.
Posted by:
Ram
02 Nov 2010
Thanks for the article Bob! I use SBSH SafeWallet Password/Info/Cards Manager for iPhone and its associated PC Client for synching. They cost around USD 10+ and are very useful. For file encryption/decryption I use AxCrypt freeware. Cheers - Ram
Posted by:
Paul S
02 Nov 2010
KeePass does it all for me. Saves lots of info, can fill out forms, can be portable. Does require NET framework for latest version, but earlier version available on website does not. Password generator can be customized in several ways. Can import from many other similar tools. Dropbox will handle web based synchronization. Check out http://keepass.info/index.html
Posted by:
Yehezkel Meizel
02 Nov 2010
KeePass is portable.
Installer packages are available, too, for the ones who like to have shortcuts in their Windows start menu and on the desktop.
Also check out Password Hasher add-on for Firefox and Google Chrome browsers. Helps you to use strong passwords without storing them anywhere.
Posted by:
Melissa Barker
02 Nov 2010
It is true that RoboForm Pro only works for web-based passwords right now. However, RoboForm Enterprise has the capability to store passwords for non web-based applications.
I'd like to add that RoboForm can create randomly generated passwords and allows you to specify the length and characters you want used. Once the password is generated, you never have to remember it again because RoboForm will store it for you. A free trial can be found here: www.roboform.com
Posted by:
Peter
02 Nov 2010
http://howsecureismypassword.net/ tells you how secure your password is in terms of how long it takes a desktop computer to crack it. The site is fully secure as you don't have to go to a second page.
Posted by:
David
02 Nov 2010
I have used Password Padlock for several years. The beauty of this is that I can run it from a USB key, so it's not resident on any one machine.
It gets around keyloggers, as the entry method is by copy and paste.
Download a free trial at http://www.tmss.co.nz/pp/index.htm. The free version allows 6 passwords; a small registration fee opens it up and allows unlimited storage.
Posted by:
Cory McIntyre
03 Nov 2010
I have used Roboform for a number of years. I first used the free version, but needed the capabilities of the pro version. I also use it to remember information on my ISP, my email, financial accounts, and anything else I want to keep handy. The problem is using a master password to protect the passwords and information you store in RoboForm. If you don't do that, why use it?
Posted by:
Burt
06 Nov 2010
Have used Roboform for 1-1/2 years. It works fine for me and I like the portable version using a USB flashdrive. The "weakness" of having a master password does not seem like a problem to me. I can memorize one very long complex password and forget about the rest. You put all your eggs in one basket and then protect the heck out of that one basket. If you're afraid you'll forget it, write it down and hide the piece of paper inside the electrical box behind a switchplate in the bedroom.
Posted by:
Jeffrey
06 Nov 2010
Jim posted question here about using Roboform with Ing Direct. It is simple, set the first screen to memorize the user name. On the second screen for the PIN, click on the tiny link that says "If you're unable to use your mouse, you may also use your keyboard." This will create a box and then RF can automatically insert your PIN into the box.
Posted by:
Darrel
16 Nov 2010
I highly recommend 'Lastpass' as a password vault/manager. I spent a lot of time on the 'master password' to get into my vault--something I could memorize reasonably easily, but would be nearly impossible for anyone other than Spock to deduce! After that, I could generate very complex passwords for various sites requiring them ... 'Lastpass' has a password generation tool that I really like (you set the amount of characters, what kind of characters it can use, etc... it does the rest). This software is free and has plenty of useful features.
Posted by:
Jim
16 Nov 2010
@Jeffrey: Thanks for the suggestion, but it's not that simple. When you click the "use your keyboard" button, ING randomly associates a letter with each number on the number pad. For example, if my password is "1234" ING might assign "N" "K" "P" and "S" to those numbers...then you have to type in "NKPS" corresponding to the number, NOT the actual password (which is numerical). Furthermore, the letter association changes every time, so next time I might have to type "RGYT" to correspond to "1234". It's all in the name of security I suppose, but it's just maddening to me that I can't use Roboform to log on.
Roboform also chokes on sites that ask "what's your favorite movie?" type questions that change every time too.
Does anyone know if any of the other software apps described here can handle those types of logins?
Posted by:
Just Looking
16 Nov 2010
I also highly recommend Lastpass as it is very secure. It handles more kinds of web sites than anything else I've tried. However, while it can do everything I want (and more), it has a learning curve.
Steve Gibson did a podcast a while back that covered it in detail.