Thursday, April 5, 2007

Passwords Part 3/3 - Password Management

Too many times have I seen passwords written on a Post-it note. Too many times have I heard one person give another person their password. Too many times have I been asked for my password from Help Desk personnel.

Oooooh Boy! I have to tell you that nothing tans my hide or boils my blood more than a password written down on a piece of paper! Then I tell myself to calm down and take the ISO hat off for a minute. Many people don't know any better. Others may know better, but how else will they remember 10, 20, 30 or more passwords? Especially if they are all supposed to be "strong"? To make matters worse, I suggest using a different password for each different login.

Why do I suggest a different password for each different login?
Simple answer: to limit the damage. If one of my passwords is compromised, only that one account is compromised, not all of them. Reuse a password and whoever steals it from one site can simply try it everywhere else.

I suppose I should also mention what I mean by "password management". In a nutshell, password management is ensuring the confidentiality of your passwords from their creation through to disposal. Basically, keeping a password secret from the time I think of it until I no longer use it and everything in between.

I have a lot of accounts! I have 59 passwords that I need to keep track of, and each one needs to be "strong". Can you imagine how bad it would look if the "security guy" had his password disclosed? I have a very limited memory as surely my wife would agree. There is no way I will remember 59 passwords. I'm lucky to remember one! Is there something I can use to store my passwords securely and allow me to access them when I need to?

Yep, enter personal password management programs. A good personal password management program will:

  • Be easy to use
  • Store my passwords using encryption, with the key derived from a master password that only I know. Done correctly, this means that someone who copies the vault file (or its backup) gets nothing usable without that master password.
  • Give me the ability to copy and paste passwords. I like this feature because it is quicker and defeats simple keystroke loggers. It does not defeat malware that reads the clipboard, so the program should clear the clipboard shortly after a paste.
  • Have the built-in ability to make secure backups of my passwords. A secure backup is a copy of the encrypted vault, never a plaintext export.

So, which programs do I use?

I use a combination of two programs for personal password management. I use RoboForm for the management of my Web site/browser-based usernames and passwords and I use Password Safe for the management of all other passwords. I can recommend either or both of these programs because I have used them extensively. As with most things, you may find something you like better.

Through the use of a secure password management program, I can store all of my passwords safely. I only need to remember the one password that opens access to all of the others, so that one password has to be the strongest I own and the one I never share or write down. Easy, right?
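To make the two properties above concrete (the vault is encrypted under a key stretched from the single master password, and a backup is simply a copy of that encrypted file), here is an added illustration in Python's standard library. It is not RoboForm's or Password Safe's code, and not the author's; the entry data, master passphrase and file names are constructed for the example. Because the standard library ships no authenticated cipher, the example builds a counter-mode stream from HMAC-SHA256 and protects it with an encrypt-then-MAC tag; a real program would use AES-GCM or ChaCha20-Poly1305 from a vetted library, and the PBKDF2 iteration count is an assumption chosen for this example.

```python
import hashlib
import hmac
import json
import secrets
import tempfile
from pathlib import Path

# Illustrative parameters (assumptions for this example, not any product's settings).
PBKDF2_ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor
KEY_LEN = 32                  # bytes per derived key
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32                  # HMAC-SHA256 output


def derive_keys(master_password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the one memorised master password into an encryption key and a MAC key."""
    okm = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=2 * KEY_LEN
    )
    return okm[:KEY_LEN], okm[KEY_LEN:]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter mode with HMAC-SHA256 as the PRF: XOR data with HMAC(key, nonce || counter).
    Illustrative construction only; a real vault should use AES-GCM or ChaCha20-Poly1305."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + block_no.to_bytes(8, "big"), "sha256").digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def seal_vault(master_password: str, entries: dict) -> bytes:
    """Encrypt the entries as salt || nonce || ciphertext || tag (encrypt-then-MAC).
    A fresh salt and nonce per save means two saves of the same data never look alike."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = derive_keys(master_password, salt)
    ciphertext = keystream_xor(enc_key, nonce, json.dumps(entries).encode("utf-8"))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    return salt + nonce + ciphertext + tag


def open_vault(master_password: str, blob: bytes) -> dict:
    """Verify the tag before decrypting: a wrong master password or any tampering fails here."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("vault file truncated")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or vault has been modified")
    return json.loads(keystream_xor(enc_key, nonce, ciphertext).decode("utf-8"))


def backup_and_restore(master_password: str, entries: dict, directory: Path) -> dict:
    """A 'secure backup' is just a copy of the sealed file: no plaintext ever touches disk."""
    blob = seal_vault(master_password, entries)
    primary = directory / "vault.bin"    # constructed file names for the example
    backup = directory / "vault.bak"
    primary.write_bytes(blob)
    backup.write_bytes(primary.read_bytes())
    return open_vault(master_password, backup.read_bytes())


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    demo_entries = {"webmail": {"user": "alice", "password": "Tr0ub4dor&3!x"}}
    with tempfile.TemporaryDirectory() as tmp:
        restored = backup_and_restore("one strong master passphrase", demo_entries, Path(tmp))
        print("restored from backup:", restored == demo_entries)
    blob = seal_vault("one strong master passphrase", demo_entries)
    try:
        open_vault("guess", blob)
    except ValueError as exc:
        print("wrong master password:", exc)
```

Two things to notice: the master password is never stored anywhere, only a salt that lets it be re-stretched into the same keys, and a wrong master password is caught by the tag check rather than by decrypting into garbage. The clipboard copy feature from the list above is deliberately left out, since the standard library has no portable clipboard access and a clipboard-reading tool would see the pasted secret anyway.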

Well, there you go. Passwords are a necessary evil for us all, but the pain can be reduced somewhat. Remember to make backups of your passwords!

