NCSAM TIP #14: Password Management
Passwords for computer authentication are as old as multiuser computers, and are not the best form of authentication we have. Certificates are better, but harder to manage. So, for most purposes we are stuck with passwords.
Many people deal with the proliferation of passwords either by using very weak passwords or by using the same password in multiple places. The obvious downside is that if one site gets compromised, you may lose many accounts.
Another problem is using computers you don’t trust. Sometimes you are traveling and need to access your bank from an Internet cafe or hotel computer, which may have keystroke loggers.
The root of the problem is reliance on human memory. Luckily, every time we need a computer password, we have a great memory tool at our fingertips.
Several software solutions let you keep strong passwords accessible on all your devices while having to remember only one password. They store all your passwords in encrypted form on one computer, on a memory stick, or online in the cloud. Advantages include:
- A different password for every site.
- You need to memorize only one password.
- Many allow automatic form-filling, which facilitates longer, better passwords.
- Passwords can be generated or evaluated for strength.
- Many will automatically capture your passwords using browser plugins.
- Passwords are stored encrypted.
- If you are willing to store your passwords online, they are available on mobile devices and multiple computers.
- If you are worried about keystroke loggers on computers, some programs let you enter your master password on a virtual onscreen keyboard rather than a physical keyboard.
- Some allow one-time master passwords for use in untrusted environments.
All of this convenience comes with some caveats:
- You need a strong master password, and need to keep it secure, because a compromise could be disastrous.
- For mobile support, you usually have to entrust your encrypted passwords to a third party.
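As an added example (not from the original tip or from any particular password manager), the sketch below shows two of the checks described above: flagging reused or weak entries and replacing them with generated passwords. The site names, sample passwords, and the 70-bit threshold are constructed assumptions.

```python
import math
import secrets
import string
from collections import defaultdict

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)   # 94 printable symbols
MIN_BITS = 70                 # assumed policy threshold for this example

def generate_password(length=20):
    """Draw characters from the OS CSPRNG; retry until every class appears."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in CLASSES):
            return pw

def estimated_bits(pw):
    """Upper bound: length * log2(character pool in use).
    Accurate for random passwords; human-chosen ones are weaker than this."""
    pool = sum(len(cls) for cls in CLASSES if any(c in cls for c in pw))
    return len(pw) * math.log2(pool) if pool else 0.0

def audit(vault):
    """Return {site: [issues]} for entries that are reused or weak."""
    sites_by_pw = defaultdict(list)
    for site, pw in vault.items():
        sites_by_pw[pw].append(site)
    findings = {}
    for site, pw in vault.items():
        issues = []
        others = sorted(s for s in sites_by_pw[pw] if s != site)
        if others:
            issues.append("reused on " + ", ".join(others))
        if estimated_bits(pw) < MIN_BITS:
            issues.append("weak")
        if issues:
            findings[site] = issues
    return findings

def remediate(vault):
    """Give every flagged site its own freshly generated password."""
    flagged = audit(vault)
    return {s: generate_password() if s in flagged else pw for s, pw in vault.items()}

# Constructed sample vault (site names and passwords are made up)
SAMPLE = {"bank.example": "Summer2012", "mail.example": "Summer2012",
          "forum.example": "kitten", "shop.example": generate_password()}
```

Calling `audit(SAMPLE)` flags the two sites that share a password and the short one, while `audit(remediate(SAMPLE))` returns an empty dict.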
Here is a sampling of the many password managers available: