Interesting feedback from my column a couple of weeks ago asking what you use to keep track of your passwords. These days, a password manager is almost a necessity for anything like safe computing. The thing is that "12345" and "asdf" and your boyfriend's name are not really passwords at all. If you use passwords like that, you'll be sorry. The internet guru Bob Rankin claims with only mild hyperbole that "if you can remember your password, it's not strong enough".
Keepass has an excellent password generator that can help you choose a security master password during your initial set-up (inset).
Password managers thus generate impossible-to-remember logins - and then remember them and enter them for you.
The old reliable Roboform, a very good password manager that will also fill in web forms, still seems to be the favourite, if a totally unscientific email poll is any indication. Roboform is an ancient app by PC standards. It has always had high security, and over the years this has got better, and far easier to accomplish.
Reader Neville Nicholson had a fairly typical comment on his favourite program. "I have found AI Roboform [to be] excellent. . .to the extent of my buying the Pro version," he wrote. And in addition to easily doing passwords and filling web forms, "you can always securely access your Roboform Password Manager, whether you are on your desktop, laptop, netbook or mobile device".
Frequent correspondent Neal Pinckney of Hawaii has given this whole password security problem a lot of thought and has come up with an imaginative idea. "I still wonder if someone out there may be capturing my keystrokes as I enter the password," he wrote - and of course this is one of the insecurities of computing, since there are several ways that bad people can capture your information in transit this way.
Anyway, "I'm experimenting with a macro program you recommended years ago, Texter," writes Mr Pinckney. And this caught we quite flat-footed.
Texter is a substitution program, designed to speed your work. You might type "pmav", for example, and Texter types "Prime Minister Abhisit Vejjajiva" into your work. You can type something like "dayx" and Texter types "Tuesday, March 15, 2011, 8:42am". It's a terrific time and keystroke saver.
Well, Mr Pinckney puts his cursor at the bank password place on the web page and types "bankpw". Texter replaces that with his actual bank password, which of course can be letters, numbers and symbols and dozens of characters long. He does the same for "cabletvpw" and "mobilepw" and so on. This means there is virtually no chance that anyone can log his keystrokes since he isn't typing his password at all.
It does leave one security hole, which Mr Pinckney recognises. The Texter substitution list is in the clear, not encrypted in any manner. But in general, I find this an interesting way to do passwords, even though it does to a very small part depend on obscurity, since very few hackers are going to be spending the time to sift through text substitution programs.
The main drawback with Roboform has always been that it is essentially a commercial program. If you have a lot of passwords, you have to pay, and in a world where more and more passwords are required it's harder and harder to keep below Roboform's free usage threshold.
There are two other excellent, free password managers which also integrate with browsers - PC, phone, tablet and all - to enter form information, such as name, address and the like.
LastPass manager is essentially a cloud app. It runs on your PC or device, but it stores information online. This bothers some people, because it requires a certain level of trust. LastPass has been vetted by thousands, but if you simply don't trust that the company can encrypt and keep your information and passwords securely, you don't - there are alternatives.
LastPass has plug-ins for pretty well every browser, on pretty well every platform. Plus, of course, since your info is on the Net, you can access it from anywhere, any time.
LastPass is pretty well a one-click operation for whatever you need, from logging onto Bangkokpost.com to filling out the order form at Amazon.com.
I like this program, but I was disappointed by one glitch; it can only store details of one credit card per account.
KeePass requires no trust (it's open source), offers tremendous security and lets you keep your own passwords.
Again, it works on everything: PCs of every stripe, BBs, iEverything, Android and J2ME devices. . .you name it, KeePass works. Set-up is simple and well explained, and there is a huge amount of guidance available through the app's Help button.
You can set up so that you use a master password (Composite Master Key) and/or a key file and/or even the Windows UAC file. Of course, your master password should be very strong. Since you only have to remember one, make it difficult enough that no one else will guess it or easily break it.
The details of storing passwords and information are left to you - where, number of groups, if any, duplicate accounts and so on.
One strong feature apparently "borrowed" from Roboform is that you can drag and drop fields from your database onto a web form in your browser. This is an exceptional security feature, as well as convenient.
KeePass requires a little time to set up. You should use that to good advantage, using the strong password generator to change every password you are registering, as you go. KeePass is at keepass.info while LastPass is at lastpass.com. Check out Roboform at http://www.siber.com.
