29 May 2012

Store your passwords securely

If you're like me you are logging in to different sites all day long. When that prompt appears in your browser asking if you want it to remember your password it's very tempting to click on Yes, so you don't have to remember it or type it in again. You might even set your browser to automatically remember your passwords every time you create a new username and password. Whenever you visit that site again your browser automatically completes the login details for you - no more trying to remember your password - easy!

Beware! Having your browser remember your passwords isn't as secure as you might think. Your passwords are stored on your computer, and there’s nothing stopping someone from viewing a list of all of them through your browser settings or with a separate utility, or malware from reading them if it gets onto your computer. Some browsers are more secure than others.

If you're using Firefox you can set a master password, which provides an extra layer of security, but there are still ways of getting to the password list.

Internet Explorer and Google Chrome don't offer a master password feature, but your passwords are encrypted and only decipherable with the Windows user password that was in use when the password was created.   (That’s the password you enter on the first screen that appears when you start up your computer – unless you have chosen not to have a password!).  If someone gets your Windows user account password then they have access to your saved browser passwords.  There are utilities which can decipher Windows passwords, so make sure you have a strong Windows password.

Safari is the most secure browser because, unlike the others, you cannot see the stored passwords.  Safari stores your passwords in a ‘secret’ file that’s a bit harder to find.

While researching this post I came across two sites that give instructions on how to access the password lists on all of these browsers!

If you’d prefer not to have your browser remember your passwords, most internet security suites offer password managers (like Norton Symantec Identity Safe) where your logins/passwords/credit cards/frequent flyer numbers can be stored securely. This means the only login and password you need to remember is the one for your security suite's password manager. Once this is provided any logins on websites are completed for you. They can also auto-fill online forms that you use regularly.

Another option is a separate Password Manager – either on your computer or in the cloud - for storing your individual login/passwords so you only need to remember one master password.  Unless you only ever use one computer at home I’d recommend an online/cloud based password manager.  Then you’ll be able to access your passwords at home, work, anywhere, no matter what type of computer/mobile device you use.  The best also give you a synchronised, local copy of your password database on all of your computers and mobile devices, so you don’t have to worry if the password database in the cloud goes down.  If you’re worried that the Password Manager might not be safe – don’t worry – they don’t actually have access to your passwords.  The database of your passwords is created by your computer encrypting the passwords and other personal data before uploading a copy to the cloud.  Because the data was encrypted on your computer, the password manager is not able to unlock it – only you can. 

There are plenty available, but the one that regularly tops the Best Password Manager lists is:

LastPass - There’s a free version (for all major operating systems, browsers and iPad) as well as a premium version ($1 per month), for an extra layer of security and for use on multiple systems. LastPass is the easiest to use - automatically adding your login/password to a website as soon as you arrive at that site - no button-clicking required. It can also analyse your existing passwords for weaknesses and generate really secure passwords for any new logins; and there’s an option to automatically delete passwords stored by your browser. A local copy of your passwords and personal data can be stored on all your mobile devices and personal computers.

Watch this video about LastPass from my all-time favourite Techie:

ONE LAST COMMENT:  You might think the easy way out is just to have the same password for everything and just remember that.  What happens if one of your accounts gets hacked – you’ll have to change your password for every other site where you have created an account!  However, say your Facebook password is compromised and you have a different password for all your other sites, you just have to change that one password. 
