If you’re like me, you have accounts on a ton of web sites. I probably have over 200 accounts, including my email services, storage & note-taking sites, organizations, social sites, and a pile of online stores. In my previous articles, I’ve hopefully convinced you that you need good, strong passwords that are different for every site. The good side to this plan is that it helps keep your accounts secure. The bad side is that all these good, strong, unique passwords are a nightmare to remember. In fact, unless you’re one of the lucky few with a photographic memory, there’s no way you’ll remember all these passwords.
So what’s an Internet surfer to do?
There are two basic ways you can manage an unruly pile of passwords: Develop your own system for keeping everything tidy, or use a third-party password manager and let it do the dirty work for you.
Anyone who knows me will tell you that I’m kind of paranoid about giving up control of my belongings, so I’ll tell you up front that I have a pretty sweet system for managing my own passwords. But there are a lot of people who use third-party password managers and they swear by them. By all accounts, they seem very secure and have built-in “fail safe” features to protect you against disaster. We’ll start by looking how these services work.
PASSWORD MANAGERS
Password Manager applications have been around for a few years, but they really started to catch on over the last year or so. Several of my friends use them and have had really good luck with them. A lot of tech journalists I follow also swear by these nifty tools and recommend them all the time. LastPass seems to be the odds-on favorite, but 1Password, Dashlane, and KeePass are also very popular.
So how do they work? The premise of all Password Managers (okay…I’m just going to call them PMs from now on) is very simple. They create a database that stores your user names and passwords for sites. Then they encrypt that database with a single, complex password, which is, essentially, the only password you need to memorize. So when you go to a site, the PM prompts you for your one password. If you type it in correctly, the PM then opens up the database, pulls your login credentials for the site, and logs you in. So, in effect, you have one password to rule them all.
PMs are very convenient. And because they encrypt your database, they are relatively secure, too. All the major ones have apps for Windows, Mac, iOS, and Android, so you can use these services across all your devices. Choosing a PM can be tough, though, as they all pretty much do things their own way. Some of them store the database on your devices, others store it on their server, and others let you put a copy online (like in DropBox). Some of them are free up to a certain number of passwords, then require you to pay a subscription fee. Others are free on computers, but require you to pay a subscription for mobile access.
As for me, I can’t bring myself to use any of them. First and foremost, I don’t like the idea of relinquishing control over my passwords to people I don’t know. Second, I see too many points of failure, none of which I have any control over. To use a PM service, I have to trust that the business doesn’t have malicious intentions, that all their employees are trustworthy, and that they have safety plans in place in case of a disaster. That’s a lot of trust to put into a company. Maybe they have an employee that’s actually a black-hat hacker (one of the bad ones). What if the database is corrupted and everything is lost? What if a hacker breaks into your device, your DrobBox, or the service and steals your database without you knowing. It’s encrypted, so it should take them a long time to brute-force their way in, but if they do crack it, they have everything.
And also, I should probably mention that with these PM services, if you forget your password, everything is lost. The companies can’t recover them or reset your password. It’s all contained in the database itself, so if you forget it, you lose everything.
Like I said: Too many potential points of failure, none of which I can prevent or mediate.
SO HOW DO I MANAGE MY PASSWORDS?
Actually, believe it or not, my system isn’t all that different than the PM applications. I create my own database, store it in multiple formats and multiple places, write everything down in a secret code (my own personal encryption, if you will), and check my database when I need to log into something. Here’s how I do it:
I keep my database in two places: I keep an electronic copy on one of the popular web-based note taking services, and I keep a good, old-fashion pen-and-paper version in my house. The electronic version is accessible from all my devices: phone, tablet, and computer. No matter where I am, I can pull up my list on my phone and have access to all my passwords. The paper version exists as a box of index cards, with a single index card for each site.
I like having both, because if the electronic version disappears or gets corrupted, I can re-create it from the paper version. And if the paper version is stolen or destroyed, I have the electronic version to rebuild it from.
Now as to the encryption part, I have developed my own personal shorthand system for writing down my passwords. Unlike computer encryption, there is no decoder ring (encryption key) to translate the shorthand. It’s all in my head. So if a hacker gets my electronic file, or if a burglar steals my index cards, the information won’t do them any good because I’m the only one who understands what the codes mean.
For example, a thief could steal my index card for my bank and see that my username is GorillaRampage. But for a password, it shows ShnozChomp-BreakfastFight. Little does he know that it actually stands for 62_NosesBit@WaffleOnTheBacon_Foot. And unless he can get into my head, he’ll never figure it out on his own.
Granted, my shorthand system is very robust, and it’s taken me a couple years to develop what I have. But to me, it’s worth it. I have a system that allows me to access my passwords from anywhere, but also hides the true passwords from would-be thieves.
Whether you go with a Password Management service or develop something on your own, today’s Internet requires you to have some sort of password management scheme. Good luck…and I’d love to hear what type of system you use, so leave a comment and share your thoughts with my readers.