Electronic Yellow Sticky of Doom

The previous post looked at written passwords – let’s now look at electronic passwords:

Instead of writing passwords on a piece of paper, you can save them on the computer. The most obvious way to do this is with a text document or a spreadsheet.

Bad idea!

Your password is now subject to being hacked. Since your computer is almost certainly connected to the network (or you wouldn’t have so many passwords!), you are now threatened by the entire Internet, not just the people around you.

OK, you can save the document or spreadsheet as a password-protected document. Less bad, still not good. It is a step in the right direction, but there are better ways to do it. This is a situation where you should use the right tool for the job – in this case a password manager.

A password manager is an application designed to manage your passwords. It will typically have a strong security model, the ability to organize passwords by the application or web site they go to, and the ability to generate passwords. Many password managers are designed to integrate with applications and the Web, where they can automatically provide the username and password and log in for you.

Instead of trying to remember multiple passwords, all you have to do is remember a single password to open the password manager. (Yes, you can write down the password to your password manager. In fact, you probably should – and lock it up in a secure location like a safety deposit box. Think of this written copy as a backup, where security is more important than ease of access. You may even want to print out the contents of your password manager and lock them up in the safety deposit box.)

There are many password managers available, so you should do your research before choosing one. Reviews are available from a number of sources such as LWN or Tech Radar. Be especially careful when choosing a password manager from an application store that has millions of applications – many of these applications are poorly written and may contain malware. For something as important as a password manager you need to do your homework!

An example of a highly regarded password manager is KeePass and the KeePassX version for Linux. This is an open source application, so the code has been widely reviewed. If you are running Linux, KeePassX is probably included in your Linux distribution.

KeePass creates an encrypted database of passwords on your system. In fact, it supports multiple databases, so you can keep personal and work-related passwords separated. KeePass also has an internal group structure to organize passwords. This allows you to have groups like finance, social, sports, email, and work for your various accounts.

A strength of password managers is that most of them have a password generator. Again looking at KeePass as a specific example, you can control the length of the password, uppercase/lowercase, numbers, special characters, and even whitespace. You also have the option of specifying “pronounceable” passwords. (For some values of pronounceable…)

Using a password manager makes it feasible to use more secure passwords – specifying 24 characters, uppercase/lowercase/numbers/special characters and generating a unique password for each application or site is easy. It is also easy to change passwords regularly – just have your password manager generate a new password, which it then remembers.
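To show what such a generator does, here is an added example; it is not KeePass code and not from the original post. It uses Python's `secrets` module (a cryptographically secure random source), and the function names and class labels are assumptions made for illustration.

```python
import math
import secrets
import string

# Character classes mirroring the generator options described above.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digits": string.digits,
    "special": string.punctuation,
    "space": " ",
}
DEFAULT_CLASSES = ("upper", "lower", "digits", "special")


def generate_password(length=24, classes=DEFAULT_CLASSES):
    """Return a password with at least one character from every selected class."""
    classes = tuple(dict.fromkeys(classes))  # drop duplicates, keep order
    unknown = [c for c in classes if c not in CLASSES]
    if not classes or unknown:
        raise ValueError(f"invalid character classes: {unknown or 'none selected'}")
    if length < len(classes):
        raise ValueError("length is too short to include every selected class")
    alphabet = "".join(CLASSES[c] for c in classes)
    # Rejection sampling: draw every character uniformly from the full
    # alphabet and retry until each class appears. Forcing one character
    # per class into fixed positions would make passwords more predictable.
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in CLASSES[c] for ch in candidate) for c in classes):
            return candidate


def entropy_bits(length=24, classes=DEFAULT_CLASSES):
    """Upper bound on entropy in bits: length * log2(alphabet size)."""
    alphabet = set("".join(CLASSES[c] for c in classes))
    return length * math.log2(len(alphabet))


def generate_for_sites(sites, **options):
    """One independent password per site, so a leak at one site exposes no other."""
    return {site: generate_password(**options) for site in sites}


if __name__ == "__main__":
    # Site names are constructed sample input.
    for site, pw in generate_for_sites(["bank.example", "mail.example"]).items():
        print(f"{site}: {pw}")
    print(f"about {entropy_bits():.0f} bits of entropy per password")
```

With the four default classes the alphabet has 94 characters, so a 24-character password carries roughly 157 bits of entropy, far beyond what anyone would memorize or type by habit.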

Password managers aren’t perfect, but they are a useful tool for making passwords as good as they can be. Using a good password manager is more secure than re-using an easily guessable password across multiple applications.

Next: Yellow Sticky of Doom in the Cloud

About Russell Doty

A technology strategist and product manager at Red Hat, working on the next generation of open source systems.