Saturday, December 4, 2010

Geeky Stuff: managing passwords

Well, Caitlin has had a lot of sleepless nights since my last Geeky Stuff post, in which I terrified her with the prospect of losing control of all of those passwords.  Here are some typical ways of managing the dozens of online accounts that we've accumulated since we started moving our lives online.

  1. Use the same password everywhere.  The advantages of this one are obvious, but so are the pitfalls.  If your password gets compromised, your whole life is an open book.  And that can happen remarkably easily, via a fake website, or in your local coffee shop.
  2. Use a different password every time, and store them all in a Word document on your laptop.  This has obvious flaws (your whole life is gone if your laptop gets lost or stolen) but I know people who actually do this, believe it or not.
  3. Use Password Safe (thanks Rupert) or another of the many programs like it.  This is handy, and the passwords are stored encrypted on your computer, so if someone steals your laptop they can't access the passwords.  But they're only on that computer: a password you store on your laptop at home isn't available on your PC at work.
  4. Use your browser's 'remember passwords' feature.  This is handy, and as long as you set a 'master password', the passwords are stored encrypted.  But again they're only available in that browser, on that computer.  If only there were some way of sending those encrypted passwords to a central server somewhere, so you could access them from anywhere...
  5. Use LastPass.  I love this thing.  When I create a login on some site, I use it to generate a totally random password that no one could ever guess, like f3OgPkJo.  I could never remember it, but I don't care.  LastPass remembers it.  When I come back to the site, LastPass fills in the login form and logs me in automagically.  And my passwords are stored encrypted on the LastPass servers, so I can get at them from any computer I want to use.  They even have an app for my Android phone, so I've always got my whole keychain with me.  Even Lojo likes it!
There you have it - some unsolicited advice only tangentially related to living in Chile.

Geeks only:  yes, I know LastPass is not open source, so it can't be publicly audited for security.  Bruce Schneier would not approve.  For now I'm taking the risk...
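For the geeks, an added example (my own code, not the blog's and not anything from LastPass or Password Safe) of the two mechanics that options 3 to 5 in the list rely on: drawing a uniformly random password from the operating system's CSPRNG and measuring how much guessing it resists, and stretching a master password into a vault key with PBKDF2 so the stored blob is useless without it. The function names, the sample master password and the 62-symbol alphabet (upper, lower, digits, which is the kind of string f3OgPkJo is) are all my assumptions; the actual vault encryption (AES-GCM under the derived key) needs a library outside the standard library and is left out.

```python
import hashlib
import hmac
import math
import secrets
import string
from typing import Optional

# Assumed alphabet: upper + lower + digits, 62 symbols (the kind f3OgPkJo is drawn from).
ALPHANUMERIC = string.ascii_letters + string.digits


def generate_password(length: int = 16, alphabet: str = ALPHANUMERIC) -> str:
    """Build a password by drawing each symbol independently from the OS CSPRNG.

    secrets.choice is uniform and unpredictable; random.choice is neither and
    must not be used for credentials.
    """
    if length < 1 or len(set(alphabet)) < 2:
        raise ValueError("need a positive length and an alphabet of at least two distinct symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing entropy of a uniformly random password: length * log2(alphabet size).

    A manager-generated password gets its strength from this number, not from
    looking 'complex'; an 8-symbol alphanumeric string is only about 47.6 bits.
    """
    return length * math.log2(alphabet_size)


def derive_vault_key(master_password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Stretch a master password into a 32-byte key with PBKDF2-HMAC-SHA256.

    The salt is stored next to the encrypted vault; the iteration count makes
    every guess at the master password cost the attacker real CPU time.
    """
    if len(salt) < 16:
        raise ValueError("salt should be at least 16 random bytes")
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def make_verifier(vault_key: bytes) -> bytes:
    """HMAC of a fixed label under the vault key: lets a wrong master password be
    detected without ever storing the key or the password itself."""
    return hmac.new(vault_key, b"vault-key-check", hashlib.sha256).digest()


def unlock(master_password: str, salt: bytes, verifier: bytes,
           iterations: int = 600_000) -> Optional[bytes]:
    """Return the vault key if the master password is right, else None.
    compare_digest keeps the check constant-time."""
    key = derive_vault_key(master_password, salt, iterations)
    if hmac.compare_digest(make_verifier(key), verifier):
        return key
    return None


if __name__ == "__main__":
    for n in (8, 12, 16, 24):
        bits = entropy_bits(n, len(ALPHANUMERIC))
        print(f"{n:2d} alphanumeric symbols: {bits:5.1f} bits  e.g. {generate_password(n)}")

    # Constructed demo values: a sample master password and a fresh random salt.
    salt = secrets.token_bytes(16)
    master = "correct horse battery staple"  # constructed sample, not a real credential
    verifier = make_verifier(derive_vault_key(master, salt))
    print("right master password unlocks:", unlock(master, salt, verifier) is not None)
    print("wrong master password unlocks:", unlock("correct horse", salt, verifier) is not None)
```

The entropy table is the point of option 5: eight alphanumeric symbols give under 48 bits, so a manager that remembers the password for you lets you use 16 or more and roughly double that. The verifier is how a "master password" setup can say "wrong password" without keeping anything an attacker could use directly; whoever steals the laptop gets a salt, an HMAC output and ciphertext, and still has to pay 600,000 hash iterations per guess.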

  1. I'll put my money on you. It's only got to be good enough, right? And, if it's secure enough for you and Lojo likes it, sounds like you've got a winner. Congrats. Can you remote wipe any automatic authentication if your phone were to get stolen? If so, I might even try it, although my trusty Mac has this nice keychain thing built into the OS.