Last week I was invited onto the “Bill and Wendy Show” on Chicago’s WGN Radio 720.
Bill Leff and Wendy Snyder got in touch with me after two million passwords belonging to users of Facebook, Twitter, LinkedIn and other websites were found on a criminal server, having been stolen by hackers who installed malware on innocent users’ computers.
The conversation turned into a discussion of how computer users can best manage their passwords, what programs can help you remember your passwords, hacked social network accounts, and the scale of malware on Windows compared to Mac.
On the recording you will hear me mention a few password management programs that can help you choose stronger, unique passwords for all of the different websites you access.
In case you didn’t catch them, here is the list again:
Thanks to Bill and Wendy for having me on the show. If you’re interested, you can keep track of my other media appearances here.
If you have views on the best password management program, why not leave a comment below?
Graham
Do you continue to recommend these (US) password managers in light of all the recent NSA revelations?
I get it that the only thing these companies store is the hashed values of everyone's passwords…but it seems to me that the US intelligence agencies could simply demand that these companies change their code so that plain text versions are stored on their systems – a la Lavabit.
The terms of the order would likely include, under the threat of draconian punishment, that the companies could not reveal the fact that they have changed their code and so their users would carry on blissfully unaware that all their passwords are now highly vulnerable.
I know I am speculating a bit here…but as a long time user of one of these services, I am getting nervous. I am checking out F-Secure's attempt at a password manager as right now, I trust the Finns more than the Americans!
1Password and KeePass store your passwords locally, using strong encryption. The people behind those tools never get your passwords (even in encrypted form) on their servers. They don't even know if you are using their software.
LastPass does store your passwords in "the cloud", but they don't know your master password, and cannot decrypt your passwords to read them for themselves.
Of course, you still need to be careful with your master password, and your personal computer's security.
But overall, I think password management software is a good thing for most people.
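The reply above rests on one property: the vault is encrypted on the user's own machine with a key derived from the master password, so a provider that only ever holds the encrypted blob cannot read it, and neither can anyone who obtains that blob. The sketch below is an added example, not code from 1Password, KeePass, LastPass or any other product; its blob layout (salt, nonce, AES-GCM ciphertext), the PBKDF2 iteration count and the key derivation shortcut (one 32-byte block) are assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const iterations = 100000 // assumed work factor; real products tune this

// deriveKey: minimal PBKDF2-HMAC-SHA256 producing a single 32-byte block.
// Only the derived key touches the cipher; the master password itself is never stored.
func deriveKey(master, salt []byte, iter int) []byte {
	mac := hmac.New(sha256.New, master)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index 1, big-endian
	u := mac.Sum(nil)
	key := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range key {
			key[j] ^= u[j]
		}
	}
	return key
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealVault runs on the client; the returned blob is all a sync server would ever see.
func SealVault(master, plaintext []byte) ([]byte, error) {
	salt, nonce := make([]byte, 16), make([]byte, 12)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	aead, err := newAEAD(deriveKey(master, salt, iterations))
	if err != nil {
		return nil, err
	}
	return aead.Seal(append(salt, nonce...), nonce, plaintext, nil), nil
}

// OpenVault fails (GCM tag mismatch) for a wrong master password or a tampered blob.
func OpenVault(master, blob []byte) ([]byte, error) {
	if len(blob) < 28 {
		return nil, errors.New("vault blob too short")
	}
	salt, nonce, ct := blob[:16], blob[16:28], blob[28:]
	aead, err := newAEAD(deriveKey(master, salt, iterations))
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, nil)
}

func main() {
	secret := []byte("facebook: hunter2") // constructed sample vault entry
	blob, _ := SealVault([]byte("correct master"), secret)
	fmt.Println("plaintext visible in stored blob:", bytes.Contains(blob, secret))
	_, err := OpenVault([]byte("wrong master"), blob)
	fmt.Println("wrong master password rejected:", err != nil)
}
```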
Graham, Thanks for the work you do on talking about best practices. I am not a fan of cloud storage of passwords for page login. Even though 1Password has the cloud as an option, it may change its "mind" and enforce cloud storage. Symantec had a local storage policy on their NIS product until the 2013 version, and now they enforce cloud storage. So, I am moving to KeePass, which hopefully has local encryption. Anyway, with hundreds of pages in use, memorizing passwords of good quality is just close to absurd. If Norton/Symantec had kept local storage I would have kept that, but I am moving to ESET as well; now all I have to do is find a fill-in product I can trust which is local.
All the best, and thanks for the great info.
Don't forget Password Safe (http://pwsafe.org/)

It's an open-source Windows password storage program, first written by Bruce Schneier over 10 years ago but still being regularly updated. Keeps everything local in case you don't want to use "somebody else's computer" (a.k.a. the Cloud).

There are many more password managers out there, but beware; many of them do not give you the security they promise. A bunch of password managers were tested by Elcomsoft and presented at BlackHat EU in spring 2012: http://www.elcomsoft.com/WP/BH-EU-2012-WP.pdf (PDF). Although a bit of crypto knowledge is required, their paper is sometimes hilarious & scary in terms of how bad security can actually be in some password managers.

Last but not least: writing down your usernames & passwords on paper and storing that at home can be a good idea in most cases – and much better than using the same password everywhere.