You need a password manager!

Do you have sticky notes all over your desk with ID’s and passwords? Perhaps you have a notebook with passwords scribbled out and rewritten. Or you went the other direction and have nothing!

I run into this all the time. A customer’s hard drive fails and I load Windows or Linux from scratch. When I deliver the computer, they want to be sure they can access their email, Facebook, on-line games, etc. They are shocked to find that it does not automatically log in. I often end up spending 2 hours helping customers reset their passwords.

Both Chrome and Firefox have the ability to store this information on-line. That works fine to store the information for that browser. However, once that browser is configured I have to open the other browsers and import the settings. The data between the various browsers will never be synchronized. “Oh, but I never save my passwords in a browser because it’s not safe, and on-line is even worse!”

There is a lot of truth to that. So why would you ever trust a password manager to automatically gather your ID’s and passwords and save them on-line? One word: encryption. You must remember ONE password that is used to encrypt/decrypt your data. All information is encrypted on your PC before ever being sent across the Internet. “No, I’m afraid someone would crack it.” If the Federal Government trusts AES encryption to keep their secrets safe from China, you can certainly trust it! AES encryption is very secure when properly implemented. The encryption itself cannot be broken. What can be cracked is your password. Did you know that ANY 8-character password, no matter how complex, can be cracked instantly? Today’s crack utilities employ the graphics card in your computer to do the number crunching. Graphics cards can process numbers far better than any microprocessor and math co-processor combination. Here’s a little test for you: howsecureismypassword.net. Don’t worry, this does not send your passwords. It runs a little Java program on your computer.

“But my computer is managed by my company; I can’t install software.” Most password managers have enterprise versions available that are managed by your administrator. If you work in a health-care or financial industry, password managers help maintain HIPAA, FIPS, and Sarbanes-Oxley compliance. The password manager can generate random passwords that meet your company’s requirements, check the age of your password, and in some cases, even change your passwords for you automatically! If your company is not interested in this, many password managers have plug-ins that run in the Firefox and Chrome browsers. This may be a way around your company’s software restriction. Not that I am asking you to bypass their restrictions. Please verify with your administrator first.

“This sounds interesting, but how much will it cost?” Some are free, with certain limitations. For example, LastPass is free if you want to use it only on your computer. You can upgrade to premium for $2 per month, which will allow you to use it on your smart phone as well.

Edit: The free LastPass account now works across multiple devices and is likely all you need!

RoboForm is the same, with a free option, and $19.95 per year for RoboForm Everywhere. Dashlane is another option. They have the same free personal option, and $3.33 per month billed annually for use on all your devices.

PC Magazine has reviews of several other managers here: https://www.pcmag.com/article2/0,2817,2407168,00.asp

Interesting to note, I have both RoboForm and LastPass. I have used them for many years. Neither received an Editors’ Choice from PC Mag. They recommend Dashlane, Keeper, LogMeOnce, and Sticky. The last two I had never heard of until just now. It just goes to show you how rapidly the digital landscape changes. Even the experts have trouble keeping up. That’s not to say LastPass and RoboForm are not good. I’ve been very happy with them.

Why do I have two? Because RoboForm did not work properly on Linux. I filed a bug report with them and it took months for a proper fix. I now rely heavily on these and being without RoboForm was not an option, so I switched to LastPass. However, LastPass did not properly import everything from RoboForm, so I kept it too. Now all my new stuff is in LastPass, so I have both. Perhaps one of these new programs will import everything, and I can migrate back to just one. I won’t include them in this article because it may take a few months for me to test all the features before migrating completely.

You see, I also use them on my iPhone for my business. They log me in to my invoicing site so I can create invoices for my customers when I work on their computers. They each hold hundreds of ID’s and passwords for the various sites I use, including private notes for things like my EIN number, my spouse’s social security number, etc. If my wallet were ever lost or stolen, all my credit/debit card information is in them. I could easily contact my banks to cancel the cards. I rarely allow websites to store my card information because the password manager will automatically fill this for me. The same goes for all those website forms that need your address, phone numbers, etc. The password manager will fill these automatically for me.

I have a pretty good understanding of encryption, and am quite familiar with Rijndael’s cypher. AES stands for Advanced Encryption Standard. Many people competed to win this title from the NIST to replace the aging and compromised Data Encryption Standard. Serpent, Blowfish, and Twofish are other contenders that in some cases provide even better encryption, but are not as easy to implement, or could not provide the performance. Rijndael was the winner. But data encryption is another discussion topic. Suffice it to say that AES encryption is very secure, and the weakness is the password. My weakest passwords will still take billions of years to crack via brute force attack. Some of my more secure passwords are in the quadrillion or septillion years range.

Yes, I trust these password managers to store my information much more so than paper. And if anything is ever lost, I can log on to their website and get it all back. Everyone NEEDS a password manager! They’re inexpensive, easy to set up, and indispensable. I can’t imagine not having one. If you need a little more help, give us a call at 480-382-4761. We’d love to help you. Irwin Electronics makes old computers run like new, and so much more.

Update: Since writing this article I had the opportunity to try Keeper. Overall it’s a fine password manager, but its form fill is limited. It successfully imported my logins from LastPass and RoboForm, but not my Identities, credit cards, or Safe Notes. Their support advised only logins are supported. I also had a problem with the Chrome extension on one PC. Their support advised this is a known issue.

These forced me to take a deeper look at PC Magazine’s reviews. The reason LastPass did not receive an Editors’ Choice award is because everything you need is now included in the FREE version. There is no need to upgrade to premium. The Free version IS an Editors’ Choice. Therefore, I will stick with LastPass, and whole-heartedly recommend it to everyone! Even though the free version now includes the necessities, I will continue using my paid version. $24 per year is a small price to pay for continued development. While PC Magazine may feel the cost does not justify the features, they do not see the big picture. If everyone uses the free version, the company could not support itself and we all lose.

For those of you that are super paranoid, Keeper does focus more on security, privacy, and anonymity. They only use 256-bit AES encryption, and are all about Zero-Knowledge. Nothing identifiable is ever stored unencrypted on their servers, not even briefly. And if that still isn’t good enough for you, Sticky Password has a Wi-Fi only sync option that syncs information across your devices only on your Wi-Fi connection. Your data never leaves your network! Of course this means you can’t access your data from a website, but that’s exactly what you would want.

KeePass is another option for the uber secure. It stores your data (encrypted of course) on a USB key, locally, or anywhere you choose. KeePass has a portable app that runs from your flash drive without installation. They have clients for Windows, Mac OS X, Linux, Apple iOS, and Android. Another great benefit of KeePass is it’s entirely Open Source! That fact alone makes it one of the most secure options in this group. KeePass is also completely free. I plan to test this further. You know how much I love and support Open Source! And yes, I do donate! It’s our way of giving back to the community.

Update: I had an opportunity to try KeePass briefly. The installer gives a desktop application and database to store your ID’s and passwords, and not much else. Browser plugins to auto fill are available from 3rd parties, and seem to be hit or miss. There is no option to import from other password managers, but this may be available from 3rd parties as well. If you’re looking for something to replace your pen and paper, do not trust encryption to keep your data safe online, and don’t mind a little work, KeePass could be a great option. Personally, I have hundreds of logins stored in LastPass, so migrating to KeePass would not be simple. Nor do I see any real advantage over LastPass other than the fact it’s open source.

Now that I’ve had a chance to try a few more of these, LastPass is the clear winner. The free account may be all you need. It has more features than you could likely ever use. It’s the easiest of all I’ve tried, both in setup and daily use. I have never needed to contact their support. If you do decide to purchase the paid version, even at $24 per year, it’s still priced competitively. They do have a family plan available for up to six users at $48 per year. Each user has their own account, and you can set up shared folders. LastPass also makes it easy to share a login with anyone, without giving away your password. You can also set up emergency access so that someone can access your accounts in the event you cannot. The team at LastPass has done an outstanding job on their password manager. Everyone NEEDS LastPass!