I finally forced myself to sit down and come up with a better plan for password management this past week. As online identity theft grows, it’s becoming more commonplace for media and bloggers to write about security best practices, password protection, and other topics related to online identity. Unfortunately, password management is one of those topics that people choose to ignore because they want something simple and don’t want to be burdened with password rules and expiration dates. I counted myself in that group up until now.
I reviewed a few alternatives for password management programs. Some have a local client to install, with the passwords stored locally. Some use a recording and playback method. Some leverage a two-factor authentication system with a physical device that supplies a key. What is common among all of them is that they require a user to change their habits in some way. I think this is a valid trade-off for added security and a little peace of mind.
For my review, I decided I needed to find a solution that addressed the following criteria:
1. Online Access
Have an online version so that I can access my password storage from multiple locations. Since I use different computers throughout the week or may need to get to a site from an unexpected location, I need something portable.
2. Multi-Factor Security Options
OK, so this is obvious, right? After all, I am giving someone my accounts and passwords. Since I wanted an online solution, I need to be comfortable with the security of the system. A fairly new approach to security that goes beyond encrypting the contents of the message on the wire is the host-proof hosting system. I’m not a security expert, but I get the fact that this system encrypts the data on their server, that I have a secret key that is not stored on their server, and that at no time is the key moved to their server. I see there are several players on the market that are using this system, including industry giant Verisign.
3. Browser Compatibility
I spend 95% of my Internet browsing time using Chrome or Firefox, so the password management system must run on those two browsers. I already have too many applications that only run with IE. I’m not going to add another one.
At the end of my journey I selected PassPack as my management tool. The tool meets all three of my decision criteria and offers additional optional security features that I won’t list in this post. There is a local desktop version available as well. The PassPack business model currently gives individuals free usage rights (up to 100 passwords), while charging for group and administered accounts. It definitely requires a change in my behavior, but I know it’s for the better. At the end of the day, I’ll learn to enjoy the central management aspect of the password storage system and welcome the value-add it provides to me.