Thursday, May 28, 2009

Keeping track of your Web site passwords

I have a dirty secret to share with you all today: until recently, I didn't have a very good strategy for keeping track of my various Web site passwords and logins. Near my desk is a worn set of stapled sheets of paper with various notations about which username, email address, and password I have used to authenticate to its services. Luckily, I work alone, but still it bothers me that if someone were to break into my office, those special pieces of paper would probably be the most important thing to find. I know some of you use PostIt notes for this purpose, and keep them where no one would look, such as under your keyboards.

There is a better way, and I will get to it in a moment, but first I want to take you through what some of the other solutions that I have tried and rejected. Since I do most of my work on my laptop, why not just automate the credentials inside my browser? That is good for some of the sites that I use most frequently, but it isn't very secure should someone get a hold of my laptop.

Another idea is OpenID.net, which is an open-source collection of Web sites that federates your identity, including Yahoo, MySpace, Facebook, and others. OpenID sounds really good, until you start to peek under the covers, and realize that if a phisher ever got ahold of just one authentication of yours at one site, they could pretty much gain access to the rest of your OpenID sites. This is more 'phederated ID' and a hacker's paradise. The problem is that once you authenticate properly on one Web site, you can use your OpenID URL to gain access to anything else.

I have mentioned in previous missives Ping.fm and Quub.com that attempt to consolidate all of your social networking logins in one place, and be able to update your status messages across the board. But it is troubling when I get emails from Quub mentioning that they have upgraded their system and "had to clear everyone's existing credentials that were encrypted with the old algorithm. Please re-enter your credentials under Settings …"

RoboForm is another solution, which basically automates the credentials and saves it in an encrypted spot on your hard drive. That is great, but what happens if you are using a different PC?

Another way is to use some form of two-factor authentication, so called because it uses something that you – and only you – have on your possession, such as a special and unique SecurID token. I have one for my PayPal account, it cost $5 and is well worth the added protection that it offers. Basically, no one else can use my account unless they use the token to sign in.
http://tinyurl.com/paypalkey

But the issue with these tokens is that you need one for each of your accounts. There are some vendors who are trying to get around this issue by using one's cell phone as a second factor authentication tool including Phonefactor.com and FireID.com. Both require some integration of their tools into your applications, which isn't very good if you want to apply them universally to all of your Web authentications. FireID's solution involves using a special server that sits on my network, while PhoneFactor requires software agents to download to your desktop or to integrate into your Web applications.

So what else can you do? The service that I am trying out now is from Tricipher and called MyOneLogin.com. It costs $30 a year per user, and everything is done via their hosted service so there is nothing to download, other than an optional Firefox or IE browser plug-in to handle some tasks. You set up a special Web portal for your company, and then add your credentials to the various sites. It comes with hundreds of pre-set applications and works with either special knowledge questions (what was the name of your third-grade teacher) or with your cell phone. The good thing about MyOneLogin is that you can set it up and forget your passwords, because no matter where you are you can login to the portal and then to your applications. You can mix and match Web and internal apps, such as your VPN login, too, without any programming or installing any servers. And it is also a great solution if a company wants to keep control of these credentials to these sites, so when you leave you can't take your logins with you.

Look for one of my WebInformant.tv screencast video demos in the near future that will show you more about the service. And you can try it out for 30 days for free if you are interested. Maybe now I can finally toss those special pieces of paper – but first I will have to make sure to shred them!

No comments:

About Me

My photo
David Strom has looked at hundreds of computer products over a more than 20 year career in IT and computer journalism. He was the founding editor-in-chief of Network Computing magazine, and now writes for Baseline, Information Security, Tom's Hardware, and the New York Times.