
More on storing or remembering passwords

Dec 12, 2005

Readers share their thoughts on passwords

A few weeks ago I wrote about passwords – creating them, storing them, and remembering them.  Passwords can be a real pain, but unfortunately they are the first line of defense when it comes to securing our files, systems and accounts.  Depending on how smartly you create and use your password, that line can be fairly strong or pitifully weak.

Several readers sent me their thoughts on passwords.  These ideas might not work for your enterprise password policy, but there are some good thoughts here for individual users.  Maybe there’s something here you’ll want to try.

Charles, a network specialist, wrote with his experiences:  “I found a program called AnyPassword to store the passwords that I use.  It stores them in an encrypted file. It lets you organize your passwords.  I then purchased a USB drive that fits in my wallet. The program, AnyPassword, can be stored on the drive and does not require being installed on a machine. This way I can store the passwords I need, carry them with me at all times, access them from any machine, and keep them protected. AnyPassword also can generate passwords based on the options you want: upper case, lower case, numbers, symbols, and length.”

Charles is also looking at a password tool for his workgroup.  “At the office we are starting to implement Password Manager XP. It integrates with Active Directory to provide granular user access. It has the ability to store passwords on removable drives as well. We are still looking at it, but it appears very promising.”  Charles, we’d love to hear more after you conclude your testing.

Back to AnyPassword for a moment.  In its basic form it is freeware that you can download for your personal use.  There is a nominal fee of $19 for a business license – that is, if you use it at your office.  There is also a more advanced “professional” version that sells for about $25.  I haven’t tried any of these, so we’ll have to rely on Charles’ endorsement of the product.  According to the marketing materials, AnyPassword offers support for a hierarchical data structure, a strong encryption algorithm, incremental search, a password generator, a multiuser interface, and a multilingual interface.

My friend Marc in the IT department at Indiana University took a quick look at AnyPassword, and he made this assessment:  “AnyPassword sounds very interesting – especially from the point of view of password generation.  If it generates the password for me, the password is as strong as the parameters permit.  If it also keeps track of the password for me, then I don’t even need to remember it. And, I can access it from any Windows PC with a USB port — but what about from my BlackBerry?  Or a Macintosh?  Or, Heaven forbid, a Linux or UNIX machine!  The downside is that it requires a Windows PC to access the encrypted file.”

Marc has some other thoughts about passwords:  “The worst part about the ‘best practices’ list adopted by the most conscientious of IT departments is that very few people can keep track of multiple strong passwords on multiple accounts – especially when they need to change them every 60 to 90 days.  In short, the rules can make the problem worse!  I would argue that it is better to have ONE strong password on a central authentication server.  Such an approach can alleviate the need for frequent password changes and permit the organization to adopt a more aggressive ‘passphrase’ approach.  These are much harder to break and often easier to remember.”  

He continues:  “This doesn’t solve the problem of passwords on public sites but it certainly goes a lot further to protect corporate data since that is where one usually finds the most Post-It notes within view of the greatest number of prying eyes.  In fact, there might even be a commercial market for centralized password management.  Imagine having one commercial site which manages the passwords of all of your favorite Web pages (both corporate and personal) which requires one strong passphrase (and a small monthly fee) and in exchange, it provides you access to any site you have registered with them, no matter what password you originally used to register for that site.”

Marc notes that a Web-based central repository has several advantages, the greatest one being the potential for platform independence.  Plus, it might have the ability to drop the password directly into the Web site you wish to access so it would not need to reveal the password to anyone, keeping it away from all prying eyes.

Gina is a network consultant who offers up these suggestions about passwords:  “The easiest solution I’ve come up with so far is to have the user pick something easy that he’ll remember (like your example of Rover) but simply input special characters and numbers in place of the vowels and capitalize the first letter – @ for a, 1 for i, $ for e, zero for the letter o, * for u (these characters and numbers are conveniently just above each letter on the keyboard) and so ‘Rover’ becomes ‘R0v$r.’  The password cracker programs I’ve tried have been unable to identify them.  I’ve challenged home users – if I can guess their password within 5 chances, they should change it.  For business users, I run a cracker and watch their mouths drop when they see how quickly it identifies their password.  I can’t force them to change it, so I try to ‘gently’ persuade them.  Usually, my examples of past experiences of breaches and abuses are enough of a deterrent.”
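As an added example that is not part of the column or of any of the products mentioned, the Python below sketches the three approaches the readers describe: a generator with the option set attributed to AnyPassword (upper case, lower case, numbers, symbols, length), the random-word passphrase Marc favors, and Gina’s vowel substitution. The search-space sizes it reports are rough, and the wordlist and dictionary sizes used in the test are assumed round numbers.

```python
import math
import secrets
import string

# Vowel swaps from Gina's scheme (@ for a, $ for e, 1 for i, 0 for o, * for u).
VOWEL_MAP = {"a": "@", "e": "$", "i": "1", "o": "0", "u": "*"}


def substitute_vowels(word: str) -> str:
    """Apply Gina's mapping to a memorable word and capitalize the first letter."""
    swapped = "".join(VOWEL_MAP.get(ch, ch) for ch in word.lower())
    return swapped[:1].upper() + swapped[1:]


def character_classes(upper=True, lower=True, digits=True, symbols=True):
    """Pools for the generator options the column attributes to AnyPassword."""
    classes = [pool for enabled, pool in (
        (upper, string.ascii_uppercase), (lower, string.ascii_lowercase),
        (digits, string.digits), (symbols, string.punctuation)) if enabled]
    if not classes:
        raise ValueError("enable at least one character class")
    return classes


def generate_password(length, upper=True, lower=True, digits=True, symbols=True):
    """Random password of `length` chars with at least one char from each enabled class."""
    classes = character_classes(upper, lower, digits, symbols)
    if length < len(classes):
        raise ValueError("length too short for the enabled classes")
    chars = [secrets.choice(pool) for pool in classes]  # one from each class
    combined = "".join(classes)
    chars += [secrets.choice(combined) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # CSPRNG-backed shuffle, not random.shuffle
    return "".join(chars)


def random_password_bits(length, pool_size):
    """Approximate search space of a generated password: pool_size ** length."""
    return length * math.log2(pool_size)


def passphrase_bits(words, wordlist_size):
    """Search space of a passphrase of random words: wordlist_size ** words."""
    return words * math.log2(wordlist_size)


def substituted_word_bits(dictionary_size):
    """A fixed substitution of one dictionary word leaves the space at dictionary_size."""
    return math.log2(dictionary_size)
```

The last function is the defender’s caveat on the substitution scheme: because the mapping is deterministic, a guess still only has to cover the base word list.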

So there you have it – some good suggestions from people living the password dilemma every day.  As for me, I think I’ll start using pig Latin for my chosen passwords.  At least I can remember “Overay” as easily as “Rover.”