John Breeden is the lab director for the Government Computer News Lab and recently tested 4 different software programs that do just that.
“People can’t really keep track of their passwords, anymore. So, what people were doing was making really weak passwords, like names of their kids or pets, and they were using the same password for multiple sites, which is a big no-no. So what these programs do is allow you to create one very secure password that hopefully you can remember that pretty much will stay the same unless you change it, and then it manages all your other passwords for you. So you don’t even really have to know what they are.”
There are a variety of brands out there, but the program itself is pretty much the same. Breeden says he tested 4 and found that, initially, you have to sit down and devote some time to the task, no matter what brand you use.
“You’re going to have to log in and tell the program basically all of your passwords for all of your different sites. . . . From that point on, the program will manage your passwords for you. So, when it’s time to change your password, these programs will generate the new password for you.”
What this software will hopefully eliminate is the ‘Post-It note system’ — that habit developed by many feds and private sector employees that involves writing down a password and keeping it ‘safe’ in a desk drawer somewhere.
Surprisingly, however, the Post-It note system is not really the biggest threat to password security. Nowadays, most hackers steal passwords and get into accounts via the Web.
This later reason is why Breeden and his team tested the password software itself for security strengths and weaknesses.
“If these programs are not written right, they can be dangerous because basically all your passwords are stored there. So, one of the things we wanted to look at was security. We wanted to make sure they had 32-bit encryption. Most of them use the SHA-256 hash, which pretty much is unhackable right now. The passwords are kept safe. Since they all kinda do the same thing, we were looking for two things: security — how well they protect your data; and ease of use — because if they’re more difficult to use than memorizing the passwords then they’re not much good to you.”
Right now most of the software available is for individual use, not big companies.
“It’s interesting [that] in this particular area — password management — most technology initiatives that we see come from the top down. You know, the administrators say, ‘This is something that is going to happen,’ and they’ll put it on their server and they’ll push it down to the users. Password management is really taking off from the ground up, because it’s the users that are subjected to trying to memorize all of these passwords. So, most of these programs are designed with the individual user in mind. Administrators just want their systems to be secure. The users are the ones that say, ‘I can’t memorize 15 different passwords every three months,’ so they’re the ones that are really pushing this particular industry.”