Password Managers: Yes or No?

But you don’t need to ask why.

By Greg LaFollette

Password managers have been in the news as of late. Unfortunately, the news has not been good. Multiple security breaches may (or may not) have exposed millions of user IDs and passwords. While many of my technology consultant-type friends are proponents of password manager apps, the idea of having a single point of (IMO catastrophic) failure terrifies me. So I resist. Which leads me to a conundrum. I usually try to expose practitioners to genres of apps and web tools they might not otherwise see. With that in mind, I’ll point out that the leading password managers are actually very good, if you can get over the single point of failure issue.

Commercial offerings

If you’re in the camp that can stomach the risk, I suggest you consider LastPass, Dashlane, or RoboForm. All generate strong passwords, store them securely (or not, depending on who you believe), synchronize them across all your devices, and serve them up to you as needed. LastPass and Dashlane have a free offering as well as a premium-level product, and although RoboForm does not have a free product, it does offer a discounted 3-year subscription. All platforms include very similar features and all support multi-level authentication.

Now, back to my conundrum. How to deal with a genre that I honestly do not believe it wise to use? I elected to simply highlight the three market leaders and then explain my “work-around” personal do-it-yourself (DIY) solution. These three all work on iOS, Android, and the web.

  • LastPass – lastpass.com, free for limited use, annual subscription $12.
  • Dashlane – dashlane.com, free for limited use, annual subscription $40.
  • RoboForm – roboform.com, annual subscription $20, 3-year subscription $50.

A DIY solution

The basic tenet of security is to always use hardened IDs and passwords. Hardened is a term many consultants use to describe an ID or password that is (usually) at least eight characters long, contains alpha, numeric, upper and lower case, and a symbol. It is not your name, your pet’s name, nor the street where you live. In fact, it is never a word at all. Hardened passwords are extremely hard to break, and the hope is that an intruder would lose interest rather than spend the inordinate time required to break your security and access your information. But you knew that, right?
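The “hardened” criteria above are easy to turn into a check you can run against your own IDs and passwords before you adopt them. The following is an added example, not code from the column; it assumes the column’s definition (at least eight characters, lower case, upper case, a digit and a symbol, and not simply a word), and the tiny `COMMON_WORDS` set is a constructed stand-in for a real wordlist.

```python
import re
import string

# Constructed stand-in for a dictionary/wordlist. In practice you would load
# a large list from disk; these entries are only here so the example runs.
COMMON_WORDS = {"password", "letmein", "welcome", "fluffy", "mainstreet"}


def missing_requirements(secret, min_len=8):
    """Return the list of 'hardened' requirements that `secret` fails.

    An empty list means the value satisfies every criterion named in the
    column: length, both letter cases, a digit, a symbol, and not a word.
    """
    problems = []
    if len(secret) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not any(c.islower() for c in secret):
        problems.append("no lower case letter")
    if not any(c.isupper() for c in secret):
        problems.append("no upper case letter")
    if not any(c.isdigit() for c in secret):
        problems.append("no digit")
    if not any(c in string.punctuation for c in secret):
        problems.append("no symbol")
    # "Never a word at all": strip digits and symbols, then see whether the
    # letters that remain are just a dictionary word dressed up.
    letters_only = re.sub(r"[^A-Za-z]", "", secret).lower()
    if letters_only in COMMON_WORDS:
        problems.append("letters spell a common word")
    return problems


def is_hardened(secret, min_len=8):
    """True when `secret` meets every criterion in the column's definition."""
    return not missing_requirements(secret, min_len)


if __name__ == "__main__":
    # Constructed sample inputs, including the column's own example ID.
    for candidate in ["wjy6%Tea", "password1!", "Password1!", "Xk9$Qz"]:
        print(candidate, "->", missing_requirements(candidate) or "hardened")
```

`Password1!` is the instructive case: it ticks every character-class box yet fails, because once the digit and symbol are stripped it is the word “password”, which is exactly what the column means by “never a word at all”.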

What I’ll bet you don’t know is how to manage those hundreds (oops, there goes that exaggeration again!) dozens of user ID / password combinations. Here’s the method that seems to work well for me.

I have a “standard” user ID and password that consists of letters (some upper case), numbers, a symbol, and two letters chosen from the web site to which I am authenticating, or the program or machine I’m accessing. By way of example, my user ID might be wjy6%xex, where the x’s are the second and fourth letters of the web site I’m visiting or program I’m using. So, if I were visiting www.etrade.com, my user ID would be wjy6%tea. Notice the “t” and “a” are picked from the web site address. If I were visiting www.aicpa.org, my user ID would be wjy6%iep.

The secret is that I actually have only one user ID to remember. In this case, it’s wjy6%xex, but it’s different at every site.

I do the same thing with my password; it’s another (not the same as the user ID described above) random, single, hardened string incorporating something from the site I’m visiting. The result is a simple system that provides great security. Often I’ll hit what looks to be a new site, and when it asks me to log in, I’ll just “try” my user ID and password. Sometimes I discover that I’ve already been there, as my “special” user ID and password take me right in.
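Here is the derivation rule from the preceding paragraphs written out as code, so you can see it reproduce the column’s own examples (wjy6%xex at www.etrade.com gives wjy6%tea, at www.aicpa.org gives wjy6%iep) and so you can see what it does not protect. This is an added example, not the author’s code. It assumes the site label is the first hostname label after dropping “www” (so the column’s two examples work; a host like accounts.example.com would yield “accounts”), that the letter “x” in the template is always a placeholder and never a literal, and that placeholder positions are 1-based, as the column counts them. `shared_positions` is an added check that counts how much of two derived credentials is identical.

```python
from urllib.parse import urlparse


PLACEHOLDER = "x"  # Assumption: 'x' in a template is always a placeholder.


def site_label(url_or_host):
    """Reduce a URL or hostname to the label letters are picked from.

    Assumption: drop a leading 'www' and keep the first remaining label, so
    'www.etrade.com' -> 'etrade' and 'https://www.aicpa.org/login' -> 'aicpa'.
    """
    raw = url_or_host if "://" in url_or_host else "//" + url_or_host
    host = (urlparse(raw).hostname or "").lower()
    labels = [p for p in host.split(".") if p and p != "www"]
    if not labels:
        raise ValueError(f"no usable host label in {url_or_host!r}")
    return labels[0]


def derive(template, site, positions=(2, 4)):
    """Fill each placeholder in `template` with the site letters at the
    1-based `positions` (the column uses the second and fourth letters)."""
    label = site_label(site)
    if template.count(PLACEHOLDER) != len(positions):
        raise ValueError("template placeholders must match the positions given")
    if len(label) < max(positions):
        raise ValueError(f"{label!r} is too short for positions {positions}")
    picked = iter(label[p - 1] for p in positions)
    return "".join(next(picked) if c == PLACEHOLDER else c for c in template)


def shared_positions(a, b):
    """Count characters two derived credentials share position by position.

    Everything outside the placeholders is the same at every site, so this
    is the part of the credential that a breach at any one site reveals.
    """
    return sum(1 for x, y in zip(a, b) if x == y)


if __name__ == "__main__":
    template = "wjy6%xex"  # the column's illustrative (not real) user ID
    etrade = derive(template, "www.etrade.com")
    aicpa = derive(template, "www.aicpa.org")
    print(etrade, aicpa)  # wjy6%tea wjy6%iep
    print(f"{shared_positions(etrade, aicpa)} of {len(template)} characters are fixed across both sites")
```

The two derived IDs differ in only the two placeholder slots; the other six characters are identical everywhere the template is used. That fixed portion is the trade-off to weigh against the single-point-of-failure concern raised at the top of the column: a password manager concentrates risk in one vault, while a template concentrates it in one pattern. The function also refuses hosts that are too short for the chosen positions (a two-letter label cannot supply a fourth letter), which is the practical snag you hit with very short domain names.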

Are there problems? Sure. There are some sites that like to “assign” user IDs and don’t give you the right to change them.

A few have policies that preclude the use of special characters, such as !, @, #, $, %, ^, &, *, ( or ). One I use (a bank) actually had the gall to tell me their disallowance of special characters was a “security feature designed to protect you.” Amazing! Some sites use your Social Security number as an ID (and they think that’s secure?). And there are some sites that limit your password to only five or six characters. My answer to them more and more is, “Goodbye.”

Thankfully, many sites are now enabling two-factor authentication. There’s a very simple rule for those sites: always enable two-factor authentication. Always.

I hope you’ll join me in demanding high-level security policies from the vendors with whom you work. And remember that if you’re not already providing individualized web services to your clients, you will be someday. And soon. And they will be asking you for the right to use “hardened passwords.” Smart practitioners think ahead.

I hope you find my DIY password technique to be helpful. It works for me, and I’ve heard from hundreds of practitioners that it works for them, too.

PS: The user ID detailed above (wjy6%xex) is not the one I use!!!