Sunday, February 20, 2011

Struggling to Remember Passwords, Boomers? Try a Password Manager.

Recently, I've been struggling with passwords. I don't know if my inability to remember all my passwords is due to age, or if everyone is afflicted by it. Nevertheless, every time I go to a new website, it wants me to set up a new user name and password. It is very tempting to use the same password for everything, but all the security experts say that's wrong, that this practice leaves your data vulnerable to hackers and leads to identity theft.

Yet when I try to vary things, I find myself unable to remember which variation I chose for which website. That wouldn't be so bad, but many websites lock you out after a given number of tries, which is really frustrating to me. As many of you do, I chose to keep a list. Of course keeping a list of passwords on your computer is about as dumb as using the same password for everything. For a while I thought I was outsmarting the hackers by keeping the list in a file labeled "info for eye doctor." I've learned, however, that hackers can find those kinds of files pretty easily.

My next step was to rename the file, take it off my computer, and put it in the "Dropbox", the secure "container" for documents and photos that resides somewhere in the cloud. I wrote about Dropbox recently. Still, that didn't solve my problem. Whenever I needed a password I had to open Dropbox (which has its own password) and search through my list to find the right one.

Last week, I read an article about Google that made me think twice about my password practices. In an attempt to make Gmail and Google cloud applications like Google Documents more secure, Google is offering its users the option of a 2-step verification process so they can log into their sites more securely. The concept of 2-step verification isn't new. Some banks and other very secure sites have offered this in the past. I'd never taken anyone up on their offer to use this process to protect anything though. It just seemed too difficult to me.

With 2-step verification, a unique password is generated by the site you are trying to enter and sent to your cell phone or to some other place like your email account. (You set all this up ahead of time.) You look up this password on your email or text message and enter it in the Google site to provide that extra level of security. Luckily, you only have to do this once a month, although if you are paranoid about hackers you can do it every day. Nevertheless, it seems pretty inconvenient to me. If you want to try this, log into Google, go to My Account, then Settings, and then Google Account Settings.

Afterwards, you can go to this screen:

Once you select "Using 2-step verification" you'll be taken to this screen:

The process is easy to follow after that, but I decided it was too much for me. Besides, this would only protect my Google information. I would wind up having to implement 2-step authentication for all websites that offer it, especially those that contain personal or important information, such as my banking application. That just sounded like too much work.
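For readers curious about what the site does behind the scenes in the 2-step flow described above, here is an added sketch (not part of the original post and not Google's code). The class name, the 10-minute code lifetime, the 5-attempt limit and reading "once a month" as 30 days are all assumptions made for illustration.

```python
import hmac
import secrets
import time

CODE_TTL = 10 * 60           # assumed: a texted code stays valid for 10 minutes
TRUST_TTL = 30 * 24 * 3600   # assumed: "once a month" means 30 days
MAX_TRIES = 5                # assumed: wrong guesses allowed per issued code


class TwoStepVerifier:
    """Server side of a 2-step login (hypothetical class for illustration)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}   # user -> [code_bytes, expires_at, tries_left]
        self.trusted = {}   # (user, device_id) -> trusted_until

    def issue_code(self, user):
        """Create a random 6-digit code to send by text message or e-mail."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = [code.encode(), self.clock() + CODE_TTL, MAX_TRIES]
        return code  # handed to the SMS/e-mail sender, never shown in the browser

    def verify(self, user, code, device_id):
        """Check a submitted code; on success trust this device for a month."""
        entry = self.pending.get(user)
        if entry is None:
            return False
        expected, expires_at, tries_left = entry
        if self.clock() > expires_at or tries_left <= 0:
            del self.pending[user]          # expired or guessed too often
            return False
        entry[2] -= 1
        # Constant-time comparison so timing does not leak correct digits.
        if not hmac.compare_digest(expected, code.encode()):
            return False
        del self.pending[user]              # each code works only once
        self.trusted[(user, device_id)] = self.clock() + TRUST_TTL
        return True

    def needs_second_step(self, user, device_id):
        """True when this device must enter a fresh code after the password."""
        return self.clock() >= self.trusted.get((user, device_id), 0)
```

The attempt limit and the short lifetime matter because a 6-digit code has only a million possible values; without them the code could simply be guessed.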

For the past few years, I'd been hearing about free "Password Managers" which encrypt your passwords and auto fill them in for you when you need them. It took me a long time to want to try this. I thought it would be difficult to set up this kind of program and I worried about what would happen if something happened to the password manager company. One of my tech-savvy children was using a password manager, but two of them were not. It was time to give the program a try.

For no particular reason I decided to try out LastPass, a password manager that has been given some high marks by CNET. I think I've mentioned CNET before as a trusted source of product reviews. There are plenty of other password managers out there to try, for sure. I went to the LastPass website and downloaded the program.

I don't think that software developers really know the fears that people have when trying something brand new to them, especially something that says it will keep you safer. I had all kinds of questions about the password manager that were not answered by all of my researching. I wanted to know, for example, if I would have to add each and every password manually to the manager (no!), how it would handle sites that I couldn't remember the passwords to (it offers me alternatives), what would happen to the passwords currently stored on my computer (they are encrypted), and if I could entrust the company with my passwords. (Since you are not doing anything permanent and can still enter passwords manually, you won't lose your data. And this company says only encrypted data is sent to them, so you don't have to worry about them being hacked.) Until I actually tried out the password manager, I didn't know the answers to any of these questions.

After I downloaded LastPass, I went to my download manager in the Firefox browser, found the file and clicked on it to install it. Here is the page that you use to set up the password manager:
Notice that you have to set up a sort of "super password" to get into your LastPass account. This has to be something you will remember, but it also has to be strong enough and long enough that you will trust this password to hold the key to all your other passwords. I figured out what mine would be, checked off the terms and conditions and licenses box, and held my breath as my encrypted information was sent to LastPass.

What happened next was interesting. LastPass created a list of all sites and passwords taken from my computer, and collected it in its Vault. After I logged on to their website using their master password, I could actually see what my passwords were. I had the option to have LastPass hide them, which I took advantage of. This is the way the Vault looks to me now, without the passwords visible:

The list included some old passwords that had been changed and some passwords that I had tried erroneously. All of these would be stored. In addition, the site created an Icon on the top of the sign in pages on my accounts such as my banking account, Google, and the Wall Street Journal. This is what the Icon looks like on my Google page:

As long as I remember my super password, or as LastPass calls it, my master password, I have access to my vault on the LastPass website. I also set up a security question so I could retrieve that master password, if a senior moment gets to me.

There are always some glitches along the way of adopting a new technology. Recently I went to one of my banks' websites, and found that LastPass didn't have that password in its vault. I wound up having to reset the password at the bank, but now LastPass has it, and I should be able to enter the site without a problem. For the most part, I've found using this program a great convenience and a great relief. Once again, I want to say that there are many other password managers that work similarly to LastPass, and you should feel free to try them. Just check out their reviews on a site like CNET before you do.

Also, I just want to mention that many of these password managers charge extra for managing your passwords that are on your mobile phone or iPad, and that there are other password managers out there that are designed especially for mobile devices, not PCs.

Here is a list of resources about password managers:

Top Ten Reviews
Best Password Managers: Top 4 Reviewed
5 password managers for storing, protecting and syncing your personal information


Mimi said...

I've been using Roboform for about 8 months and love it. It's not possible to remember all the passwords we need to remember. You might find this post helpful in trying to decide what to use:

Esther Surden said...

Good post, Mimi. I hope my readers do look at Roboform. I think any of the good, reliable Password Managers will work. Some people are afraid to try them though.