Worse, we use the same ones for lots of Web sites. So if one site gets compromised, or an employee there is dishonest, someone could start trying out that password on other sites where you have accounts, like Amazon or PayPal, and you've got trouble.
Browsers help out a bit by offering to remember your passwords, but that does little good if you are on a different computer or want to try a different browser.
The rescue comes from password-management programs. A couple of them have recently taken a big step forward in ease of use, by storing your login information online so that you can access it from multiple computers. Online storage does raise some questions about security, but it also makes these little-known programs worth another look.
I've used one called Roboform for more than four years. Like a browser, it stores passwords on your computer, encrypting them so that they're revealed only when you type in a master password. It fills out the login forms on a Web page automatically. It also stores your address, credit card number and other personal data, so you don't have to type them in when you shop online. Because it's independent of the browser, you can access the same passwords as you switch between Firefox and Internet Explorer.
With Roboform, I have been able to take those passwords to another computer, but it's been a bit of a hassle. If I signed up for a new Web site on one computer, I had to manually copy the Roboform file that contained the username and password to the other two computers I use regularly.
A free update to Roboform, released last week, takes care of this problem by storing the passwords not only on the computer, but also in an online locker provided by the publisher, Siber Systems Inc. Every time you create a new password, Roboform stores it, in encrypted form, in your online locker. When you log in to another computer, the password is automatically copied over from the locker.
The system is still cumbersome. You have to install an extra piece of software called GoodSync on each computer you need to synchronize. If too many passwords have changed since the last synchronization, GoodSync pops up and asks you to manually approve the changes. The choices are difficult to understand.
In providing an online storage option, Roboform is catching up to a new password management program, LastPass, that's designed from the ground up to store passwords online. Trying that, I found it slightly easier to use – at least, it didn't confront me with cryptic dialog boxes. It also has the virtue of being free, while Roboform costs $30.
Both programs work in Internet Explorer and Firefox on Windows-based computers, but if you go beyond that, LastPass has the edge in compatibility.
Roboform doesn't work on Macs at all, though Siber says it is working on a plug-in for the Safari browser on the Mac. You can access your Roboform Online locker as a Web site on a Mac with any browser, but it won't help you create new passwords or fill existing ones into Web pages. This is at best a stopgap measure for occasional Mac use.
LastPass works with Firefox on the Mac, and the company says it is working on a Safari plug-in. LastPass also has a more effective stopgap measure for other browsers, both on Windows and Macs, in the shape of “bookmarklets” that will fill in passwords even if there's no compatible plug-in.
This may sound good, but one thing worries me about LastPass. By default, it stores your passwords only online. While I'm reasonably comfortable that they're safe from theft there, what if LastPass' Web site goes down because of a hacker attack, or worse, because the company goes out of business? Then you've lost the keys to your online life.
Neither Roboform nor LastPass is a complete answer to online security, of course. You could still be duped into entering a password on a fake “phishing” site set up to look like your bank's. And if someone gets hold of your master password, that person can get all your passwords in one swoop from your online locker. In that sense, online storage of the passwords is riskier than having them on your computer.
But even if there are risks to using these programs, they're better than using the same password for all sites. It's probably also safer than writing down all your passwords on paper and carrying them around with you.
If we accept online password storage as safe and reliable, then these password managers are probably just a stepping stone to a more comprehensive, Internet-wide identity management system. The long-frustrated idea there is that one “ID card” that you store online would be legible by all Web sites, and your password tells a site that that ID card belongs to you.
Microsoft Corp. has tried to get sites on board with this model for more than a decade and has accumulated criticism for security flaws along the way. Now, however, there's some momentum behind a system called OpenID that just might make programs like LastPass and Roboform unnecessary. Most of the big Web companies, including Microsoft and Google Inc., support OpenID.
I wouldn't hold my breath, though. In the meantime, Roboform Online and LastPass both do a good job.