In recent blog posts, I’ve written about methods you can use to keep your information secure. I also wrote about the importance of keeping your passwords safe. However, I haven’t given any practical tools one can use to protect their data. Several utilities exist for such a purpose, but I’m only going to cover 3 tools you can use.
So without further ado, and in no particular order, here’s that list.
My favorite password management tool is KeePass. KeePass is an open source program that you can freely download and that runs locally on your computer. It keeps your passwords safe by requiring a “master password” that decrypts the file and allows you to view, add and edit your other passwords. (Note, however, that KeePass is useless if you don’t use a secure password for your master password.) Once you’ve opened the KeePass file with the correct master password, you can organize your passwords (each as an “entry”) with a title (to help you remember which website the account belongs to) and a username. You can copy passwords with ease, so that when you go to log in somewhere you don’t have to type the password manually. Note, though, that once a password has been pasted it no longer remains in memory; if you have to type the password more than once, you have to copy it again.
You can also create different groups and subgroups of entries to better organize them. In my primary KeePass file, I have a group for all accounts related to the operation of Barred Owl Web, another group for my clients’ & volunteer data, and yet another group for all of my personal accounts. KeePass allows you to add new entries with either an auto-generated (secure) password or a password you type manually. I normally stick with the auto-generated password. Keep in mind, however, that since KeePass lives locally on a computer, the data isn’t stored anywhere else. As a result, you should regularly back up your data. I keep a local computer in my house (whose hard disk is fully encrypted) that I use to store backups. You could just as easily back up your encrypted KeePass file onto a USB stick or an external hard drive. I personally don’t put any of my password backups anywhere on the internet (such as in an email or on “the cloud” somewhere).
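To make concrete the two pieces of a local password manager that the paragraphs above rely on (a generator for strong entry passwords, and a master password that is stretched into a key rather than stored), here is a small added example. It is illustration code written for this post, not KeePass’s own code, and it does not reproduce the KeePass file format or its key-derivation settings: the character set, the PBKDF2 iteration count and the `make_verifier`/`unlock` helper names are all my own choices for the example. The master password is the only secret; what gets written to disk is a random salt, the iteration count and a hash of the derived key, which is also why a weak master password makes everything else pointless.

```python
import hashlib
import hmac
import math
import os
import secrets
import string

# Character set the generated entry passwords are drawn from (a constructed
# choice for this example: 52 letters + 10 digits + 32 punctuation = 94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Return a random entry password drawn from the OS CSPRNG (secrets module)."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def derive_key(master_password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Stretch the master password into a 32-byte key with PBKDF2-HMAC-SHA256.

    The iteration count is what makes guessing slow; the salt stops an attacker
    from reusing work across different vault files.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def make_verifier(master_password: str, iterations: int = 200_000) -> dict:
    """Build the record a vault would store on disk.

    Only the salt, the iteration count and a hash of the derived key are kept;
    neither the master password nor the key itself is ever written out.
    """
    salt = os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    return {"salt": salt, "iterations": iterations, "check": hashlib.sha256(key).digest()}


def unlock(master_password: str, verifier: dict) -> bool:
    """Re-derive the key from the typed master password and compare in constant time."""
    key = derive_key(master_password, verifier["salt"], verifier["iterations"])
    return hmac.compare_digest(hashlib.sha256(key).digest(), verifier["check"])


if __name__ == "__main__":
    # Constructed demo: generate an entry password, lock with a master password,
    # then show that only the correct master password unlocks the vault.
    pw = generate_password(20)
    print(f"generated entry password: {pw} ({entropy_bits(len(pw)):.0f} bits)")
    record = make_verifier("correct horse battery staple")
    print("unlock with right master password:", unlock("correct horse battery staple", record))
    print("unlock with wrong master password: ", unlock("password123", record))
```

The entropy figure is the useful check here: a 20-character password from a 94-symbol alphabet is about 131 bits, far beyond anything a human would choose, which is why an auto-generated entry password is the right default. The master password, by contrast, is the one thing you do have to memorize, and no amount of key stretching rescues it if it is short.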
[Note added in 2017: A lot can change over the years, as can security. LastPass is currently my number 1 recommended Password Manager, and Barred Owl Web uses it internally. The paragraph below reflects my thoughts from when this blog post was originally published in 2013.]
Although I personally never, under any circumstances, allow my passwords to be stored online (using a cloud service or email or something else, as I said earlier), LastPass is widely used and a popular option for managing your passwords. Like KeePass, LastPass is a free program that you download. The data that you enter into it, however, is uploaded in encrypted form to the LastPass servers, so that you can then sync multiple computers, phones, and other devices to the same LastPass data. All encryption and decryption happens offline, though, and the decryption keys are never stored anywhere except your local devices. LastPass is a trusted option, although I personally do not use it.
[Note: At the time this blog post was published, TrueCrypt was a respected encryption utility. The project has since closed, and this software is no longer considered secure by its original maintainers.]
TrueCrypt is not necessarily a password management utility. Instead, it is a disk (or file) encryption program. It is well received in the security community, and is my favorite disk encryption program. Though it isn’t necessarily built to handle passwords, you can use it for that! Before I started using KeePass, my typical method of managing passwords was to keep them in a spreadsheet which I then stored in an encrypted TrueCrypt container. Note that the encryption built into Microsoft Excel is actually weak and useless. It isn’t safe, and you shouldn’t rely on that feature to keep your Excel data safe. This is obviously not an elegant solution, and is a bit clunky. But it worked and was safe.
I hope that this information is helpful and helps you as an organization or individual better protect your user accounts. Remember: Security is a lifestyle. It is not a one-off solution that you do once and then forget about. Be safe and be secure.