Repeat Wednesday – Password Manager Tools

You may have noticed a trend in my recent blogs. I seem to be spending a lot of time talking about passwords, password complexity, and frequently used passwords. This is because this is one area where you really can help to control how quickly someone else can gain access to your information.

Passwords are used on so many critical systems – we use them for online banking, e-statements, and access to our phones and our email, just to name a few. Many people use the same password for everything (a bad idea in my opinion), and many don’t protect the ones that really need it (like email – once that has been compromised, you are open to having every other ID / password reset!).

A friend of mine recently asked me about software to store and protect passwords.  While I don’t use one, I do think that they are good for most people.  I asked several security professional friends of mine for their opinions, and got mixed reviews.  Most feel that there is a place for such tools.  There is also a strong current of belief that the tool is only good if you protect the access to the tool.

So what does such a tool do? The tool will allow you to store login information – user names, passwords, URLs, etc. – in a locked file. When you launch the tool and type in the master password, you can click a button and the tool will log in for you. No more having to remember multiple cryptic passwords!

There are a myriad of products on the market today.  I decided to compile a list of features I would want to see in such a product, without pointing out any specifics since I don’t have personal experience.

  • Such a tool should have strong encryption.  Terms you want to look for include “AES” or “128-bit” (or 256-bit).
  • The tool should support long passphrases for enabling the access to the tool.
  • The tool should not show up in your running applications list.
  • The tool should have built-in backup and recovery functionality so that if the original file is lost or corrupted, you can still access all of your accounts.
  • The tool should permanently lock after a specified number of invalid attempts.
  • The tool should auto-lock when the PC goes into sleep mode, or is inactive for a certain amount of time.
  • The tool should support, but not necessarily require, two-factor authentication.  This means that you store part of the code on a thumb drive or CD, and it must be inserted for the tool to run.
  • The tool should have a strong password generator to create those cryptic, difficult to remember passwords.  Since the tool stores and enters them, you don’t have to remember them.
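To make several of the items on that list concrete, here is an added example (my own illustration for this post, not code from any password manager product) of the pieces behind them: stretching a long master passphrase into a key with PBKDF2, a permanent lock after too many invalid attempts, an idle auto-lock, and a password generator driven by the operating system's random number source, with the resulting entropy worked out. The iteration count, key size, attempt limit, idle timeout and minimum passphrase length are all assumptions chosen for the example; encrypting the stored credentials with the derived key (the "AES" / "256-bit" part of the list) is the step a real tool performs next and is left out here.

```python
import hashlib
import hmac
import math
import secrets
import string

# Parameters are this example's own choices, not taken from the post.
KDF_ITERATIONS = 600_000        # PBKDF2 work factor; higher makes each guess slower
KEY_BYTES = 32                  # 256-bit key, matching the "256-bit" term in the list
MAX_INVALID_ATTEMPTS = 5        # permanent lock threshold
IDLE_TIMEOUT_SECONDS = 300      # auto-lock after five minutes without activity
MIN_PASSPHRASE_LENGTH = 16      # the tool should insist on a long passphrase

GENERATOR_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def derive_key(passphrase: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Stretch a master passphrase into a fixed-size key with PBKDF2-HMAC-SHA256.

    The salt makes identical passphrases yield different keys, and the iteration
    count makes every guess cost an attacker the same work it costs the tool.
    """
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, KEY_BYTES)


def generate_password(length: int = 20, alphabet: str = GENERATOR_ALPHABET) -> str:
    """Build a random password using the OS CSPRNG (the secrets module), never random.random()."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


class Vault:
    """Lock-state machine: passphrase check, invalid-attempt counter, idle auto-lock.

    Only a random salt and a verifier derived from the key are kept; the passphrase
    itself is never stored.
    """

    def __init__(self, passphrase: str, created_at: float, iterations: int = KDF_ITERATIONS):
        if len(passphrase) < MIN_PASSPHRASE_LENGTH:
            raise ValueError(f"passphrase must be at least {MIN_PASSPHRASE_LENGTH} characters")
        self._salt = secrets.token_bytes(16)
        self._iterations = iterations
        # Verifier: a hash of the derived key, so a wrong passphrase can be rejected
        # without storing anything that reveals the key.
        self._verifier = hashlib.sha256(derive_key(passphrase, self._salt, iterations)).digest()
        self._invalid_attempts = 0
        self.permanently_locked = False
        self._unlocked = False
        self._last_activity = created_at

    def unlock(self, passphrase: str, now: float) -> bool:
        """Check the passphrase; after MAX_INVALID_ATTEMPTS failures the vault locks for good."""
        if self.permanently_locked:
            return False
        candidate = hashlib.sha256(derive_key(passphrase, self._salt, self._iterations)).digest()
        if hmac.compare_digest(candidate, self._verifier):  # constant-time comparison
            self._invalid_attempts = 0
            self._unlocked = True
            self._last_activity = now
            return True
        self._invalid_attempts += 1
        if self._invalid_attempts >= MAX_INVALID_ATTEMPTS:
            self.permanently_locked = True
        return False

    def is_unlocked(self, now: float) -> bool:
        """Auto-lock: report locked once the idle timeout has elapsed since the last activity."""
        if self._unlocked and now - self._last_activity >= IDLE_TIMEOUT_SECONDS:
            self._unlocked = False
        return self._unlocked

    def touch(self, now: float) -> None:
        """Record user activity; a tool would call this on every credential lookup."""
        if self.is_unlocked(now):
            self._last_activity = now

    def lock(self) -> None:
        """Explicit lock, e.g. when the operating system signals that it is going to sleep."""
        self._unlocked = False


if __name__ == "__main__":
    vault = Vault("correct horse battery staple ok", created_at=0.0)
    print("wrong passphrase accepted:", vault.unlock("not the right passphrase", now=1.0))
    print("right passphrase accepted:", vault.unlock("correct horse battery staple ok", now=2.0))
    print("still unlocked after idle timeout:", vault.is_unlocked(now=2.0 + IDLE_TIMEOUT_SECONDS))
    pw = generate_password(20)
    print(f"generated {pw!r}, about {entropy_bits(len(pw), len(GENERATOR_ALPHABET)):.0f} bits of entropy")
```

Two design points worth noticing: the verifier is compared with `hmac.compare_digest` so that timing does not leak how many bytes matched, and the time is passed in explicitly rather than read from the clock inside the class, which is what makes the auto-lock behaviour testable.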