Ask Unclutterer: Secure password managers

Reader Nutro submitted the following to Ask Unclutterer:

Since my father passed away recently, I’ve had to take care of almost all kinds of family accounts (bills, insurance, car titles, house deeds, etc.). Not only is this new to me (I’m really young), my mother never learned how to take care of these things since her English is bad. It helps to do most of it online, but I have to keep track of different usernames, account numbers, and passwords. I can remember my own account information easily but what is the best way to keep track of the others? I thought of writing it down, but was worried about someone finding and taking it since I have to access it quite often. Currently, I have some of the information on a private blog, but I am worried about what will happen if someone hacked either my computer or the blog. Is there a better, safer way to organize private information that needs to be accessed regularly?

My condolences to you on losing your father. You’re also very kind to help out your mother during this time.

As far as username and password storage is concerned, I strongly recommend the program 1Password. It interfaces with all the major browsers on both the Mac and Windows platforms, and it stores unlimited passwords. It is also great at generating passwords that are very difficult to hack. If you have an iPhone or an Android phone, it syncs with these smartphones, too. It is a one-time charge of $40, and it is completely worth the price in terms of providing you and your mom safety online. There is a 30-day free trial if you want to give it a spin before purchasing it.

There are other programs that are similar to 1Password, although I do not have experience with them. SplashID, RoboForm, and KeePass are usually the best reviewed of the alternatives.

Secure password manager programs are a safe and excellent way to store usernames and passwords, certainly better than writing them down and much more convenient than trying to keep everything stored in your head. Even if someone hacks your computer, they’re unlikely to get into your secure password manager: because its master password is the only one you have to memorize, you can make it a very difficult one.
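To put a number on "very difficult" for that one memorized master password, here is an added example (not part of the original column or of any product named in it) that builds a random passphrase and works out how long each style of password must be to reach the same strength. The word list is a constructed sample, and the 64-bit target and 7,776-word list size are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Constructed sample list, only to keep the example self-contained. A real
# generator would load a large published list (7,776 words is a common size).
SAMPLE_WORDS = [
    "anchor", "biscuit", "canyon", "dolphin", "ember", "fiddle", "garnet",
    "harbor", "icicle", "jigsaw", "kettle", "lantern", "meadow", "nutmeg",
    "orchid", "pebble",
]

# Letters, digits and punctuation: 94 printable symbols.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(pool_size, picks):
    """Bits of entropy when each pick is drawn uniformly at random."""
    return picks * math.log2(pool_size)


def picks_needed(pool_size, target_bits):
    """Fewest random picks from the pool that reach at least target_bits."""
    return math.ceil(target_bits / math.log2(pool_size))


def random_passphrase(words, count, sep=" "):
    """Build a passphrase with the OS CSPRNG.

    The entropy figures only hold when a machine picks the words; a phrase
    a person makes up is far easier to guess than its length suggests.
    """
    if len(set(words)) != len(words):
        raise ValueError("duplicate words would overstate the entropy")
    return sep.join(secrets.choice(words) for _ in range(count))


def random_password(length, alphabet=PRINTABLE):
    """Build a fully random character password with the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare(target_bits=64.0, wordlist_size=7776):
    """Length each style needs to reach the same strength."""
    return {
        "words": picks_needed(wordlist_size, target_bits),
        "lowercase_chars": picks_needed(26, target_bits),
        "printable_chars": picks_needed(len(PRINTABLE), target_bits),
    }


if __name__ == "__main__":
    print(compare())
    phrase = random_passphrase(SAMPLE_WORDS, 5)
    bits = entropy_bits(len(SAMPLE_WORDS), 5)
    print(f"{phrase}  ({bits:.0f} bits with the 16-word sample list)")
    pw = random_password(10)
    print(f"{pw}  ({entropy_bits(len(PRINTABLE), 10):.1f} bits)")
```

Five random words from a 7,776-word list match ten fully random printable characters, and fourteen random lowercase letters do the same without any symbols, so added length buys as much as added character variety.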

Thank you, Nutro, for submitting your question for our Ask Unclutterer column.


36 Comments for “Ask Unclutterer: Secure password managers”

  1. posted by Laura on

    I would recommend mSecure. I use it on my Mac and iPod Touch, but they also have versions for Android and Windows. It is a very easy program to manipulate. I even recommended it to my mom who was having trouble remembering her passwords (they used to be posted on sticky notes all around her computer). If my mom can use the program, anyone can use it!

  2. posted by Sergio on

    I’d suggest PasswordSafe (http://pwsafe.org/), a free Windows utility designed by Bruce Schneier, one of the best-known security experts.

  3. posted by Mark on

    Another huge recommendation here for 1Password. Been using it for years. Can’t imagine not having it. Stores more than just logins and passwords. It will also store credit card information, software serial numbers, secure notes, journal entries, anything you want to keep secure behind strong encryption and have available on all your devices.

    And when you pick your password for 1Password, make it a nice long phrase rather than just some random word with a few substitutions for numbers and letters. Seriously, the longer the better as long as you can remember it. When brute-forcing the password, it’s length, not funky characters, that makes the difference.

  4. posted by Amy on

    I use KeePass and can’t recommend it enough. I use it on my personal laptop, work computer, and Android phone (using Dropbox to keep the password file in sync) and love that I can use the generator to get insane passwords (A random, cat-walked-on-my-keyboard 50 char password for gmail? Done!).

    Another one many people love is LastPass. To be honest I’ve never tried it, but it’s another option to look at.

    And while we’re on the subject of encryption, if you have files you want to keep secure, you can create a virtual drive using TrueCrypt – or just encrypt your entire hard drive. I then keep its password on KeePass as well.

  5. posted by Shadlyn Wolfe on

    I would definitely stop using a private blog; they’re not very secure and sometimes admin errors can make private things public (both on your end and on the blog site’s).

    I use the “security through obscurity” method – all my passwords are written down in a small 33 cent pocket spiral notepad, which sits in an out of the way corner of a room in my house, with nothing to distinguish it.

    If a thief were to come into my house and bypass the TV, the laptop, and the various electronic toys to steal a small black notebook…well, that’s what chargebacks were invented for!

    Many password managers are very good, but none will ever be foolproof. For me, at least, the security of knowing someone has to actually come TO MY HOUSE outweighs inconvenience of flipping pages for the passwords I can’t remember.

  6. posted by Eric Doherty on

    I use and highly recommend LastPass. It works with all browsers across all operating systems. They offer free plans but I’ve been using a paid account for the past 2 years.

  7. posted by Kara on

    My husband and I also use LastPass. We recently set my mom up with it after her netbook was stolen. She had her browser remember all of her passwords, including her bank accounts, so it was a lot of work and anxiety to change all of them.

  8. posted by Jim on

    Another vote here for LastPass. It integrates nicely and just works (everywhere).

    It fills out forms, generates passwords, etc. I’ve been using it for about 6 months (just the free account) but it seems like the dollar a month for mobile support is worth it.

    Most importantly, it is very open about the technology used, and has been reviewed by security experts. That’s important to me, as is having my passwords vaulted in the cloud.

    Here’s a blog review comparing the features of both:

    http://blog.ryankearney.com/20.....1password/

  9. posted by Mark S on

    I use LastPass. This allows you to have your passwords on any computer (or device). Also you can share sites with other select users. The program has a password generator so it can generate strong passwords.

  10. posted by A guy on

    I use lastpass, especially since I can use it on multiple computers. I started using it to generate random passwords after one of my passwords was released in the Gawker media hack.

    With their $1/mo “pro” account, you can add two-factor authentication, where you have to enter a master password AND plug in a USB (either your own with Sesame installed or a Yubikey).

    Some more peace-of-mind that someone can’t hack into your vault with all of your important passwords.

  11. posted by Jenna @ NeatFreakWannabe on

    I need to re-vamp my own password protection, so it’s great hearing everyone’s suggestions and reviews.

  12. posted by Tony on

    Another vote for 1Password. I’ve tried LastPass and KeePass, and find the UI much richer and better organized/easier to use with 1Password.

    But here’s the BEST advice I can give: stop using passwords. Use pass-phrases instead. They are exponentially more secure, yet much easier to remember than some arcane password. The research bears this out, but a comic is much easier to digest than a long-winded report from a security researcher, so here you go:

    http://xkcd.com/936/

  13. posted by clothespin on

    I second the thought of keeping a notebook of paper at the house with the passwords on it. NOTHING is foolproof on the internet.

    I use plastic page protectors with loose leaf notebook paper in them and then write the info for each account on one of the super sticky post it notes – and then stick that to the notebook paper. Keeps the little papers from getting bent or lost but at the same time, I can replace the post it notes as needed when I change passwords (which you should do every 6 months anyways).

    Unless you access your accounts away from home a lot (and then, be sure it is on a secure network – not the free stuff at Starbucks) I just don’t see a need for an on line password organizer/protector.

  14. posted by Denisia on

    I haven’t tried any of the other password services yet, but so far I’m very happy with LastPass, which works across all the devices I own.

  15. posted by Suzy on

    I use KeePass & the KeeFox add-on for Firefox. It works with almost all sites automatically. I also know people who swear by LastPass.

    and like Tony’s comment above, I agree with http://xkcd.com/936/

    And I think I’m going to backup with the notebook/paper/postit ideas, especially clothespin’s variation. But I’m going to put a date on each post-it to prompt me to change it regularly.

  16. posted by Superman on

    I have used MobileSitter for two years. It’s resistant to brute-force and dictionary attacks. Unfortunately, there is currently no Android version.

  17. posted by MT on

    lifehacker.com/5483119/the-easy-any+browser-any+os-password-solution

  18. posted by Jeffrey Goldberg on

    Hi, I work for AgileBits, the makers of 1Password.

    It’s really great seeing all of the positive things said here, and more generally about the importance of using a good password management system. While I certainly want people to use 1Password, I’d still be happier with people using another good password management system than nothing at all. Weak passwords and password reuse are a threat to everyone, and so the more people who are using good password management the better. But of course, I think that 1Password is the best choice among them. (I’m not just saying that; I was a big supporter of 1Password prior to working for them.)

    I think it is good to have a hard copy backup of your password data as some have suggested, particularly if you use a system that doesn’t store your data locally (and if you aren’t all that good about making backups), but I do disagree with the idea of using paper as your password management system. The problem with that approach is that you are bound to end up using the same password in multiple places. Password management systems should give you strong, *unique* passwords for every different site. Keeping track of hundreds of passwords on paper just isn’t going to be practical.

    I also agree that it is important to consider how open people are about the technology that underlies the products. I believe that we are as open about this as a non-open source project can be. You just need to look in our knowledge base, blog and forums.

    Cheers,

    Jeffrey Goldberg
    AgileBits Defender Against the Dark Arts

  19. posted by STL Mom on

    If you do write down your passwords, you can use a sort of code. For instance, use your first boyfriend’s name and then the street you lived on in your first apartment. Write down the name of the website, then “first boyfriend first apartment.” That’s enough information for YOU to remember the password, but not many other people would know that information.
    YMMV, especially if it is your own family that you want to keep out of your accounts.

  20. posted by Javamonster on

    Passwords are a bane. My husband tried to get me to use one of these password programs that remembers your passwords–and then he forgot what the password was to the program itself! It was only after some guessing that he finally broke into it.

    I keep that information in a little notebook in my office. My desk is so cluttered with papers it would be a wonder if anyone figured out where it is. My own memory is so weak as it is, that any other solution for me would be a huge fail. And why would I keep my passwords in yet another program I’d forget about, AND to me, would be yet more computer clutter and likely to disappear after yet another computer death?

  21. posted by RebeccaL on

    I’m not comfortable storing my passwords online. So they’re in an alphabetized index card box. The ones I use most often are on a sheet of paper, tucked in a binder by the computer. Both items are so innocuous that they’d never be taken.

  22. posted by Jasmine on

    I’ve been using KeePass, with the password database saved in my Dropbox. I know this isn’t the safest thing to do, but one would have to know my master password *and* have the keyfile (which I store elsewhere; good luck finding it!) in order to access my database.

    I also have the option of just storing the password file on my computer itself, so *nothing* from the program is anywhere online. It’s a nice way of being fully responsible for account information, without relying on either online sources or physical copies. I just keep the password database in my Dropbox because I often switch between my main laptop and my netbook, so it’s convenient to keep them in sync (not to mention, I use KeePassDroid on my Android phone).

  23. posted by Alannah on

    We actually choose the handwritten approach: the passwords we come up with are lengthy random alphanumeric stuff, but we thought the best failsafe was to write them down and keep a copy in each of our wallets.

    The thing that makes this “secure” is we both know the three digits missing from the front of all the passwords. So, if anybody got their hands on the sheet itself, it would still be useless.

    This may suit you if there’s already too much tech savvy needed in your lives.

  24. posted by jodi on

    I have my passwords in code for the very reason mentioned here. I write them down, but you need to be close to me to understand the codes.

    I had to email a password one time (something divorce-related regarding one of my kids) and this was essentially how I did it (example code is made up):

    Person’s birth year, then last name initial lowercase underscore middle initial uppercase, last four of phone number then 123.

    Most of my passwords follow some type of pattern, and I have them written as such. Some of them are things only people close to me would know (i.e. what my husband eats when my daughter drinks coffee)…inside family joke makes it hard to guess to the person who doesn’t know, and I never use only one thing per password.

    I once TRIED explaining my system to a very dear and trusted friend, and she couldn’t hack my passwords, even with the explanation…but my husband and oldest daughter both figured them all out after explaining just the first few.

    Works for us!

  25. posted by Egon on

    I also swear by LastPass. You never know about security, though, something you manage yourself (e.g. KeePass) might be more secure depending on how neurotic you are with this information, but also more of a hassle to keep synchronized and use. LastPass has this marvelous feature in Android that it provides a keyboard that detects which password you need in most cases. It also supports Two Factor Authorization (Sesame, Yubikey or just a static password grid), which is really nice if you want some extra security. It has a great form filler with multiple profiles, strong password generator (not the xkcd kind, but random passwords). As a human you might not have any possibility of remembering a 40 character password such as KmxUx2&6W#fQWxX!rXscZXnD#ags%z#V#WUvtgDT but a lot of services will not allow passwords above a given length. So pass phrases are nice, but you cannot use them everywhere (and what’s the point when you can have an application that remembers them for you AND fills them in for you). Such features reduce the risk of a key logger capturing your passwords.

    With respect to some schemes out here. I would strongly recommend against paper based systems. With paper you only have access to your passwords at a single location, while that may be part of your safety, it is a hassle (i.e. to keep passwords synchronized across different notebooks of passwords) and it leaves you with a single point of failure. If your house burns down, you will be left with no passwords at all. Digital alternatives at least allow for backups, and can be stored in encrypted form (e.g. by using TrueCrypt).

    Cloud systems such as LastPass have the advantage that you get access to them everywhere you have internet access, but this might be a liability as you depend on their security measures to keep your information safe. Personally I trust LastPass, not that they haven’t had any security issues, but at least their communications and suggested course of action were quick, honest and sound.

    1Password looks fine as well, but since there is no Linux support, this is no option for me. LastPass offers native clients for Windows, Mac, Linux (and BSD, Solaris, …) as well as plugins for all major browsers and smartphone platforms. I have to say, I really like how LastPass integrates really well with Android (it provides a keyboard that allows you to select your password and in a lot of cases even detects which password you actually need). At $12/year, I think it’s a bargain.

  26. posted by Denver Cyber on

    Lastpass wins hands down (cross platform, free and inexpensive paid options required for use with Yubikey).
    And if you want to go a step further use Lastpass with Yubikey for two factor authentication.
    That way if somehow your lastpass login and password are compromised, access to your information without possession of your yubikey (usb token).
    On top of that I still keep a notebook for a few things.
    Lastpass even has a “secure notes” feature, which is where I store things like security questions and answers and other misc. information.

    References
    1) http://lastpass.com/support_screencasts.php – nice set of howto videos
    2) https://shouldichangemypassword.com/ – see if your password has been compromised
    3) http://en.wikipedia.org/wiki/Passphrase Using passphrases instead of passwords (at least for your Lastpass master password)

  27. posted by katrina on

    I agree with the other posters who recommend writing them down, especially as your Mother will also be using them as they’re for her accounts.

    I suggest you use passwords that you can remember with a question, sentence or code. Something that makes sense to you and your mother.

    For example you could write down “on Jenny’s birthday Danny’s cat hid under Amy’s car”.
    On Jenny’s birthday (28) Danny’s cat (cat’s name) hid under (_) Amy’s (green) car.
    So the password would be 28Fluffy_green

  28. posted by Joe T. on

    Things I look for in a digital password manager:

    - exportability in a usable format. There’s gonna be a day in the future when you move to another platform. I’ve got hundreds of passwords stuck in SplashID (its desktop is corrupting them, and it only exports via the desktop). Printing would also be nice, so you can keep your password list with your will.

    - on-the-go data entry. You’re going to be at a PC less and less, and want to enter new information on the fly on your phone or tablet or whatever small device.

    - flexible fields, so it takes all sorts of information.

  29. posted by Jackie Pettus on

    There are quite a few password managers online. I like LastPass. For the rest of your mom’s household information you might want to use household record keeping software like Matters of Fact (Things the family should know) at my website, Habitudes.info. It will help you and your mom organize her vital information. It’s password protected, encrypted and stored online on ultra-secure servers, not on your computer. You and your mom can share access so you can help her enter the info and access it.

  30. posted by Melanie on

    I am with those who write it in a book. I keep this book with me at all times; it is as secure as my credit cards and other information that I carry around.

  31. posted by Mackenzie on

    I’m another one who does the KeePassX + Dropbox trick. I especially like that the Linux version of KeePassX has an “autotype” feature, where it’ll type in the username and password and hit submit, when all I do is hit ctrl+v

  32. posted by Amanda on

    I second password safe. Simple to use and completely free. I keep extra copies on my flash drive, my dropbox, and as an attachment to my main google email so no matter where I’m at, I can still get to it. I love that you can keep categories of passwords and there is no limit to the usernames and passwords for each site. I prefer not to integrate my password safe with browsers since I’m so often on computers that aren’t my own. :)

  33. posted by carole on

    I have used Roboform for years, and can’t imagine going without it. Also makes it super easy for me to fill forms when I do my online shopping with my address and credit card information.

  34. posted by Nutro on

    Ah, I just found out my question was answered lol. Life has been hectic so I haven’t been keeping up with the updates here. Thank you Unclutterer and everyone here for the responses and tips =). I will try both online and paper methods and see how it goes.

  35. posted by Deborah on

    Very nice, I suggest Admin can set up a forum, so that we can talk and communicate.
    Nancy (added by Mobile using Mippin)

  36. posted by Jenny on

    AWESOME tip! I just set this up- thank you!!
