Password woes? These may help

An estimated half a million websites that were supposedly secure turned out to be anything but when the Heartbleed bug was disclosed in April.

This vulnerability affected the popular OpenSSL cryptographic software library used to encrypt Web traffic. A flaw in its implementation of the TLS heartbeat extension let an attacker read chunks of a vulnerable server's memory, which could contain the site's private keys, session cookies and users' passwords. That is why the advice was to change passwords, but only after the site had been patched: a new password entered on an unpatched server could leak just like the old one.

More shocking was the revelation that the bug had been in OpenSSL since version 1.0.1 was released in March 2012, about two years before it was found.

Despite the widespread attention - a recent Pew Research Center survey found that 64 per cent of Internet users in the United States had heard about Heartbleed - only 39 per cent of online users changed passwords or took other steps to secure their accounts after learning about it.

Users may be understandably blasé about such security breaches, as websites and online vendors seem to be hacked with alarming frequency.

Or they may find it too much of a hassle to change their passwords when they have numerous online accounts.

Changing a password is not just a matter of typing a new one. The replacement must be a strong one that cannot be easily guessed or cracked by brute force, and strong passwords can be fiendishly hard to remember.

This is where password managers come in. These apps save your log-in IDs and passwords, so you need to remember only a single master password. Not having to remember scores of passwords means you can stop recycling a handful, and, instead, create unique and strong passwords for all your accounts.

Password managers are not new - every modern browser has a basic version. Some can even sync your passwords in the cloud, so you can access the saved passwords when using the browser on another device.

The downside is that anyone who can sit down at your unlocked computer, or log in to your user account, can open the browser's settings and read the stored passwords.

At the time of writing, only Firefox offers the option of a master password that encrypts the stored passwords, so they cannot be read without it.

Dedicated password managers, however, offer much more. They can generate strong random passwords for you and encrypt your saved passwords with a key derived from your master password, so the vault is unreadable without it. They can sync your passwords across computers and mobile devices.

They can even fill in forms automatically for you.

Some password managers can be run from a USB flash drive, which lets you carry your vault to other computers. Be careful on public computers, though: a keylogger on the machine will capture your master password as you type it, however well the vault itself is encrypted. Most dedicated managers also support multi-factor authentication, so that the master password alone is not enough to unlock the vault if it is leaked.

Here are five password managers you should check out.

LastPass

Free for use on computers; for mobile devices, a yearly subscription of US$12 (S$15) is required.

For Android, BlackBerry, iOS, Linux, Mac, Windows, Windows Phone

LastPass is one of the most popular password managers around, and it is easy to see why. Even the free version has plenty of features, such as the ability to fill forms and create notes within the app to store bank account and passport numbers.

But you will have to upgrade if you wish to use LastPass with mobile devices, or run it off a USB drive.

Multi-factor authentication is another reason to upgrade. LastPass offers a free paper-based solution, or grid multi-factor authentication.

You print out a square grid of random letters and numbers, and carry it with you. When you access LastPass, the app will ask, in addition to the master password, for certain values found on the printed grid.

A less common feature is its ability to disable log-ins from a list of countries. So if you will not be doing any travelling in the near future, you can allow log-ins only from Singapore.

RoboForm

Free version offers limited functionality; US$9.95 for first year and US$19.95 subsequently

For Android, iOS, Linux, Mac, Windows

The free version offers up to 10 saved log-in IDs, which is great if you have only a few online accounts. There are no ads. 

This works on computers and mobile devices. Saved data is backed up to the cloud, for syncing with other devices.

It comes with a built-in password generator. As its name suggests, RoboForm remembers the details the first time you fill in an online form, and will automatically do it for you.

There is no export feature in RoboForm. So if you are sampling various password managers, try RoboForm last as it can take some work to transfer saved data from it to a rival password manager.

Dashlane

Free version has limited functionality; US$29.99 per year for premium version

For Android, iOS, Mac, Windows

The free version will not let you save your data to the cloud and sync across devices.

But its key features - password management, auto-fill forms and a digital wallet - work on all its supported platforms.

If you have only one device, you get full functionality without upgrading.

Two-factor authentication is available, but limited to the Google Authenticator app on the phone.

The app will tell you which of your saved passwords are weak, via a user-friendly dashboard interface. It will also send you security alerts when your online accounts may be compromised, so that you can change your passwords immediately.

Upgrading to the full version is relatively expensive. But its slick and polished interface may be worth the premium.

KeePass

Free

For Windows; unofficial ports for Android, iOS, Linux, Mac and Windows Phone

This open-source password manager is spartan compared with the other apps featured here. Going by its old-school user interface, it is obviously not designed for mainstream users.

The learning curve can be quite steep, so expect to tinker with the settings to get it set up properly.

But it is powerful and highly customisable. Its password generator, for instance, has many more options than that of the typical password manager.

KeePass has a form of two-factor protection built in: the database can be locked with a key file, or with your Windows user account, in addition to the master password, so an attacker who learns the password still cannot open the vault without the file. A portable version lets you run it off an external storage device without installing the app.

You can import saved passwords and data from other apps and password managers.

Written originally for Windows, KeePass has been ported to multiple platforms. Its greatest strength lies in the numerous optional plug-ins that add extra functionality to the app. 

1Password

US$49.99 for single-user licence (no subscription)

For Android, iOS, Mac, Windows

Unlike most of its competitors, AgileBits' 1Password does not use a yearly subscription model.

Instead, you pay US$49.99 for a single-user licence, which lets you install the app on as many machines as you like, but for only one user.

You are also entitled to software updates until the next major release.

The app works on both Windows and Mac, but its interface is clearly influenced by Cupertino.

It has the typical features, such as integration with popular browsers and secure text notes to store sensitive information like passport numbers.

But you have to install a file-based syncing app such as Dropbox to use 1Password over multiple devices, as the password manager does not have its own cloud-based sync feature.

The company recently released a new Android version with an improved, modern user interface. This mobile version is free till August.

Five ways to secure your online accounts

Perhaps you are not comfortable with delegating passwords to an app. Here are some basic practices that will help secure your online accounts.

Remember: your password is the first line of defence. A reputable website does not store your password itself, but a salted hash of it, a one-way transformation that cannot be reversed directly. If the site is hacked and the hashes are stolen, the attackers have to guess candidate passwords and hash each one until they find a match. A weak password falls to that guessing in seconds; a long random one does not, which is why a strong password protects you even when the website has been hacked.

1. Create a strong password

You probably have an idea that strong passwords have a variety of characters, including numbers, upper and lowercase letters and symbols such as "$".

What matters is how many guesses it would take to hit the password. Length counts as much as variety: each extra character multiplies the attacker's work, while a dictionary word with "1" tacked on is among the first things a cracking tool tries. The more random the password string, the more secure it is.

A password manager's generator will produce such passwords for you. If you use an online strength checker, test a similar password rather than the one you actually intend to use, since you have no way of knowing what the site does with what you type.
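Here is an added example (not from the article) that ties the two points above together: how a site should store a password, why a strong one survives a theft of that store, and what a password manager's generator is actually doing. It uses only Python's standard library; the wordlist and the sample passwords are constructed for the example.

```python
"""Added example, not from the article: why a hashed password still has to be strong.

A site should store a salted, deliberately slow hash of each password rather than
the password itself.  If that table leaks, the attacker cannot read the passwords,
but can guess candidates offline and hash each one with the leaked salt.  A
password taken from a wordlist falls in a handful of guesses; a random one
generated by a password manager does not.  The wordlist and sample passwords
below are constructed for this example.
"""
import hashlib
import math
import os
import secrets
import string
from typing import Iterable, Optional, Tuple

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"  # 70 symbols
PBKDF2_ITERATIONS = 100_000  # slow on purpose: every guess costs the attacker this much work

# Constructed wordlist standing in for the millions of leaked passwords a real attacker uses.
WORDLIST = ["password", "123456", "qwerty", "letmein", "Password1", "iloveyou", "dragon", "monkey"]


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Uniformly random password from the OS CSPRNG, as a password manager's generator does."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing work for a uniformly random string: length * log2(alphabet size) bits.

    The formula only applies to passwords chosen at random.  A password picked
    from a wordlist of N entries is worth log2(N) bits however long it looks.
    """
    return length * math.log2(alphabet_size)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest).  A fresh salt per user defeats precomputed tables."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return secrets.compare_digest(candidate, digest)


def crack(salt: bytes, digest: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack against one leaked (salt, digest) pair."""
    for candidate in wordlist:
        if verify_password(candidate, salt, digest):
            return candidate
    return None


def demo() -> dict:
    """Hash one weak and one generated password, then attack both with the wordlist."""
    weak = "letmein"
    strong = generate_password()
    weak_salt, weak_digest = hash_password(weak)
    strong_salt, strong_digest = hash_password(strong)
    return {
        "weak_cracked": crack(weak_salt, weak_digest, WORDLIST),        # "letmein", found on the 4th guess
        "strong_cracked": crack(strong_salt, strong_digest, WORDLIST),  # None: it is in no wordlist
        "weak_bits": math.log2(len(WORDLIST)),                          # 3 bits: one of 8 words
        "strong_bits": entropy_bits(len(strong), len(ALPHABET)),        # about 98 bits
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The iteration count is what makes the difference between the two outcomes in practice: at 100,000 rounds each guess is slow for the attacker as well as for the site, so a wordlist of a few million entries is still affordable, but the roughly 2^98 candidates for the generated password are not.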

2. Do not reuse passwords

This is tempting, especially for secondary e-mail accounts that are deemed less critical. But if one account is compromised, attackers routinely try the leaked e-mail address and password on other popular sites, and it becomes a race for you to change the passwords on your other accounts before they get to them.

3. Store your passwords securely

It is difficult to remember your strong password, so you may write it down on a note or store it on your computer. This works only if you do not lose the paper or have multiple users accessing your computer. You can encrypt the note on the computer, but this would require another password.

4. Change your passwords

When websites get hacked, they may e-mail users telling them to change their passwords. Go to the website directly, by typing its address rather than clicking a link in the message, to verify that this is true, and never reply to any e-mail with passwords or log-in information, as such requests could be phishing attempts.

5. Turn on two-factor authentication

Many websites, including Google, Facebook and Dropbox, now support two-factor authentication. When it is enabled, the site will usually send an SMS with a one-time passcode to your registered mobile phone number when you try to log in, so that a stolen password alone is not enough. Authenticator apps such as Google Authenticator generate the same kind of code on the phone itself, without needing a mobile signal.

This article was first published on June 18, 2014.
Get a copy of Digital Life, The Straits Times or go to straitstimes.com for more stories.
