[Web Informant] 28 May 2009: Keeping track of your Web site passwords
David Strom
david at strom.com
Thu May 28 14:31:53 EDT 2009
I have a dirty secret to share with you all today: until recently, I
didn't have a very good strategy for keeping track of my various Web
site passwords and logins. Near my desk is a worn set of stapled
sheets of paper with various notations about which username, email
address, and password I have used to authenticate to its services.
Luckily, I work alone, but still it bothers me that if someone were to
break into my office, those special pieces of paper would probably be
the most important thing to find. I know some of you use PostIt notes
for this purpose, and keep them where no one would look, such as under
your keyboards.
There is a better way, and I will get to it in a moment, but first I
want to take you through some of the other solutions that I have
tried and rejected. Since I do most of my work on my laptop, why not
just automate the credentials inside my browser? That is good for some
of the sites that I use most frequently, but it isn't very secure
should someone get hold of my laptop.
Another idea is OpenID.net, which is an open-source collection of Web
sites that federates your identity, including Yahoo, MySpace,
Facebook, and others. OpenID sounds really good, until you start to
peek under the covers and realize that if a phisher ever got hold of
just one authentication of yours at one site, they could pretty much
gain access to the rest of your OpenID sites. This is more 'phederated
ID' and a hacker's paradise. The problem is that once you authenticate
properly on one Web site, you can use your OpenID URL to gain access
to anything else.
I have mentioned in previous missives Ping.fm and Quub.com that
attempt to consolidate all of your social networking logins in one
place, and be able to update your status messages across the board.
But it is troubling when I get emails from Quub mentioning that they
have upgraded their system and "had to clear everyone's existing
credentials that were encrypted with the old algorithm. Please
re-enter your credentials under Settings …"
RoboForm is another solution, which basically automates the
credentials and saves them in an encrypted spot on your hard drive. That
is great, but what happens if you are using a different PC?
Another way is to use some form of two-factor authentication, so
called because it uses something that you – and only you – have in
your possession, such as a special and unique SecurID token. I have
one for my PayPal account; it cost $5 and is well worth the added
protection that it offers. Basically, no one else can use my account
unless they use the token to sign in.
http://tinyurl.com/paypalkey
But the issue with these tokens is that you need one for each of your
accounts. There are some vendors who are trying to get around this
issue by using one's cell phone as a second-factor authentication tool,
including Phonefactor.com and FireID.com. Both require some
integration of their tools into your applications, which isn't very
good if you want to apply them universally to all of your Web
authentications. FireID's solution involves using a special server
that sits on my network, while PhoneFactor requires software agents to
download to your desktop or to integrate into your Web applications.
So what else can you do? The service that I am trying out now is from
Tricipher and called MyOneLogin.com. It costs $30 a year per user, and
everything is done via their hosted service so there is nothing to
download, other than an optional Firefox or IE browser plug-in to
handle some tasks. You set up a special Web portal for your company,
and then add your credentials to the various sites. It comes with
hundreds of pre-set applications and works with either special
knowledge questions (what was the name of your third-grade teacher) or
with your cell phone. The good thing about MyOneLogin is that you can
set it up and forget your passwords, because no matter where you are
you can log in to the portal and then to your applications. You can mix
and match Web and internal apps, such as your VPN login, too, without
any programming or installing any servers. And it is also a great
solution if a company wants to keep control of the credentials to
these sites, so when you leave you can't take your logins with you.
Look for one of my WebInformant.tv screencast video demos in the near
future that will show you more about the service. And you can try it
out for 30 days for free if you are interested. Maybe now I can
finally toss those special pieces of paper – but first I will have to
make sure to shred them!