Review: Password management eases with Net storage

Aug 12, 2009 By PETER SVENSSON, AP Technology Writer
In this screen shot, the RoboForm and LastPass password management programs are seen in use in a Firefox browser window. (AP Photo)

(AP) -- Do you use your kids' names? Your pet's? Your favorite color? We all use some dumb passwords that are too easy to guess.

Worse, we use the same ones for lots of Web sites. So if one site gets compromised, or an employee there is dishonest, someone could start trying out that password on other sites where you have accounts, like Amazon or , and you've got trouble.

Browsers help out a bit by offering to remember your passwords, but that does little good if you are on a different computer or want to try a different browser.

The rescue comes from password-management programs. A couple of them have recently taken a big step forward in ease of use, by storing your login information online so that you can access them from multiple computers. Online storage does raise some questions about security, but it also makes these little-known programs worth another look.

I've used one called Roboform for more than four years. Like a browser, it stores passwords on your computer, encrypting them so that they're revealed only when you type in a master password. It fills out the login forms on a Web page automatically. It also stores your address, credit card number and other , so you don't have to type them in when you shop online. Because it's independent of the browser, you can access the same passwords as you switch between and .

With Roboform, I have been able to take those passwords to another computer, but it's been a bit of a hassle. If I signed up for a new on one computer, I had to manually copy the Roboform file that contained the username and password to the other two computers I use regularly.

A free update to Roboform, released last week, takes care of this problem by storing the passwords not only on the computer, but also in an online locker provided by the publisher, Siber Systems Inc. Every time you create a new password, Roboform stores it, in encrypted form, in your online locker. When you log in to another computer, the password is automatically copied over from the locker.

The system is still cumbersome. You have to install an extra piece of software called GoodSync on each computer you need to synchronize. If too many passwords have changed since the last synchronization, GoodSync pops up and asks you to manually approve the changes. The choices are difficult to understand.

In providing an online storage option, Roboform is catching up to a new password management program, LastPass, that's designed from the ground up to store passwords online. Trying that, I found it slightly easier to use - at least, it didn't confront me with cryptic dialog boxes. It also has the virtue of being free, while Roboform costs $30.

Both programs work in Internet Explorer and Firefox on Windows-based computers, but if you go beyond that, LastPass has the edge in compatibility.

Roboform doesn't work on Macs at all, though Siber says it is working on a plug-in for the Safari browser on the Mac. You can access your Roboform Online locker as a Web site on a Mac with any browser, but it won't help you create new passwords or fill existing ones into . This is at best a stopgap measure for occasional Mac use.

LastPass works with Firefox on the Mac, and the company says it is working on a Safari plug-in. LastPass also has a more effective stopgap measure for other browsers, both on Windows and Macs, in the shape of "bookmarklets" that will fill in passwords even if there's no compatible plug-in.

This may sound good, but one thing worries me about LastPass. By default, it stores your passwords only online. While I'm reasonably comfortable that they're safe from theft there, what if LastPass' Web site goes down because of a hacker attack, or worse, because the company goes out of business? Then you've lost the keys to your online life.

LastPass does provide a free application that can store your passwords on your computer's hard drive or a portable thumb drive. I strongly recommend using that application, LastPass Pocket, to make regular backups.

Neither Roboform nor LastPass is a complete answer to online security, of course. You could still be duped into entering a password on a fake "phishing" site set up to look like your bank's. And if someone gets hold of your master password, that person can get all your passwords in one swoop from your online locker. In that sense, online storage of the passwords is riskier than having them on your computer.

But even if there are risks to using these programs, they're better than using the same password for all sites. Using them is probably also safer than writing down all your passwords on paper and carrying them around with you.

If we accept online password storage as safe and reliable, then these password managers are probably just a stepping stone to a more comprehensive, Internet-wide identity management system. The long-frustrated idea there is that one "ID card" that you store online would be legible by all Web sites, and your password tells a site that that ID card belongs to you.

Microsoft Corp. has tried to get sites on board with this model for more than a decade and has accumulated criticism for security flaws along the way. Now, however, there's some momentum behind a system called OpenID that just might make programs like LastPass and Roboform unnecessary. Most of the big Web companies, including Microsoft and Google Inc., support OpenID.

I wouldn't hold my breath, though. In the meantime, Roboform Online and LastPass both do a good job.

If you're a new user, you may be drawn by LastPass' zero price tag, but be aware that you need to back up your data. I'm considering switching from Roboform because it's lagging in how many browsers it supports. It works well enough, though, that it's probably not worth the move.

---

On the Net:

http://www.roboform.com

http://www.lastpass.com

---

Peter Svensson can be reached at psvensson(at)ap.org

Got a technology question? Send an e-mail to gadgetgurus(at)ap.org.
©2009 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

User comments : 2

earls
not rated yet Aug 12, 2009
Wow, Roboform sounds like garbage - the kind you pay for at that.

What's the difference between using the same password for all the sites or getting your password management software password hacked?

Either way the hackers will have carte blanche to all of your sites, possibly even more so with the management software because it stores your usernames as well - mine vary from site to site because of the lack of username formatting standards and/or someone taking my name. Password management software seems like a huge bullseye to me.

There's nothing wrong with using the same passwords on multiple sites - just group them logically. Don't use the same password on Physorg as you do for your online web banking!

Yogaman
not rated yet Aug 12, 2009
How does the open source keepass compare?