Terry Zink: Security Talk

Discussing Internet security in (mostly) plain English

I am finally experimenting with a password manager. Here are the results so far.


I’ve been aware of password managers for years but I never used one – I was skeptical. While I understand their benefits, I always thought they would be too inconvenient to use.

I’m going to assume that you’re aware of what these things are – little pieces of software that keep track of all the passwords you use to log in to various websites, and the only way to get at them is to enter your one master password. So, instead of memorizing a ton of random passwords (which no one does), you only need to remember one. The password manager can even generate passwords for you if you want, and then you just need to reset your password on whatever website you log into to the one that was randomly generated.


I broke down this past week and decided to stop relying upon my brain to do my password management and instead use software. I did this for two reasons:

  1. For security

    I have quasi-uniqueness for many of my passwords, but I do reuse some of them for web sites I don’t care about that much.

  2. Because my $WORK is making me

    At work, I have to log in to a bunch of different environments and it’s pretty much impossible to keep track of them. Furthermore, they rolled out a change this past month where you can’t pick your own password for these environments (excluding my PC logon); they generate them for you. Either I write them down or I use a password manager. The password manager won.

We had a security presentation a few weeks ago and the one thing I remember is that the recommended piece of software to use internally at the company is called… well, I’m not sure if I am supposed to advertise it so I will refer to it as ComboPass. I hope that doesn’t actually exist, I don’t look things up while I am blog-writing. This is a 3rd party tool and the reason the company recommends it is because it integrates with certain other tools we use like Windows Phone (I can’t recall if this is the real reason but I’m on a roll and can’t be bothered to stop typing).

First impressions

Anyhow, I downloaded the tool, installed it, and… nothing happened. Did it work properly? I started digging through the help guides and figured out that a little icon shows up in my Windows SysTray.

Oh. Right.

I double-clicked the icon and created a new master password to unlock it. Now what? I looked at the screen and I couldn’t figure out what to do. This may seem obvious to all of you but I didn’t know what my next steps were. Weren’t these things supposed to be easy to use? In my mind, I envisioned that every website I used could easily integrate with this stuff.

Eventually, I figured out that I had to right-click and add a new entry. I guess that makes sense, looking at it in retrospect.

Well, first things first. The main reason I have resisted using a password manager is this – won’t I have to sync this across all my devices?

I have a Windows 8 PC, a Windows 7 PC, a Windows Phone, an Android tablet (which I got for free), an iPad 3, and an older iPad which I also got for free. My wife also has a Mac. I don’t use all of these devices at the same rate. But I do use them all once in a while. Was I going to have to install ComboPass on every single one of these?


I decided to start small. To begin with, I decided to save only my work environment passwords on my primary Windows 8 machine, but I made the mistake of saving the password file to the local hard drive. I generated some new passwords and stored them in ComboPass.

Now how do I use them?

Oh, I have to copy/paste them when I want to login. But first I have to unlock ComboPass every time using that new master password I generated for it and I don’t have it memorized yet.

Ugh. What an inconvenience. But at least those crazy work passwords are stored so I don’t have to remember them anymore.

Syncing to another device

Okay, well, since I have two main PCs – Windows 8 and Windows 7 – I figured I had better get ComboPass set up on Windows 7. I downloaded and installed it and then pointed the password file at SkyDrive Pro (Microsoft’s enterprise cloud storage solution). I copied my Windows 8 password file from the hard drive on that PC onto SkyDrive Pro where my Windows 7 machine could pick it up. So, now they’re synced!

That was not going to end well, as we’ll see later.

Aside: I got my Windows 8 PC back in May and I do most of my work on it, but I retain my old Windows 7 PC for a couple of reasons:

  1. I like the hardware better. The keyboard “clicks” better, and the mouse trackpad is more responsive.

  2. I can’t figure out how to get certain connectivity to the corp network working in Windows 8 the way it works for me in Windows 7. This is clearly user error. But this user’s workaround is to use Windows 7 instead of calling the IT department to fix it.

My website logins

Next up – my website logins. I am not thrilled about the possibility of having to copy/paste my password from ComboPass into Amazon, Mint, Netflix, my banks, etc. every time I want to login to them (I don’t save them in my browser, I retype them each time I login). So, I decided to experiment with a website I don’t care about as much – FutureAdvisor. This is a website that analyzes your stock portfolio and makes recommendations on the best way to balance them. Pretty cool, if I could get it to work. I reset my password for it and stored it in ComboPass.

At this point, I only have a few things stored in ComboPass. But then I realized something – my Windows 7 device pulls the password file from SkyDrive Pro, but my Windows 8 device pulls it from the local hard drive. That shouldn’t be; I copied it from the hard drive to SkyDrive Pro.

That was a mistake.

For you see, I wasn’t keeping things in sync (I know, it’s my fault): I overwrote the password file and locked myself out of FutureAdvisor along with a couple of other websites.

Ugh!

And I can’t reset my password because FutureAdvisor’s password reset currently doesn’t work. Every time I click “reset my password”, which sends me an email, the link in that email tells me it has expired. It is physically impossible to click it any faster than I am doing.

I know it’s always possible to lock yourself out of your own accounts even using conventional password management. But this only happened because of me using a password manager and trying to sync it between only two devices.

My impressions so far

So far, my initial reactions are mixed. While I like the ability to not have to remember my passwords:

  1. Remembering the new master password is inconvenient. I had to write it down and physically carry it with me on a piece of paper.

  2. Copy/pasting from the password manager is inconvenient. I liked being able to log on to Amazon by typing in my username and password (I had it memorized and it is unique). It is now an extra step. Or at least it would be if I hooked it up to Amazon. I thought these things were supposed to auto-fill web logins? Right?

  3. Even though I know that locking myself out of FutureAdvisor was my fault, and it’s their fault the password reset doesn’t work, it feeds my paranoia that using a password manager adds too much complexity. I don’t mind adding accounts that I only access on two devices that sync with SkyDrive Pro. But am I going to have to type in those super-long passwords on each of my Windows Phone, iPad 3, old iPad and Android?

    So for now, I still memorize the passwords on websites that are important which I may log onto on multiple devices (which defeats the purpose of a password manager).

  4. What happens if I ever cannot connect to SkyDrive Pro (e.g., I ever leave the company I work for)? Then I can’t log onto anything! I’d have to go and reset the password on every service and then update it on every device.

    I prize convenience, and this adds a lot of risk.

I am probably whining about a lot of things that have already been solved. I readily admit that I have not climbed the learning curve that exists for changes in anything. While I find the password management useful in some cases, I’m not ready to make the full leap.

  • I have a pretty nice setup with KeePass (open source!) + Dropbox + plugins for various browsers. Indeed, it takes some time adjusting (couple of days), but now I couldn't imagine myself without it!

  • Hi Terry,

    my first thought was "really!?".

    I like your honest style of writing, though. ;)

    Cd-MaN mentions in his comment KeePass and that's what I use too. Looking at your post I assume that's what you use(d).

    I agree, this tool isn't yet good enough to read the user's mind but with some manual input ("Add Entry") it can keep track of the important details.

    "Perform Auto-Type" is a "stupid" (means not related to AI at all!)  but handy feature.

    With regards to your challenge to use the same key file on different devices, would it be an option to use Dropbox or Evernote? These tools could take care of the sync part, couldn't they?

  • I'm going out on a limb here and thinking maybe the best way to take care of your sync problem would be to use a thumb drive, then you have no sync problem, and can take it with you since you can only type on one machine at a time. Plus it takes your pwd store off the cloud, where they might be compromised.

  • @c - I'm willing to do this, but how would I get it to integrate with my tablet devices that don't have USB ports?

  • Wow, never heard of Combopass. I use Sticky Password, which suits me the best.

  • Used to use KeePass and SkyDrive for many yrs. Moved to LastPass 6 months ago. Easy to set up, import, and available on all platforms.

  • I really like LastPass. It is a minimal cost, works on multiple platforms, and has a browser plugin so you can auto-fill web sites.

  • I have a backed-up USB thumb drive that serves for each environment I use ComboPass in. The auto-type, drag-and-drop and the "double-click to copy to clipboard" operations work out very well for me. I have even started putting my debit card numbers in so I don't have to haul the card out when I am doing some sort of impulse buy on the 'Net.

  • IMO, the master password should be long but relatively easy to remember. For example, using the title of this blog post as a starting point:

    $I1Am2Finally3Experimenting4+-

    That is a 30 character password. All you have to remember is $ at start, +- at end, capitalize the first letter of the words, and replace the spaces with ascending digits. Yes, it seems like a lot, but remember, the idea is to only remember ONE password.

    Also just print out the master password and put it in a secure place, and of course, do not label it! It should be recognizable to you when you see it.

    I use KeePass, and the real value to me is the password generation. The passwords I use are different for every site and I try to use the full limit of what the site will accept (some only take 8(!) characters, others can't handle > & etc). I will use 32 character length passwords, full character set if possible.
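    The master-password recipe in the comment above, together with the per-site random generation it credits KeePass for, as an added example in Python (not code from the post, its commenters, or KeePass); the phrase, the `$`/`+-` prefix and suffix parameters, and the site alphabets are assumptions for illustration:

```python
import secrets
import string

# Added example (not from the post, its commenters, or KeePass): the
# commenter's recipe for a long but memorable master password, plus a
# per-site random password generator of the kind a manager provides.


def master_password_from_phrase(phrase, prefix="$", suffix="+-"):
    """Apply the recipe from the comment: prefix, each word capitalized,
    every space (and the end of the last word) replaced by an ascending
    digit starting at 1, then the suffix.
    "I am finally experimenting" -> "$I1Am2Finally3Experimenting4+-"
    """
    parts = []
    for index, word in enumerate(phrase.split(), start=1):
        parts.append(word.capitalize())
        parts.append(str(index))
    return prefix + "".join(parts) + suffix


# Full printable set, as the commenter uses when a site allows it.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def site_password(max_length=32, alphabet=FULL_ALPHABET):
    """Generate a random per-site password with the secrets module
    (a CSPRNG), at the site's maximum accepted length and drawn only
    from the characters the site accepts, e.g. an alphabet without
    '>' or '&' for sites that reject them."""
    if max_length < 1 or not alphabet:
        raise ValueError("need a positive length and a non-empty alphabet")
    return "".join(secrets.choice(alphabet) for _ in range(max_length))


if __name__ == "__main__":
    master = master_password_from_phrase("I am finally experimenting")
    print(master, len(master))
    # A site that accepts only 8 characters and rejects '>' and '&'.
    limited = "".join(c for c in FULL_ALPHABET if c not in ">&")
    print(site_password(8, limited))
    print(site_password())
```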

  • PassZwype: your finger swipe is your password. PassZwype is the Android password manager that secures your information through your unique swipe.

    To know more about PassZwype visit www.kickstarter.com/.../passzwype-your-finger-swipe-is-your-password
