How Password Management Software Works

Walter Burch, Editor-in-Chief of CreditLearningCenter.com, reviews nine ways people can help to prevent identity theft.
Credit Learning Center.com

Log in to your e-mail account. Log in to your bank account. Log in to Facebook. Log in to your Amazon account. Log in to your photo sharing service. Can you count the number of applications you use on a regular basis that require a password? This includes your local computer account, your e-mail, social networking Web sites and merchant accounts at various online stores. If you're in school or at work, you should count password-protected resources you use there, too, like your personal records or network file shares. How do you keep track of all of all those passwords?

Here are a few tricks you might have tried or considered (with hints about why you may want to steer clear of some of them):

  • Memorize passwords. This is a great technique if you use your passwords every day, but maybe not for those you only need occasionally. If you don't use a password regularly, there's a good chance you could forget it if you rely on memorization alone. In addition, Web browser cookies can remember your login session for days or weeks at a time, meaning you only enter the password manually once in a while even if you use it every day.
  • Use the same password everywhere. Memorizing a single password for every account does make life simpler. For security reasons, though, this isn't a great idea, because it makes it easy for a hacker who finds your user name and password for one account to break into your other accounts, too.
  • Write passwords down on paper. This is an ideal solution if you can hide the written information where no one else has access. Not only is this a risk if someone finds the list, but a written list or an assortment of scraps of paper could also be lost or damaged, and you'll need to find and update the list each time you update a password.
  • Write passwords into a file on your computer or mobile device. This is less likely to get lost than the paper, but you do risk losing the file if you have hardware failure. In addition, this file is as vulnerable to hackers as other files on your computer. You could encrypt it for an added layer of security, which makes this strategy similar to the next solution.
  • Use password management software. Password management software is a utility you can use to save and retrieve all your passwords. This software could be a standalone application on your local computer or a feature within another application. This option greatly limits hackers' possible routes to your password data while adding convenient features for organizing and retrieving information.

In this article, we're going to break down the types of password management software, and we'll examine both the benefits and the risks of using each type. We'll also discover some specific applications on the market and sort out which ones are hit-or-miss in both features and security. But first, a walk down password management software's memory lane as we look at its history.

History of the Password Management Problem

If all you have is one computer, one user and no Internet connection, a single password protecting access to said computer might be sufficient. That's what some of the earliest home computers were like. You could write your password on a sticky note, put it on your monitor and no one would find it unless they broke into your home or office.

Soon, though, people found ways to connect computers on a network, and the need arose for ways to better secure the data on each system. Suddenly, you needed more sticky notes than you could fit on your monitor just to keep up with all the usernames and passwords you had to remember across the network. As we pointed out earlier, though, writing these things down is risky.

To address this problem, a new kind of software was designed: password management software. From the beginning, these applications have had a simple, straightforward goal: Manage a list of accounts along with the username and password for each account. In most cases, this software also protects that list from hackers, both on the local computer and over network connections. Later, when we scan through the list of password management features, you'll see how past and present password management software has tackled these goals.

The password management problem has grown exponentially since the early 1990s because of the World Wide Web. Each Web site has its own user account system requiring a username and password. Some have extra thresholds to deter password-guessing software. In addition, many Web sites require users to follow certain password rules for length and content, and these rules can vary between sites in a way that forces you to create several different passwords. For example, one site may require you to use special characters like exclamation points or asterisks in your password, while another site doesn't recognize or allow those symbols.

Mobile computing has also added to password management challenges. Laptops make it easy to use the Web from anywhere. However, they also increase your chances of losing your data as a result of damage or theft. Add smartphones and tablets into the mix, and you could be managing your passwords among several devices, not just one or two.

Today's password management solutions take these Web and mobile challenges into consideration. They've also added tie-ins with Web browsers, such as automatically filling in the blanks on login forms when you visit sites you've specified in your setup preferences. The password management problem is likely to grow as Web applications built around cloud computing replace the need for many locally installed utilities. Today, you can even find password management software in the form of Web apps.

Now that we've scoped out the challenges of password management, let's look at the basic features of different types of password management software.

Types and Benefits of Password Management Software

The user interface for Aurora, a standalone password management application for Microsoft Windows, will be entirely familiar for Windows users.
The user interface for Aurora, a standalone password management application for Microsoft Windows, will be entirely familiar for Windows users.
Screenshot by Stephanie Crawford for HowStuffWorks

Software developers have taken different approaches to creating password management software, including where it stores the data, how it's secured and what additional features should be available for saving and retrieving account information.

The following are the different types of password management software available as of 2011. First, we'll examine the features and benefits of each type, as well as why you might choose it. Later, we'll take a close look at their risks.

Bonus feature within other software. Operating systems, Web browsers, antivirus software and other applications occasionally include a password manager feature. Some examples include the password managers in Chrome, Firefox and Internet Explorer browsers and the identity management features in the Norton 360 comprehensive security suite. Use this type of software if you're confident in the security offered through the product and don't feel a need for an additional layer of protection.

Standalone password manager. The earliest type of password management software was the standalone application not associated with any other software. Many such apps still exist today, including KeePass and Aurora. Aurora boasts strong encryption along with added features such as form-filling for Web pages, a password generator and the option to export passwords to a readable file. Try out this type of password management if you do most of your computing on one device that you don't share with other users.

Password managers using embedded security hardware. This is a less commonly employed approach than other types of password management. This software requires hardware embedded on your device to save and encrypt data. For example, Lenovo's T-series ThinkPad laptops feature a chipset mounted on the motherboard called the Embedded Security Subsystem. Used in combination with Lenovo's password management software, you can save passwords and other data to the device,. Furthermore, it's encrypted so that only someone with a passkey, fingerprint (from a fingerprint reader) or both credentials can retrieve that data. Because the information is stored in the chipset instead of on the hard drive, you can also configure the computer to require the passkey or fingerprint to boot the machine altogether. Use this type of password management if your computer is at a high risk of physical hacking or theft; usually, that's the case if you keep it in a shared living or office space or you travel a lot with it.

Web-based password manager. This newest type of password manager is a Web application that you can use from any Internet-connected device. Apps like RoboForm and PasswordSafe have similar features to Aurora with the added benefit of accessing those features from a variety of Web browsers running on different desktop and mobile operating systems. For example, using a single password to sign in to RoboForm, you can retrieve all the passwords you've saved there. Use this type of password management if you have multiple computers or mobile devices with different operating systems and you need to retrieve all your passwords from each device.

So, now that you're savvy about your password management software options, let's weigh their benefits with their risks.

Risks of Using Password Management Software

The auto-fill feature available with some password management software is convenient, but it illustrates why you want to be careful about the service you choose. Imagine what could happen if someone hacked your password management account.
The auto-fill feature available with some password management software is convenient, but it illustrates why you want to be careful about the service you choose. Imagine what could happen if someone hacked your password management account.
iStockphoto.com/Thinkstock

Your passwords are as important as your wallet and car keys -- you never want to lose them, and you certainly don't want them falling into the wrong hands. That being the case, you shouldn't trust managing your passwords to just any piece of software. Before you start saving your passwords in a management application, be sure you know how that app saves your data and what risks you're taking by using it.

The biggest risk involved in using any password management software is that all your passwords are in one place. Think of the password management software like your home: All your stuff is in it, and one key unlocks everything you own. If your password management app requires a master password or an encryption key, a hacker only needs that one password or key to access all your private account credentials.

There's a lot you can do to minimize the risk of a hacker getting or using this master password or key. Take the following precautions no matter what type of password management software you use:

  • Keep your computer or mobile device physically secure by leaving it at home or keeping it in sight at all times. Consider computer locks as a theft deterrent when you're on the go and might need to walk away from the machine for a short time.
  • Set a password to access the user account on your computer or mobile device, and change this password regularly. Make sure the system requires this password from you whenever it boots or wakes up.
  • Use a screen lock for your computer or mobile device when you're not using it, requiring you to enter a password when you return.
  • Never trust anyone else with your passwords or encryption keys.
  • Use reliable firewall software to prevent unwanted access over your network connections.
  • Select password management apps that require a complex master password or encryption key.
  • If your password management app uses a master password, change it every two to three months, and never make it the same as the password used to log in to your computer.
  • Consider a biometric credential, such as a fingerprint scan, if you have trouble remembering your master password and you don't mind using additional scanning hardware.

Going back to the house metaphor, we could summarize these recommendations as, "Keep all of your doors locked, don't lose the key and choose a lock that's so difficult to pick that a thief will probably just give up and move on to the next house." But what if the thief decides to just knock down the door or break through a window instead? Sometimes it's the house itself, not the lock, that puts you at risk. Next, we'll look at the potential problems unique to specific types of password management approaches.

Additional Risks

So far, the risks we've detailed affect all types of password management software uniformly. Each type we listed earlier, though, comes with some additional hazards.

One threat to any software that stores passwords locally is malware. Each application on your computer squirrels away its passwords in a specific format at a specific location in your file system. Malware can be designed to scan your computer for password data, targeting those locations and sending anything it finds to a hacker elsewhere on the Internet. You can stave off these and other malware attacks using reliable, frequently updated anti-virus software.

Web browsers' password managers are notoriously risky because of how they store and secure saved passwords. However, the measures you're already taking to prevent access to your system from the Internet and malware should prevent the dangers that such risks present. For example, Firefox has been known to encrypt and encode the passwords it saves but then writes the encoded password to a simple text file alongside its corresponding URL. Protecting access to your local files with physical security, user passwords, screen locks, anti-virus software and firewalls should be sufficient to safeguard that file and, thus, your Firefox passwords.

Some browsers are using an integrated security approach. For instance, Internet Explorer in Windows creates a Windows registry key to store the password, which incorporates/takes advantage of the system's Triple DES encryption. Administrator-level access to the Windows registry is required to display those saved passwords on the screen. If you're preventing access to your Windows account with some of the methods listed earlier, especially guarding against malware, you should have no trouble keeping these saved IE passwords safe.

Embedded security chips and other encryption hardware don't present a new risk as much as they amplify an existing one: losing your master password. These security systems include the added option of requiring a password to boot the operating system. If you set a boot password then forget it, you'll be unable to start your computer at all. Since today's computers can run for days or weeks without rebooting, there's plenty of time to forget your password. In addition, if you move the hard drive to another machine, you might get past the boot password, but accessing the hardware-encrypted data on your hard drive will be difficult, if not impossible. Check whether the hardware manufacturer has recovery steps in these situations if you think recalling your master password will be a problem.

The final risk consideration comes with the newest type of password management software, Web apps. Web apps present the same security and privacy concerns described in our article How Cloud Computing Works. You're relying on the company behind that Web app to keep your data safe. One particular concern is similar to that of banking and government sites: The company itself could become a target for hackers and identity thieves looking for a bigger score rather than picking on individual users. The only way to minimize that risk is to take special care when selecting which Web-based password management software to use. Research the companies behind the products, and read evaluations by security experts who have tested the software. You might just decide that the convenience you'll gain by using a specific Web app outweighs its potential risks.

Want to unlock lots more on password management software? Pass on over to the next page.

Related Articles

More Great Links

Sources

  • Animabilis Software. "Aurora Password Manager: Features." (Sep. 18, 2011) http://animabilis.com/password-manager/eng/features.htm
  • Felker, Mikhael. "Password Management Concerns with IE and Firefox, part two." SecurityFocus. Reprinted by Symantec Corporation. Mar. 10, 2010. (Sep. 19, 2010) http://www.symantec.com/connect/articles/password-management-concerns-ie-and-firefox-part-two
  • Faulkner, Jason. "How Secure Are Your Saved Internet Explorer Passwords." HowToGeek. Jul. 19, 2011. (Sep. 18, 2011) http://www.howtogeek.com/68231/how-secure-are-your-saved-internet-explorer-passwords/
  • Lenovo. "ThinkPad T420/T520 Notebooks." Mar. 2, 2011. (Sep. 18, 2011) http://www.lenovo.com/shop/americas/content/pdf/notebooks/ThinkPad/t-series/ThinkPad%20T420-T520.pdf
  • Pash, Adam. "Five Best Password Managers." Lifehacker. Aug. 28, 2008. (Sep. 16, 2011) http://lifehacker.com/5042616/five-best-password-managers
  • PasswordSafe. "About Us." (Sep. 19, 2011) http://www.passwordsafe.com/about/
  • Siber Systems. "RoboForm: Key Features." (Sep. 18, 2011) http://www.roboform.com/how-it-works/key-features
  • Symantec Corporation. "Norton 360 Version 5.0: How It Works." (Sep. 16, 2011) http://us.norton.com/360/
  • Teare, Dave. "Mac Password Manager." (Sep. 19, 2011) http://macpasswordmanager.com/