How Password Management Software Works

If all you have is one computer, one user and no Internet connection, a single password protecting access to said computer might be sufficient. That's what some of the earliest home computers were like. You could write your password on a sticky note, put it on your monitor and no one would find it unless they broke into your home or office.

Soon, though, people found ways to connect computers on a network, and the need arose for ways to better secure the data on each system. Suddenly, you needed more sticky notes than you could fit on your monitor just to keep up with all the usernames and passwords you had to remember across the network. As we pointed out earlier, though, writing these things down is risky.

To address this problem, a new kind of software was designed: password management software. From the beginning, these applications have had a simple, straightforward goal: Manage a list of accounts along with the username and password for each account. In most cases, this software also protects that list from hackers, both on the local computer and over network connections. Later, when we scan through the list of password management features, you'll see how past and present password management software has tackled these goals.

The password management problem has grown exponentially since the early 1990s because of the World Wide Web. Each Web site has its own user account system requiring a username and password. Some have extra thresholds to deter password-guessing software. In addition, many Web sites require users to follow certain password rules for length and content, and these rules can vary between sites in a way that forces you to create several different passwords. For example, one site may require you to use special characters like exclamation points or asterisks in your password, while another site doesn't recognize or allow those symbols.

Mobile computing has also added to password management challenges. Laptops make it easy to use the Web from anywhere. However, they also increase your chances of losing your data as a result of damage or theft. Add smartphones and tablets into the mix, and you could be managing your passwords among several devices, not just one or two.

Today's password management solutions take these Web and mobile challenges into consideration. They've also added tie-ins with Web browsers, such as automatically filling in the blanks on login forms when you visit sites you've specified in your setup preferences. The password management problem is likely to grow as Web applications built around cloud computing replace the need for many locally installed utilities. Today, you can even find password management software in the form of Web apps.

Now that we've scoped out the challenges of password management, let's look at the basic features of different types of password management software.

Software developers have taken different approaches to creating password management software, including where it stores the data, how it's secured and what additional features should be available for saving and retrieving account information.

The following are the different types of password management software available as of 2011. First, we'll examine the features and benefits of each type, as well as why you might choose it. Later, we'll take a close look at their risks.

Bonus feature within other software. Operating systems, Web browsers, antivirus software and other applications occasionally include a password manager feature. Some examples include the password managers in Chrome, Firefox and Internet Explorer browsers and the identity management features in the Norton 360 comprehensive security suite. Use this type of software if you're confident in the security offered through the product and don't feel a need for an additional layer of protection.

Standalone password manager. The earliest type of password management software was the standalone application not associated with any other software. Many such apps still exist today, including KeePass and Aurora. Aurora boasts strong encryption along with added features such as form-filling for Web pages, a password generator and the option to export passwords to a readable file. Try out this type of password management if you do most of your computing on one device that you don't share with other users.

Password managers using embedded security hardware. This is a less commonly employed approach than other types of password management. This software requires hardware embedded on your device to save and encrypt data. For example, Lenovo's T-series ThinkPad laptops feature a chipset mounted on the motherboard called the Embedded Security Subsystem. Used in combination with Lenovo's password management software, you can save passwords and other data to the device,. Furthermore, it's encrypted so that only someone with a passkey, fingerprint (from a fingerprint reader) or both credentials can retrieve that data. Because the information is stored in the chipset instead of on the hard drive, you can also configure the computer to require the passkey or fingerprint to boot the machine altogether. Use this type of password management if your computer is at a high risk of physical hacking or theft; usually, that's the case if you keep it in a shared living or office space or you travel a lot with it.

Web-based password manager. This newest type of password manager is a Web application that you can use from any Internet-connected device. Apps like RoboForm and PasswordSafe have similar features to Aurora with the added benefit of accessing those features from a variety of Web browsers running on different desktop and mobile operating systems. For example, using a single password to sign in to RoboForm, you can retrieve all the passwords you've saved there. Use this type of password management if you have multiple computers or mobile devices with different operating systems and you need to retrieve all your passwords from each device.

So, now that you're savvy about your password management software options, let's weigh their benefits with their risks.

Your passwords are as important as your wallet and car keys -- you never want to lose them, and you certainly don't want them falling into the wrong hands. That being the case, you shouldn't trust managing your passwords to just any piece of software. Before you start saving your passwords in a management application, be sure you know how that app saves your data and what risks you're taking by using it.

The biggest risk involved in using any password management software is that all your passwords are in one place. Think of the password management software like your home: All your stuff is in it, and one key unlocks everything you own. If your password management app requires a master password or an encryption key, a hacker only needs that one password or key to access all your private account credentials.

There's a lot you can do to minimize the risk of a hacker getting or using this master password or key. Take the following precautions no matter what type of password management software you use:

Going back to the house metaphor, we could summarize these recommendations as, "Keep all of your doors locked, don't lose the key and choose a lock that's so difficult to pick that a thief will probably just give up and move on to the next house." But what if the thief decides to just knock down the door or break through a window instead? Sometimes it's the house itself, not the lock, that puts you at risk. Next, we'll look at the potential problems unique to specific types of password management approaches.

So far, the risks we've detailed affect all types of password management software uniformly. Each type we listed earlier, though, comes with some additional hazards.

One threat to any software that stores passwords locally is malware. Each application on your computer squirrels away its passwords in a specific format at a specific location in your file system. Malware can be designed to scan your computer for password data, targeting those locations and sending anything it finds to a hacker elsewhere on the Internet. You can stave off these and other malware attacks using reliable, frequently updated anti-virus software.

Web browsers' password managers are notoriously risky because of how they store and secure saved passwords. However, the measures you're already taking to prevent access to your system from the Internet and malware should prevent the dangers that such risks present. For example, Firefox has been known to encrypt and encode the passwords it saves but then writes the encoded password to a simple text file alongside its corresponding URL. Protecting access to your local files with physical security, user passwords, screen locks, anti-virus software and firewalls should be sufficient to safeguard that file and, thus, your Firefox passwords.

Some browsers are using an integrated security approach. For instance, Internet Explorer in Windows creates a Windows registry key to store the password, which incorporates/takes advantage of the system's Triple DES encryption. Administrator-level access to the Windows registry is required to display those saved passwords on the screen. If you're preventing access to your Windows account with some of the methods listed earlier, especially guarding against malware, you should have no trouble keeping these saved IE passwords safe.

Embedded security chips and other encryption hardware don't present a new risk as much as they amplify an existing one: losing your master password. These security systems include the added option of requiring a password to boot the operating system. If you set a boot password then forget it, you'll be unable to start your computer at all. Since today's computers can run for days or weeks without rebooting, there's plenty of time to forget your password. In addition, if you move the hard drive to another machine, you might get past the boot password, but accessing the hardware-encrypted data on your hard drive will be difficult, if not impossible. Check whether the hardware manufacturer has recovery steps in these situations if you think recalling your master password will be a problem.

The final risk consideration comes with the newest type of password management software, Web apps. Web apps present the same security and privacy concerns described in our article How Cloud Computing Works. You're relying on the company behind that Web app to keep your data safe. One particular concern is similar to that of banking and government sites: The company itself could become a target for hackers and identity thieves looking for a bigger score rather than picking on individual users. The only way to minimize that risk is to take special care when selecting which Web-based password management software to use. Research the companies behind the products, and read evaluations by security experts who have tested the software. You might just decide that the convenience you'll gain by using a specific Web app outweighs its potential risks.

Want to unlock lots more on password management software? Pass on over to the next page.