Community Newsletter: Q&A forum: 2/24/06 Questions about storing and managing passwords

by: Marc Bennett February 23, 2006 12:05 PM PST


Question:

When logging in to a secure Web page, the browser will often have an option to save my password. Or the Web site will ask if I want to store my password. Are these the same? Where and how are these passwords saved? How secure is it to do this? Are the passwords stored in an encrypted format, and if so, can they be hacked? As a precaution, I never store passwords anywhere in electronic form. I don't trust password managers because there is no way to know what they are doing with the information. What is the safe way to manage passwords?

Submitted by: Gary H.

*******************************************************

Answer:


Well, Gary H., your question starts out simple, but goes quite a bit deeper into online security. Let's start with the difference between the browser's "remember my password" vs. a Web site's "keep me logged in" option.

Your browser actually saves your login name and password info, encrypted, on your hard drive, and fills the fields when you pull up that certain Web page again. However, how it saves it depends on the browser's actual implementation.

By contrast, the "remember my password" option on a website actually saves a special cookie (think of it as a marker) that's unique to you, so that when you come back to the website, it shows that you're user so-and-so and logs you in. That cookie likely will NOT actually contain any password info for anyone to unscramble, but rather is just something the website itself understands, but, again, it depends on actual implementation. It's probably similar to your local supermarket handing you a membership card. By loading that number, they know it was you using the card, since no one else has that number. The website's "remember my login" would probably work along similar lines.

Neither is technically "secure" since anyone who can physically access your computer (i.e. sit down at your table) can get into those websites, either way. Assuming your home is reasonably safe from intruders, that leaves external hack attempts.

The best defense against external hack attempts is a hardware firewall, and regular security updates for your operating system, probably WinXP. Windows is already set up to warn you and/or to apply the updates automatically, so all that remains is a hardware firewall, esp. if you are on a broadband connection to the Internet. If the hackers can't reach your PC, they can't hack it. You can, of course, not connect the PC to the outside at all, but that would be rather drastic.

On the other hand, is there anything on those websites that you really need to protect from hackers? Or, if you are more worried about the stuff on your PC, why? Hacking individual people's PCs consumes time, with very little chance of payback for the hackers. Think of it this way... let's say they are after... Credit card numbers. How many credit cards is one likely to own? Maybe 2 or 5. Would their numbers be stored on the PC? If so where? It's impossible to say. It could be in Word documents, Excel spreadsheets, Quicken, MS Money... etc. Choices are endless, and searching through it all would be time consuming. Hackers would be far more likely to get lucky with Phishing or Pharming scams, most of that can be automated and takes almost no time at all on the part of the scammer. It's easier to ask you for the password than to dig it out of you (or your PC), so to speak.

As for trustworthiness of password managers... I personally use one. I have no qualms about using one. Your firewall should automatically block traffic from unauthorized programs, which is how you know which program is not doing what it's supposed to. However, it is quite difficult to "prove" security. In a way, it's like defending against terrorists. We have to be 100% effective, they just have to be 0.0001% effective...

If you are so worried, get a cheap PDA and put your passwords on those, and keep the PDA with you at all times. But then you have to worry about the PDA getting lost and all that...

The entire idea of security is balancing risk vs. convenience. Password managers increase convenience, but also increase risk by offering a central location to lose ALL of the passwords at once. Firewalls decrease the risk of external hacks, but also decrease convenience by requiring various config of port forwarding and such. It is all about trade-offs, and what is acceptable to me may not be acceptable to you. Ultimately, you will have to decide if the risk of using a password manager outweighs the convenience of having one and having it remember stuff for you.

Submitted by: Kasey C. of San Francisco, CA
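
The "membership card" cookie described in the answer above can be sketched as follows. This is an added example, not part of the original post or any particular website's code; the function names, the in-memory table and the 30-day lifetime are assumptions made for illustration.

```python
import hashlib
import secrets
import time

# Hypothetical server-side table: sha256(token) -> (username, expiry time).
# The site keeps only a hash of the token, so a leaked table cannot be
# replayed as cookies, and the password never appears in either place.
REMEMBERED = {}
TOKEN_LIFETIME = 30 * 24 * 3600  # assumed policy: 30 days, in seconds


def digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_remember_cookie(username, now=None):
    """Call after a successful password login; returns the cookie value."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # random, unrelated to the password
    REMEMBERED[digest(token)] = (username, now + TOKEN_LIFETIME)
    return token


def user_for_cookie(cookie, now=None):
    """Map a presented cookie back to a user, or None if unknown or expired."""
    now = time.time() if now is None else now
    key = digest(cookie)
    entry = REMEMBERED.get(key)
    if entry is None:
        return None                    # forged or already revoked
    username, expiry = entry
    if now > expiry:
        del REMEMBERED[key]            # expired cookies stop working
        return None
    return username


def revoke_all(username):
    """On logout or password change, invalidate every remembered device."""
    stale = [k for k, (u, _) in REMEMBERED.items() if u == username]
    for key in stale:
        del REMEMBERED[key]
    return len(stale)
```

Because the cookie alone logs the user in, anyone who can sit down at the machine can use it, which is why the sketch includes an expiry and a way to revoke every remembered device at once.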

