Community Newsletter: Q&A forum: 2/24/06 Questions about storing and managing passwords

Answer:

Most web sites are using cookies to store your passwords on the system you are using. There are other ways, but cookies are typically used on a lot of web sites. To test this, just store a password someplace, go back to the web site and see if the password is stored. Next delete your cookies and go to the site again. Chances are you will be prompted for your username and password. Cookies are commonly used to store information about a user preferences at a web site.

If you are curious as to what the information looks like, you can find most cookie files under \Documents and Settings\%username%\Cookies. You will find a number of text files that are cookies for the various web sites you have visited. If you open one of the files, you will more than likely find some readable information, such as espn.com, and a lot of a series of numbers separated by some type of delimiter. It is conceivable that this information could be used to determine username and password for a site.

A way to store passwords that is very safe is to use a Smart Card and a Smart Card Reader. You can use a free program called SmartCache found at http://www.smartcache.net. With this software you can read and write username and password information on smart cards. You just need to find a supported smart card reader, which SmartCache has listed on their web site, and a blank smart card, which can be purchased on many web sites. You can easily find supported readers on eBay for under $10 and the Smart Cards themselves can cost as little as $2 if you know where to look.

If you ever had one of those credit cards with the smart card chips on them and the credit card company provided you with a reader, you now have a reason to use the reader again. If you still have the old credit card, you can use the SmartCache software to read and store your passwords on the credit card, even if it is expired.

When you need to get a password, you just open the software and place the card in the reader connected to your PC via USB, Serial, or PCMCIA connection. The software will prompt for a password to retrieve the card information. The card will be read and your username and passwords will be revealed. You can even store the associated web URL to which the username and password is related to.

In addition, you can back up the usernames and passwords to an encrypted file that you can store on a floppy. You can place the floppy, or any removable media for that matter, in a safe place. So if the card is damaged or lost you can still get to your passwords using the backup file and the SmartCache software.

Now you never have to worry about your passwords being stored on your system. The only password you have to remember now is the one used to unlock your card.

Submitted by: Ralph D.

***********************************************************************

Answer:

Hey Gary,

When your computer system asks you to save your passwords in chat accounts and hotmail, it saves it to a temporary file known as TEMP. These passwords can be erased with a simple click. To erase them you open an Internet explorer page and click on TOOLS, CONTENT tab and then click AUTO COMPLETE under Personal Information. Then you have to click on CLEAR PASSWORDS under Clear Autocomplete History. If you want to stop Windows from asking you to save your password, you click on the box next to USER NAMES AND PASSWORD FORMS so that the green tick is not visible.

Storing and Saving a password is the same thing and I find it not needed to save passwords. It is not very secure to be saving passwords on a family computer/laptop as they can access it. But if it is your own laptop/computer you can save passwords as secure as possible. I agree, password managers actually send your passwords to other people as well so that is not good. The most easiest way to save your passwords are to write them down on a piece of paper or in a diary/note pad.

I hope this helps.

Submitted by: Joshua W.

***********************************************************************

Answer:

Storing or Saving Passwords:

In my opinion, the only safe place to store passwords is in your head. Never write them down. Never share them with anyone. Never use one that a friend or colleague can guess.

Create a password or passwords that mean something to you personally. Like something from your childhood. Never use pet names, family member names, license plate numbers or anything that someone can figure out. Make it cryptic by alternating between upper and lower case, or add numbers after a personal phrase.

After that, remember it! Then change it frequently and remember it. This is the best password protection policy on the planet. I would have to be tortured before I would reveal my password. You cant find it under my keyboard, in my desk, taped to my printer or anywhere in sight, and I wont reveal it to anyone. Even my mother who is 1,500 miles away. It is as valuable as your bank PIN number. Create it then remember it!

Submitted by: Bennie C.

***********************************************************************

Answer:

Unfortunately in my "young" computering days, I used a password manager - Gator - which ended up dumping all sorts of unsavory stuff in my computer, which took forever to get rid of. I have found the best was to store my passwords is an Excel spreadsheet, password protected (with a password I won't forget). I use the internet for paying bills, personal and business, business taxes etc. I feel fairly secure using the spreadsheet because no one can get to it but those on my computer and then it's password protected. This works great for me.

Submitted by: Bea

***********************************************************************

Answer:

My name is Elie and I am from Israel. I am using a very simple technique to keep my passwords. I use an Excel file which you can open only if you know the password for it. In this file I manage columns according to the name of the application for which I need the password, the user name for this application and the date when I changed the password. In the cell where I put the date I add a note (By clicking shift+F2) and I write there the password. I like it because you can see the password only if you stay with the pointer of the mouse on the cell, and you choose the one with the latest date. I use one row for each application.

Submitted by: Elie F. of Israel

***********************************************************************

Answer:

If you never store passwords anywhere, then you are pretty safe. However, asking the question does suggest you would like to. I think you should not worry about the technology and should follow basic rules:

Use different passwords for trivial, moderately interesting and important sites like financial accounts.
Allow windows, or the site, to store passwords to trivial sites which you really wouldnt mind if someone else used your id. Lots of sites insist you register but really have no security implications.
Only store access details to moderately interesting sites on a computer which is totally under your control and then only if you wouldnt suffer serious loss by impersonation. (thefts do happen)
Never store or record passwords to financial or any other sites where crooks could make of with your identity or your money.
Even trivial sites may contain name and address details and other clues to your identity in your account details so be careful even with these.

Submitted by: Paul S.

***********************************************************************

Answer:

Gary,

I am a computer technician that goes to peoples homes and small business. My advice is NEVER store passwords on you local machine. I have a little utility that will tell me all the passwords that are kept one your local machine in less than 30 seconds. Any hacker, that gains access to your machine can do the same.

Antispyware and antivirus programs rely on "signature files" to detect malware. A lot of spyware made today is simply out to get passwords and user names to empty out bank accounts, and sell shares that don't belong to them, and is sponsored by criminal organizations.

Unfortunately when a new bit of nasty ware comes out the companies must get the nasty ware and analyze it then figure out a signature for it, incorporate in there definition files, and then the end user has to update those files. This can sometime take a few weeks for this whole process to be completed, during that time the end user is vulnerable.
As for passwords stored on the web pages server is no less secure. All anyone needs to do is find your user name for that web page and they have access to whatever you have stored there. User names are usually not usually encrypted.

Submitted by: Jim F.

***********************************************************************

Answer:

Gary,

It has been said that the easiest way to hide something is to leave it in plain sight. I dont trust password managers or wallets either. My method is to carry a small Excel file in my PDA called Logs. This file contains three columns, Site, Log-In, and Password. The Site is self explanatory. The Log-in uses code phrases like home email or work email etc. The password column also uses code phrases, and while it does require the ability to memorize, your actual passwords are never written down anywhere except in your memory.

I have five passwords, with the code phrases, alpha, alpha-numeric, numeric, old phone, and first email. One of these passwords will fit the requirements of almost any site I have ever visited in terms of syntax. They are all completely random combinations of letters and or numbers, therefore very difficult to guess, no family names, pet names, or birthdays, etc. Using my file I dont have to guess what I used for the log in or password to that site I visited a year ago. Hope this helps.

Submitted by: Dave M.

***********************************************************************

Answer:

That, I believe, is the wisest way to go - I don't trust password managers either. I write down on paper all the passwords I use, and never use any other form of storage for this type of data. I also have Auto complete facilities disabled. As a user of internet banking services I never store banking login pages in the Bookmarks facility of the Browser - just use Google to locate these pages every time I need to login.

All the best.

Submitted by: Frank M.

***********************************************************************

Answer:

Re password option

I NEVER let the web site save my password. If you do, you give away whatever modicum of protection against a fraud that you have. They get your e mail and your password at the same time if they snoop the web site.

Submitted by: Robert K.

***********************************************************************

Answer:

The way I understand it, passwords are stored by your browser in a special database. Are they safe? As safe as your browser!

For instance: I will not store any passwords on Internet Explorer. Rather, I use RoboForm on my PC, and store the data on a removable disk. At home however, I do store passwords on my iBook, running Safari. Somehow, I trust Apple more that I trust Microsoft.

When in doubt, keep your passwords elsewhere.

Submitted by: Hans W.

***********************************************************************

Answer:

Hi Gary,

I'm with you, I allow some sites to remember passwords, only those that have no further information about me usually. I know some web sites try to keep your info secure, but nothing is infallible.

You could keep a small book, or if you prefer, save them as an Archive on your mobile phone.

Hope that helps.

Submitted by: Deb of Australia