Five Password Utilities for Portable Freedom

image
Password managers are a huge help in dealing with our exponentially growing numbers of accounts. But stand-alone apps introduce a new problem: If you aren't sitting at the PC with the software installed, you can't get to your credentials. Luckily, you have alternatives. These five password tools are all accessible either from a portable device (such as a thumb drive) or over the Web.

RoboForm

RoboForm is one of the better-known password-management applications, but the $30 software (with a free version limited to saving ten passwords) is normally tied to one PC. Its built-in access to GoodSync.com lets it synchronize its account files across multiple systems, but doing so requires Windows network, FTP, or WebDAV access. In other words, setting it up between PCs across the Internet--such as your home and work PCs--could be a pain.

Instead, use Microsoft's free FolderShare utility to sync the directory where RoboForm keeps its account files: My Documents\My RoboForm Data\Default Profile. Newly created files will automatically transfer between PCs, though you may have to restart RoboForm to see a new account created on another PC.

Passpack

The latest online storage features let Web sites tackle what has long been a security no-no: storing all your user names and passwords online. In addition to a site log-in, Passpack employs a "Packing Key" passphrase to encrypt your stored cache of account data. Once downloaded and decrypted, that cache stays only on the computer you're using until you save it, at which point it's encrypted again and re-sent to Passpack for storage. Passpack doesn't ever have access to the packing key, and you can't decrypt your passwords without it--so be careful not to lose the key.

You can use PassPack to log you in automatically to sites, though you might need to train it on a specific site. The free service allows you to store only up to 100 log-ins, but the company may add premium levels of service. While Passpack includes some good antiphishing measures, password-stealing attacks could prove to be an Achilles' heel if they target the service's log-in and packing key, so you might want to use it solely for less-important (namely, nonfinancial) sites until it has been around a while to prove itself.

Password Hash

Another free browser-based option takes an entirely different approach to password security. If you have the Pwdhash (Password Hash) add-on for Firefox and Internet Explorer installed, pressing F2 prior to typing in a password runs that password through some mathematical "hashing" calculations.

The end result is a unique and strong password that transmits to the site and doesn't have to be saved anywhere; meanwhile, you have to remember only one password. The tool will always generate the same password for the same site (provided you give it the same starter password), even if you use a different browser. If you're at a PC where you can't install the add-on, you can instead visit the PwdHash site to run the calculations manually, after which you can simply cut and paste the resultant password.

OpenID

Wouldn't it be nice to use one account to log in to many different sites? Try OpenID. First sign up for free with your choice of OpenID provider; the pool includes big names such as Flickr, Verisign, and Yahoo. Then, when you visit a site that supports the technology, give it your OpenID. You'll be sent to your provider for verification.

Once you're vetted--which might entail your providing a password or correctly identifying preselected elements of an image map, as in myVidoop.com's interesting setup--the provider tells the original site that you're okay, and voilà, you're logged in.

Not many sites use OpenID yet, largely because some security risks, such as phishing, still threaten the relatively new system. But you can save yourself a fair amount of hassle by using it for those nonsensitive sites that do support it.

ID Vault

Guard ID's thumb drive can securely store all your online account data, and it can help guard against phishing by launching a stripped-down custom browser for use with financial accounts. While it's easy to use, it's not cheap: It costs $50 plus a $40 yearly subscription renewal.

Before you can use the device with a given PC, you'll need to install downloadable software (available for Windows XP or Vista). Then you can add accounts from a list of known financial or shopping sites, or input data for other accounts you specify.

From then on, you connect the thumb drive, right-click the ID Vault system-tray icon, and select an account. After you provide a numeric code (which you choose during the device setup), ID Vault logs you in.

Subscribe to the Security Watch Newsletter

Comments