Thursday, April 15, 2010

The password is ...

Last year I started a personal crusade to do a better job securing my passwords. My former student and colleague Mike had a great canned presentation on choosing and remembering passwords that I heard him give a couple of times. And at a certain point I realized that there must be tools out there that make it easier to have diverse, unguessable passwords for the dozens of sites where I have accounts.

My initial research led me to KeePass, an open-source stand-alone password manager application that has versions for Mac and PC. I started keeping separate versions at home and at work, but I was pretty sure there must be a way to have them sync. The problem with the open-source approach, though, was that the solutions were third-party extensions that weren't necessarily maintained and didn't always work with versions for all platforms. Finally, just a month ago or so, I investigated the frequently-mentioned Dropbox solution. Dropbox is a free program that runs on PC, Mac, and iPhone; it works as a folder on your system. Drop any file in that folder, and it's available on any computer or phone synced to that Dropbox account. You can put your KeePass database file in your Dropbox and open it from there with the KeePass application on all your systems. Any changes sync automatically.

All was well until yesterday morning when I started up my PC and entered my master password (the only one I now have to remember!) in KeePass. "Invalid key," said the message. Uh-oh. It was the right key, all right, but somewhere between home and the Dropbox file, something got closed while it was still saving or somethin', and the file was corrupt. I had an export version of the database from a while back, but it was missing some of my most important passwords, like the one for my unit's information system.

I researched repairing the database, and actually managed to do that this morning (the procedure doesn't work on the Mac version, so I had to wait until I got back to work). But the vulnerability in my cobbled-together system had been revealed. And when I ran across a Lifehacker article advocating LastPass as a replacement, I was ready to listen.

LastPass's database sits out in the cloud, so syncing between computers isn't a problem. And it's a browser extension (any browser!), so it can autofill username and password fields -- something that wasn't possible with a standalone application. Because I recovered my KeePass database, I was able to import my passwords into LastPass in one step (using the Firefox version of the extension).

I'm already making plans to replace some of my still-insecure old passwords with unique codes, now that I'm less concerned that I'll be without my passwords anywhere I happen to go. I think I've traded up, and I hope LastPass will last me a good long time.
