4/21/08
11:11 am

MacMost Now 71: Storing Passwords Securely

Gary Rosenzweig takes a look at best practices for making and storing passwords. You should have a different password for every account, use secure passwords, and store them using a security utility.

Video Transcript
Hi, this is Gary Rosenzweig. How many passwords do you have? If you're like me, you've got dozens, well, actually maybe even hundreds of passwords. A different one for every website, a different one for every service that you've got--what's that?--oh, you just use one password for everything? That's not a good idea. Let me tell you why, and let me tell you how you can easily use different passwords for everything, without forgetting them all.
Okay, so here's why it's a bad idea to use the same password everywhere, or even in more than one place. Say you have the same password for, maybe, your mail account, Amazon account, and maybe a bunch of other things, including maybe some small website you signed up for to get a newsletter from, or something. Can you really trust that small website or maybe some other service? Maybe somebody will actually get your password from there, and then guess that "hmm, I wonder if this person used their same email address and that same password for Amazon." They can log into your account and start ordering stuff. Maybe they actually look into your email address and say "hmm, let me go ahead and see if I can log into their email account with that same password." Maybe it's not even that site's fault, maybe that site's been hacked, and all of the passwords have been stolen. But if you have just one password for every different account, well then you have to worry about it. Somebody gets the password for that small website, and all they can do is access your account on that small website; everything else you've got is secure.
Now it's easier than ever now to have different passwords for every site you go to. That's because your browser usually remembers what password goes to which site. It'll do this in the keychain if you're using Safari. So what happens is that you go to the website and it instantly fills in your ID and password and you can log onto that account with that special ID and password without having to remember it. Now if you look at your keychain application you can see a list of passwords that you use when logging into different websites. So for instance, with this website, we can see here, that it's got a password, it's a demo account, and we can actually show the password, so if we forget what the password is and you need to use it on another computer, we click there, what we get is a prompt for our keychain password. Allow it, and there you go, there's the password for this example.
Now while keychain is a great place to store some of these passwords, you may also want to put them in another location. Now you don't want to just create a text file, and stick all of these passwords in there, because what if somebody gets a hold of your computer, and gets all of these passwords? Instead you want to use a piece of shareware that saves the passwords in an encrypted format. Let's take a look at a few of those. The one that I use is called Password Retriever and it's from Koingo Software. Now this is a great little utility because it allows you to save all your passwords and other stuff, so I can go ahead and put things like credit card information, or maybe the code to my safe, that type of thing. You store it in here, and it's encrypted so that when somebody looks at your hard drive, all they can find is a file that's useless to them, unless they know the secure password to get into it. Now there are a lot of other apps out there, and everybody's got their favorite. If you go to the Apple download section at apple.com, you can search for password and come up with tons of different applications that will do just this. So go ahead and take a look through them, and maybe there's one from your favorite software vendor.
Another great thing about storing all your passwords and other secure information inside of some sort of encrypted file is that it's easy to back up. You can back up using Time Machine, you can also save a copy of it, put it onto a CD or something, and put it inside your safe. And then, you know, all you need to do is know that master password, and also have that piece of software, and you can unlock it. So you can put all sorts of sensitive information like your driver's license number, passport number, social security number, the numbers for your credit cards, that sort of thing, all in one place, know where you can get to it very easily, very quickly.
Of course you want to make sure that master password is the most secure password of all. It should be completely random numbers and letters with upper and lower case letters. Something that nobody could possibly guess.
So the 3 secrets for secure passwords are: one, use a different password for every service; two, make that a completely secure password by being completely random (a lot of these utilities actually have a little button that'll generate a random password for you, use that); and number three, store them in a secure place, like using one of these shareware applications.
Until next time, this is Gary Rosenzweig with MacMost Now.
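
An added example, not part of the video or its transcript: a Python sketch of the first two practices summarized above. It audits a constructed account list for password reuse, showing which other accounts a leak at one site would also expose, then gives each reused entry its own random password. The site names, passwords and function names are made up for illustration.

```python
import secrets
import string
from collections import defaultdict

# Constructed sample data (site -> password); not real credentials.
ACCOUNTS = {
    "mail": "sunshine1",
    "amazon": "sunshine1",
    "small-newsletter": "sunshine1",
    "bank": "Kq7vR2xLp9Zt",
}
ALPHABET = string.ascii_letters + string.digits


def exposure(accounts):
    """Map each site to the other sites that a leak of its password exposes."""
    by_password = defaultdict(list)
    for site, password in accounts.items():
        by_password[password].append(site)
    return {
        site: sorted(s for s in by_password[password] if s != site)
        for site, password in accounts.items()
    }


def random_password(length=16):
    """Random letters and digits from the OS CSPRNG, mixed case guaranteed."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)):
            return candidate


def rotate_reused(accounts):
    """Give every account that shares a password its own random one."""
    shared = exposure(accounts)
    return {
        site: random_password() if shared[site] else password
        for site, password in accounts.items()
    }


if __name__ == "__main__":
    for site, others in exposure(ACCOUNTS).items():
        print(f"leak at {site!r} also exposes: {others or 'nothing else'}")
    fixed = rotate_reused(ACCOUNTS)
    print("reuse after rotation:", any(exposure(fixed).values()))
```

The third practice, encrypted storage, is left to a password manager like the ones mentioned in the video; the rotated passwords here only exist in memory.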