Thursday, March 18, 2010

Consultant Tools Series: Password Management

How many passwords do you have to know or remember? I think if you took the time to count them all, you would be pretty surprised.

Multiple e-mail accounts, web site logins, client VPN connections, RDP server logins, GP logins, GP system passwords, and FTP sites are just some of the passwords I have to manage.

Multiply these by the number of clients you have to manage, and you will quickly exceed your ability to remember them, especially if you haven't used them for several months.

I used to track most of the common passwords in memory, and then used a password-protected Excel spreadsheet for reference.

But when I added in all of my personal passwords (bank web site, credit card site, health insurance site, retirement account site, dozens of e-commerce sites, ATM PINs, frequent flyer sites, etc.), it was clear that all of those passwords were too cumbersome to manage.

I spent a few weeks evaluating different apps that help manage passwords. I tried common free and open source options and I tried a few commercial products. I think I eventually went to CNet Reviews to see what product they ranked as the best password manager.

At the time, they recommended a product called RoboForm, so I downloaded the trial version. At first, I was pretty puzzled by the product, and somewhat disappointed. It didn't work at all like the other password products I had tried, so it took me a while to figure out how to use it properly. But once I realized how it worked, and how well it worked, I was hooked.

I now have over 300 different entries stored in RoboForm, all encrypted. Over 200 of those are web site logins, which include the URL, username, and password. I also have just over 100 "Safe Notes", which are RoboForm's version of an encrypted free-form note. Bank account information, frequent traveller account numbers, client network logins, VPN information, you name it.

I have no idea how I managed this information previously. It was scattered in multiple locations, unencrypted, disorganized, incomplete, and not always current.

Now I consistently store all passwords, logins, or any other sensitive information in encrypted RoboForm entries.

Although there are several very good password management applications available, there are a few reasons why I chose RoboForm over other products.

1) Mobile support. RoboForm has both a Blackberry app and an iPhone app (and Android and Windows Mobile and Palm and Symbian), so I can always have access to my passwords and encrypted information, even when I don't have my computer. This is a critical feature for me. I was at the rental car counter at the airport and they couldn't find my frequent renter number (ironically), so I pulled out my Blackberry, typed in my password, and opened my secure note for that rental car company. At the pediatrician's office, I can quickly pull up my daughter's SSN. When I'm out of the office, I can pull up client network or GP configuration information, all on my phone.

2) Web-based remote access. RoboForm now offers online access to your encrypted password files. Just set up an account and you can synchronize your encrypted files with their site.

3) Seamless browser integration. RoboForm installs an unobtrusive toolbar for IE, Firefox, and Chrome. With a search box, you can type the first few letters of a web site, and it will find your associated site password file. With a single click, it will open the site URL, and automatically log you in.

4) Profiles and Auto Fill feature. Whenever I register on a new web site or have to fill out my contact info, I can now click on a single button on the RoboForm toolbar and it fills out the form for me. I can fill out my name, address, phone numbers, full credit card info, e-mail, you name it. It's amazingly accurate, and also allows me to have multiple profiles, so I can use either my personal information or my work information.

Other apps that I tried had some of these features, but not all, and typically they weren't as refined. And for $40 for two licenses (one for my laptop, one for my desktop), it was a bargain.

If you aren't using a password management app, I would definitely recommend at least trying something so that you can conveniently and securely store and organize your personal and password data and your clients' password data.


Andy Nifong said...

Nice post, Steve. I was a satisfied RoboForm Pro user for a few years but eventually migrated to LastPass once I started using multiple machines, purely due to ease of syncing that between machines, though now it looks like RoboForm may have that figured out.

Steve Endow said...

Hi Andy,

Yes, I neglected to mention multi-machine syncing.

I use SugarSync, so when I started to use RoboForm, I was able to automatically synchronize the password files between my desktop and laptop.

But RoboForm then offered their GoodSync utility for free to enable synchronization with their web site. This in turn appears to allow you to synchronize the RoboForm files across multiple machines. But since they have labeled their RoboForm "Online" service as a Beta, I don't know if they are going to eventually make it a subscription service.